The word ‘audit’ is often enough to strike fear into even the most resolute business owners. What issues will an audit raise? Will I have to fix them right away? What if it is bad news?
These questions and doubts mean that typically, SME owners do not conduct enough audits and are therefore missing key opportunities for improvement. As an IT Managed Service Provider of nearly fifteen years, we know that conducting a thorough IT audit is crucial before we can make any service recommendations.
The reality is, IT audits are really useful. They bring attention to issues that could cause crippling downtime in the future, and they open up opportunities to improve your technology and work more efficiently. Furthermore, due to COVID-19 and its effect on the business environment, technology now plays a more important role than ever in business.
When undertaking an internal IT audit, everything from physical hardware to data storage and access management is covered. The goal should be to check if all IT elements are functioning at optimal level, then, to know should anything happen, that they are sufficient enough to minimise the risk to the business. Every business is different, so the process should be co-ordinated to ensure a business is prepared for every eventuality.
We have assisted many businesses since our founding in 2006 with their IT audits to ensure their technology is future proof. By combining this experience and our knowledge into the technology sector, we have compiled a guide for you to follow should you decide to undertake this process in-house by yourself.
Steps for success
All IT audits are unique as they are very dependant on the specific needs of each organisation. However, these four steps will put you in the right direction for success.
Step #1: Define Scope
Before anything else, you will need to define the scope of your audit. Whether it is a generalised IT audit for the whole company or one more specific to the network security, you need to know what you are going to be looking at and what you can to skip.
In order to do this, a ‘perimeter’ should be drawn – a boundary around all of your valuable assets. This boundary should be as minimal as possible, encompassing any valuable assets you have that need future proofing. Everything within this boundary is what you will audit and anything outside of it should be ignored.
The best place to start with creating a perimeter is to create a comprehensive list of valuable company assets which you can distil down depending on your type audit. Businesses we have spoken have found this process to be difficult as knowing what to include can be hard to judge. In short, you should be including anything that if ever lost or destroyed, would take some money and time to recreate.
Step #2: Outline and calculate threats
Once the scope of your audit has been defined, you will need to create a list of any threats your assets can potentially face. If you’re unsure what threats to include, we have outlined some that will need to be considered below.
Malware, ransomware and hacking – External hacking is one of the greatest threats on a business and its valuable assets. No matter how big or small the organisation, or what the industry, this threat is serious and should always been considered.
Phishing and social engineering – An equally big threat to an organisation is where cyber criminals attempt to gain access to IT environments by targeting employees. In 2020, this threat is even more widespread than ever before.
Natural disasters – While natural disasters such as flooding or fires are rare, they are a viable threat to consider. This is because the repercussions of such a threat happening is devastating. Having the controls in place to protect against it will give you peace of mind, just in case.
Distributed Denial of Service (DDoS) – The impact of DDoS attacks should not be underestimated. Any user can be denied access to specific computer systems, devices, accounts and other IT resources. According to research this forms of attacks are growing in frequency, so should be considered in an IT audit.
Malicious misuse – Although you may not want to think this is a possibility, it is a threat that all companies face. Any individual who has access to your data can easily misuse or leak it, and without considering it as a viable threat, you may not be able to detect it.
Inadvertent misuse – Not all attacks that come from within your organisation are malicious. As humans we all make mistakes and if an employee accidentally leaks an asset, it pays to be prepared. This should definitely be considered.
After establishing your list of threats, it is also beneficial to calculate the risks of these threats happening. Such an assessment will allow you to put a price tag on each threat and prioritise each threat accordingly when it comes to future proofing them. Some elements to look into when calculating this include your own past experience of them, the security and technology landscape, and the state of the industry you are in.
Step #3: Construct security measures
Following your list of threats, the next step is to examine what security controls you have in place to help you decide whether you need to implement any new ones. Some of the most common security measures and ones to consider include:
- Firewall and antivirus
- Anti-spam filter
- Physical server security
- Data backup
- Multi-factor authentication
- User privilege
- Access control
- Employee security training
Step #4: Test, address, re-test
The fourth and final step is to test, address and re-test to essentially highlight any areas of weakness in your IT systems. When doing this you should collect and process data on all policies and procedures, as well as identify any deficiencies and work on how you can strengthen them to future proof your IT systems. This step is essential to a robust and successful IT audit.
Internal vs. External
When deciding to do an IT audit, the question on the minds of IT management is whether to do it internally or have an external auditor complete the process. Unfortunately, the decision of this is not as easy as you may think.
External auditors are great at what they do. They have the advantage of having a wealth of experience in completing them for a number of industries as well as access to a wide range of software and tools. However, as to be expected, they don’t come cheap and the right one with the necessary experience and knowledge can be hard to come by.
Internal audits, on the other hand, do cuts costs and are easy to do if you follow the steps listed in our guide. They can also be more efficient it is much easier for an internal employee to gather all necessary data as they know the company and should have access to it all. However, internal auditors will sometimes lack in experience and may not match the professionalism of an external auditor.
If you are struggling with knowing the best way to carry out your IT audit, we can help. entrustIT have over 15 years of experience in the technology sector and have assisted businesses like yours in future proofing their technology. Our experience has been especially useful throughout the pandemic, as we have been able to assist many of our customers in auditing the effectiveness of their technology for working from home. As disruption is expected throughout 2020 and well into 2021, an IT audit is going to be essential for companies wanting to survive past the pandemic.
Please get in touch for a free, no obligation chat with one of our experienced technicians for more information and assistance.
