IT Auditing - What You Need to Know
Michael C. Redmond, PhD, MBA, ISO Cyber Certifications
By Michael C. Redmond linkedin.com/in/michaelredmond2018
Definition Elaborated
Almost every training document defines IT Audit as “the examination and evaluation of an organization's information technology infrastructure, policies and operations. Information technology audits determine whether IT controls protect corporate assets, ensure data integrity and are aligned with the business's overall goals.” I found this sentence in over 30 published works, but none of them attribute the original author. It has become the generally accepted definition of IT Audit.
Let’s break down the definition one part at a time, starting with “the examination and evaluation of an organization's information technology infrastructure.” An Asset Management Program should be in place with the required documentation. ISO 55001:2014 Asset Management Systems Requirements is a good standard for evaluating the Governance, Risk and Compliance of the IT infrastructure.
“IT Policies and Operations” is a broad term and should be scoped before the audit. IT Governance is covered in ISO/IEC 38500. Information Security is covered in ISO 27001.
“Information technology audits determine whether IT controls protect corporate assets, ensure data integrity and are aligned with the business's overall goals” is the last sentence of the definition. The determination of which controls are in place should have been made during a Risk Assessment. As an auditor, I always start by reviewing the risk assessment to see whether it was properly performed. I use the ISO/IEC 27005 Information Security Risk Management standard as an aid in auditing the Risk Assessment.
Outside Auditor Engagement Letter
As an Auditor with the outside Consulting/Audit division of my firm, I find it interesting how many CIOs and CISOs hire outside auditors without ensuring the engagement letter is complete.
The engagement letter should include:
• Audit approach explanation
• Auditor's responsibility statement
• Client responsibility statement
• Confirmation agreement statement
• Fair presentation statement
• Objective of the Audit
• Scope statement
• Significant weaknesses statement
• Verbal agreement recap statement
Ensure that you feel comfortable with their process. It is critical to verify that the IT Auditor is a certified IT Auditor. If they are auditing specialized topics such as Incident Response, Cyber Security Management Systems, or Disaster Recovery, ask for their certification in that area. It is especially important, if they are conducting a Financial Audit, that the auditor who is auditing your Information Security and Cyber capabilities be certified with this expertise. Likewise, Compliance Audits should be conducted by Auditors with the specific background you require.
Types of Audits
Gap Analysis
Prior to an actual audit, it is good practice to request a Gap Analysis. This will help identify areas that are not compliant with the standards, regulations, and best practices that your organization has agreed to implement. I often conduct periodic Gap Analyses for clients who are in the process of implementing a new standard or regulation. This is a good tool to gauge areas still needing improvement. Gap Analysis reports are usually given directly to the CIO or CISO to assist them in improving their program.
Compliance Audits
Compliance audits can be first party, second party or third party.
Many clients request a compliance audit for NIST, various ISO standards (International Organization for Standardization), GDPR, and many other compliance requirements so they can provide their customers with assurance that they are meeting requirements.
First Party or Internal Audits
Internal audits can be performed by Internal Audit or by an outside auditor who is contracted to perform an Internal Audit. Internal Audit reports are usually provided to senior management. According to ISO 19011, clause 6.5.1, “the audit report must provide a clear, accurate, concise and complete picture of the audit.” It should not only provide information on compliance with requirements, but also help identify corrective actions and recommended improvements. Comparing the present report to past ones is a good way to gauge improvements or issues related to past non-conformities that are still not corrected. Internal Audits should be conducted throughout the year.
Second Party Audit
A supplier or customer may conduct the audit themselves or have it done by a contracted organization. These are more formal than an Internal Audit. The supplier or customer may be deciding whether or not to contract with your organization for services or products, or deciding whether they want to continue to do so.
Third Party or External Audits
An External Auditor is independent of the organization being audited. They conduct audits annually. An External Audit may be performed by a regulatory authority, as part of the financial audit, or by another authority.
