There was a time when an IT audit simply meant locating and checking your boxes, making sure you had the right number of software licences, and confirming that everything was working correctly. Those days are long gone. It is now a multi-disciplinary specialist evaluation of every aspect of your IT infrastructure and processes: your hardware and software, your business processes and users, your conformance to legal and regulatory requirements, and your resilience to cyber threats. That is IT, HR, risk and legal, and information security just for starters, and to do it right you have to be an expert in all of them.
Let’s start with the pure business side of things. This involves ensuring that your business processes are optimised and that your IT capabilities are fully aligned with compliance requirements, all at the right cost. That alone requires an understanding of the total cost of ownership of all your IT equipment: finding, buying, training, using, maintaining and replacing it. Some of these costs are variable and easy to overlook.
A modern IT audit, however, must also ensure that your business is compliant with legal requirements (such as financial regulations and data protection law) and with external standards such as the Payment Card Industry Data Security Standard (PCI DSS), which applies if you store, process or transmit cardholder data. Ensuring compliance requires a legal understanding and a deep knowledge of your business processes.
You also need a broad and deep understanding of information security. There is a lot more to it than installing a firewall and some anti-virus software; in fact both can give you false comfort. Gartner has estimated that around 95% of firewall breaches are the result of misconfiguration rather than flaws in the firewall itself, which means the rule base, not the product, is what an auditor has to examine. Signature-based anti-virus has been found to initially detect as little as 5% of newly released malware, since a signature can only exist once a sample has been seen and analysed. Neither firewalls nor anti-virus protect your paper records, your premises or your staff, and in almost all cases they are set up to defend against outside threats, when, by some estimates, more than 80% of your risk originates inside the organisation.
But how do you audit your computer security if just ticking the “firewall” and “anti-virus” boxes isn’t enough? How do you engage with the risks arising from negligence, poor processes and employee malfeasance? What about business continuity: do you even know what assets you are protecting, never mind how you would recover from a major disaster?
The problem with all of these different aspects of an IT audit is that they are specialist subjects, and they are all interrelated, centred on information security. Few companies can cost-justify that range of expertise in-house, so the logical conclusion for most is to outsource to a specialist audit services company. But since information security is arguably the central pillar of a modern IT audit, it is essential that you choose a company with demonstrable and certified expertise in security.