Audit Checklist: How to Pass a Security Audit
By nature, an audit is an independent activity by a person or team that can present objective findings and make recommendations for corrective measures. According to Small Business Chronicle, “An internal audit helps a company ensure it has the proper controls, governance and risk management processes in place.”
Bearing in mind the positive impacts an internal audit will have on your company, and the fact that regular internal audits can help you pass a security audit should one be necessary, you may feel compelled to implement one in your business. However, before diving in, you need to have a proper internal audit checklist in place to ensure that your company is fully prepared to execute it. Here are the seven steps to pass a security audit:
Step 1. Laying Out a Plan
The initial stage is planning. The auditing team needs to understand what they want to accomplish - what they are assessing if you will. Some things to consider in this stage of your audit checklist are:
- The purpose of the internal audit
- The scope of work
- What exactly is being audited?
- Is it several processes or just one?
- What is the relevance of the process being audited? (i.e. how is the process supporting the company's objectives and goals)
- Why are the processes being audited?
- Is there a specific risk that needs to be assessed in the processes being audited?
- Has there been a previous internal audit that this one can be measured against. If so, have any new processes been added to the business since the previous audit?
Step 2. Risk Analysis and Assessment
One of the main reasons to conduct IT assessments is to ensure that the organization’s systems conform to the various policies put in place. The problem is the global business environment is fast-paced and is constantly rushing to adopt current trends. As a result, internal auditors may not always be up to date on the latest risks to new systems, and whether they are effective and/or beneficial to a company.
Due to the ever-changing business landscape it may be a good idea to employ a subject matter expert (SME) for assistance with your internal audit. It’s also wise to keep your ear to the ground with the latest business journals, blogs, and relevant publications related to your specific industry. They generally report the most important news about security breaches, new risks to processes, and other pertinent information you may need to be aware of to maintain compliance.
Step 3. Consult a Control Tool
Whether you choose to use something like the Cybersecurity Assessment Tool (CAT) for banks, or the Automated Cybersecurity Examination Tool (ACET) for credit unions, having some kind of foundation from which to build your own audit checklist for your company may be beneficial.
Step 4. Gather Relevant Documents
This is a critical step in the audit checklist because it will give your audit team instant access to things like:
- The current processes and applications being used in the company, how they support the organization’s objectives, and what policies are being implemented at the present time
- Flow charts for the how the organization works including the chain of command from entry-level employee to upper management to CEO
- Any reports that are currently available to assess if a process or application is performing well/correctly
- Login data related to any applications that are being audited so the audit team can access them and test their functionality
Step 5. Meet with the Relevant Players
Who in the company is responsible for ensuring processes are being carried out correctly? Those are the individuals your internal audit team needs to meet with to discuss the goals of and plans for the audit. If the company has key shareholders or a board of directors that need to be included in this meeting, it may be a good idea to pull them in as well to let them know what is about to take place.
Before the meeting, create a gameplan of what you will be testing, what you will be looking for, and any questions you have for these higher ups. It may be helpful to bring narrations, flowcharts, and all of the documentation you collected in step four. The more information you can gather ahead of time, and the more well-versed you are in this information prior to this meeting, the better. It may also be beneficial to bring in your SME should you have one to address any other questions or concerns that arise in the meeting.
Step 6: Prepare to Execute the Audit Program
You’ve gathered your materials. You’ve gotten clear on what you’re assessing. Now is the point in our audit checklist where you need to write out the action items of your audit program so that you can execute it. A good audit program should at a minimum include the following:
- Objectives of the process
- Control testing procedures
- The risks likely to be met during the audit process and how they will be mitigated in the event they come up
- A protocol for how you will test processes and monitor their performance
Step 7: Implementing the Audit and Reviewing Results
You’ve finally made it to the final step of the audit checklist - executing the audit. Auditing processes, especially those not previously reviewed in the past, should be examined extensively to ensure nothing was missed. The review of the audit can be completed by:
- The Senior Manager or an Internal Audit Manager
- The Chief Auditor/ aka Chief Audit Executive
- The SME and
- The Audit Customer
Passing an IT audit and any other type of internal audit that your company may wish to undertake is a great way to ensure that you are in compliance with your company’s policies and procedures.