How to conduct an IT security audit

While some may view it as an uncomfortable exercise, conducting an internal security audit goes a long way towards protecting a company’s IT assets and data. Security compliance provides an effective means to find unprotected parts of the network and can help a company create actionable steps to improve its IT network’s defences.

Start Here

Audits are not fun, let’s be clear about that. They take time and energy, and the fear of criticism for any issues and weaknesses that may be found can be overwhelming if you’re the person in charge of security. However, audits are an integral part of any business’s security plan, and it’s necessary to conduct audits to find these weaknesses before disaster strikes.

To start with, you’ll need to hire an external auditor to perform the audit. So, before searching for an auditor or auditing firm, lay out some clear objectives about what you require in an auditor. When hiring an auditor or an IT audit firm:

  • Review their credentials and don’t be swayed by certifications that may only be impressive on paper. Keep in mind that certifications do not ensure technical knowledge and competence. Instead, check that the auditor has verifiable experience conducting IT security audits.
  • Review their resume and look specifically for IT security audits that resemble your own in size and scope. Be sure to check their references, which means taking the time to communicate with past clients. Ask questions on the quality of their work, their competency with the technology, etc. 
  • Consider reaching out to your network to look for a qualified auditor. Contact people in your industry and ask them for references to IT auditors or auditing firms. 
  • Take the time to meet with auditors and auditing firms; don’t be afraid to devote enough time to choosing the right firm or individual. The goal is to choose the best solution that fits your company’s needs. You may need to contact several auditors and firms, asking them to make proposals on your projects. Then review their proposals—again, with an eye to choosing the right solution for your business. 

One tip: avoid any auditor who calls themselves an “ethical hacker.” These people may not have the necessary knowledge or credentials to conduct a true, in-depth audit of your IT network. It’s best to avoid them altogether.

Prepare for the Audit

Once you’ve found the right auditor or firm, the next step is negotiating the project. Be sure to discuss whether or not the auditor will need access to policies, system configuration information and similar material. These are proprietary and may include access to passwords and other security information, so you’ll need to have an agreement in place detailing exactly what access is necessary.

Be sure the agreement/contract also includes an indemnification statement, which allows the auditor to access the IT network without being held responsible for certain damages or losses.

Auditors should agree with your company policy on how sensitive information is handled, including any types of communication methods that are not allowed.

Make sure that your business and IT managers are brought into the process early on, and that they’re aware of the auditor’s requirements before the audit takes place. Managers should know the day and time of testing, the testing methods, and so on. They will know how to limit the audit’s effect on company-wide systems.

During negotiations (if not before), the auditor should discuss their testing methods in detail. Not all testing methods and tools are accurate, and not all auditors are as accomplished or dedicated as other auditors. 

The auditor will need this documentation and data to conduct the audit:

  • A complete list of all operating systems used
  • A complete list of all applications and software used
  • Copies of all relevant policies and procedures 
  • A layout of the network, with full details

Your auditor may need or request other information, depending on the scope of the audit.

The Audit Process

Generally, the audit process should have been previously detailed by the auditor, so you have a full understanding of what they will be doing, what they need to access and more. An audit usually follows these steps:

1) A check for all risks:

    • Weak policies
    • Unauthorised changes or deployments, including unidentified wireless networks or unauthorised use of remote-access technology
    • Does the IT inventory match the environment laid out by your company’s policies & IT network map?

2) Vulnerability scan: the auditor checks whether operating system and application patches are current and checks for vulnerabilities in each system.

These are the basics of an internal audit—the tools and steps taken may vary slightly, but should cover these areas during the audit process. 
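The two audit steps above (reconciling what is actually on the network against the documented inventory and policies, then checking patch currency) can be expressed as a small reconciliation check. This is an added example, not code from the original article or from any auditing firm; the authorised-asset list, patch baseline, restricted-service list and scanner output are all constructed sample data, and the YYYYMMDD patch-level integer is an assumed convention.

```python
from dataclasses import dataclass, field

# Constructed: what the network map and policies say should exist (IP -> role, OS, services).
AUTHORISED = {
    "10.0.1.10": {"role": "web", "os": "ubuntu-22.04", "services": {"ssh", "https"}},
    "10.0.1.20": {"role": "db", "os": "ubuntu-22.04", "services": {"ssh", "postgres"}},
    "10.0.1.30": {"role": "ad", "os": "windows-2019", "services": {"ldap", "kerberos", "rdp"}},
}
# Constructed: minimum patch level (YYYYMMDD) per OS required by the patching policy.
PATCH_BASELINE = {"ubuntu-22.04": 20240301, "windows-2019": 20240213}
# Constructed: remote-access and wireless services that need explicit approval under policy.
RESTRICTED = {"rdp", "vnc", "teamviewer", "wifi-ap"}

@dataclass
class Host:
    ip: str
    os: str
    patch_level: int  # YYYYMMDD of the newest installed patch, as the scanner reports it
    services: set = field(default_factory=set)
def finding(ip, issue, detail):
    return {"host": ip, "issue": issue, "detail": detail}
def audit(discovered):
    # One finding per discrepancy between the scan results and the documented environment.
    findings, seen = [], set()
    for h in discovered:
        seen.add(h.ip)
        expected = AUTHORISED.get(h.ip)
        if expected is None:  # step 1: host absent from the network map
            findings.append(finding(h.ip, "undocumented host", sorted(h.services)))
            continue
        unexpected = h.services - expected["services"]
        if unexpected & RESTRICTED:  # step 1: unauthorised remote or wireless technology
            findings.append(finding(h.ip, "unauthorised remote/wireless service", sorted(unexpected & RESTRICTED)))
        elif unexpected:
            findings.append(finding(h.ip, "undocumented service", sorted(unexpected)))
        baseline = PATCH_BASELINE.get(h.os)
        if baseline is not None and h.patch_level < baseline:  # step 2: patch currency
            findings.append(finding(h.ip, "patches behind baseline", f"{h.patch_level} < {baseline}"))
    for ip in sorted(AUTHORISED.keys() - seen):  # documented but not seen: stale map or host down
        findings.append(finding(ip, "documented host not found", AUTHORISED[ip]["role"]))
    return findings
# Constructed scanner output for the example run.
DISCOVERED = [
    Host("10.0.1.10", "ubuntu-22.04", 20240315, {"ssh", "https"}),
    Host("10.0.1.20", "ubuntu-22.04", 20231120, {"ssh", "postgres", "vnc"}),
    Host("10.0.1.99", "unknown", 0, {"wifi-ap"}),
]
if __name__ == "__main__":
    for f in audit(DISCOVERED):
        print(f"{f['host']:<12} {f['issue']:<38} {f['detail']}")
```

Each finding names the host and the policy it diverges from, which is the level of detail the auditor’s report should reach rather than a generic list of open ports.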

Reporting the Audit Results

Now that the audit is completed, the auditor will create a report for your company to review. Here, it’s difficult to discern whether the audit has been done in a way that reflects the true vulnerabilities of your company, or whether it was only a general test that could be applied to almost any company.

Here are the areas the auditor’s report should cover:

  • What is the source of the threat? Is it from the public Internet or internal users?
  • What are the chances that the IT network could be breached? Have other websites experienced similar breaches from this type of threat?
  • What is the probable outcome of such a breach? How would this affect the company’s bottom line?
  • Recommendations on fixes for any issues found during the audit
  • The audit report should include legal liabilities—could a threat of this type put the company in legal trouble? If so, what types of legal issues could arise?
  • What are the risks of service interruptions for the company and its clients?

At this point, it’s time to ask any questions you may have about the report and about which areas might be a future concern, and to ask the auditor for suggestions on security improvements and enhancements.

Audits are about as fun as a colonoscopy; however, just like this unpleasant medical test, an internal audit is an important tool to spot trouble. Taking preventive measures to keep your IT network healthy and secure is one of the best investments you can make for your company.