Third Party ISO Compliance Audits
Organizations that choose to become certified in one of the ISO Management System Certification standards must have had at least one Internal Audit prior to the certification audit. To be certified, the audit must be conducted by an accredited Management System Certification Body. A pre-audit is optional and must be done at least 3 months prior to a certification audit. The next audit stages are the stage 1 audit (which may be an offsite review of documents) and the stage 2 audit (conducted onsite) prior to certification. After that, a surveillance audit is completed in the second and third years. After the third year a re-certification audit will be required. Please refer to ISO 9000, ISO/IEC 17021 and ISO/IEC 17065 for more information. ISO 19011:2018 – Guidelines for Auditing Management Systems is a good standard to review as part of your preparation.
Preparing to be Audited
Find out the requirements and scope of the audit from the Auditor. If the audit is going to be conducted by an external party, they will usually provide your Internal Auditor with the scope.
Gather documentation that shows you are compliant with the requirements being audited.
Leadership and its commitment to the requirements is almost always audited. Auditors will have questions related to this and will ask to see documented proof. How has the organization demonstrated this commitment? Has leadership ensured that policies and objectives have been established and that objectives have been met? What necessary resources has leadership provided, and how does it confirm continual improvement?
Policies must be suitable for your organization and must include objectives and a commitment to meet those objectives.
The organization's roles, responsibilities and authorities must conform to the standards, regulations or best practices that you are being audited against.
The risk assessment process must be robust enough to include risk acceptance criteria and to produce consistent and valid results. There are many risk assessment methodologies, including but not limited to OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), CRAMM (CCTA Risk Analysis and Management Method), the Microsoft methodology, and others. The auditor will most likely ask to see the documentation pertaining to the risk assessment, as well as the risk treatment plan for each risk and the corresponding detailed plans used to attain the objectives.
Any documentation relating to the competence of resources, awareness of employees, and communication strategies should be readily available.
Operational planning and controls are indispensable to IT, and documented information should give the auditor confidence that they are implemented as planned. Proof of regular monitoring, measurement, analysis and evaluation is a must.
Previous audits should be available and include the executed corrective action plans for nonconformities. Evidence of Top Management reviews of audits as well as their feedback on performance is expected to be presented at the same time.
Conclusion
IT Audits are an excellent tool for organizations to continuously improve and to maintain effective operations while meeting the organization’s goals and helping to achieve its mission.
Certifications
I am including my certifications as an example of the certifications you may wish to look for in your consultants and auditors.
Certified as Senior Lead Implementer:
• ISO/IEC 27005 Information Security Risk Management
• ISO/IEC 27701 Privacy Information Management
Certified as Lead Implementer:
• ISO/IEC 27001 Information Security Management
• ISO/IEC 27032 Lead Cyber Security Manager
• ISO/IEC 27035 Security Incident Response
• ISO 22301 Business Continuity Management Systems
• ISO/IEC 21500 Lead Project Manager
• ISO 31000 Lead Risk Manager
• ISO 55001 Asset Management
• ISO 14001 Environmental Management
• ISO 9001 Quality Management
• ISO 26000 Social Responsibility
• ISO 37001 Anti-Bribery Management Systems
Certified Implementer – Foundation
• ISO 22316 Security and Resiliency Management
• ISO 22320 Emergency Management
• ISO 20700 Management Consultancy Services
• GDPR General Data Protection Regulation (EU) 2016/679
Certified as Lead Auditor:
• ISO/IEC 27001 Information Security Management
• ISO 22301 Business Continuity Management Systems
• ISO 55001 Asset Management
• ISO 14001 Environmental Management
• ISO 9001 Quality Management
• ISO 26000 Social Responsibility
Other Certifications:
• Masters Business Continuity Planning (Disaster Recovery Institute) - MBCP
• Masters Business Continuity Planning (Business Continuity Institute) - FBCI
• Certified Emergency Manager - CEM
• Certified Project Manager – PMP
• Certified Trainer PECB