- Faeez (Audit Practice Consulting Director)
Creating Continuous IT Audit
Updated: May 16
Being audit-ready means managing your IT risks, ensuring appropriate security controls are in place, complying with relevant legislation, and having taken the necessary steps to prevent any unpleasant surprises in an IT audit report. The auditors will then have everything they need to complete their work.
It is not surprising that things can get quite complicated on the IT side, especially since IT sits at the centre of almost any organization, so regulations, risks, controls, and frameworks are essential to keep the business going. You will need to dedicate time, the right people, and the right technology, but once the audit program is ready, you will spend much less time dealing with it and be able to focus more on mission-critical activities than on ad-hoc ones.
But how can you ensure that you are always prepared for a security audit, when there are so many other IT responsibilities to manage? Following are some steps that you can take to ensure that you are always prepared.
1. Identify, assess, and classify IT risks
To begin with, you must understand the risks facing your IT department. One example is an incident of unauthorized access to company systems. If that situation happens, determine which of your IT assets may have been compromised, both tangible assets (e.g. employee information) and intangible assets (e.g. business reputation).
The next step is to categorize your risks by impact: low, medium, or high. This will assist in prioritizing which risks should be addressed first.
2. Identify controls
When you have outlined and prioritized your risks, it is time to pair them with security controls. As you identify the risks that are high impact, determine how to mitigate or manage them; these are your control measures. In the previous example of unauthorized access, a firewall would prevent unauthorized access from external systems.
3. Map controls to a master framework library
How many of your controls are also part of your organization's existing management frameworks? In the above example of unauthorised access, the control that mitigates the data breach risk by ensuring that people who log on to the system remotely are authorized will also mitigate the enterprise risk (reputational and strategic).
As well as being a required control for the organisation, it may also be a SOC compliance requirement. So essentially, you achieve two objectives when you implement this one control.
4. Plan, scope, and stress-test micro-risks
Risk is addressed at numerous levels through controls. The most specific and detailed risks are referred to as micro-risks. This level allows you to plan out all the specifics of your control measures, including the costs, processes, timing, and resources.
Let us once again use the system access example. Controls could include implementing a multi-factor authentication system. You should consider the cost, the security requirements, and the implementation of the control. Only then can you determine if it is a suitable solution for your company.
5. Assess effectiveness of existing controls
Now that your controls have been activated, are they functioning correctly? Several methods can be used to determine this. Utilize analytics to query your data and recognize problematic situations such as high-risk passwords that do not expire. Additionally, you may send self-assessment questionnaires and surveys to control owners to test their controls.
6. Capture, track, and report deficiencies
It is important to act quickly when you discover that a control is not performing as expected. In many cases, recurring data analysis can serve as an additional layer of control or strengthen existing controls. For example, if access controls are not fully effective, you can use regular data analysis to identify instances of inappropriate access.
7. Monitor and automate testing of controls
Analytical monitoring on a daily, weekly, or monthly basis ensures that you are always up to date on the effectiveness of your risk management and control efforts. Although the IT activities monitored will vary by organization, common examples include user administration and special access logs, firewall changes, segregation of duties, physical access logs, and remote access logs.
8. Flag exceptions, review, investigate, and remediate
You would then treat the issues identified by your automated testing as exceptions, and during this step you would weed out the false positives from the actual control failures. Once the control breakdowns are identified, you would take remediation actions such as restricting or revoking access to systems or data, or changing the control to reduce the likelihood of the same failure occurring again.
9. Ongoing improvement of processes
In order to be audit-ready, you need to complete this final step. As your program matures, you will make constant adjustments and improvements to it. By testing, monitoring, and responding to exceptions on an ongoing basis, you will reduce your risks over time and improve your control process.
If you have questions or plan to build your IT Audit analytics, please feel free to reach out to us firstname.lastname@example.org for discussion.