
Information Technology Audit

  • ali@fuzzywireless.com
  • Mar 4, 2022

Yeagley (2015) defines audits as periodic validation of the IT security implementation of an enterprise by a certification authority. Security audits should be performed to compare the current security posture against the security policy (Rhodes-Ousley, 2013). Audits can be performed by internal departments as well as by outside agencies (2013). Audits by an unbiased third-party agency help highlight weaknesses in the security policy and its enforcement. An audit can be performed at an annual, quarterly, monthly or any other regular interval; however, an annual audit ensures the operational compliance of IT security and policy (2013). An audit is usually performed to comply with federal, state or industry regulations (Yeagley, 2015).


Some of the items that are usually captured in IT audits are:

1. Trend of security incidents

2. Trend of network and email traffic

3. Trend of attacks blocked

4. Trend of undetected spam

5. Trend of invalid login attempts

6. Trends of network latency

7. Tracking of non-compliant IT assets

8. Tracking of accounts with administrative rights

9. Tracking of new login creation requests

10. Tracking of fully encrypted IT assets

11. Tracking of mobile applications

12. Tracking of desktop/laptop applications and updates

13. Status, outages, and performance of servers and IT nodes/routers

14. Tracking of unresolved IT user tickets

15. Tracking of remote logins and virtual private network (VPN) usage


Internal controls within an organization run the company with integrity, following the corporate policy and objective (QuickBooks, 2018). Audits help ensure that the organization complies with enforcement and oversight from government, which can be federal, state, county, etc., as well as from industry standards bodies like ISO, NIST, etc. (2018). The principles of ethics laid down by the Institute of Internal Auditors (2019) include integrity, objectivity, confidentiality, and competency. Integrity ensures trust and justice; objectivity is ensured by balanced assessment free of influence; confidentiality ensures that information remains secure; and competency requires the needed skills and expertise in the area. These ethical principles are also the foundation of an IT audit, which calls for a trustworthy, uninfluenced, secure, and expert review of the IT network and architecture.


References:


The Institute of Internal Auditors (2019). Code of Ethics. Retrieved from https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx


QuickBooks (2018). Compliance requirements every business must follow. Retrieved from https://quickbooks.intuit.com/r/compliance-licensing/compliance-requirements-every-business-must-follow/


Rhodes-Ousley, M. (2013). The complete reference: Information Security. McGraw Hill: NY


Yeagley, G. (2015). IT Auditing and IT Risk Assessment: What’s the difference? Retrieved from https://www.compassitc.com/blog/it-auditing-and-it-risk-assessment-whats-the-difference

