Information Technology Audit
An information technology audit, or information systems audit, is an examination of the management controls within an information technology (IT) infrastructure and its business applications.
Since organizations spend large amounts of money on information technology, they need assurance that these IT systems are reliable, secure, and not vulnerable to cyber-attacks.
An IT audit is also cost-effective: it reveals which services the organization needs and which it can do without, and, because the technology in use evolves so fast, which systems and tools are outdated.
An IT audit is crucial to any business because it maintains the integrity and reliability of the organization's IT infrastructure and data. It covers functions such as risk assessment, data integrity, compliance, security assessment, and support for business continuity and disaster recovery.
An IT audit helps organizations to:
Identify and mitigate IT risks: IT audits help organizations identify and manage risks such as cyberattacks, data breaches, and system failures. IT auditors recommend ways to mitigate such risks by implementing security controls and developing business continuity plans.
Ensure compliance with laws and regulations: Most industries are subject to laws and regulations that govern their IT systems and data management. IT audits help organizations stay compliant with these requirements and reduce their exposure to legal action.
Improve the efficiency of IT operations: IT audits help identify areas where IT operations can be improved, for example through workflow automation. This results in cost savings and better overall business performance.
Protect corporate assets: Organizations can protect their IT assets from unauthorized access, use, and destruction by using IT audits to identify the vulnerabilities they are exposed to.
Ensure the integrity of data: IT audits also check that the organization's data is accurate, up to date, and reliable. This supports business decisions and regulatory compliance.
Align IT with business goals and objectives: IT audits align IT systems and practices with business objectives, which helps the organization reach its strategic goals sooner.
At a high level, an audit has four stages:
1. Planning – The first stage is the most important, because planning the audit ahead of time prevents unnecessary costs and lets auditors use their resources effectively. In this stage, auditors review the internal procedures related to IT and consult with experts. The aim is a detailed IT audit plan that covers the scope, objectives, deadlines, process, and budget of the planned audit.
Set up a call with the relevant department to understand the underlying process.
Based on the audit scope, create planning documents with a questionnaire to drive the fieldwork and capture the evidence.
Audit evidence includes physical examination, documentation, analytical procedures, observation, confirmation and inquiry; a field can be added to the planning document to record which type of evidence supports each test.
2. Fieldwork – This stage is usually carried out on-site. After observing the audited process or system and testing its controls, the audit team identifies and analyzes the key risks. Controls that are found not to be working as intended become findings, which feed a corrective action plan or the recommendations in the final report.
Different testing strategies apply during fieldwork:
Walkthrough Test – trace a single transaction or request end-to-end through the process to confirm that the documented procedure and controls match what actually happens.
Compliance Test – test whether a control operated as designed over the audit period (for example, sampling change tickets to check that each production change was approved).
Substantive Test – test the data or output itself rather than the control (for example, reconciling a backup against its source system) to detect errors the controls may have missed.
3. Reporting – During and after conducting an IT audit, the auditor creates a report that explains how well the company's controls are performing. They write up a report draft, which is then reviewed with top management and finalized for delivery.
4. Follow-up – Audits often don't end once they've been carried out and filed away in the archives. If stated so in the contract, auditors may follow up to make sure that the recommendations are followed and whether the improvements are working adequately. The audit is officially closed if the follow-up demonstrates that the company successfully implemented the suggested improvements.
IT Security Controls
Antivirus software
Network firewall
Password encryption (passwords stored hashed, never in plaintext)
Two-factor authentication
Physical security measures
Unauthorized access alerts
Employee IT security training
Standards & Procedures
Employees are required to sign IT security acknowledgment agreements
IT assets are disposed of safely to avoid data breaches
Documents with sensitive data are shredded or disposed of safely
Data backups are done and reviewed frequently
Data is backed up in multiple locations
There’s a well-defined IT disaster recovery plan
Documentation & Reporting
Security protocols are well-documented
Security protocols are updated as IT infrastructure changes
IT logs are safely stored and reviewed frequently
IT incidents are documented thoroughly
Performance Monitoring
Outage events are recorded
Disk, memory and cloud storage utilization are monitored
Network performance is measured consistently
IT expenses are tracked and minimized
Systems Development
There are clear guidelines for managing the system design and development process
System testing protocols are established
There’s a post-implementation review process in place
Top 10 IT Findings during Internal Audit:
1. Lack of patch management process
Risks: system compromise, data loss, and exposure of confidential information.
Solutions:
Use a patch management tool (e.g. SCCM) to deploy and track patches.
Keep a manual review schedule for systems the tool does not cover.
2. Admin accounts are used for day-to-day activities
Risks:
Using admin accounts for daily operations is always risky: a small typo or mistake can have a huge impact, because the account has full access (delete, update, etc.).
Solutions:
Give each administrator a second, unprivileged account (read-only where possible) for day-to-day work.
Implement a super-user access policy with a privilege management tool (e.g. pbrun), so that users request elevation only when they need it and elevated sessions can be reviewed.
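As an added example (not from the original page): a small Python check that looks for exactly this finding in SSH authentication logs, contrasting direct logins into privileged accounts with on-demand elevation. The log lines, the privileged account list and the message formats it parses are constructed for the example; adapt the patterns to your own auth log format.

```python
import re
from collections import Counter

# Constructed sshd/sudo lines for the example (not from any real system); the
# message formats follow the usual OpenSSH "Accepted <method> for <user> from
# <ip> port <n> ssh2" and sudo "<user> : ... USER=<target> ; COMMAND=<cmd>" forms.
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:12 app01 sshd[2101]: Accepted publickey for alice from 10.1.2.3 port 51000 ssh2
Mar 10 08:03:40 app01 sshd[2130]: Accepted password for root from 10.1.2.3 port 51010 ssh2
Mar 10 08:15:02 app01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 09:20:55 app01 sshd[2302]: Accepted publickey for dbadmin from 10.1.2.9 port 51020 ssh2
Mar 10 09:22:13 app01 sshd[2310]: Failed password for root from 203.0.113.7 port 40022 ssh2
Mar 10 10:41:07 app01 sshd[2400]: Accepted password for root from 10.1.2.3 port 51030 ssh2
"""

# Accounts the audit treats as privileged (an assumption for the example).
PRIVILEGED = {"root", "dbadmin"}

LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")


def analyze_auth_log(text, privileged=PRIVILEGED):
    """Return (direct_logins, elevations).

    direct_logins: (user, method, src_ip) for each successful interactive login
    straight into a privileged account - the pattern behind this finding.
    elevations:    (user, target, command) for each on-demand elevation via sudo,
    which is the pattern the audit wants to see instead (a tool like pbrun
    produces equivalent records).
    """
    direct, elevations = [], []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            method, user, src = m.groups()
            if user in privileged:
                direct.append((user, method, src))
            continue
        m = SUDO_RE.search(line)
        if m:
            elevations.append(m.groups())
    return direct, elevations


def summarize(text, privileged=PRIVILEGED):
    """Audit summary: how often privileged accounts were used directly, and how
    many of those logins used a password rather than a key."""
    direct, elevations = analyze_auth_log(text, privileged)
    per_user = Counter(user for user, _, _ in direct)
    return {
        "direct_privileged_logins": dict(per_user),
        "password_logins_to_privileged": sum(1 for _, m, _ in direct if m == "password"),
        "elevations": len(elevations),
    }


if __name__ == "__main__":
    for user, method, src in analyze_auth_log(SAMPLE_AUTH_LOG)[0]:
        print(f"FINDING: direct {method} login to privileged account {user} from {src}")
    print(summarize(SAMPLE_AUTH_LOG))
```

On the sample, two of the three direct privileged logins used a password, which is the evidence an auditor would attach to this finding; the single sudo record shows what the second-account-plus-elevation model looks like in the same log.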
3. Disaster recovery (DR) plan does not exist or is outdated
Risks:
Extended service restoration times.
Loss of data.
DR plan not updated as the systems or the organization change.
Business continuity plan (BCP) treated as the same thing as recovery, although the two are significantly different: the BCP keeps business operations running during a disruption, the DR plan restores the IT systems.
Solutions:
Create a proper DR plan using a standard template.
Create a business continuity plan (BCP).
Test the DR plan against real production systems.
If possible, run production from the backup side for a few days (active/passive: fail over to the passive side and let it carry production for a few days).
4. Server logs are not being reviewed properly
Risks:
Functional IDs and passwords appear in server logs unencrypted and unmasked, visible to anyone who can read the logs.
Exposure to cyber attack and its serious consequences, since sensitive information (credentials) is being leaked.
Solutions:
Always mask or encrypt sensitive information before it is written to a log.
Before deploying any new code or job to production, test it in the lower environments and check what it writes to the logs.
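As an added example (not part of the original page): a Python redaction filter that masks credentials before they reach a log, plus the check an auditor can run over existing logs to find lines that still carry a secret. The sample log lines and the key names in the patterns are constructed assumptions; extend the patterns to your own logging conventions.

```python
import re

# Constructed application log lines for the example (not from any real system).
SAMPLE_LOG = """\
2024-03-10 08:00:01 INFO  batch-job start user=svc_batch password=Sup3rSecret! host=db01
2024-03-10 08:00:02 DEBUG http GET /api/v1/orders Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig
2024-03-10 08:00:03 INFO  connect jdbc:postgresql://db01/erp?user=svc_batch&password=Sup3rSecret!
2024-03-10 08:00:04 INFO  processed 1200 rows in 3.2s
"""

MASK = "***REDACTED***"

# Each pattern's LAST group is the secret value; everything before it is kept.
# The key names are an assumption for the example - extend them to match your
# own logging conventions (e.g. framework-specific field names).
SECRET_PATTERNS = [
    # key=value / key: value forms such as password=..., api_key: ...
    re.compile(r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)(\s*[=:]\s*)(\S+)"),
    # HTTP Authorization headers
    re.compile(r"(?i)\b(Authorization:\s*(?:Bearer|Basic)\s+)(\S+)"),
]


def redact(line):
    """Replace every secret value in one log line with MASK, keeping the key."""
    for pattern in SECRET_PATTERNS:
        line = pattern.sub(
            lambda m: m.group(0)[: m.start(m.lastindex) - m.start()] + MASK, line
        )
    return line


def redact_log(text):
    """Filter to run over log output before it is written or shipped."""
    return "\n".join(redact(line) for line in text.splitlines())


def find_unmasked(text):
    """Audit check: (line_no, line) for lines that still carry a secret value."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        leaked = any(
            m.group(m.lastindex) != MASK
            for p in SECRET_PATTERNS
            for m in p.finditer(line)
        )
        if leaked:
            hits.append((n, line))
    return hits


if __name__ == "__main__":
    for n, line in find_unmasked(SAMPLE_LOG):
        print(f"line {n}: unmasked credential -> {redact(line)}")
    assert not find_unmasked(redact_log(SAMPLE_LOG))
```

The same check run in a lower environment against the logs a new job produces is the cheapest way to satisfy the second solution above: if find_unmasked returns anything for the job's test output, the job is not ready for production.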
5. Servers with public-facing IPs without necessity
Risks:
Increased exposure to cyber attacks.
No documentation of why the servers use public IPs.
Solutions:
Switch to private IPs.
Review the need for each public-facing IP.
Create information/network security policies.
For more details on information/cyber security policies, see: Information/Cyber Security Policies
6. Non-IT users with admin access
Risks:
Users without the necessary technical knowledge hold admin rights.
Devices are not adequately patched or protected.
Solutions:
Remove all admin access from non-IT staff.
Provide a second account without admin rights where one is needed.
Define an information security / user access policy.
7. Lack of physical access control in the server room
Risks:
Unauthorized access.
Theft and data loss.
Solutions:
Impose physical security and environmental controls.
8. Server backups are not properly secured or do not exist
Risks:
Service interruptions.
Data loss.
Backup copies are not kept in a secure environment.
Solutions:
Implement a backup service.
Keep a copy of the backups at a second, secure location.
9. Critical/sensitive data scanning is not in place
Risks:
Most organizations are not fully aware of where their sensitive data is located.
Unauthorized access to critical data.
Data privacy violations.
Solutions:
Run a data discovery and classification scan.
Discover and classify all critical/sensitive information.
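As an added example (not from the original page): a minimal discovery and classification scan in Python that looks for card numbers and SSN-format identifiers in a set of files, using a Luhn check to filter out look-alike digit runs such as order IDs. The file contents are constructed, the card numbers are well-known test values, and the classification labels are assumptions.

```python
import re

# Constructed files for the example (not real data). The card numbers are the
# widely used test value 4111111111111111 (Luhn-valid) and a one-digit variant
# (Luhn-invalid); the SSN-format value is a made-up placeholder.
SAMPLE_FILES = {
    "exports/customers.csv": "id,name,card\n1,Ann,4111 1111 1111 1111\n2,Bob,4111-1111-1111-1112\n",
    "hr/payroll.txt": "Employee SSN 123-45-6789 salary 60000\n",
    "docs/readme.txt": "Order 1234567890123456 shipped on time\n",
}

# 13-19 digits with optional single space/dash separators (candidate card numbers).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits):
    """Luhn checksum; filters out most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Findings must not themselves become a copy of the sensitive data."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(path, text):
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append({"path": path, "line": n, "type": "PAN",
                                 "classification": "Restricted", "sample": mask(digits)})
        for m in SSN_RE.finditer(line):
            findings.append({"path": path, "line": n, "type": "SSN",
                             "classification": "Restricted", "sample": mask(m.group(0))})
    return findings


def scan_files(files):
    """files: {path: text}. In practice walk the filesystem or file shares instead."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['classification']:<10} {f['type']:<4} {f['path']}:{f['line']} {f['sample']}")
```

The scan reports the Luhn-valid card in customers.csv and the SSN in payroll.txt, and ignores both the invalid card and the 16-digit order number in readme.txt; the masked samples are what goes into the finding, not the raw values.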
10. Vulnerability scans are not covering all systems
Risks:
Servers missing from the vulnerability scan inventory.
System compromise.
Data loss.
Exposure of critical/sensitive data.
Solutions:
Perform vulnerability scans of critical systems on a regular basis.
Fix the findings in priority order before they are exploited.
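Findings 5 and 10 are both inventory problems: a server whose public IP nobody has justified, or one the scanner never visited. As an added example (not from the original page), a Python check that reconciles an asset inventory against the scanner's covered-host list and flags both conditions. The inventory, the scanned set and the justification field are constructed; the documentation address ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) stand in for public addresses, which is why "internal" is defined explicitly as RFC 1918, loopback and link-local rather than via ipaddress's is_global.

```python
import ipaddress

# Constructed asset inventory (e.g. a CMDB export) and scanner host list for the
# example; not real data. The 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24
# addresses are documentation ranges standing in for public addresses.
INVENTORY = [
    {"host": "web01",  "ip": "203.0.113.10", "public_ip_justification": "Customer portal, behind the WAF"},
    {"host": "app01",  "ip": "10.1.2.3",     "public_ip_justification": ""},
    {"host": "db01",   "ip": "10.1.2.9",     "public_ip_justification": ""},
    {"host": "jump01", "ip": "198.51.100.5", "public_ip_justification": ""},
    {"host": "lab07",  "ip": "192.0.2.44",   "public_ip_justification": ""},
]
# Hosts the vulnerability scanner actually reported on in the last cycle.
SCANNED = {"web01", "app01", "lab07"}

# "Internal" is defined explicitly (RFC 1918, loopback, link-local). Python's
# ipaddress.is_global would also treat the documentation ranges above as
# non-global, which is correct for real traffic but would hide them here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_link_local or any(addr in net for net in RFC1918)


def audit_inventory(inventory, scanned):
    """Return (host, issue) pairs for findings 5 and 10."""
    findings = []
    for asset in inventory:
        if not is_internal(asset["ip"]) and not asset["public_ip_justification"].strip():
            findings.append((asset["host"], "public IP without documented justification"))
        if asset["host"] not in scanned:
            findings.append((asset["host"], "not covered by vulnerability scan"))
    return findings


def scan_coverage(inventory, scanned):
    """Fraction of inventoried hosts the scanner covered (report this, not just a count)."""
    hosts = {a["host"] for a in inventory}
    return len(hosts & scanned) / len(hosts)


if __name__ == "__main__":
    for host, issue in audit_inventory(INVENTORY, SCANNED):
        print(f"{host}: {issue}")
    print(f"scan coverage: {scan_coverage(INVENTORY, SCANNED):.0%}")
```

Run against the sample, web01 passes both checks because its public IP is documented and it was scanned; jump01 fails both, and the 60% coverage figure is the number to put in the report alongside the individual hosts.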
Here are the four main audit report types:
A clean report expresses an auditor's "unqualified opinion", which means the auditor did not find any issues with a company's financial records. "Unqualified" expresses that the company does not need to meet any additional qualifications to improve its financial status. This is the most desired and most common type of audit report.
A qualified report expresses an auditor's qualified opinion of a company's financial standing. It shows that the company has not followed all the standards set by GAAP but is not conducting its fiscal business in an illegal or misrepresenting way. Auditors may issue this report when there are certain business transactions or practices of which they are unsure.
A disclaimer report is issued when auditors have excused themselves from providing an opinion about a company's financials. This may happen if a company does not give satisfactory answers to an auditor's questions or if there is a mistake in its financial records. A disclaimer report allows auditors to distance themselves from a company if necessary and to maintain their reputation as fair and professional.
An adverse opinion report often highlights fraud within a company. Auditors issue adverse opinion reports when they discover irregularities or misrepresentations in a company's financial statements. These companies have often disregarded the standards set by GAAP. An adverse opinion report alerts finance professionals and the public to a company's possibly dishonest practices.