How much is an organization's information worth? That is, what would be the cost — either quantitatively or qualitatively — if its sensitive or valuable information was compromised? For example, it would be costly if customers' personally identifiable information was leaked to the dark web, critical systems suffered denial of service attacks, or the organization was the target of a ransomware incident such as the recent SolarWinds attack.
Preventing, detecting, and mitigating such threats is why auditing IT controls is necessary. An IT audit examines and evaluates an organization's IT infrastructure, policies, and operations. Such audits determine whether IT controls protect corporate assets, ensure data integrity, and are aligned with the business's overall goals. With businesses increasingly reliant on technology, IT audits are critical to ensure information-related controls and processes are working effectively.
Some IT audits are for regulatory compliance, while others provide assurance that the organization is protecting its valuable information from breaches in confidentiality, integrity, or availability. Regardless of the audit's purpose, its primary objectives include:
- Evaluating the systems and processes in place that secure the organization's data.
- Determining risks to information assets and helping identify methods for minimizing those risks.
- Ensuring that information management processes comply with IT-specific laws, policies, and standards.
- Identifying inefficiencies in IT systems and associated management.
IT audits do much more than deal with threats from outside the organization. Insider breaches are just as bad — and sometimes worse — because they are harder to detect. If users have legitimate access to an organization's files, it is not easy to see if they may be using that access for illegitimate purposes.
Inside the Circle
The IT audit circle comprises several layers, similar to a layered security defense model (see "The Layers of IT Audits" below). These layers range from data assets at its center all the way up to the network along its outer edge.
Asset/Data: This is the information that organizations want to protect. When such assets are breached, it may lead to theft, fraud, operational impacts, or loss of confidentiality. These risks can have financial, operational, reputational, strategic, compliance, and legal impacts.
Not all assets have the same value or importance to the organization. Organizations typically separate data and systems into three levels of risk: high, moderate, and low. Data may be classified for numerous reasons, including ease of access, maintaining regulatory compliance, and meeting other business objectives. For data security purposes, data classification can facilitate appropriate responses based on the type of data being retrieved, transmitted, or copied.
Databases: Depending on the database contents, confidentiality, integrity, and availability are all risk concerns. Because the data is in a central repository, unauthorized access could expose significant amounts of data at once. In addition, databases are complex, increasing the risk of data corruption, which will impact all the applications and end users that access it. If database performance is slow, it could impact response time for a significant number of users. Activities to audit include:
- User access and authentication.
- Important tables, views, stored procedures, database links, and the runtime logic that controls specific business application functionality and data access permissions.
- Tracking of who changed the data, when the change was made, and what was changed.
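To show what the last two database audit activities look like in practice, here is an added example that is not part of the article: a minimal change-tracking audit trail built with Python's sqlite3 module, with a trigger that records the user, time, and old/new value of every change, and a review query that flags changes made by accounts outside an approved list. The table, account names, and allow-list are constructed for the example.

```python
"""Added example (not from the article): a change-tracking audit trail for a
database table, plus a review query over it. Names are constructed."""
import sqlite3

APPROVED_EDITORS = {"payroll_app", "dba_alice"}  # constructed allow-list


def open_audited_db():
    """Create an in-memory database whose salary table is under audit."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE salaries (emp_id INTEGER PRIMARY KEY, amount INTEGER);
        -- Audit trail: who changed the row, when, and the old/new value.
        CREATE TABLE salary_audit (
            changed_at TEXT, changed_by TEXT, emp_id INTEGER,
            old_amount INTEGER, new_amount INTEGER);
        -- The session table holds the acting user; the trigger reads it,
        -- so an application cannot skip writing the audit row.
        CREATE TABLE session (acting_user TEXT);
        INSERT INTO session VALUES ('unknown');
        CREATE TRIGGER salaries_upd AFTER UPDATE ON salaries BEGIN
            INSERT INTO salary_audit
            SELECT strftime('%Y-%m-%dT%H:%M:%SZ', 'now'),
                   (SELECT acting_user FROM session),
                   OLD.emp_id, OLD.amount, NEW.amount;
        END;
    """)
    return con


def update_salary(con, acting_user, emp_id, new_amount):
    """Change a salary as acting_user; the trigger records the change."""
    con.execute("UPDATE session SET acting_user = ?", (acting_user,))
    con.execute("UPDATE salaries SET amount = ? WHERE emp_id = ?",
                (new_amount, emp_id))


def unapproved_changes(con):
    """Audit review: changes made by accounts not on the approved list."""
    rows = con.execute("SELECT changed_by, emp_id, old_amount, new_amount "
                       "FROM salary_audit").fetchall()
    return [r for r in rows if r[0] not in APPROVED_EDITORS]


def demo():
    """Two changes: one by an approved account, one that should be flagged."""
    con = open_audited_db()
    con.execute("INSERT INTO salaries VALUES (1, 50000), (2, 60000)")
    update_salary(con, "payroll_app", 1, 52000)
    update_salary(con, "temp_contractor", 2, 90000)
    return unapproved_changes(con)
```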
Applications: Some of the controls around applications include IT governance, logical security, change management, business continuity and disaster recovery, system development methodology, input controls, process controls, and output controls. Application audit objectives include efficiency, effectiveness, compliance, and financial reporting implications.
Operating System: Examples of controls around operating systems include effective patch management, vulnerability assessments (health checks), and restricting and monitoring privileged administrative access. For example, the auditor should evaluate whether the latest patches are installed to close operating system vulnerabilities.
Physical System: The goal of IT audits of physical access controls is to prevent unauthorized physical access, damage, and interference to the organization's premises and information. Physical security controls protect the computer centers, server farms, telecommunication rooms, and support facilities. Risks include unauthorized use, modification, destruction, or theft of equipment and data media, as well as access to sensitive information and disruption of system and operational processing.
IT audits should verify that access to restricted computing areas is limited to authorized individuals on a need-to-know basis. These audits also should cover environmental controls such as heating, ventilation, and air conditioning systems; fire suppression systems; and power failures.
Network: Organizations rely on networks as an essential part of doing business. The network management staff is responsible for keeping the network available, secure, and performing well. Through various weaknesses — in the network, networked computers, applications, and user policies — the organization is susceptible to malware of all sorts. An IT audit of the network could include internal and external penetration testing to determine if there are any "backdoor" ways a hacker can enter the system.
IT audits need to be performed continuously. Four resources or variables affect the timing and depth of such audits: people, process, information, and technology. Any change to one of these variables warrants a reevaluation of the other three to determine whether new risks have been introduced and to make changes to IT controls.
Despite the controls that are in place, there will always be some risk. That requires internal auditors to be ever-vigilant to ensure the organization's assets are protected.