IT Audits 101: Professional Guidance From an IT Auditor


In the ever-evolving landscape of technology, organizations rely heavily on their information systems and digital infrastructure to operate efficiently and securely. However, with technological advancements come new risks and vulnerabilities. To determine the integrity, availability, and confidentiality of data, organizations turn to Information Technology (IT) audits—a systematic evaluation of their IT systems and controls. In this blog post, we will delve into the world of IT audits, understand their significance, and explore the benefits they bring to businesses.

What Is an IT (Information Technology) Audit & What Is Its Purpose?

An IT audit is a comprehensive examination of an organization’s IT systems, infrastructure, and processes. Its primary objective is to evaluate the effectiveness of internal controls and identify any weaknesses or vulnerabilities that could compromise the confidentiality, integrity, or availability of information. IT audits cover a wide range of areas, including data security, network infrastructure, hardware and software assets, IT governance, compliance, and more. Auditing – whether performed internally or by a third party – helps organizations determine that their IT is functioning as effectively as possible. The purpose of an IT audit is to provide visibility into the effectiveness of your IT systems.

How Does an IT Audit Differ From an Audit?

The key difference between an audit and an IT audit lies in the scope and focus of the examination. An audit, generally referred to as a financial or external audit, is a comprehensive examination of an organization’s financial statements, accounting records, and internal controls.

What Are the Two Types of IT Auditing?

There are two main kinds of IT audits: compliance audits and controls assessments.

  • Compliance Audits: These audits focus on how well you’re adhering to regulations, industry best practices, and standards. Popular IT compliance audits are SOC 1 and SOC 2 audits. A SOC 1 audit includes both business process and information technology control objectives and testing. SOC 2 compliance demonstrates that your company has adequate controls in place governing information security in your environment. Both SOC 1 and SOC 2 must be issued by a CPA firm that specializes in auditing IT security and business process controls.
  • Controls Assessments: These assessments look at whether your system has been set up in a way that prevents high-risk activities from happening. There are several control frameworks your controls assessments can be tested against. For example, if a hacker wants to break into your systems but can’t because it’s too secure or has been designed in such a way that it won’t let them get through – that’s good! You’ve got strong controls on your side!

See more information on frameworks and examples of IT audits here: HIPAA, HITRUST, NIST 800-53, NIST 800-171, NIST CSF, CMMC, FedRAMP, ISO 27001, GDPR, and CCPA.


What Is the IT Audit Process & What Should You Expect?

The IT audit process typically involves the following 6 phases:

  • Planning and Preparation: The audit process begins with defining the scope and objectives of the audit. This phase involves understanding the organization’s IT landscape, identifying critical systems and processes, and determining the audit methodology and timeline.
  • Risk Assessment: A comprehensive risk assessment is a vital component of any IT audit. It involves identifying potential threats, assessing their impact, and evaluating existing controls to mitigate those risks. This step helps prioritize audit activities and determines a targeted approach.
  • Evaluation of Controls: Auditors assess the effectiveness of IT controls in place to protect information assets. These controls encompass various aspects, such as access management, data backups, change management, network security, and incident response. Evaluating controls provides insights into their adequacy and identifies gaps that need to be addressed.
  • Compliance Review: Compliance with relevant regulations, industry standards, and internal policies is a critical aspect of IT audits. Auditors review documentation, procedures, and practices to determine alignment with the required standards, thereby minimizing legal and reputational risks.
  • Vulnerability Assessment: Auditors perform vulnerability scans and penetration tests to identify weaknesses in the organization’s IT infrastructure. This involves assessing the robustness of firewalls, intrusion detection systems, encryption protocols, and other security mechanisms. The findings help organizations remediate vulnerabilities and strengthen their defenses.
  • Reporting: The audit findings are documented in a comprehensive report that outlines identified risks, control deficiencies, and considerations for improvement. This report serves as a roadmap for management to address the identified issues and enhance the security and efficiency of their IT systems.

Who Performs an IT Audit?

An IT audit can be performed internally or externally by a third party.

  • The organization’s own IT staff performs internal IT audits. These are often done to evaluate and improve the efficiency of existing systems, or to determine that information security policies and procedures are being followed correctly.
  • External IT audits can be performed by a third party who is not affiliated with your company. This type of audit is typically used by companies that want an unbiased opinion on their security measures or other aspects of their technology infrastructure, such as cloud storage solutions used by employees working remotely.

What Do IT Auditors Look For?

IT auditors look for various aspects during an IT audit to assess the effectiveness, reliability, and security of an organization’s IT infrastructure, systems, and processes. Here are some key areas that IT auditors typically focus on:

  • Access controls, authentication mechanisms, password policies, network security measures, firewalls, intrusion detection systems, and data encryption techniques.
  • Data backup and recovery procedures, data retention policies, data classification frameworks, and privacy controls.
  • Change management processes to determine that changes to IT systems, applications, and configurations are properly authorized, documented, tested, and implemented.


The Importance of IT Audits for Your Organization

IT audits are an important process for enhancing information security, improving operational efficiency, and supporting strategic decision-making. They provide valuable insights to management and help organizations build a robust and resilient IT infrastructure. The following are key areas/processes within an organization that IT audits can be an integral part of.

Risk Management

IT audits play a crucial role in identifying and assessing risks associated with an organization’s IT environment. By conducting regular audits, businesses can proactively address potential vulnerabilities, reduce the likelihood of security breaches or data loss, and mitigate the impact of technological risks on their operations.

Compliance and Regulations

In today’s regulatory landscape, organizations face a multitude of legal and industry-specific requirements regarding the protection of data and IT systems. IT audits help determine compliance with relevant laws and regulations, such as the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), and more.

Internal Control Evaluation

Robust internal controls are vital for safeguarding assets, preventing fraud, and maintaining operational efficiency. IT audits evaluate the design and effectiveness of internal controls related to IT processes, providing insights into potential weaknesses or gaps that need to be addressed.

Data Security and Privacy

With the increasing frequency and sophistication of cyber threats, organizations must prioritize data security and privacy. IT audits assess the organization’s security posture, identify vulnerabilities, and recommend measures to enhance data protection, including encryption, access controls, user authentication, and incident response plans.


Understanding the Benefits of IT Audits

IT audits provide several benefits to organizations. Here are some key benefits of conducting IT audits:

  • Enhanced Security: IT audits help organizations identify security gaps and implement appropriate measures to strengthen their defense against cyber threats. This leads to improved data protection, reduced risk of data breaches, and enhanced overall security posture.
  • Increased Efficiency: By evaluating IT processes and controls, audits identify areas where operational efficiency can be enhanced. This may involve streamlining workflows, eliminating redundant tasks, optimizing resource allocation, and adopting best practices, ultimately leading to cost savings and improved productivity.
  • Regulatory Compliance: Compliance with applicable laws and regulations is essential for maintaining trust with customers, partners, and stakeholders. IT audits determine that organizations meet regulatory requirements and avoid potential penalties or reputational damage.
  • Risk Mitigation: Identifying and addressing IT-related risks helps organizations mitigate the potential impact of disruptions, whether caused by security breaches, system failures, or natural disasters. By proactively managing risks, organizations can enhance business continuity and resilience.

What Are the Limitations of IT Audits?

While IT audits provide valuable insights and benefits, they also have certain limitations that organizations should be aware of. Here are some limitations of IT audits:

  • Sampling Limitations: Due to the vastness and complexity of IT systems and processes, IT audits often rely on sampling techniques to assess controls and risks. The auditor selects a subset of items or transactions for examination, which may not fully represent the entire population. As a result, there is a risk that the selected sample may not capture all potential issues or vulnerabilities.
  • Limited Scope: IT audits typically focus on specific objectives, such as compliance with regulations, information security, or IT governance . While these areas are essential, the audit scope may not cover all aspects of the organization’s IT environment. Some potential risks or control weaknesses may go undetected if they fall outside the audit’s scope.
  • Reliance on Information Provided: IT audits rely on the information provided by the organization being audited. The accuracy, completeness, and reliability of the information can affect the audit findings. If the organization provides incomplete or inaccurate information, it may lead to incorrect assessments or missed vulnerabilities.
  • Time Sensitivity: IT audits provide a snapshot of the organization’s IT controls and processes at a particular point in time. IT environments are dynamic, with new technologies, vulnerabilities, and threats emerging regularly. Therefore, the audit findings may become outdated relatively quickly. Organizations need to continually monitor and update their controls to address evolving risks.
  • Inherent Limitations of Controls Testing: IT audits assess the design and operating effectiveness of controls. However, even with thorough testing, there is always a possibility of control failures or gaps going undetected. Sophisticated attacks or emerging vulnerabilities may not be captured through standard control testing methodologies.
  • Limited Assurance: IT audits provide reasonable assurance rather than absolute assurance. They are based on professional judgment, sampling techniques, and risk assessments. While auditors aim to provide reliable and objective assessments, there is still inherent uncertainty in the audit process. Therefore, audit findings should be interpreted in that context.
  • Human Factor: IT audits involve interaction with individuals within the organization. The effectiveness of controls and security measures can be influenced by human behavior, including intentional or unintentional actions that may not be captured during an audit. The human factor introduces an additional layer of complexity and risk that may not be fully assessed through the audit process.

Despite these limitations, IT audits remain valuable for organizations in assessing and improving their IT environment. It is important to recognize these limitations and complement audits with other risk management practices, continuous monitoring , and proactive security measures to address potential gaps.


What Are the Best Practices for IT Audits?

To conduct effective and thorough IT audits, it is important to follow best practices. Here are some key best practices to consider when conducting IT audits:

  • Establish Clear Objectives: Clearly define the objectives and scope of the IT audit based on the organization’s needs, regulatory requirements, and risk landscape. Establish specific goals to guide the audit process and align them with the organization’s strategic objectives.
  • Risk-Based Approach: Take a risk-based approach to prioritize audit focus and resource allocation. Identify and assess the risks associated with the organization’s IT systems, infrastructure, and processes. Tailor the audit procedures to address the highest-risk areas and potential vulnerabilities.
  • Maintain Independence and Objectivity: IT auditors should be independent and objective to maintain unbiased assessments. They should not have any conflicts of interest that could compromise their ability to provide impartial recommendations and findings.
  • Use Established Audit Frameworks: Utilize established frameworks and standards, such as COBIT (Control Objectives for Information and Related Technologies) or the NIST (National Institute of Standards and Technology) Cybersecurity Framework, to guide the audit process. These frameworks provide best practices and control objectives that can help determine comprehensive coverage and consistency.
  • Adequate Planning and Preparation: Thoroughly plan and prepare for the audit. Understand the organization’s IT environment, systems, and processes. Develop a detailed audit plan, including timelines, resource requirements, and methodologies. Engage with relevant stakeholders and gather the necessary documentation to facilitate the audit process.
  • Conduct Risk Assessment and Control Testing: Perform a comprehensive risk assessment to identify potential vulnerabilities and weaknesses. Evaluate the design and operating effectiveness of controls through testing, including technical assessments, document reviews, interviews, and observation. Use appropriate sampling techniques to determine representative coverage.
  • Document Findings and Recommendations: Document audit findings, including control deficiencies, vulnerabilities, and areas of non-compliance. Provide clear and concise recommendations for addressing identified issues. Determine that findings are well-supported by evidence and include appropriate context to facilitate understanding and action by management.
  • Communication and Collaboration: Maintain open communication and collaborate with relevant stakeholders throughout the audit process. Engage with management, IT teams, and other relevant departments to gather information, clarify findings, and discuss recommendations. Foster a collaborative environment to facilitate the implementation of audit recommendations.
  • Follow-Up and Monitoring: Monitor the implementation of audit recommendations and track progress over time. Conduct follow-up audits to assess the effectiveness of corrective actions taken. Continuously monitor the IT environment for emerging risks and changes that may impact the effectiveness of controls.
  • Continuous Learning and Improvement: Engage in continuous learning and professional development (such as security awareness training) to stay updated with evolving IT risks, technologies, and best practices. Incorporate lessons learned from previous audits into future engagements to improve the effectiveness and efficiency of the audit process.
  • Maintaining IT Audit Records: Responsibility for maintaining IT audit records rests with the organization’s internal audit function, IT department, or a dedicated compliance team, depending on the organizational structure and policies in place.

By following these best practices, organizations can conduct robust and value-added IT audits that provide meaningful insights, drive improvements, and support the organization’s overall risk management and governance objectives.

In an era dominated by technology, IT audits have become an indispensable tool for organizations. They provide a comprehensive assessment of an organization’s IT systems, help identify vulnerabilities, and recommend measures to strengthen security, compliance, and operational efficiency. By investing in regular IT audits, businesses can stay ahead of emerging risks, protect their valuable assets, and determine the seamless functioning of their technology infrastructure.

If you’re looking for more information on IT Audits and SOC 2 compliance, check out our website and blog. We have a wealth of articles about this topic, from preparedness tips and why it’s important for startups as well as how to get started if your company needs help meeting these requirements!

If you are interested in engaging our auditing services or have any questions, please feel free to contact us and our team of audit professionals at Linford & Co.

Umar Aziz | Linford & Company

Umar has over 15 years of experience in internal control-based audit, project management, cybersecurity consulting, attestation, and assurance services; 7 of those years were with the “Big Four” accounting firm, KPMG. He has overseen numerous SOC 1 and SOC 2 audits and other IT Compliance audits, including NIST 800-53. He has vast experience implementing comprehensive IT compliance frameworks for clients both in the public and private sectors. Umar is a certified information systems auditor (CISA) and received his Bachelor of Science degree in Business Information Technology from Virginia Tech.


IT auditing and controls – planning the IT audit [updated 2021]

Kenneth Magee

An IT audit can be defined as any audit that encompasses review and evaluation of automated information processing systems, related non-automated processes and the interfaces among them. 

How to perform an IT audit

Planning an IT audit involves two major steps: gathering information and planning, and then gaining an understanding of the existing internal control structure. More and more organizations are moving to a risk-based audit approach which is used to assess risk and helps an IT auditor decide as to whether to perform compliance testing or substantive testing. 

In a risk-based approach, IT auditors rely on internal and operational controls as well as their knowledge of the company or the business. This type of risk assessment decision can help relate the cost and benefit analysis of the control to the known risk. In the “gathering information” step the IT auditor needs to identify five items:

  • Knowledge of business and industry
  • Prior year’s audit results
  • Recent financial information
  • Regulatory statutes
  • Inherent risk assessments

A side note on “inherent risks” is to define it as the risk that an error exists that could be material or significant when combined with other errors encountered during the audit, assuming there are no related compensating controls. As an example, complex database updates are more likely to be miswritten than simple ones, and thumb drives are more likely to be stolen (misappropriated) than blade servers in a server cabinet. Inherent risks exist independent of the audit and can occur because of the nature of the business.

In the “gain an understanding of the existing internal control structure” step, the IT auditor needs to identify five other areas and items:

  • Control environment
  • Control procedures
  • Detection risk assessment
  • Control risk assessment
  • Equate total risk

Once the IT auditor has “gathered information” and “understands the control,” they are ready to begin the planning, or selection of areas, to be audited. Remember, one of the key pieces of information that you will need in the initial steps is a current business impact analysis (BIA), to assist you in selecting the application which supports the most critical or sensitive business functions.

Objectives of an IT audit

Most often, IT audit objectives concentrate on substantiating that the internal controls exist and are functioning as expected to minimize business risk. These audit objectives include assuring compliance with legal and regulatory requirements, as well as the confidentiality, integrity and availability (CIA — no, not the federal agency, but information security) of information systems and data.

IT audit strategies

There are two areas to talk about here: the first is whether to do compliance or substantive testing, and the second is “how do I go about getting the evidence to allow me to audit the application and make my report to management?”

So what is the difference between compliance and substantive testing?  Compliance testing is gathering evidence to test to see if an organization is following its control procedures. On the other hand, substantive testing is gathering evidence to evaluate the integrity of individual data and other information. 

For example, compliance testing of controls can be described as follows. An organization has a control procedure that states that all application changes must go through change control. As an IT auditor, you might take the current running configuration of a router as well as a copy of the -1 generation of the configuration file for the same router, run a file compare to see what the differences were, and then take those differences and look for supporting change control documentation.

Don’t be surprised to find network admins, when they are simply re-sequencing rules, forget to put the change through change control. For substantive testing, let’s say an organization has a policy or procedure concerning backup tapes at the offsite storage location which includes three generations (grandfather, father and son). An IT auditor would do a physical inventory of the tapes at the offsite storage location and compare that inventory to the organization's inventory as well as looking to ensure that all three generations were present.
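The two procedures just described, the router change-control trace (compliance testing) and the offsite tape reconciliation (substantive testing), written out as an added example; this is not the author's tooling. It assumes device configurations are plain-text line files, that change-control tickets are recorded as a ticket id plus a pattern over the configuration lines the ticket authorised, and that the tape inventory is keyed by backup set and generation. Every configuration, ticket and tape label below is constructed sample data.

```python
"""Compliance test vs. substantive test as two small audit procedures.

Added illustration, not the article's own tooling. Assumptions: configs are
plain-text lines, tickets are (id -> regex over authorised lines), and the
tape inventory is backup set -> generation -> label. All data is constructed.
"""
import difflib
import re
from typing import Dict, List, Optional, Set, Tuple

# --- Compliance test: every configuration change must trace to a ticket ---

# Constructed "-1 generation" and current running configuration of one router.
PREVIOUS_CONFIG = """\
hostname edge-rtr-01
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
ip access-list extended OUTSIDE-IN
 permit tcp any host 10.0.0.10 eq 443
 deny ip any any
ntp server 10.0.0.5
"""

CURRENT_CONFIG = """\
hostname edge-rtr-01
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
ip access-list extended OUTSIDE-IN
 permit tcp any host 10.0.0.10 eq 443
 permit tcp any host 10.0.0.11 eq 22
 deny ip any any
ntp server 10.0.0.6
"""

# Constructed change-control records: ticket id -> pattern describing the
# configuration lines the approved change was documented as touching.
CHANGE_TICKETS: Dict[str, str] = {
    "CHG-0412": r"^ntp server ",  # approved NTP server migration
}


def config_diff(previous: str, current: str) -> List[str]:
    """Return only the added ('+ ') and removed ('- ') lines between generations."""
    return [
        line for line in difflib.ndiff(previous.splitlines(), current.splitlines())
        if line[:2] in ("- ", "+ ")
    ]


def supporting_ticket(diff_line: str, tickets: Dict[str, str]) -> Optional[str]:
    """Find the ticket whose documented scope covers this changed line, if any."""
    text = diff_line[2:].strip()
    for ticket_id, pattern in tickets.items():
        if re.search(pattern, text):
            return ticket_id
    return None


def compliance_test_change_control(previous: str, current: str,
                                   tickets: Dict[str, str]) -> Dict[str, list]:
    """Trace each difference to change control; unsupported changes are exceptions."""
    supported: List[Tuple[str, str]] = []
    exceptions: List[str] = []
    for line in config_diff(previous, current):
        ticket = supporting_ticket(line, tickets)
        if ticket:
            supported.append((line, ticket))
        else:
            exceptions.append(line)  # e.g. an ACL rule added outside change control
    return {"supported": supported, "exceptions": exceptions}


# --- Substantive test: offsite tapes vs. the organisation's own inventory ---

GENERATIONS = ("grandfather", "father", "son")

# Constructed inventory: backup set -> generation -> tape label.
RECORDED_INVENTORY: Dict[str, Dict[str, str]] = {
    "FIN-DB": {"grandfather": "T1001", "father": "T1002", "son": "T1003"},
    "HR-DB": {"grandfather": "T2001", "father": "T2002", "son": "T2003"},
}
# Constructed result of the auditor's physical count at the vault.
OBSERVED_AT_VAULT: Set[str] = {"T1001", "T1002", "T1003", "T2001", "T2003", "T9999"}


def substantive_test_tape_rotation(recorded: Dict[str, Dict[str, str]],
                                   observed: Set[str]) -> List[str]:
    """Every recorded generation must be physically present; nothing unrecorded may be."""
    findings: List[str] = []
    expected: Set[str] = set()
    for backup_set, gens in recorded.items():
        for gen in GENERATIONS:
            label = gens.get(gen)
            if label is None:
                findings.append(f"{backup_set}: no {gen} generation recorded")
                continue
            expected.add(label)
            if label not in observed:
                findings.append(f"{backup_set}: {gen} tape {label} recorded but not at vault")
    for label in sorted(observed - expected):
        findings.append(f"unrecorded tape {label} found at vault")
    return findings
```

Calling `compliance_test_change_control(PREVIOUS_CONFIG, CURRENT_CONFIG, CHANGE_TICKETS)` traces both NTP lines to CHG-0412 and leaves the new `permit ... eq 22` rule as an exception with no change-control record, the situation the next paragraph warns about; `substantive_test_tape_rotation(RECORDED_INVENTORY, OBSERVED_AT_VAULT)` reports the missing HR-DB father tape and an unrecorded tape sitting in the vault. Note that the compliance test says nothing about whether the change was a good one, only whether the procedure was followed, while the substantive test is about the state of the thing itself.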

The second area deals with “how do I go about getting the evidence to allow me to audit the application and make my report to management?” It should come as no surprise that you need the following:

  • Review IT organizational structure
  • Review IT policies and procedures
  • Review IT standards
  • Review IT documentation
  • Review the organization’s BIA
  • Interview the appropriate personnel
  • Observe the processes and employee performance
  • Examination, which incorporates by necessity, the testing of controls, and therefore includes the results of the tests.

As an additional comment on gathering evidence, observation of what an individual does versus what they are supposed to do can provide the IT auditor with valuable evidence when it comes to control implementation and understanding by the user. Performing a walk-through can give valuable insight as to how a particular function is being performed.

Application vs. general controls

General controls apply to all areas of the organization including the IT infrastructure and support services. Some examples of general controls are:

  • Internal accounting controls
  • Operational controls
  • Administrative controls
  • Organizational security policies and procedures
  • Overall policies for the design and use of adequate documents and records
  • Procedures and practices to ensure adequate safeguards over access
  • Physical and logical security policies for all data centers and IT resources

Application controls refer to the transactions and data relating to each computer-based application system; therefore, they are specific to each application. The objectives of application controls are to ensure the completeness and accuracy of the records and the validity of the entries made to them. Application controls are controls over IPO (input, processing and output) functions, and include methods for ensuring the following:

  • Only complete, accurate and valid data are entered and updated in an application system
  • Processing accomplishes the designed and correct task
  • The processing results meet expectations
  • Data is maintained
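An added example of what testing application controls over input, processing and output can look like when the auditor re-performs the processing independently and compares the result with what the application produced; this is not from the article. It assumes a payment batch whose header carries a record count and a hash total, and an application that should reject invalid records to an exception report and post the rest. The batch, the validation rules and the application's output are constructed, and the output deliberately drops one record so that the completeness check has something to find.

```python
"""Re-performing application controls over input, processing and output (IPO).

Added illustration, not from the article. Assumption: a payment batch with a
header (record count, hash total); the application rejects invalid records to
an exception report and posts the rest. All data below is constructed.
"""
from decimal import Decimal
from typing import List, Optional, Tuple

VALID_ACCOUNTS = {"ACC-100", "ACC-200", "ACC-300"}  # constructed reference data

# Constructed input batch exactly as the application received it.
INPUT_BATCH = {
    "header": {"record_count": 4, "hash_total": Decimal("1250.00")},
    "records": [
        {"id": 1, "account": "ACC-100", "amount": Decimal("500.00")},
        {"id": 2, "account": "ACC-999", "amount": Decimal("250.00")},   # unknown account
        {"id": 3, "account": "ACC-200", "amount": Decimal("-100.00")},  # negative amount
        {"id": 4, "account": "ACC-300", "amount": Decimal("600.00")},
    ],
}

# Constructed output the application produced. Record 3 was silently dropped:
# neither posted nor reported, which the output check should catch.
APP_OUTPUT = {
    "posted": [
        {"id": 1, "account": "ACC-100", "amount": Decimal("500.00")},
        {"id": 4, "account": "ACC-300", "amount": Decimal("600.00")},
    ],
    "exceptions": [{"id": 2, "reason": "unknown account"}],
}


def rejection_reason(rec: dict) -> Optional[str]:
    """Input validity rule: why a record must be rejected, or None if it is valid."""
    if rec["account"] not in VALID_ACCOUNTS:
        return "unknown account"
    if rec["amount"] <= 0:
        return "non-positive amount"
    return None


def input_control_check(batch: dict) -> List[str]:
    """Input completeness/accuracy: detail lines must agree with the batch header."""
    records, header = batch["records"], batch["header"]
    findings = []
    if len(records) != header["record_count"]:
        findings.append(f"record count {len(records)} != header {header['record_count']}")
    total = sum(r["amount"] for r in records)
    if total != header["hash_total"]:
        findings.append(f"hash total {total} != header {header['hash_total']}")
    return findings


def reperform(batch: dict) -> Tuple[List[dict], List[dict]]:
    """Auditor's independent re-performance of the processing step."""
    posted, rejected = [], []
    for rec in batch["records"]:
        reason = rejection_reason(rec)
        if reason is None:
            posted.append(rec)
        else:
            rejected.append({"id": rec["id"], "reason": reason})
    return posted, rejected


def output_control_check(batch: dict, output: dict) -> List[str]:
    """Compare the application's output against the re-performed result."""
    exp_posted, exp_rejected = reperform(batch)
    posted_ids = {r["id"] for r in output["posted"]}
    exc_ids = {e["id"] for e in output["exceptions"]}
    findings = []
    for rec in output["posted"]:  # validity: nothing invalid got through
        if rejection_reason(rec) is not None:
            findings.append(f"record {rec['id']} posted despite failing validation")
    for rec in exp_posted:  # completeness: every valid record posted
        if rec["id"] not in posted_ids:
            findings.append(f"valid record {rec['id']} not posted")
    for rej in exp_rejected:  # completeness: every rejection on the exception report
        if rej["id"] not in exc_ids:
            findings.append(f"record {rej['id']} should be rejected ({rej['reason']}) "
                            "but is not on the exception report")
    posted_total = sum(r["amount"] for r in output["posted"])  # accuracy: control total
    exp_total = sum(r["amount"] for r in exp_posted)
    if posted_total != exp_total:
        findings.append(f"posted total {posted_total} != expected {exp_total}")
    unaccounted = {r["id"] for r in batch["records"]} - posted_ids - exc_ids
    for rid in sorted(unaccounted):  # every input record accounted for exactly once
        findings.append(f"record {rid} neither posted nor reported")
    return findings
```

With the constructed batch, `input_control_check(INPUT_BATCH)` is clean (the header totals agree with the detail lines), while `output_control_check(INPUT_BATCH, APP_OUTPUT)` returns two findings about record 3: it should have been rejected for a non-positive amount but is missing from the exception report, and it is accounted for nowhere in the output. A posted total that still reconciles is exactly why the record-level completeness check is needed alongside the control total.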

As an IT auditor, your tasks when performing an application control audit should include:

  • Identifying the significant application components, the flow of transactions through the application (system) and gaining a detailed understanding of the application by reviewing all available documentation and interviewing the appropriate personnel (such as system owner, data owner, data custodian and system administrator)
  • Identifying the application control strengths and evaluating the impact, if any, of weaknesses you find in the application controls
  • Developing a testing strategy
  • Testing the controls to ensure their functionality and effectiveness
  • Evaluating your test results and any other audit evidence to determine if the control objectives were achieved
  • Evaluating the application against management’s objectives for the system to ensure efficiency and effectiveness

IT audit control reviews

After gathering all the evidence the IT auditor will review it to determine if the operations audited are well controlled and effective. Now, this is where your subjective judgment and experience come into play. For example, you might find a weakness in one area which is compensated for by a very strong control in another adjacent area. It is your responsibility as an IT auditor to report both of these findings in your audit report.

The audit deliverable

So what’s included in the audit documentation and what does the IT auditor need to do once their audit is finished? Here’s the laundry list of what should be included in your audit documentation:

  • Planning and preparation of the audit scope and objectives
  • Description or walkthroughs on the scoped audit area
  • Audit program
  • Audit steps performed and audit evidence gathered
  • Whether services of other auditors and experts were used and their contributions
  • Audit findings, conclusions and recommendations
  • Audit documentation relation with document identification and dates (your cross-reference of evidence to audit step)
  • A copy of the report issued as a result of the audit work
  • Evidence of audit supervisory review

When you communicate the audit results to the organization it will typically be done at an exit interview where you will have the opportunity to discuss with management any findings and recommendations. You need to be certain of the following: 

  • The facts presented in the report are correct
  • The recommendations are realistic and cost-effective, or alternatives have been negotiated with the organization’s management
  • The recommended implementation dates will be agreed to for the recommendations you have in your report

Your presentation at this exit interview will include a high-level executive summary. 

Your audit report should be structured so that it includes:

  • An introduction (executive summary)
  • Findings in a separate section, grouped by the intended recipient
  • Your overall conclusion and opinion on the adequacy of controls examined and any identified potential risks
  • Any reservations or qualifications concerning the audit
  • Detailed findings and recommendations

Finally, there are a few other considerations that you need to be cognizant of when preparing and presenting your final report. Who is the audience? If the report is going to the audit committee, they may not need to see the minutiae that go into the local business unit report. You will need to identify the organizational, professional and governmental criteria applied such as GAO-Yellow Book, CobiT or NIST SP 800-53. Your report will want to be timely to encourage prompt corrective action.

And as a final parting comment, if during an IT audit, you come across a materially significant finding, it should be communicated to management immediately, not at the end of the audit.

You can find other articles related to IT auditing and controls here.

Ken is President and owner of Data Security Consultation and Training, LLC. He has taught cybersecurity at the JAG school at the University of Virginia, KPMG Advisory University, Microsoft and several major federal financial institutions and government agencies. As CISO for the Virginia Community College System, Ken’s focus was the standardization of security around the ISO 27000 series framework. Writing is one of his passions and he has authored and/or co-authored several courses, including CISSP, CISA, CISM, CGEIT, CRISC, DoD Cloud Computing SRG and a course for training Security Control Assessors using NIST SP 800-53A. Ken has also achieved a number of certifications, including CISSP, SSCP, CCSP, CAP, ISSMP, ISSAP, ISSEP, CISM, CISA, CAC, CEH, ISO9000LA, ISO14001LA, ISO27001PA, Security+, CySA+, CASP, CTT+, CPT, GSEC, GSNA, GWAPT, CIA, CGAP, CFE, MCP, MCSA, MCSE and MCT.


The ultimate guide to conducting an IT audit (with checklist)


What is an IT audit?

Depending on how large your organization is, you can either run a single comprehensive IT audit or audit different areas of your infrastructure individually. And depending on what your IT processes look like, there are a few different types of IT audits you can consider to shore up security. Here are some examples:

Cybersecurity audits: These audits look for potential weaknesses hackers or other bad actors can exploit to access protected data.

Enterprise-level IT structure audits: Because IT processes are more effective at scale when they have a defined structure, it's worthwhile to analyze how they've been organized.

Existing systems and applications audits: Businesses can audit the security measures for all existing systems and applications. 

Developing systems and applications audits: As businesses create new IT systems to meet their changing needs, they should be audited to ensure they're aligned with existing security standards.

Physical IT facility audits: Businesses can audit the conditions and security measures in place at the physical locations related to their essential IT infrastructure.

Third-party audits: It can be worthwhile to assess how well third-party applications are performing and how they affect the business's broader IT infrastructure.

Server audits: These audits assess the business's overall network security performance and whether it meets compliance standards.

Across the board, the goal is to assess the risks associated with your IT systems and to find ways to mitigate those risks, either by solving existing problems, correcting employee behavior, or implementing new systems.

Why you should perform IT audits regularly

In short: because everything your business does depends on a functioning IT ecosystem. Technology, like Bob Dylan once said, is a-changin', and so are cyber threats. Regular IT audits ensure your IT operations are keeping up with evolving standards in software and hardware while staying vigilant in the face of smarter and smarter cyber attackers.

More specifically, IT audits help businesses:

Uncover previously unseen security risks within existing processes

Ensure all their assets are secure and have been properly updated

Identify potential vulnerabilities before they can be exploited

Find inefficiencies in IT processes and address them before they become obstacles

Gain actionable business insights from traditionally siloed IT processes

Promote trust for employees, customers, and vendors

Save money in the long term by keeping IT operations running efficiently and preventing costly outages

IT audit checklist

Editable IT audit checklist including steps around system security, standards and procedures, performance monitoring, documentation and reporting, and systems development

If you're already ready to execute your next IT audit—congrats, no need to read the rest of this post.

You'll also do well to keep these complex processes and detailed procedures organized with a dedicated doc. The IT checklist above divides common audit tasks into five typical IT buckets we'll explore in the next section in more detail: system security, standards and procedures, documentation and reporting, performance monitoring, and systems development.

5 key areas of an IT audit

Usually, IT audits are conducted by an organization's IT manager or cybersecurity director (in smaller organizations, those roles may be occupied by the business owner or head of operations). There are five key areas of an IT audit that more or less correspond with an IT manager's key responsibilities:

Standards and procedures: This will help you manage ongoing protocols for essential practices like disaster recovery, document disposal, and securing backups.

Documentation and reporting: This helps you keep your processes for security, logs, and incident reporting transparent year-round.

Performance monitoring: Steps in this section help your teams keep sound documentation of things like outages, network performance, and IT costs.

Systems development: These items ensure your audit accounts for system development, testing, and implementation.

Within each of these areas, the auditor will run through a checklist of items to evaluate. Our audit checklist covers all of the steps of a basic IT audit, but depending on your infrastructure needs, you may find that you need to add areas or that some of those listed aren't necessary for your company.


IT audit process: 5 steps

Though the IT audit itself usually happens over the course of a few days, the process really begins long before that, when you take a look at your calendar and start laying out plans to schedule an audit in the future.

Step 1: Plan the audit

The first decision you'll need to make is whether to conduct an internal audit or hire an outside auditor to come in and offer a third-party perspective on your IT systems. External audits are more common in large corporations or companies that handle sensitive data. For the majority of companies, an internal audit is more than adequate and will be a lot less expensive to plan. If you want a little extra peace of mind, you might establish a yearly internal audit and hire an outside auditor once every few years.

When planning your audit, you'll need to decide:

Who your auditor will be (whether that means choosing an outside auditor or identifying an employee to be responsible for the audit)

When your audit will take place

What processes you need to establish to prepare your employees for the audit

An auditor will likely need to speak with different employees and team managers to learn about your company's IT workflows, so it's important to make sure you're not booking your audit for a time when your employees are swamped with other work.

Step 2: Prepare for the audit

Once you have a general time frame hammered out, you'll need to work with your audit team to prepare for the audit itself. A shortlist of things you'll need to figure out in this stage includes:

Your audit objectives

The scope of the audit (what areas are being evaluated, and at what level of detail the auditor will perform their evaluation)

How the audit will be documented

A detailed audit schedule (which departments will be evaluated on different days, and how much time departments should plan to dedicate to the audit)

Step 3: Conduct the audit

Yup, conducting the audit is only step three in the five-step audit process. This step is pretty self-explanatory—if you did step two correctly, then step three will just be to execute the plan you created.

Keep in mind that even the best laid plans of mice and men (or I guess in this case, mice and keyboards) do often go awry, so this step may also include finding a way around any last-minute obstacles. Make sure you build in plenty of time so that you're not in a rush—if you wind up missing things in the audit, that defeats its whole purpose.

Step 4: Report your findings

After your audit is finished, you should have a hefty file of documentation to show for it with your auditor's notes, findings, and suggestions. The next step is to synthesize this information into an official audit report. This is the document you'll put on file for future reference and to help plan next year's audit.

Then, you'll want to create individual reports for the heads of each audited department. Summarize what was evaluated, run down the items that don't need changes, and highlight anything the department is doing really well. Then, give a rundown of the vulnerabilities the auditor identified, and separate them according to their cause:

Risks caused by poor adherence to established procedures will require corrective action.

Risks caused by vulnerabilities that had gone unnoticed prior to the audit will require new solutions.

Risks that are inherent to the department's work likely can't be eliminated completely, but the auditor may identify ways to mitigate them.

Along with each item, explain what the next steps will be in order to address the identified risks. In situations where risks were caused by willful carelessness, you may also want to loop in your HR department for guidance on how to handle the issue.

Step 5: Follow up

Let's be realistic: many (if not most) infrastructure vulnerabilities are caused at least in part by human error. Human error is just as likely to interfere with the solutions your team implements to correct the risks identified by the audit. 

After you deliver your report findings, put a date on the calendar to follow up with each team and ensure that corrections were implemented successfully. It's wise to schedule a few follow-ups throughout the year to check in with each team and make sure that everything continues to run smoothly until your next audit.

What about IT audit courses and certifications?

If you decide to handle your IT audits internally, it's a good idea to designate an auditor ahead of time and have them take relevant IT auditing courses to gain IT audit certification. Here are a few popular certifications to consider:

Certified Information Systems Auditor (CISA): This is probably the best-known IT audit certification, offered by the Information Systems Audit and Control Association (ISACA).

Certification in Risk and Information Systems Control (CRISC): Also offered by ISACA, this certification is good for those who want to focus on risk management.

Certified Information Systems Security Professional (CISSP): Offered by the International Information System Security Certification Consortium (ISC2), this certification is globally recognized for IT audits.

GIAC Systems and Network Auditor (GSNA): Another globally known certification, offered by Global Information Assurance Certification (GIAC), this helps IT professionals hone their technical auditing skills.

Certified Internal Auditor (CIA): The Institute of Internal Auditors (IIA) offers this versatile certification that's technically designed for broader internal auditing than just IT.

IT audit certifications aren't necessary, but they have a few pretty convincing advantages, like validating the security of your IT infrastructure, ensuring your teams are abiding by auditing fundamentals, and improving overall audit effectiveness. Let's just say it sounds a lot better when you can say your tech is backed by regular certified audits than it is to say your tech has occasional audits by an unnamed IT guy.

Keep in mind that certification takes time, so be prepared for your future auditor to set aside time to study up for their exam and pass it. Plus, there are other possible requirements, like mandatory work experience, application processing times, and the potential need to retake the exam. 

The auditor will also need to maintain their certification, so once they're certified, it can be helpful to work checkpoints into their ongoing responsibilities to ensure they're keeping up with requirements.

Automating your IT audits

You can also set up automations to do these "check-ins" for you by running regular vulnerability scans and monitoring system performance. Instead of filling your calendar with individual check-in meetings, you can let your tech handle the heavy lifting and only get involved when you get an alert.


This article was originally published in August 2022 by Amanda Pell. The most recent update was in August 2024.


Bryce Emley

Currently based in Albuquerque, NM, Bryce Emley holds an MFA in Creative Writing from NC State and nearly a decade of writing and editing experience. His work has been published in magazines including The Atlantic, Boston Review, Salon, and Modern Farmer and has received a regional Emmy and awards from venues including Narrative, Wesleyan University, the Edward F. Albee Foundation, and the Pablo Neruda Prize. When he isn’t writing content, poetry, or creative nonfiction, he enjoys traveling, baking, playing music, reliving his barista days in his own kitchen, camping, and being bad at carpentry.


IT Audit: Definition & Quick Guide (Checklist Included)

ProjectManager

If you’re running a business or managing a project, the impact of a cybercriminal on your company can be catastrophic. They can steal customer data and ruin your reputation. It’s something many don’t recover from. And, unlike in the physical world, where bad neighborhoods are more clearly demarcated, IT risks can be like a Trojan horse. They can appear friendly, but when your guard is down they ransack your data.

The threat can be internal, too, such as a disgruntled employee sabotaging everything you built for years in seconds. Bottom line: technology is useful, but it’s also vulnerable. That’s why organizations must do an IT audit to make sure their data and network are safe from attack. An IT security audit might be the only thing standing between success and failure.

What Is an IT Audit?

Audits sound bad. Nobody wants to get that letter announcing the IRS is about to open an audit on your financials. But an audit only means an official inspection of one’s accounts. An information technology audit is therefore an official examination of the IT infrastructure, policies and operations of an organization. It also adds an evaluation, to suggest improvements. IT audits have been going on since the mid-1960s and have continuously evolved since then as technology advances. They’re an important part of a good IT project management procedure.

You can think of this as an IT security audit. The point is to see if the IT controls in place are properly protecting the company’s assets, ensuring the integrity of the data, and staying in line with the goals and objectives of the company. This means that everything that involves IT is inspected, from physical security to the overall business and financial concerns.


Why Is It Important to Conduct an IT Audit?

An IT audit is crucial to guarantee that the IT operations, controls, infrastructure and processes of a company are safe from threats and working as intended. The main objective of an IT audit is to find areas of improvement and vulnerabilities to reduce the chances of IT risks and remain compliant with IT security standards. In addition to this key objective, there are other benefits from conducting regular IT audits, such as:

  • Improving existing IT service management policies, guidelines and processes to better align with the organization’s business objectives.
  • Finding new technologies such as software, hardware or networking that could help the company better store, manage and transfer its business data.
  • Obtaining certifications such as SOC 2, which allow companies to offer their products and services to new markets.
  • Ensuring employees across departments understand the company’s IT best practices.
  • Avoiding regulatory fines or business losses caused by ineffective IT security practices.

Types of IT Audits

In broad strokes, an IT audit can be broken into two types: general control review and application control review. But, if you want to get more specific, here are five categories of a well-executed audit.

  • Systems & applications: This focuses on the systems and applications within an organization. It makes sure they are appropriate, efficient, valid, reliable, timely and secure at all levels of activity.
  • Information processing facilities: Verifies that processing works correctly, promptly and accurately, whether in normal or disruptive conditions.
  • Systems development: Checks that systems under development are being created in compliance with the organization’s standards.
  • Management of IT and enterprise architecture: Makes sure that IT management is structured, and its processes run, in a controlled and efficient manner.
  • Client/server, telecommunications, intranets and extranets: This spotlights telecommunication controls, such as servers and the network, which is the bridge between clients and servers. All of this can be expedited with the help of IT project management software.

What Is an IT Auditor?

An IT auditor is responsible for inspecting the internal controls and risks associated with an organization’s IT infrastructure. Some of the main responsibilities of an IT auditor are identifying weaknesses, vulnerabilities and threats and suggesting solutions to prevent security breaches.

IT auditors help organizations meet security standards, obtain certifications and improve how data is managed. There are certifications for this skill, such as Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP).

IT Audit Process: How to Do an IT Audit

In a sense, an IT audit is a project, and like any project it involves planning, scheduling, reporting and tracking activities. Here’s a quick overview of each of the steps of the IT audit process.

1. Plan Your IT Audit

An IT audit is a thorough process, so you need to plan carefully. Without a solid action plan, your audit might not achieve its key purpose, which is to accurately find flaws, inefficiencies and vulnerabilities in your organization’s IT environment. To plan your IT audit, there are several steps you and your team should go through. Here are some of the most important.

  • Select an IT auditor; this could be an in-house internal auditor or an external firm
  • Set goals and objectives for your IT audit
  • Define the scope of your IT audit
  • Decide if your IT audit will be recurrent and if so, how often it will be conducted
  • Define a timeframe for your IT audit as well as a detailed schedule to inspect each area of your IT department
  • Establish roles and responsibilities for your employees as the audit is executed to make sure they’re on the same page
  • Create an IT audit plan to make sure stakeholders understand the IT audit scope, objectives and schedule

2. Execute the IT Audit

Once you have a solid IT audit plan, you can move on to the execution phase of your audit. During this phase, team management is key to making sure your IT department and any other employees and stakeholders involved collaborate with the IT auditor so that everything goes according to plan and the IT audit can be completed on time.


3. Make IT Audit Reports

As explained above, an IT audit is a process that seeks to find inefficiencies, vulnerabilities, threats and opportunities for improvement for your business’ IT operations, so documenting these findings is key for success. Once the IT audit is complete, it is critical to create a thorough audit report that compiles all the observations and suggestions from the IT auditor. This is one of the most important steps of any audit, as the findings are only useful to the organization if they’re well documented.

4. Follow Up

Ideally, the IT audit report should be an informative document with lots of suggestions to improve how your company manages its IT practices. Now, it’s time to plan how to put the audit findings into practice by taking actions such as training employees, procuring assets and implementing IT risk management frameworks.

IT Audit Checklist

Now that we’ve defined the major steps of the IT auditing process, let’s review some of the key areas that should be inspected during an IT audit.

IT Security Controls

  • Antivirus software
  • Network firewall
  • Password encryption
  • Two-factor authentication
  • Physical security measures
  • Unauthorized access alerts
  • Employee IT security training

Standards & Procedures

  • Employees are required to sign IT security acknowledgment agreements
  • IT assets are disposed of safely to avoid data breaches
  • Documents with sensitive data are shredded or disposed of safely
  • Data backups are done and reviewed frequently
  • Data is backed up in multiple locations
  • There’s a well-defined IT disaster recovery plan

Documentation & Reporting

  • Security protocols are well-documented
  • Security protocols are updated as IT infrastructure changes
  • IT logs are safely stored and reviewed frequently
  • IT incidents are documented thoroughly

Performance Monitoring

  • Outage events are recorded
  • Hard drive, RAM and cloud storage are monitored
  • Network performance is measured consistently
  • IT expenses are tracked and minimized

Systems Development

  • There are clear guidelines for managing the system design and development process
  • System testing protocols are established
  • There’s a post-implementation review process in place

While the items outlined above are a good starting point, there are many more variables that you should consider when planning and executing your IT audit so that it adjusts to the particular needs of your organization.

IT Audit Best Practices

The process of conducting an IT audit is complex and touches on all aspects of your information system. There are overarching general management issues and policies to consider. There’s also security architecture and design, systems and networks, authentication and authorization and even physical security. It involves continuity planning and disaster recovery, like any good risk management program.

There are, too, some overriding best practices that can steer you through the maze, so you start and finish effectively. These five tips will help you conduct an IT security audit properly.

  • Scope: By knowing the scope of the audit ahead of time, you’re more likely to have an audit that runs without problems. For one thing, you’ll want to involve all relevant stakeholders when planning. Speak to those who are working in the IT environment. They can help you understand what risks you’re looking to identify and understand the current capabilities of the system. This way you’ll have a better idea if there’s a need to adopt new technologies or not. Also, know the applicable laws and regulations to make sure you’re compliant.
  • Outside resources: You might have a team assembled in-house who are able to run the IT security audit themselves or you might need to seek outside contractors to help with parts or the whole thing. This must be determined beforehand. You might have an IT audit manager or need to hire a consultant, who can then train the team on what to keep an eye out for in-between IT audits.
  • Implementation: Know the inventory you have and put these systems down in a list organized by priority. Know industry standards, methods and procedures to make sure you’re keeping up with the most current practices. Evaluate your audit to see if assets are protected and risks mitigated.
  • Feedback: IT audit reports can feel like they’re in a different language if you’re not an IT professional. For the audit to be effective, the audit must be clear to those who are decision-makers. The IT auditor should give the report in person and field any questions so that when done there is no question about the work and whatever vulnerabilities were discovered.
  • Repeat: An IT audit isn’t a one-time event, of course, but in between audits there is still work to do. That includes offering recommendations going forward and using IT software that can automatically monitor systems, users and assets. It’s a good idea to have a plan set up to review applicable laws, regulations and new developments quarterly, as the technology space is notoriously fast-moving.

How ProjectManager Facilitates the IT Audit Process

When doing an IT audit, there are many tasks that probably require a team to execute. Sounds like a project. While there are software packages that are designed to monitor IT security, an audit is a different animal and can benefit from project management software to control it effectively.

Every audit can be broken down into a series of tasks, just as you use a work breakdown structure (WBS) to take a large project and break it up into smaller, more manageable pieces. A task list can be prioritized and then that spreadsheet uploaded into ProjectManager, where it’s transformed from a static sheet to a dynamic tool.

Visualize the Workflow With Kanban Boards

Once imported, the task list can be viewed in a variety of ways. There is the kanban view to manage workflows. The various tasks are individual cards, which are organized by columns that state whether the work is to be started, in progress or done. These cards can be assigned to one or more team members, who can comment directly on them to collaborate. Files and images can also be attached.


Make an Audit Schedule With Gantt Charts

Another view is the Gantt chart . This shows your task list to the left and populates those tasks across a timeline to the right. The tasks can again be assigned, collaborated on and tracked. ProjectManager is a cloud-based software, so all status updates are instantly reflected. Task dependencies can be linked to avoid blocking team members and if deadlines need to change that can be done with a simple drag and drop of the task timeline.


Project Dashboards for Monitoring the Audit

In terms of monitoring the progress of the IT security audit and reporting back to management, ProjectManager has a real-time dashboard. It keeps the project leader abreast of what’s going on and crunches the numbers automatically, displaying project metrics in clear and colorful graphs and charts. These can then be filtered to reflect the data you want and shared or printed out for a presentation.


ProjectManager also has many free templates to assist with various phases of any project. Our IT risk assessment template is a great place to start when doing an IT audit.

Information technology is part of almost every organization. The benefits are great, but so are the risks. ProjectManager is a cloud-based project management software that helps IT professionals manage the complex tasks involved in an IT audit. Try it free today with this 30-day trial.


A Step-by-Step Guide to Conducting an Effective IT Audit


Introduction

As an IT expert with over two decades of entrepreneurial experience and expertise in performing high-level IT audits, I understand the significance of a structured and comprehensive approach to ensure the success of these assessments. In this blog post, I will provide you with a detailed step-by-step guide to conducting an effective IT audit. Whether you are an IT professional seeking to enhance your auditing skills or a business owner interested in understanding the process, this guide will outline the key areas of focus and best practices to ensure a thorough and reliable IT audit.

Step 1: Define Audit Objectives and Scope

The first step in conducting an IT audit is to clearly define the audit objectives and scope. Identify the specific goals you aim to achieve through the audit and understand the extent of the systems, processes, and assets that will be included in the assessment. Collaborate with relevant stakeholders to ensure alignment with business objectives.

Step 2: Gather Information and Data

Collect relevant information and data about the IT infrastructure and systems to be audited. This may include hardware and software inventories, network diagrams, security policies, and access controls. Ensure the data collected is accurate and up-to-date to provide a reliable basis for analysis.

Step 3: Identify Key Risk Areas

During this phase, identify the key risk areas relevant to the audited systems and processes. Common risk areas include cybersecurity vulnerabilities, data privacy compliance, system availability, data backups, and disaster recovery capabilities. Tailor the risk assessment to the specific industry and business requirements.

Step 4: Conduct Interviews and Workshops

Engage with key personnel, including IT staff, department heads, and management, through interviews and workshops. These interactions provide valuable insights into the functioning of IT systems, potential weaknesses, and areas for improvement.

Step 5: Perform Technical Testing

Utilize various technical tools and methodologies to perform in-depth testing of IT systems. This may include vulnerability assessments, penetration testing, and network security scans. Analyze the results to identify security gaps and weaknesses.

Step 6: Review IT Policies and Procedures

Assess the organization’s IT policies and procedures, including change management, access controls, incident response, and data handling. Ensure that these policies align with industry best practices and regulatory requirements.

Step 7: Analyze Findings and Prioritize Risks

Consolidate the audit findings and analyze the identified risks. Rank the risks based on their potential impact and likelihood of occurrence. This analysis helps prioritize remediation efforts and resource allocation.

Step 8: Develop Actionable Recommendations

Based on the audit findings, develop clear and actionable recommendations to address the identified risks and weaknesses. Provide detailed steps for remediation, along with suggested timelines and responsible parties.

Step 9: Present Audit Report and Obtain Feedback

Prepare a comprehensive audit report that includes an executive summary, detailed findings, risk analysis, and recommended actions. Present the report to key stakeholders, seek feedback, and address any concerns or questions.

Step 10: Monitor and Follow Up

An IT audit is a continuous process, and its effectiveness depends on follow-up actions. Monitor the implementation of recommended changes and track progress over time. Periodically review and update the audit process to stay relevant to evolving IT landscapes.

Conclusion

Conducting an effective IT audit requires meticulous planning, thorough assessment, and clear communication. By following this step-by-step guide and incorporating best practices, IT professionals can ensure their audits provide valuable insights and contribute to the overall success and security of the organization. As an experienced IT expert, I encourage individuals and businesses to invest in regular IT audits to stay proactive in identifying and mitigating risks and maintaining a resilient technology infrastructure.

Further Reading

10 Reasons Why a VC Should Conduct an IT Audit Before Investing

The Crucial Role of IT Audits in M&A Transactions

The Impact of Digital Transformation on IT Auditing Practices

Emerging IT Trends and Their Impact on Business Auditing

What Is an IT Internal Audit and Why Do You Need One?

Matthew Olney

An IT Internal Audit has become increasingly vital for businesses to maintain the integrity, efficiency, and compliance of their IT systems. We explore what IT Internal Audits entail and why they are proving increasingly indispensable for the security of organizations.  

Understanding IT Internal Audits  

The definition and purpose

An IT Internal Audit is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps in achieving organizational objectives by systematically evaluating and enhancing the effectiveness of risk management, control, and governance processes within the IT infrastructure.  

Integrity360’s IT Internal Audit Service is tailored to suit the specific needs of our clients, spanning short-term to long-term commitments. We specialize in collaborating with Internal Audit functions to execute a series of IT Audit reviews, as stipulated in the Clients' Internal Audit plan. Unlike operational internal audit reviews, our focus is solely on IT Internal Audit Reviews, addressing the technological facets of your organization.  


The Role of a Chief Audit Executive in IT Internal Audits  

The Chief Audit Executive (CAE) is a central figure in internal auditing, often reporting directly to the CEO or Finance Director, while also maintaining a link to the Board Chairman. This position allows the CAE comprehensive oversight across the organization. Underpinned by the 'Internal Audit Charter' approved by the Board, the CAE possesses the authority to scrutinize any business operation, ensuring thorough and independent audits.  

The CAE's main responsibility is to the Board, delivering reports that include management recommendations for addressing identified risks. A key part of their role involves conducting follow-up audits to check the implementation of these recommendations, ensuring accountability and effective risk management. This makes the CAE crucial in upholding the integrity and efficiency of an organization's operations, especially in the IT sector.  


Why Your Business Needs an IT Internal Audit  

Compliance with Regulations  

For companies listed on stock exchanges like the FTSE 100 or 250, it's a regulatory requirement to have an Internal Audit (IA) function. An IT Internal Audit ensures that your organization not only complies with these mandates but also remains prepared for any regulatory shifts.  

Industry Reliance on IT  

In sectors extensively dependent on IT, establishing an IT audit team is not merely advisable; it's essential. This team is pivotal in managing and mitigating risks linked to IT systems and operations. Gaining visibility of your IT estate is vital in detecting any vulnerabilities and allows the organization to better provide evidence that they take their cyber security seriously to any regulators should the worst occur.  

Effective Resource Utilisation  

Many organizations grapple with completing their annual internal audit plan on time or lack the in-house technical expertise. Employing our IT Internal Audit Service can provide project-specific resources, thereby obviating the need for additional full-time staff.  

Aligning Performance with Expectations  

Evaluating how the IA function performs and whether it aligns with the Board's expectations is crucial. Our service identifies areas for improvement, enhancing the efficacy of the IA function.  

Managing Complexity and Third-Party Dependencies  

As operational complexity and dependency on third parties (like cloud service providers) increase, IT Internal Audits become critical in managing these relationships and ensuring the security and efficiency of such arrangements.  

Avoiding Regulatory Pitfalls  

Failure to execute the internal audit plan can lead to regulatory complications. Our service ensures the timely and comprehensive completion of your internal audit plan and the avoidance of such regulatory pitfalls.   

In short, an IT Internal Audit is more than a regulatory requirement; it's a strategic instrument that bolsters your IT infrastructure's control environment, aligns IT operations with business objectives, and guarantees the effective and secure functioning of your technological assets. By engaging with the experts at Integrity360, your organization can adeptly navigate the complexities of the IT domain, ensuring compliance, security, and operational excellence.  

Why use Integrity360 for your IT Internal Audit?  

  • We can fulfill the objectivity and independence requirements set out in Internal Audit Charters  
  • Integrity360 will seamlessly adopt the format of existing IA reports  
  • Integrity360 can follow existing IT audit plans and be able to scope, plan, and complete projects within the annual planned schedule  
  • Integrity360 can conduct risk assessments to prepare annual or 3-year IT audit plans  
  • Integrity360 can present IT audit reports to the CISO, Senior Management, and the Board of Directors  
  • We can perform follow-up reviews on reports we previously issued  

For more information on our IT Internal Audit as a Service, get in touch with us.


Matthew Olney

Matthew is Integrity360’s Content Marketing Specialist and has worked in cyber security for over 6 years being nominated for a national cyber writing award in 2019. He turns complicated cyber security into simpler language designed to help everyone get to grips with this vitally important topic.

A brief guide to assignment reporting
You’ll report to stakeholders with your opinion on the effectiveness of the controls in place to manage risk, a balanced overview of key effective controls and to agree on actions that will address the key issues.

A ‘no surprises’ approach to continuous communication should be adopted throughout assignments. This open communication will build professional relationships and assist the internal auditor in assuring themselves as to the validity of their findings.

At the end of the audit a formal feedback meeting should also be held with the stakeholders agreed at the assignment planning stage. At this meeting a balanced overview should be communicated, giving a complete picture of the audit work undertaken and the results of the audit, and any issues should be discussed openly in order to:

  • ensure there are no surprises
  • clarify the facts
  • avoid misunderstandings
  • influence management as to what action is required to address the risk exposure
  • discuss, and where possible agree, corrective actions at this time

Assignment reporting

Internal audit reports to a range of stakeholders with its opinion on the effectiveness of the controls in place to manage risk, a balanced overview of key effective controls, and the agreed actions to address any areas for improvement identified by the audit.

The reporting format should balance the differing needs of stakeholders. A departmental template for written reports, guidance and training should be in place.

In-house guidance and training should cover both verbal and written reporting, influencing skills, dealing with conflict and how to write effective audit reports. The department should continually improve reporting and seek to meet the needs of all stakeholders, from local to senior management and the audit committee.

Reports generally include an executive summary (to meet the needs of audit committee and senior management) and a detailed findings section (to meet the needs of local management) including the issue detail, evidence, the associated risk and agreed actions with dates and responsibility.

The executive summary should provide a balanced overview enabling senior management and the audit committee to quickly understand why you’ve reached your opinion. It should be in context and include the key risks, key effective controls and key weaknesses identified.

Internal audit needs to provide sufficient context within written reports and importantly remember to write to its audience. The audit committee members may not be fully aware of technical jargon or sector specific terms. Where it is not possible to avoid such language then a glossary may prove beneficial.

It is important to make clear any limitations to the scope of the work as agreed during the assignment planning stage and which may have subsequently arisen during performance of the assignment.

Issues aren’t always black and white and additional information will provide the reader with a full picture as to why controls / processes require strengthening. Aspects to consider include:

  • the economic, regulatory and political environment
  • competitor behaviour and risk issues
  • the market environment
  • material organisational changes
  • trends highlighted by audit intelligence, e.g. improving or deteriorating controls or clearance of issues
  • all reports should be based on fact and evidence

However, you must balance the above with brevity and focus as otherwise important messages can be lost. The auditor should also balance narrative and statistical / graphical reporting to communicate their message in the most effective manner.

Within the detailed findings section the most material issues should be reported first.

It may be appropriate to group findings together to reduce the overall number of actions for reporting purposes. If doing so, you should consider if findings have the same root cause, the same impact or the same source. For example, do they relate to not evidencing control, imply that data is insecure or all relate to the same team or manager?

There are a variety of views on arriving at the agreed actions presented within reports. In general these are:

  • The internal auditor makes recommendations, based upon their understanding, which management then consider and respond to, either accepting or proposing an alternative.
  • The internal auditor does not make any recommendation, instead they just present the finding and risk, which management then state how they will address it.
  • The two parties discuss the findings and risks identified, exchanging professional views and documenting this within the report, which management then confirm acceptance of.

The key is to agree a protocol that works for your organisation. Whatever approach is adopted, it is important that everyone understands that the agreed actions must be owned by management. It is not internal audit’s responsibility to implement the identified improvements.

Internal audit should agree with the organisation what level of management can agree actions. Relevant factors will include the seriousness of the issue and the length of time the action will remain open, and also who can approve the acceptance of risk and how this should be documented for clear communication to audit committee.

The focus for audit committee should be upon acceptance of issues within the report and what management are going to do to put it right. Avoid excuses.

Audit opinions and issue ratings (if used) should be defined and communicated as an appendix to the audit report. Changes to the grading methodology should be discussed with audit committee and senior management to ensure that they reflect the views of the business and align with wider risk management processes wherever possible.

Performance reporting

Audit progress reports should also include quantitative and qualitative information on the performance of the audit function, in particular reporting against any agreed protocol and against the key performance indicators set out in the approved IA charter.

Frequency of reporting

Frequency of reporting at an individual assignment level will be driven by the completion of audits. It is important to issue reports in a timely manner to ensure the results of the audit are communicated whilst the feedback meeting is still fresh in participants' minds and to ensure timely resolution of issues identified.

The CAE should agree the frequency of other reporting and the format of that reporting with audit committee and senior management.

The audit committee should receive a CAE annual internal audit report and opinion. However, most committees will, as a minimum, also want regular progress reporting against the annual plan and sight of any reports that have resulted in a negative opinion, so that they have early sight of issues that affect the annual assurance provided.

Depending upon the size of the audit plan, the audit committee may receive copies of all reports in the same manner as management, or a summarised progress report from which they can then choose to dive into the detail of individual reports should they so wish.

Frequency of reporting is likely to reflect the number of audit committees per annum. Typically these occur quarterly.

Some organisations will report upon critical issues every month.

Annual internal audit report and opinion

The annual report should reflect upon the work performed over the year and provide an overall opinion in respect of risk management, corporate governance and internal control.

This should be based upon the internal audit work performed during the year, knowledge and consideration of other assurance work, and management’s progress, commitment and ability to implement recommendations and complete required actions on a timely basis.

This report should also highlight significant risk exposures and control issues, including fraud risks, governance issues, and other matters requested by senior management and audit committee.

IIA IPPF Standard 2060 – reporting to senior management and the board

IIA IPPF Standard 2400 – communicating results

IIA IPPF Standard 2600 – acceptance of risk

What Is an IT Audit? (2024)

In an interconnected world, reliable cybersecurity isn't just a priority — it's a business imperative. As technology has well and truly become the main driver of effectiveness and innovation, inefficiencies at best, and — knock on wood — looming cyberthreats at worst, pose more danger than ever.

Data breaches may lead to operational shutdowns, and a bad IT infrastructure can cause serious drops in productivity, resulting in huge material and reputational losses. Regular IT audits provide a proactive approach to monitor and protect your organization's digital systems against potential threats.

With system audits, businesses ensure regulatory compliance and build trust and brand reputation by keeping customer information safe. Learn more about the importance of IT audits from our experts.

Table of Contents

  • What is an IT audit
  • The benefits of IT audits
  • Types of IT audits
  • IT audit: five key areas
  • Conducting an IT audit
  • IT audit takeaways
  • IT audit FAQs

IT auditing is the process of evaluating a company’s information technology (IT) infrastructure, including the accompanying procedures, policies, and devices in use, mainly for the purpose of security. Audits are designed to make sure that the infrastructure works securely, while employees adhere to corresponding security standards by using their devices correctly.

In a way, it’s similar to other inspections (like technical SEO audits) that evaluate the status of your systems, website, or any other system.

Why are information technology audits essential for businesses and individuals? Last year alone, 353 million people were subjected to data breaches. Even more alarming, this represents a 77% increase from 2022. The average data breach costs companies around $4.45 million to mitigate in 2023.

Besides the obvious material losses, companies may suffer huge reputational damage that is often harder to remedy than updating their IT infrastructure.

Let’s take a quick look at the main benefits of regularly auditing your IT infrastructure:

  • Ensuring the safety and security of all the company’s technology through proper updates
  • Identifying obvious and potential system vulnerabilities before cyber criminals can exploit them
  • Maintaining and enforcing security and privacy compliance measures
  • Identifying inefficient IT processes and addressing them before they further disrupt workflows
  • Adapting your systems to evolving security standards and needs

Depending on the size of your organization, you may run a comprehensive audit or examine different aspects of your entire infrastructure at a time. Also, depending on the IT processes you’ve implemented, there are several IT audit types you can use to double-check your security.

  • Cybersecurity audits: These inspections look for potential system weaknesses that hackers may exploit to access sensitive company data.
  • Auditing existing applications and systems: Businesses may also audit the security measures for their existing applications and systems.
  • Enterprise-level audits: It’s worth considering comprehensive audits, as most IT processes are more effective at scale with a defined structure. Analyzing the entire system and how it’s been organized can prove more effective in identifying potential weaknesses.
  • Auditing systems and applications under development: Businesses will eventually need to build new IT systems, adhering to evolving technology needs. These infrastructures should also be audited and tested to ensure they are up to par with existing security protocols.
  • Third-party audits: These inspections assess how third-party applications and systems perform, as well as their effect on the company’s broader IT infrastructure.
  • Physical IT facility audits: Examinations that assess the security measures and conditions at the IT infrastructure’s physical location.
  • Server audits: Inspections focusing on assessing the overall network’s security performance and whether it needs to update compliance standards.

These information technology audits aim to determine the risks associated with your IT infrastructure and find effective ways to remedy them. This could involve addressing existing issues, changing employee behavior, or building new systems.

Just as with testing your website’s overall user experience, the last thing you want to do is conduct random tests and hope for the best.

IT audits should be conducted strategically by your in-house IT team or external partners, such as cybersecurity firms and IT service companies. As these audits are designed to examine the entire system's efficacy, the strategy should consist of five key areas that also correspond with your IT team’s basic responsibilities. These include:

  • Examining system security
  • Inspecting whether your employees and experts adhere to safe IT standards and procedures
  • Monitoring the infrastructure's performance
  • Documenting the processes and creating reports
  • Developing new systems if necessary

While performing each of these processes, auditors have checklists that will help them evaluate the system, covering the basic steps of IT audits. However, depending on your infrastructure and needs, you may need to incorporate new areas essential for your business.

Even though audits will usually take a few days, the actual process will begin long before that. As such, it’s important to consider the entire timeframe of the process and start laying out plans before you opt for scheduling an audit.

Step 1: Plan

The first major decision you’ll have to make is whether you will conduct the audit internally or whether you’ll hire an external expert. Larger enterprises with more sensitive data typically prefer the latter option.

However, for mid-sized and smaller companies, internal audits can also prove valuable and less expensive to plan and carry out. To enjoy the best of both worlds, consider establishing yearly internal audit protocols and opt for the help of outside auditors once every few years.

During the planning phase, you’ll need to make a few decisions:

  • Who will the auditor be? (as discussed above)
  • When will you want the audit to happen?
  • What kind of protocols do you need to implement beforehand to ensure your employees will be prepared for the audit?

Auditors will likely want to speak with some of your managers and employees to learn more about your IT processes. Therefore, plan to make your staff available for those meetings throughout the audit duration.

Step 2: Prepare

Once you have the basics above sorted out, it’s time to start working with the audit team to initiate the preparation process. Here’s a quick list of the things you will need to address at this stage:

  • Audit objectives
  • The inspection’s scope (the areas that will be evaluated and how granular the inspection will be)
  • Possible ways for documenting the audit
  • Detailed audit workflow, including schedules and timeframes

Step 3: Perform the Audit

This step doesn’t need much explanation — if your plan is detailed enough, all you’ll have to do is follow each step.


However, don't forget that even the best plans can go awry, meaning that no matter how well you laid out the audit plans, you will likely need to address last-minute issues. Don’t rush each stage and allow enough time for inspecting every area of your infrastructure. This flexibility helps address problems when they arise and ensures no critical audit aspects are missed.

Step 4: Generate Reports

Once the audit is complete, you should have comprehensive documentation, including auditor notes, suggestions, and findings. The next step should be compiling all the information into a well-structured report. Filing the report for future reference is essential.

Once this is done, create individual reports for each department leader, summarizing the evaluation, and addressing items that don’t need changing. Additionally, provide an overview of potential weaknesses identified by the audit team, categorized by their root causes:

  • Vulnerabilities caused by noncompliance with established standards and procedures
  • Unnoticed risks caused by vulnerabilities that will require newly implemented solutions
  • Risks that can’t be eliminated and should be mitigated

Along with every issue, you should also include an explanation of the next steps that will be taken to address these risks. In cases where risks stem from intentional negligence, consider involving your HR team in handling the issue.

Step 5: Follow-Ups

According to a joint study by Tessian and Stanford, around 88% of data breaches are caused by human error, while an old IBM study suggests that the percentage is closer to 95.

Human error is a major contributor to data breaches, potentially hindering the implementation of new solutions aimed at mitigating the identified vulnerabilities during the audit.


It’s vital to schedule follow-up meetings with all departments to ensure that the suggested changes have been implemented. Continue meeting with them regularly to discuss progress or concerns until your next audit.

IT audits are essential to keep your information infrastructure running smoothly and safely, ensuring all possible system vulnerabilities and risks are addressed and your sensitive data is out of unwanted hands.

It’s essential to make yearly IT audits a priority. Try to help your staff understand the need to adhere to safety protocols and other best practices to avoid costly and highly damaging data breaches.

Should you conduct audits with in-house teams or with outside professionals?

In-house teams are familiar with your infrastructure and may know about a few faulty protocols and vulnerable systems. Outside experts, on the other hand, can have a fresh perspective on things. To get the best of both worlds, conduct regular audits with your team every year, and opt for outside assistance once every few years.

What are the major consequences of a data breach?

Data breaches can result in immediate financial damage to your company, and to your customers if you handle their sensitive personal and financial information. Mitigating the issues and implementing new systems can also be costly. However, the reputational damage may cause even bigger problems, such as reduced trust and credibility, fewer new customers, and loss of current clientele.

How can you mitigate potential issues and vulnerabilities?

Depending on the type of problem, you may need to update or revamp some aspects of your infrastructure, or you may need additional security controls such as active monitoring and frequent vulnerability testing. In other cases, it may be necessary to enforce safe device and internet usage practices so that your staff do not expose themselves and your systems to attacks.

Szabolcs Szecsei


IS Audit Basics: The Components of the IT Audit Report

ISACA Journal, 2020, Volume 1

Audit and Assurance

While authoring this column and, indeed, participating in the Audit and Assurance community on ISACA’s Engage Online forum,[1] my opinion is often sought on a wide range of audit-related topics from ISACA members around the world. Recently, I was asked about the contents of an audit report, and this struck me as something that was worthy of further discussion. We (as IT auditors) spend many hours discussing and seeking audit programs (which are of no interest to the business) and little or no time discussing the audit report, which (we hope) will provide business value.

So, what are the components of an IT audit report? This, of course, depends on the type of audit. According to ISACA, there are three types: an examination, a review and an agreed-upon procedure.[2] We will concentrate on examination, which is a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions[3] about an entity or event, processes, operations, or internal controls for the purpose of forming an opinion and providing a report on the degree to which the assertions conform to an identified set of standards.[4] Fundamentally, this is our “standard” audit.

Audit Report Components

The mandatory components of an IT audit report are described in ISACA’s Information Technology Assurance Framework (ITAF)[5] under Guideline 2401, Reporting. In addition, an ISACA white paper, IS Audit Reporting, suggests further discretionary components (figure 1).[6] The components are not necessarily in any order and many are self-explanatory (additional information may be found in the referenced documents, if required); however, the items in italics are worthy of further discussion. It is important to note that although ITAF requires these components, that does not necessarily mean that an audit report will have a separate section or heading for each. The components may be combined under different sections.

Figure 1

Scope of the Audit Engagement

The audit scope should define the audit subject. It should define the limits to the audit. This can be an organization, a division within the organization, a business process, an application system or supporting technology, such as a particular platform or network.[7] The scope statement should also define the period under review and when the audit was performed. To a knowledgeable reader, audit scope should indicate the expected breadth of audit work and topic areas covered.[8]

Source of Management’s Representation

Management may make representations about the effectiveness of the control procedures. These are usually in the form of assertions, that is, any formal declaration or set of declarations about the subject matter made by management.[9] Common assertions include confidentiality, integrity, availability and compliance. So, management may assert that the application under review is in compliance with, say, the Payment Card Industry Data Security Standard (PCI DSS).

Objectives of the Audit

The purpose of the audit is identified in the audit objectives. Why are we auditing it? The objectives identify the items to be evaluated or assessed by the audit.[10] Audit objectives are most commonly phrased as, “To determine whether…” or, for example, “To assess the adequacy of internal controls.”[11] An objective may be “To determine whether the application under review is in compliance with PCI DSS.”

Source of the Criteria

Criteria are the standards and benchmarks used to measure and present the subject matter and against which an IS auditor evaluates the subject matter.[12] Criteria are often defined by the entity that is under review (e.g., contracts, service level agreements [SLAs], policies, standards); however, there will be instances, for example, when an organization has not defined its own standards, when other criteria should be applied. Criteria can be established by ISACA, other bodies of experts, and laws and regulations, or can have been developed specifically for the audit engagement.[13] Following the PCI DSS example, ISACA’s ICQ and Audit/Assurance Program for PCI DSS Compliance Program[14] might be considered suitable criteria.

Findings, Conclusions and Recommendations

Audit findings are provided in the audit report when action is required to correct a deficiency in a process or its related controls.[15] The five key elements, or attributes, that should be addressed when presenting an audit finding are described in figure 2.

Figure 2

It is also good practice to allocate a rating to indicate the significance of each finding, along with a unique reference number to easily identify the item. These can be used by management to prioritize its response and by audit to track the findings through to completion.[16] The findings can also be presented in order of their significance. When capturing management’s responses, always capture the manager responsible and an agreed implementation date. These will aid with the audit follow-up process.[17]

An Expression of Opinion

The purpose of this section is to provide an overall conclusion or opinion with respect to the engagement’s audit objectives. An auditor’s opinion is a formal statement expressed by the IT audit or assurance professional that describes the scope of the audit, the procedures used to produce the report, and whether or not the findings support that the audit criteria have been met. The types of opinions are:[18]

  • Unqualified opinion—Notes no exceptions, or none of the exceptions noted aggregate to a significant deficiency. Essentially a clean bill of health with respect to the audit objectives.
  • Qualified opinion—Notes exceptions aggregated to a significant deficiency (but not a material weakness). In this instance, the report should include an explanatory paragraph stating the reasons why a qualified opinion is expressed in the report.
  • Adverse opinion—Notes one or more significant deficiencies aggregating to a material weakness. From an internal control perspective, an adverse opinion is expressed when adequate controls are not in place or in effect to provide reasonable assurance that control objectives are met, or when there is a reasonable likelihood that the control objectives are not met. Again, include an explanatory paragraph stating the reasons why the opinion was reached.

A disclaimer of opinion is issued when the auditor is unable to obtain sufficient appropriate audit evidence on which to base an opinion or if it is impossible to form an opinion due to the potential interactions of multiple uncertainties and their possible cumulative impact.

Executive Summary

An executive summary is a concise document demonstrating the problem, findings and recommendations of a longer report.[19] It typically includes a high-level description of the primary message of the report, key audit objectives and a brief summary of audit results.[20] It is not mandated by ITAF, but is highly recommended as, often, it is the only section of the report that will be read by senior executives.

IT audit professionals spend many hours searching for and discussing IT audit programs, and rightly so, since this can affect the quality of the work performed and, ultimately, the assurance provided to the enterprise. However, the contents of the audit report are rarely discussed, even though they will be used to drive the audit follow-up process and often result in expenditure to the enterprise. ISACA has produced standards, guidelines, a white paper and a report template, which should be referenced to ensure that each enterprise’s audit reports meet high professional standards. Adhering to these standards will also prove invaluable to the IT auditor when, as is often the case, the results of the audit report are challenged.

1 ISACA Online Forum, Audit and Assurance, https://engage.isaca.org/communities/community-home/digestviewer?communitykey=b4f0c214-8b78-4359-8bd0-8f0e7382b68a&tab=digestviewer
2 ISACA, Information Technology Assurance Framework (ITAF), USA, 2014, https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004Ko91EAC
3 An assertion is any formal declaration or set of declarations about the subject matter made by management. Ibid., p. 19
4 ISACA, IS Audit Reporting, USA, 2015
5 Op cit ITAF
6 Op cit IS Audit Reporting
7 Ibid., p. 22
8 Ibid.
9 Op cit ITAF, p. 73
10 Op cit IS Audit Reporting, p. 22
11 Ibid.
12 Op cit ITAF, p. 21
13 Ibid., p. 79
14 ISACA, ICQ and Audit/Assurance Program for PCI DSS Compliance Program, USA, https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoDqEAK
15 Op cit IS Audit Reporting, p. 26
16 Cooke, I.; “Enhancing the Audit Follow-Up Process Using COBIT 5,” ISACA Journal, vol. 6, 2016, https://www.isaca.org/archives
17 Ibid.
18 Op cit ITAF, p. 16
19 Harvard Kennedy School Communications Program, “How to Write an Executive Summary,” Harvard University, Cambridge, Massachusetts, USA, https://projects.iq.harvard.edu/files/hks-communications-program/files/how_to_write_an_exex_summ_to_use_4_18_18.pdf
20 Op cit IS Audit Reporting, p. 21

Ian Cooke, CISA, CRISC, CGEIT, COBIT 5 Assessor and Implementer, CFE, CIPM, CIPP/E, CIPT, FIP, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt, is the group IT audit manager with An Post (the Irish Post Office based in Dublin, Ireland) and has over 30 years of experience in all aspects of information systems. Cooke has served on several ISACA committees and is a member of ISACA’s CGEIT Exam Item Development Working Group. He is the topic leader for the Audit and Assurance discussions in the ISACA Online Forums. Cooke has supported the update of the CISA Review Manual and was a subject matter expert for the development of ISACA’s CISA and CRISC Online Review Courses. He is the recipient of the 2017 John W. Lainhart IV Common Body of Knowledge Award for contributions to the development and enhancement of ISACA publications and certification training modules. He welcomes comments or suggestions for articles via email ([email protected]), Twitter (@COOKEI), LinkedIn (www.linkedin.com/in/ian-cooke-80700510/), or on the Audit and Assurance Online Forum (engage.isaca.org/home). Opinions expressed are his own and do not necessarily represent the views of An Post.
