Why audit?
Performing an IT audit can serve many purposes. Essentially, performing an audit or
having one done will, at the very least, leave you with a much better grasp of
the state of your IT. You will be able
to better apply this knowledge to your business processes, security, financials
and, if the audit is performed thoroughly, to Human Resource related issues.
The basic framework of an audit should assess your
Information Systems (IS) against the CIA model (Confidentiality, Integrity and
Availability, not THE CIA).
How available are the systems to business activity?
Is access to information restricted to authorized users?
How accurate, reliable and timely is the processing of information?
From that structure you can best assess how it will impact
other business areas.
With this basic knowledge in hand, you will have a better
idea of how your IS compares to similar companies in your industry or similar
environments. This knowledge can be used
to your competitive advantage, including assessing impacts on insurance or
recruitment. The audit can be further
refined to focus on individual choices in business or security solutions. This may involve engaging in various aspects
of an IT audit.
One of the pitfalls to avoid is performing one of these
aspects before gaining a firm grasp of the overall IS situation. One does not need to perform a penetration
test of the firewall only to be told that port 80 access to the website
is insecure, when it is a public website that presents basic advertising information.
Any IT audit should start with an examination of the
business plan. From there, the direction
of the audit can be decided. The
resources available here can assist you in deciding whether an IT audit is
necessary, what you wish to achieve by performing an IT audit, and how to
achieve it.