IT Audits: The verify in “trust and verify”
Auditing is becoming an increasingly important aspect of cybersecurity. A cybersecurity audit can give you valuable insight into the risk factors that could be making your company vulnerable. It can also help you stay within legal and regulatory requirements. For example, in early 2020, the Department of Defense (DoD) announced that it would require third-party Cybersecurity Maturity Model Certification (CMMC) audits of contractors that process DoD data.
More and more industries, companies, and regulators are stepping up and not just trusting but verifying that cyber controls are in place, using effective auditing methods. By managing the risk of cyber threats, you can prevent damage to your reputation and loss of revenue. But what exactly is a cybersecurity audit, and what other benefits can it bring to your organization?
What is an IT Audit?
A cybersecurity or IT audit is a comprehensive analysis of your business’s IT infrastructure, its threats, weaknesses, and high-risk practices. The process includes the examination and evaluation of your organization’s information technology infrastructure, policies, and operations.
During this review, IT auditors examine physical and digital security controls, and business and financial controls that involve information technology systems. The goal is to demonstrate that your organization has taken all the necessary steps to protect your client and company data – and avoid potentially hefty penalties in the case of a breach.
Objectives of an IT audit
The objective of running an IT audit is to demonstrate how adequate your cybersecurity controls are and to align them with legal and regulatory requirements. Ultimately, you want to show that your company maintains confidentiality and integrity and that your digital assets are always available.
All businesses want to protect their information assets. Many cybersecurity incidents happen (or are made worse) because asset data management is unavailable or is not used effectively: an internet service provider fails to apply the latest security update, an employee’s account is not disabled when the person leaves the company, or there is a server in your datacenter whose purpose nobody is sure of.
All of these can result in vulnerabilities, but there are also other reasons why you might want to run a cybersecurity audit. For instance:
- To ensure the privacy of internal and external stakeholders.
- To protect the reputation of your firm.
- To comply with federal and state laws, industry guidelines and contracts.
- To ensure confidentiality, integrity, and availability of the digital assets.
The first step of running any cybersecurity audit is to create a digital asset inventory that includes all systems, software, hardware, devices, communication infrastructure, asset owners, and vendors related to your organization.
To create this inventory, you need to make sure the business’s cybersecurity controls are designed properly and can operate effectively.
Trust and Verify
The RiskQ audit module allows companies to verify their controls. First, assessors collect evidence. Then, auditors review and determine if the control is sufficient or not. Our workflow engine allows us to move the tasks between teams and act as the single source of truth for the auditor.
The 4 Phases of an Audit
There are four phases to an effective cybersecurity audit: Planning, Fieldwork, Reporting, and Follow Up. Let’s look into each of them in a little more detail.
Phase 1: Planning an IT Audit
You can divide the planning phase of an audit into two essential parts. First, you should prioritize the audit. Then, you can prepare for the Audit Kickoff.
The first step is to plan to succeed by prioritizing what is most important to audit. You will need to gather information about the digital assets and create a project plan.
Digital asset risk-based auditing uses impacts and likelihoods to assess risk and prioritize decisions for the IT auditor. These probabilities relate to decisions regarding compliance testing or substantive testing.
For example, in a digital asset risk-based approach, IT auditors prioritize testing internal and operational controls based on which digital assets are most important – and therefore require more protection. The goal of this cost-benefit methodology is to reduce risk. For this step, the IT auditor needs to have:
● Specific information about your business and industry knowledge.
● All results for previous audits.
● Any relevant regulatory laws and guidelines.
● The inherent digital asset scoring and control assessments.
It’s also essential to consider all “inherent risks” as part of your cybersecurity audit. These are the risks that exist due to behavioral and user attributes (or, in other words, vulnerabilities such as unauthorized access points, phishing scams, insider threats, or poor data handling). For a control to be effective, you will want to look across the infrastructure for any and all security gaps and prioritize audit findings based on inherent cyber risk scores.
The IT auditor will also need to identify seven other areas/items to gain an understanding of the existing infrastructure and internal control structure:
● Digital asset inventory
● Digital asset exposures
● Control environment
● Control procedures
● Detection risk assessment
● Control risk assessment
● Equate total risk
Once the IT auditor has gathered all the information required for planning and understands the cybersecurity controls to prioritize, they are ready to begin the audit. It’s now time to select the applications they will want to audit – and that support the most critical or sensitive functions in your business. An up-to-date digital asset inventory and exposure quantification can help you do this more efficiently.
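Added example (not from the article or the RiskQ product) of the risk-based prioritization the planning phase describes: each digital asset gets an inherent score from impact and likelihood, the control assessment reduces it to a residual score, and the ranked result decides what to audit first. The 1-5 scales, the weighting formula, the field names and the sample inventory are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List

# Constructed 1-5 rating scales and weighting formula (assumed for illustration;
# the article gives no formula, and this is not the RiskQ scoring method).
@dataclass(frozen=True)
class DigitalAsset:
    name: str
    owner: str                    # "" when nobody can say what the asset does
    impact: int                   # 1 (negligible) .. 5 (severe) if compromised
    likelihood: int               # 1 (rare) .. 5 (almost certain) given its exposures
    control_effectiveness: float  # 0.0 (no working control) .. 1.0 (fully effective)
    prior_findings_open: int = 0  # unresolved items from previous audits

def inherent_risk(asset: DigitalAsset) -> int:
    """Inherent risk ignores controls: impact x likelihood (max 25)."""
    for value in (asset.impact, asset.likelihood):
        if not 1 <= value <= 5:
            raise ValueError(f"{asset.name}: ratings must be 1..5, got {value}")
    return asset.impact * asset.likelihood

def residual_risk(asset: DigitalAsset) -> float:
    """Residual risk = inherent risk x control risk, where control risk is the
    share of the threat the assessed control does not mitigate."""
    if not 0.0 <= asset.control_effectiveness <= 1.0:
        raise ValueError(f"{asset.name}: control effectiveness must be 0..1")
    return round(inherent_risk(asset) * (1.0 - asset.control_effectiveness), 2)

def audit_priority(inventory: List[DigitalAsset], budget: int) -> List[str]:
    """Return the `budget` asset names to audit first. Unowned assets go to the
    top regardless of score; the rest rank by residual risk, then open prior
    findings, then inherent risk."""
    def sort_key(a: DigitalAsset):
        return (a.owner == "", residual_risk(a), a.prior_findings_open, inherent_risk(a))
    ranked = sorted(inventory, key=sort_key, reverse=True)
    return [a.name for a in ranked[:budget]]

# Constructed sample inventory (not real systems).
INVENTORY = [
    DigitalAsset("claims-db", "finance-it", impact=5, likelihood=4, control_effectiveness=0.8, prior_findings_open=1),
    DigitalAsset("hr-portal", "hr", impact=4, likelihood=3, control_effectiveness=0.5),
    DigitalAsset("marketing-site", "marketing", impact=2, likelihood=5, control_effectiveness=0.9),
    DigitalAsset("legacy-srv-17", "", impact=3, likelihood=3, control_effectiveness=0.0),
    DigitalAsset("vpn-gateway", "netops", impact=5, likelihood=3, control_effectiveness=0.6, prior_findings_open=2),
]

if __name__ == "__main__":
    for a in sorted(INVENTORY, key=residual_risk, reverse=True):
        print(f"{a.name:15} inherent={inherent_risk(a):2} residual={residual_risk(a):5.2f}")
    print("audit first:", audit_priority(INVENTORY, 3))
```

Note that the unowned server outranks the claims database even though its inherent score is lower: with no control assessed, nothing mitigates it.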
Preparing for the Audit Kickoff
The planning stage kicks off when the auditors issue a letter informing the teams involved that an audit will take place. You should always give your teams sufficient notice to prepare – the more time, the better. Teams are busy and will need to be resourced for the audit. They will likely need to plan their time, collect all relevant documentation, and make resources available.
Depending on the auditors, it’s possible they may already know your organization’s IT environment and have a set agenda of what they want to review or discuss. If the auditors do not understand your IT environment, or if this is an audit of a new system, they will have some preliminary questions they need to ask.
Preparing your Inventory
By now, you should have a complete inventory of your digital assets, including systems, hardware, software, technologies, data types, where they are located, ownership, vendors, and their relationships. In other words, all the information about them. Where are they physically located? Where are all of your network closets? Where are your wiring closets? Where are your data centers? What is your infrastructure vs. what you are outsourcing? Do you have contracts and agreements with those people? Teams must have those at the ready for the auditors.
Preparing your Documentation
It’s also highly beneficial if you have copies of the approved policies and procedures ready for the auditor’s review. Drafts are not acceptable. All of the documents you provide must be signed and dated and include all the revision information, including the next revision date. All policies and procedures must be kept updated regularly, too. If something is not documented, it does not officially exist. Lastly, a lot of IT project work will be happening at the time of the audit. Make sure this is correctly documented as well, to eliminate unnecessary confusion (the auditor has to compare the work against its specifications).
Auditors have different technical skills; some of them may be good at testing Active Directory, Unix systems, or mainframes. Some of them may know how to test different types of security systems. No one auditor knows everything. The audit team has to also determine what skills they will need to perform the audit.
To avoid spending time gathering all this information, make sure you can provide the auditor with all your documentation ahead of time. This includes processes, procedures, flow charts, data mappings, and other useful records. If it is an application or system they are reviewing, they will want to see it. If you don’t have these documented already, you are going to need to start gathering this information. You should also be ready to answer pertinent questions, confirm assumptions and ask about things that were not clear.
Providing Auditors with Past Records
You can provide your auditor with evidence from prior audits to tell the history of a specific digital asset, including its strengths and weaknesses. For example, if you have fixed something in the past, be upfront about it and show what was done and what was fixed. If it was not tested, the auditors will have to test it. This way, the auditing team will be able to see if they get the same issue or if it has been resolved.
Be prepared to show evidence and have the status tracked in case something is not complete, planned, or simply not done. The key is to know why it was not fixed, or how it was fixed to ensure that it can be re-tested. Maybe you had something that took a higher priority, and you could not get to test this in time. There needs to be proof that this project is in flight, its status, and an actual end date.
Auditors must be shown that you are taking cybersecurity seriously. For issues that are still open, be prepared to present status and evidence that progress is being tracked and reported to senior IT Management and Information Risk. Depending on the control, you may have to wait a full year to do a test. If it is an annual control, you may need to wait to see if it is fixed or not. Are there any issues that have come up since then? Provide all the updates to the auditors.
Learning From Your Cybersecurity Audits
Running a cybersecurity audit can also provide your team members with an opportunity to talk about lessons learned from previous audits. It’s always important to keep everyone updated about what is happening with the auditing process. This will also be done when the audit report is being issued. Communication is critical with the auditors and the business; it needs to be a two-way conversation and should happen during fieldwork as well.
Planning the Kickoff Meeting and Audit Length
After you receive an announcement letter, there will be a kickoff meeting. It would be best if you had your team assembled and asked the auditors who they need (they will be able to tell you this). Do not bring just one or two people. Bring your whole team and let them decide who is needed or not. The boots-on-the-ground people will be needed to help answer any questions about the business, systems, controls, and risks to scope the audit correctly.
Discuss how long a period the testing will cover. Will it cover half a year? A full year? These questions are all fair game, because you do not have the resources to dedicate people full time to this over a long period. Do not be afraid to ask the auditors questions, for example: “You want to test for one year, so why are you testing the first six months when we are implementing controls in the second half of the year?”
Phase 2: Fieldwork: Environment Walkthrough and Interviews
Once you are done with the planning phase of your cybersecurity audit, you should have your scope and the areas you will cover – and the teams are defined and ready to go. The plan is in place. It is now time to schedule a walkthrough of the environment and the interviews.
First, make sure your team is ready. Let the audit team schedule their meetings but make sure they manage everything.
Picking the Correct Team Members to Interview
Auditors have the right to speak to some people individually. Some people feel threatened and do not tell the whole truth when they have someone looking over their shoulder. However, there might be a rational reason you do not want that person alone in the room. Make expectations clear before each meeting. When the meeting is getting scheduled, ensure that you have provided the auditor with a competent, knowledgeable person who knows what is going on, is confident in the process, and good at explaining themselves… and knows when to hold their tongue, too. If you have a new team member and you want to sit in, just explain that to the auditor.
Acting When an Anomaly is Found
As soon as the audit team identifies an anomaly, there needs to be a check to make sure that the analysis and testing were done correctly. This should be brought to the control owner. Does this make sense to you based on what we discussed? Remember, the auditor is still learning about your digital assets or company if they are external auditors.
Based on what the auditor was initially told, they will test and confirm findings with the owners. If the owner indicates that the test was not done right, then they will need to rescope it and do it over. However, it could also be that they found something and may need to write it up better. Those discussions allow the auditors and the owners to learn from each other.
Documenting Everything in Writing
When doing a cybersecurity audit, you should always ensure that all the resulting information is written up properly. A comma can make a world of difference; the way things are written is very fundamental. When you put everything you have done into writing, make sure everything can be clearly understood by anyone reading it. The proper context is critical and usually the hardest part to get right. If you are being audited, there is nothing that prevents you from asking, “how is it going? Is there anything I need to know now?” Do not wait until the report goes out because then it is too late.
Be Transparent with Your Controls
All controls you already have in place in your organization will be most likely in scope for testing. If something does not exist, there is no need to test it. Perhaps something should be set up but it cannot be tested because you do not have it. It’s always better to be transparent. Show the controls you have in place, and indicate that they will find a few flaws and let them test. Do not wait for the auditor to find it and then admit you knew about the issue all along.
Collaborate With Your Auditors
As auditors find anomalies (and it’s likely they will, for that is the purpose of assessing your cybersecurity risks), they will bring them up to your team and verify them. There’s no reason why you shouldn’t be able to work with the auditors before they give the draft report. For example, you can provide information about who may fix certain issues and speak to them as soon as possible to understand how long they may need and the dependencies. Ultimately you will sign off that you are taking care of it, but it may be someone other than you that is fixing that particular issue. It’s easier to do this before the audit report goes out.
Phase 3: Reporting
After a cybersecurity audit takes place, it’s time to provide all the stakeholders with a draft report. Although there should be nothing new coming up on that report at this point (all that needs to be discussed is corrective actions and target dates), this is the part in the process where a lot of issues start occurring.
First, your teams will need to calculate how long it will take to fix an issue, keeping in mind all relevant resources, priorities, etc. This must be considered and done thoroughly. Fixing things may take months. If the fix is being tracked through a monthly status report from a system, you may need several of those reports before you can tell whether you are making real change.
Design vs Operating Effectiveness
There are two things to keep in mind when fixing issues arising from your cybersecurity audit. The first is the design of the control. The second, its operating effectiveness. Is the control designed properly? Is that the issue? Or is it operationally ineffective?
As an example, take a signature process. A claim check being sent out for anything over $99,000 requires three approvals. One person is out on vacation. This person keeps getting an email to approve the payment. They are out of the office, and the process is stalled. It is essential to know if there is a regulation tied to that payment. In this case, the person who was out did nothing wrong; however, the process was not set up to delegate the approvals to someone else – there should have been an alternate approver. This is a design flaw in the control process.
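The signature-process example above, as an added illustration that is not part of the original article: the same approval control is given a design test (does every approver have an alternate?) and an operating-effectiveness test (did payments over the threshold actually get three entitled approvals?). The $99,000 threshold and three-approval rule come from the scenario; the approver roster, the delegate mechanism, the class and function names and the payment log are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

THRESHOLD = 99_000       # claim checks over this amount need three approvals (article scenario)
REQUIRED_APPROVALS = 3

@dataclass
class Approver:
    name: str
    delegate: Optional[str] = None  # alternate entitled to sign while this person is out
    out_of_office: bool = False

@dataclass
class ApprovalControl:
    approvers: List[Approver]

    def design_gaps(self) -> List[str]:
        """Design test: every approver needs a named alternate, or one absence stalls the control."""
        gaps = []
        if len(self.approvers) < REQUIRED_APPROVALS:
            gaps.append(f"only {len(self.approvers)} approvers configured")
        gaps += [f"{a.name} has no delegate" for a in self.approvers if a.delegate is None]
        return gaps

    def entitled_today(self) -> Set[str]:
        """Who may sign on the day under test: present approvers, or the delegate of an absent one."""
        names = set()
        for a in self.approvers:
            if not a.out_of_office:
                names.add(a.name)
            elif a.delegate is not None:
                names.add(a.delegate)
        return names

    def can_complete(self) -> bool:
        """False means a payment over the threshold stalls, as in the article's example."""
        return len(self.entitled_today()) >= REQUIRED_APPROVALS

def operating_gaps(control: ApprovalControl, payments: List[Dict]) -> List[str]:
    """Operating-effectiveness test: flag payments over the threshold released with too few entitled approvals."""
    entitled = control.entitled_today()
    gaps = []
    for p in payments:
        if p["amount"] <= THRESHOLD:
            continue
        valid = {s for s in p["signed_by"] if s in entitled}
        if len(valid) < REQUIRED_APPROVALS:
            gaps.append(f"{p['id']}: {len(valid)} valid approvals of {REQUIRED_APPROVALS}")
    return gaps

# Constructed payment log (made up; not real data), as if exported from the claims system.
PAYMENT_LOG = [
    {"id": "CLM-1", "amount": 120_000, "signed_by": ["ana", "cy"]},
    {"id": "CLM-2", "amount": 50_000, "signed_by": ["ana"]},
    {"id": "CLM-3", "amount": 250_000, "signed_by": ["ana", "cy", "eve"]},
]
```

A control can pass the design test and still fail the operating test (CLM-1 went out with two signatures), which is why the two are reported separately.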
Issuing the Final Report
Once management owners have signed off on the draft report, it’s time to issue the final report. At this point, keep in mind that all the dates should be decided, and there should be no further changes to the documents. So, if you want to make sure they contain everything you need to close your cybersecurity audit, remember that you don’t need to wait for the draft from the auditors. You can talk with them regularly during both the planning and the fieldwork phases of the process.
Clearing the audit report may take twice as long as running the audit itself. This is why it’s important for system owners to be consulted about how issues will be resolved, the timeline, and any resources required to execute the plan.
Phase 4: Follow Up
You now have gone through planning, kicking off, interviews, and have an audit report as a result of your efforts. As a general rule of thumb, you should always use project management best practices – both when auditing and in the follow-up. This includes what, how, when, who, and the dependencies for applying the changes you have uncovered.
Ensure that you have realistic target dates for your actions. Your plan should always align with the issues identified. Make sure what you are saying you are going to resolve actually makes sense for that issue. For example, if the issue talks about removing access for terminated employees, do not distract the team talking about some other related security gap or anything else that is not relevant to the issue at hand.
Everything you are going to fix also needs to be measurable to ensure that it is verified as complete. That is why it is important to pick the right person to do the fix, in an understandable project format, with the correct information for the auditor.
If management is using other projects to fix the current issue, ensure mitigating controls are considered as a short-term solution until the other project has been completed and the control re-tested.