Johanson Group, LLP

IT Audit Checks: What You Need To Know

An IT audit is an assessment of your company's current information technology infrastructure. It provides a clear picture of your company's IT system and where its potential risks lie. 

Conducting an audit allows you to identify any gaps that exist as well as identify areas for improvement.

Here’s what you need to know.

Why IT audits are important

IT audits are important to cloud computing, data center, software-as-a-service (SaaS) and healthcare organizations because they help these companies ensure that their data is secure. IT audits help these organizations confirm that their data is not vulnerable to unauthorized access or theft.

Although cloud computing, data centers, and SaaS give users access to sensitive data and information in real time, these services may be vulnerable if not audited regularly.

It is impossible for a company to know whether or not its security measures are effective without conducting an audit. An audit will also reveal any weaknesses in the company's security system so that they can be fixed before hackers exploit them.

There are several types of IT audits crucial to these types of organizations, two of the most prominent being SOC 2 compliance audits and HIPAA compliance audits. A SOC 2 audit is required by many companies that want to offer Cloud Service Level Agreements (SLAs) to their customers. It ensures that the company has adequate policies and procedures in place for handling security risks. The HIPAA audit ensures that a company's website is compliant with the Health Insurance Portability and Accountability Act (HIPAA). A SaaS organization may also have an ISO 2700 audit done on its service offerings.

How do I know my IT controls are working?

Before an IT audit, how can you check whether all your IT controls are working effectively?

The first step is to identify the controls that you have in place. You should already have a list of them, provided by your IT department or other relevant parties. If not, consult your existing documentation and compile the list from it.

Once you know what controls are in place, ask yourself what each of them does and how it works.

For example, if you have a backup system, ask yourself: "What happens if the backup computer goes down?"

Or if you have antivirus software installed to prevent ransomware on each computer: "What happens if my antivirus software doesn't work?"

Make sure each control has a job description (or purpose) and does what it is supposed to do. 

How do I know if I’m using the right IT controls for my company?

To know if you're using the right IT controls for your company in the right way, you need to identify which controls are most important for your organization.

You can start with a risk assessment process, where you identify all of your internal and external risks and rank them by their impact on your organization's operations; use this information to prioritize which controls you should focus on first.

Once you've identified these priorities, you'll want to ensure that the right people are involved in implementing these controls. Some might need approval from upper management or the board of directors; others may require approval from a committee or a peer group within the company. 

Suppose one person approves all IT security decisions across multiple departments. In that case, that person must have sufficient knowledge of each department's operations to decide what security measures will best benefit each department's needs.

Before my IT audit, how can I ensure that my IT controls are followed correctly?

Before your IT audit, you can ensure that your IT controls are followed correctly by conducting a self-audit. This will help you identify gaps in your current processes and allow you to address them before the audit.

A self-audit should include:

  1. A review of all IT controls to ensure they are followed correctly.

  2. An assessment of the adequacy of these controls based on best practices for similar businesses in similar industries.

  3. A comparison between what your business is doing and what it should be doing to ensure that risks are appropriately mitigated.

What do I need to prepare for my company’s upcoming IT audit?

To prepare for your company-wide IT audit, you must have the right tools and information available. 

You can do this by:

  • Gathering all of the relevant documentation. This includes everything from email threads to agreed-upon policies with vendors and clients.

  • Ensuring you have a system that stores essential data (for example, in a shared folder on Google Drive).

  • Noting any changes in your processes or systems that might affect checks later (for example, if you're going through major organizational changes).

What does an IT audit look for?

As you can see, a lot goes into an IT audit. 

The following are some of the important factors that an IT audit looks for:

Systems and software documentation

A thorough understanding of how systems are structured and documented is key to ensuring all processes are running smoothly. Without adequate documentation, identifying problems or making necessary changes will be difficult.

Systems and software configuration

The proper configuration ensures that the system performs as expected while reducing the likelihood of unexpected issues occurring later. 

For example, suppose you have multiple servers running different applications. In that case, proper configuration will ensure they don't conflict with each other or cause downtime when someone tries something new or changes a server's configuration (e.g., adding more RAM).

Systems and software security

Software security isn't just about keeping hackers out; it also involves protecting your data from being accessed by unauthorized parties within your organization (e.g., employees). 

This may include encryption techniques when storing sensitive information, such as storing passwords only as password hashes (produced by one-way algorithms so that no one can reverse engineer the original password from them), or physical measures such as disabling unused ports with tape to ensure no one plugs something into them by accident!

What to look for when hiring your company’s IT auditor

Here are some things to look for when choosing an auditor for your IT audit:

  • Experience: Look at the company's experience, and make sure they have done audits on similar companies in your industry. You also want to ensure they have experience with your specific business model and processes.

  • Industry knowledge: You need someone who knows the industry as well as they know themselves! The more they know about your industry and how it works, the more likely they will be able to find issues specific to your company's needs.

  • Up-to-date certifications and licenses: Many auditors have certifications on specific software systems or processes. You must check their credentials before hiring them to know their background and whether they're qualified for the job at hand!

  • Timelines: Ensure that the auditing firm has enough time to complete the audit within your desired timeframe (usually within six months). If not, find another firm!

  • Good reviews: The best way of ensuring your auditor will do a good job is by reviewing their previous work. Many will have reviews up across the web on Google, Yelp, or other review sites. Another place to look for proof of quality work is at the auditor’s website, like a testimonial page.
How often should you conduct a formal IT audit?

We recommend conducting a formal IT audit at least once a year. That way, you can keep track of your company's progress and ensure it's on track for the future.

Proper auditing has become increasingly important in today's data security-focused world. It's clear that if businesses were more diligent in their audits, they would save money and avoid devastating losses to their reputations and their company's health. 
If you want to know more about the process and value of formal IT audits, feel free to reach out to Johanson Group. We'd love to talk with you!