Canada Inc - Auditing

Why audit?

Performing an IT audit can serve many purposes. At the very least, performing an audit or having one done will leave you with a much better grasp of the state of your IT. You will be able to better apply this knowledge to your business processes, security, financials and, if the audit is performed thoroughly, Human Resources related issues.

 The basic framework of an audit should assess your Information Systems (IS) against the CIA model (Confidentiality, Integrity and Availability, not THE CIA).

            How available are the systems to business activity?

            Is access to information restricted to authorized users?

            How accurate, reliable and timely is the processing of information?

From that structure you can best assess how it will impact other business areas.

With this basic knowledge in hand, you will have a better idea of how your IS compares to similar companies in your industry or similar environments. This knowledge can be used to your competitive advantage, including assessing impacts on insurance or recruitment. The audit can be further refined to focus on individual choices in business or security solutions. This may involve engaging in various aspects of an IT audit.

One of the pitfalls to avoid is performing one of these aspects before gaining a firm grasp of the overall IS situation. One does not need to perform a penetration test of the firewall only to be told that having port 80 access is insecure on a public website that presents basic advertising information.

Any IT audit should start with an examination of the business plan. From there, the direction of the audit can be decided. The resources available here can assist you in deciding whether an IT audit is necessary, what you wish to achieve by performing one, and how to achieve it.