Published February 22, 2018 • By Karen Walsh

An IT security audit often causes stress within a company—but it doesn’t need to. Helping to protect against a data threat event, security audits involve technical reviews reporting on configurations, technologies, infrastructure, and more. These details can intimidate those who feel less-than-expert in IT, but understanding the resources and strategies available to protect against modern attacks makes IT security less overwhelming.

What Is an IT Security Audit?

At its root, an IT security audit includes two different assessments. The manual assessment occurs when an internal or external IT security auditor interviews employees, reviews access controls, analyzes physical access to hardware, and performs vulnerability scans. These reviews should occur, at a minimum, annually. Some organizations, however, prefer to do them more frequently.

Organizations should also review system-generated reports. Automated assessments not only incorporate that data, but also respond to software monitoring reports and changes to server and file settings.

Why Is an IT Security Risk Assessment Important?

Before creating procedures and controls around IT security, organizations need to determine their risk exposure. ISACA notes that there are five main reasons to establish an enterprise security risk assessment.

First, a risk assessment can help to justify the financial expenditures needed to guard an organization. Information security comes at a cost. Tight budgets mean that additional expenditures can be challenging to get approved. An IT security risk assessment articulates critical risks and quantifies threats to information assets. By educating internal stakeholders so they can see not only the exposure, but also the value of mitigating critical risks, a security risk assessment helps justify security investments.

Second, risk assessments help streamline IT department productivity. By formalizing the structures that aid ongoing monitoring, IT departments can focus on proactively reviewing and collecting documentation rather than defensively responding to threats.

Moreover, assessments can help break down barriers. Starting with a security risk assessment puts corporate management and IT staff on the same page. Management needs to make decisions that mitigate risk while IT staff implements them. Working together from the same risk assessment gives everyone the information they need to protect the organization, and facilitates buy-in to security efforts beyond the IT department.

Enterprise security risk assessments also establish the basis for self-review. While IT staff knows the technical system, network, and application information, implementation depends on staff in other business units. Risk assessments provide accessible reports focused on actionable information, so that all involved can take the appropriate level of responsibility. To foster a culture of compliance, security cannot operate in isolation.

Finally, security risk assessments help share information across departments. With individualized vendors and systems, different departments within an organization may not know what others are doing. Since upper management within larger companies must all share responsibility, assessments provide the insight necessary for meaningful discussions supporting IT security.

What Does an IT Security Auditor Do?

IT security auditors provide a variety of functions. They review an organization’s operations, financial reporting, and compliance. While these areas seem segregated, the three intersect in several places.

Financial audits incorporate more than just the standard review of a company’s books. When Congress passed the Sarbanes-Oxley Act of 2002 (SOX), the legislation included section 404. Section 404 requires financial reporting system audits to ensure compliance with the company’s internal controls. IT security, compliance, and financial reporting overlap in these legally required reviews.

Another area where the three intersect is in SOC reporting. Many customers require their vendors to complete a Service Organization Control (SOC) audit. Whether a company decides to engage in a SOC 1, SOC 2, or SOC 3 report, it will need to hire an auditor to determine the company’s data security protocols. SOC reporting can be viewed as SOX-adjacent. For organizations that anticipate a future SOX compliance mandate, SOC reporting can serve as valuable preparation. Therefore, engaging an IT security auditor not only helps to protect a business’s information assets, but offers opportunities to scale its compliance.

What Should an Organization Look for in an IT Security Auditor?

Although not all IT security auditors are Certified Public Accountants (CPAs), the American Institute of Certified Public Accountants (AICPA) offers resources to connect organizations with CPAs who have cybersecurity experience. Combining the two skillsets helps to develop or provide assurances for cybersecurity plans.

For companies just getting started with IT security controls, the AICPA also shares research to aid important decisions, as well as a framework for determining ways to create effective cybersecurity risk management practices.

As malware attacks and ransomware attacks continue to plague businesses, businesses need to protect themselves and ensure their customers are safe. One data breach can lead to bankruptcy, especially for small businesses.

What Is an IT Security Audit Trail?

The most time-consuming aspect of an IT security audit is creating the audit trail. An audit trail consists of the documentation provided to the auditor that shows proof of processes to secure an IT environment.

When preparing for an IT security audit, companies need to start by organizing the documents that meet audit requirements. The documentation needs to prove business and industry knowledge. Because the auditor will read the previous year’s audit report, it is wise for a company to revisit it, as well, and gather evidence of corrective actions. Additionally, companies need to show the risk assessments, artifacts of compliance with regulatory statutes, and financial information evidence developed in the current year.

Moreover, the IT department needs to gather information showing the IT organizational structure, policies and procedures, standards, personnel list, the performance of employees and processes, and internal control tests. All this documentation shows facts that support the auditor’s opinion on their final report.

What Is the Difference Between General and Application Controls?

General controls focus on the infrastructure applicable to the entire business, including but not limited to IT. General controls include, but are not limited to, operational, administrative, accounting, and organizational controls.

Application controls focus on transactions and data within computer application systems. Therefore, these are specific to the company’s IT landscape. Application controls emphasize data accuracy, specifically the company’s input, processing, and output (IPO) functions.

How Does Automating the IT Security Process Streamline It?

Auditing IT security requires vast amounts of documentation. SaaS tools, like ZenGRC, speed the process of aggregating information. They also help stakeholders communicate better. When multiple areas of an organization are creating and attempting to implement their own controls, security audit documentation becomes unwieldy and time-consuming to compile.

ZenGRC simplifies the IT audit process, beginning with its risk assessment modules, which give insight into both vendor risk and company risk. The Risk Trend and Risk Responsibility graphics provide easy-to-digest, color-coded visuals that give management a view of the company’s current risk.

Moreover, ZenGRC allows organizations to store their audit documentation in one location. Unlike shared drives, however, ZenGRC enables administrators to moderate user access efficiently. This moderation keeps records safe from tampering and also facilitates communication. While some employees require editing access, some merely need to view documents. ZenGRC allows IT professionals to follow user access protocols, even within their audit documentation processes.

Finally, ZenGRC efficiently generates reports that meet diverse needs. It gives the C-suite the overview they need to understand the IT landscape, while simultaneously giving IT professionals a place to record the depth of information necessary during an IT security audit.