What is IT auditing?
IT (information technology) audits examine and evaluate organisations’ IT controls – the policies and procedures that ensure information systems operate as intended.
Whether carried out internally or by independent external auditors, IT audits should provide objective assurance of corporate IT governance, risk management and/or compliance activities.
This will help demonstrate that your organisation is meeting its legal and regulatory obligations in line with its business objectives, or – if it is falling short – inform a programme of improvement.
IT audit and risk management
IT audits are an essential part of enterprise risk management. Like other types of audit, they gather qualitative and quantitative evidence, which can be assessed to identify weaknesses in your operations and inform how you resolve those weaknesses.
They can be carried out against any relevant standard or set of best practices, such as ISO 27001, SOC 2, or the CIS Controls.
IT audit standards
Audits can use a variety of standards and best practices as benchmarks, including:
ISO 27001 is the international standard for an ISMS (information security management system) – a systematic approach to organisational security that encompasses people, processes and technology. Compliant organisations can achieve certification to the Standard to demonstrate that they are following best practice. Part of the process of demonstrating compliance with the Standard is carrying out internal audits at planned intervals.
Learn more about ISO 27001 >>
SOC 2 (System and Organization Controls, formerly Service Organization Control) audit reports provide detailed information and assurance about a service organisation’s security, availability, processing integrity, confidentiality and/or privacy controls, based on their compliance with the AICPA’s (American Institute of Certified Public Accountants) TSC (Trust Services Criteria). The TSC are an industry-recognised, third-party assurance standard for auditing service organisations such as cloud service providers, software providers and developers, web marketing companies and financial services organisations.
Learn more about SOC 2 audits >>
The Center for Internet Security (CIS) Controls are a prioritised set of actions designed to mitigate common cyber attacks on systems and networks. Version 7 of the Controls comprises 20 controls, grouped into six Basic, ten Foundational and four Organizational controls, ranging from creating an inventory of hardware assets (Control 1) to carrying out penetration testing (Control 20). Version 8, released in 2021, consolidates these into 18 controls and replaces the three groupings with Implementation Groups that scale the required safeguards to the organisation’s size and risk profile.
Learn more about the CIS Controls >>