IT Audit Process

Published: June 14, 2006

By Bill Canning
Program Manager, Microsoft Corporation

Audits are a critical component of the regulatory compliance process. In general, it is the auditors who will determine whether your organization is in compliance with the regulations and standards that it must address. For example, in regard to Sarbanes-Oxley (SOX), external auditors will often determine the adequacy of the internal controls in your organization as part of the audit in relation to annual financial reporting. Understanding how the audit process works and how auditors operate is important because it informs IT managers how to establish an environment that is compliant and easy to audit. This topic focuses on how auditors conduct the IT audit process.

It is important to understand what auditors look for during a compliance audit. During the audit, the auditors look for evidence that indicates:

  • The organization has designed effective controls to address its compliance requirements, and there are no design deficiencies.

  • The organization consistently applies the controls it has designed, and there are no operational deficiencies.

If the auditors do not find evidence of an effective control program, or they find that the organization is not adhering to the control program, they note these deficiencies in their final audit report. This audit report is generally provided to the organization’s audit committee so that identified issues get the appropriate level of management exposure. Obviously, it is preferable that there be no deficiencies noted in this report.

The following process describes the general activities that auditors conduct during an audit. Your auditor might conduct the audit using a slightly different approach:

  • Step 1: Plan the audit (auditor)

  • Step 2: Hold audit kickoff meeting (auditor/organization)

  • Step 3: Gather data and test IT controls (auditor/organization)

  • Step 4: Remediate identified deficiencies (organization)

  • Step 5: Test remediated controls (auditor/organization)

  • Step 6: Analyze and report findings (auditor)

  • Step 7: Respond to findings (organization)

  • Step 8: Issue final report (auditor)

Understanding the steps in the IT audit process positions IT managers to know what to expect from the audit. In this way, you can better achieve your organization's regulatory compliance objectives, and optimize the audit process to complete it more efficiently.

How to Optimize the Audit Process

There are many ways to make the audit process more efficient and less difficult. These include:

  • Work with the auditor early in the process to understand the key areas on which they plan to focus during the audit. In some cases, you can reprioritize projects to ensure that you address what the auditors see as key risks in the environment, thus avoiding deficiencies in the audit.

  • Implement automated IT controls whenever possible. These controls are superior to manual ones because auditors can more easily test and validate them.

The best way to optimize the efficiency and lower the cost of the IT audit process for your organization is to:

  • Maintain clean and concise documentation of IT controls and keep it updated.

  • Organize your IT controls to work with the framework that your auditors use. This will help ensure that you and your auditors communicate clearly about the regulatory objectives.

  • Take advantage of an IT controls framework. This will help you to more effectively address a variety of regulations with a single set of controls.

Further guidance on control frameworks and planning options to realize IT control efficiencies for your organization can be found in the Regulatory Compliance Planning Guide.