IT Audits in a Nutshell

Nemanja Jovic (Neo), published in Devjam
6 min read, Jul 25, 2022
Picture by Art Systèmes Canada Inc

In the constantly changing world of Information Technology, almost every service that an end-user interacts with has to stay compliant. The company behind the scenes has to assure service availability, data integrity, security & consistent processes. Public standards demand all these aspects and force companies to stay compliant, and companies themselves have to ensure proper governance is in place.

Why should you care about this article?

This article will give you unique insights into the diverse world of IT Audits; my main focus will be on companies migrating to cloud environments.

You will understand the difference between internal & external audit types and why they are essential for an organization, as well as which IT audit program best fits the business your company is running.

Compliance diversity

Considering that innovation around us is accelerating daily and that corporations are moving their business into the cloud, many requirements have to be fulfilled and considered for an organization to achieve a high level of compliance.

The organizational landscape consists of a diverse set of services that make up the internal and external components of the business. Companies in different industries have to comply with different rules: financial institutions comply with standards such as PCI DSS, while companies in the healthcare sector have to comply with HIPAA.

Internal & External Audits

Imagine your company is about to start its migration to the cloud; both the cloud service provider and you as a consumer require assurance that all necessary controls are in place to enforce compliance.

An Internal Audit is a recurring procedure that measures the deviation between the organization's current state and the laws & regulations it has to meet.

Internal audit plays a crucial role in identifying and addressing the risks associated with the various cloud services in use. The company can engage with stakeholders to review the risk framework.

Internal audit can provide deeper insights into

  • The company's current cloud-governance program
  • Whether the business processes support risk management
  • Data classification
  • The effectiveness of the implemented cloud program
  • The company's compliance readiness for the external audit
  • Cloud risk exposure

An External Audit is performed by an external company that belongs to an association of registered auditors. The auditor assures that your organization mitigates risks that could lead to threats. The external auditor is dedicated to getting your compliance status right: they will present your compliance status honestly, as it is, and provide concise points & feedback for improvement.

As the outcome of the External Audit, you can expect suggestions for new controls and improvements; these will shape the overall direction of the governance and compliance roadmap.

Your company will have to ensure immediate actions in case of high-risk findings.

External audits typically

  • Identify risks to your organization's information assets
  • Determine where systems are not hardened & controlled up to standard
  • Assure that legal, regulatory, or contractual requirements are met
  • Assure parties consuming services that the cloud provider has, and is maintaining, the required controls
  • Occur annually unless otherwise specified

Audit Scope Restrictions

Audit scope restrictions are used to channel focus towards areas that are, so to speak, audit-ready, or in other cases to exclude some parts of the systems from the audit review.

These restrictions are also used to ensure that audits will not impact the production environment or crucial systems that deliver business value.

You can also find restrictions used as constraints on how the audit must (or must not) proceed, such as the duration of the audit, the times at which audit activities may take place, and the methods used to execute audit tests.

Companies usually do not allow direct testing on production systems, since this approach might degrade the service.

Audit Planning

To start an audit, the company has to define the scope of the audit and ensure a directed focus on specific areas. Planning an audit should include the following phases.

Define Audit Intents

Planning the intents should result in defined goals that determine the audit output; the usual steps you can take are

  • Define and document audit goals
  • Define audit outcomes and format
  • Define audit frequency
  • Define the number of auditors required

Define Audit Range

Ensure the audit has a proper focus and operates within a scope that causes no harm

  • Define the cloud services to audit
  • Document the currently utilized services
  • Define the locations where audits will take place
  • Define the key stages to audit: information gathering, workshops, gap investigation, validation of evidence
  • Define escalation paths and contacts
  • Define the criteria and metrics by which to evaluate the cloud service provider
  • Ensure criteria are consistent with the SLA and contract
  • Agree on final reporting dates
  • Ensure findings are captured and communicated back to the business
  • Confirm report target audience
  • Document risk management processes to be operated as part of any remediation methods
  • Decide on an auditable process for remediation activities (ensuring traceability and accountability)

Fieldwork

During the fieldwork phase, auditors collect audit evidence by:

  • Interviewing staff, managers, and other stakeholders
  • Reviewing ISMS documents
  • Following ISMS processes in action
  • Checking system security configurations
  • Performing audit tests to validate the evidence

Analysis

The accumulated audit evidence is sorted, filed, reviewed & examined.

Gap Analysis

Gap analysis is a practical and essential way to start benchmarking and to identify the relevant areas where conditions are not met against the specified frameworks or standards.

A gap analysis is performed by personnel who are not engaged in, or working within, the scope under review. Using independent personnel is the best way to ensure that no conflicts, favoritism, or existing connections with the unit's personnel can influence the determinations in any way (positively or negatively).

An auditor or SME conducts the gap analysis against multiple requirements, ranging from a complete examination to a random selection of controls. The gap analysis results in a report highlighting the findings, including risks, recommendations, and the level of conformity (or compliance) measured against the established standards.

Cloud Controls Matrix (CCM)

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is a helpful instrument that enables consumers and providers to think in terms of how specific cloud controls map to particular regulations and frameworks (e.g., NIST, HIPAA, FIPS, ENISA).

It provides a standard set of expectations between provider and consumer.
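The two sections above, gap analysis and the CCM, describe the same mechanism from two sides: a control matrix maps each control to the frameworks it satisfies, and a gap analysis scores the implementation status of those controls to produce findings, recommendations and a conformity level per framework. The script below is an added illustration, not code from the article or from the CSA; the control matrix in it is constructed for the example, and its control IDs, framework names, statuses and evidence strings are placeholders rather than real CCM content. It goes slightly beyond the text by also ordering findings by risk so that high-risk gaps, which the article says demand immediate action, surface first.

```python
"""Gap analysis against a constructed control matrix (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str        # placeholder ID, not a real CCM identifier
    title: str
    frameworks: tuple      # frameworks / regulations this control maps to
    status: str            # "implemented", "partial" or "missing"
    risk: str              # "high", "medium" or "low" if the control is not met
    evidence: str          # what the fieldwork found (constructed)
    recommendation: str    # remediation advice for the report (constructed)


# Constructed sample matrix: five controls mapped to three frameworks.
CONTROL_MATRIX = [
    Control("IAM-01", "MFA enforced for administrative access",
            ("ISO27001", "PCI-DSS"), "implemented", "high",
            "IdP policy export reviewed", "none"),
    Control("LOG-02", "Central log retention of at least 12 months",
            ("ISO27001", "HIPAA", "PCI-DSS"), "partial", "medium",
            "retention configured for 90 days", "raise retention to 12 months"),
    Control("DCS-03", "Data classification scheme applied to storage",
            ("ISO27001", "HIPAA"), "missing", "high",
            "no classification labels found", "adopt and apply a labelling scheme"),
    Control("BCR-04", "Backup restore tested quarterly",
            ("ISO27001",), "implemented", "medium",
            "Q2 restore test report reviewed", "none"),
    Control("CEK-05", "Customer data encrypted at rest",
            ("HIPAA", "PCI-DSS"), "implemented", "high",
            "KMS key policy and bucket settings reviewed", "none"),
]

# A partially implemented control earns half credit towards conformity.
STATUS_WEIGHT = {"implemented": 1.0, "partial": 0.5, "missing": 0.0}
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


def conformity_by_framework(controls):
    """Return {framework: % of mapped controls met}, partial counting half."""
    score = defaultdict(float)
    total = defaultdict(int)
    for c in controls:
        for fw in c.frameworks:
            score[fw] += STATUS_WEIGHT[c.status]
            total[fw] += 1
    return {fw: round(100 * score[fw] / total[fw], 1) for fw in sorted(total)}


def findings(controls):
    """Return the gaps (controls not fully implemented), highest risk first."""
    gaps = [c for c in controls if c.status != "implemented"]
    return sorted(gaps, key=lambda c: (RISK_ORDER[c.risk], c.control_id))


def immediate_actions(controls):
    """High-risk gaps are the findings that require immediate action."""
    return [c for c in findings(controls) if c.risk == "high"]


def gap_report(controls):
    """Render a plain-text gap report: conformity per framework, then findings."""
    lines = ["Conformity by framework:"]
    for fw, pct in conformity_by_framework(controls).items():
        lines.append(f"  {fw:<9} {pct:5.1f}%")
    lines.append("Findings (ordered by risk):")
    for c in findings(controls):
        lines.append(
            f"  [{c.risk.upper():<6}] {c.control_id} {c.title}: {c.status}; "
            f"evidence: {c.evidence}; maps to {', '.join(c.frameworks)}; "
            f"recommendation: {c.recommendation}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(gap_report(CONTROL_MATRIX))
```

The conformity figure is deliberately per framework rather than a single company-wide number: the same missing control can leave one framework far less covered than another, which is exactly the mapping view the CCM is meant to give. A real engagement would draw the matrix rows from the actual CCM spreadsheet and the statuses and evidence from fieldwork notes.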

Audit Reports

System and Organization Controls (SOC) audit reports are intended to help organizations build complete trust with their customers.

SOC 1

SOC 1 reports focus on controls at a cloud service provider that are likely to be relevant to an audit of a subscriber's financial statements.

There are two types of reports for these engagements:

  • Type 1: Report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description, as of a specified date.
  • Type 2: Report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description, throughout a specified period.

SOC 2

SOC 2 reports focus on controls at a service organization relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.

These reports can play an essential role in:

  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight

There are two types of reports for these engagements:

  • Type 1: Report on management's description of a service organization's system and the suitability of the design of controls
  • Type 2: Report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls

SOC 3

The SOC 3 report is a publicly available summary of the vendor's SOC 2 report and provides the AICPA SysTrust Security Seal. It includes the external auditor's opinion on the operation of controls (based on the AICPA's Security Trust Principles contained in the SOC 2 report), the assertion from the vendor's management regarding the effectiveness of the controls, and an overview of the vendor's infrastructure and services.

This is an excellent resource for customers to validate that the vendor has obtained external auditor assurance without going through the process of requesting a SOC 2 report.

Internal Information Security Management System (ISMS)

Upon passing the audit procedure, an institution can have its information security management system (ISMS) certified against ISO/IEC 27001:2013. An ISMS ensures that a structured, measured, and ongoing view of security is taken across the organization, allowing security impacts and risk-based decisions to be managed appropriately.

Nemanja Jovic (Neo), writer for Devjam. Chapter Lead, Microsoft MCT, DevOps Domain Expert.