Information System Audit - IT Audit - IT Security - Checklist

What is the Main Function of an Information System Audit?

The primary function of an IT audit is to evaluate the systems that are in place to guard an organization's information. Specifically, an information technology audit is used to evaluate the organization's ability to protect its information assets and to properly dispense information to authorized parties. The IT audit must evaluate the following:

  1. Will the organization's computer systems be available for the business at all times when required? (known as availability)

  2. Will the information in the systems be disclosed only to authorized users? (known as security and confidentiality)

  3. Will the information provided by the system always be accurate, reliable, and timely? (measures the integrity)

In this way, the auditor needs to assess the risk to the company's most valuable asset (its information) and establish methods of minimizing those risks.

IT audits, also known as information systems audits, system audits, IT security audits, or computer audits, comprise the following components:

  • Systems and Applications Audit: part of an IT audit that verifies that systems and applications are appropriate, efficient, and adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity. System and process assurance audits form a subtype, focusing on business-process-centric IT systems; such audits have the objective of assisting financial auditors.

  • Information Processing Facilities Audit: part of an IT audit that verifies that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.

  • Systems Development Audit: part of an IT audit that verifies that the systems under development meet the objectives of the organization and are developed in accordance with generally accepted standards for systems development.

  • Audit of Management of IT and Enterprise Architecture: part of an information system audit that verifies that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.

  • Audit of Client/Server, Telecommunications, Intranets, and Extranets: part of an information system audit that verifies that telecommunications controls are in place on the client (the computer receiving services), on the server, and on the network connecting the clients and servers.

  • Web Presence Audits: web presence assessment is part of an information system audit. The extension of the corporate IT presence beyond the corporate firewall (e.g. the adoption of social media by the enterprise, along with the proliferation of cloud-based tools such as social media management systems) has elevated the importance of incorporating web presence audits into the IT/IS audit. The purposes of these audits include ensuring the company is taking the necessary steps to:

    a. rein in use of unauthorized tools (e.g. "shadow IT")
    b. minimize damage to reputation
    c. maintain regulatory compliance
    d. prevent information leakage
    e. mitigate third-party risk
    f. minimize governance risk

  • Enterprise Communications Audits: the rise of VoIP networks, issues such as BYOD, and the increasing capabilities of modern enterprise telephony systems cause an increased risk of critical telephony infrastructure being misconfigured, leaving the enterprise open to the possibility of communications fraud or reduced system stability. Banks, financial institutions, and contact centers typically set up policies to be enforced across their communications systems. The task of auditing that the communications systems comply with the policy falls on specialized telecom auditors. These audits ensure that the company's communication systems:

  1. adhere to stated policy

  2. follow policies designed to minimize the risk of hacking or phreaking

  3. maintain regulatory compliance

  4. prevent or minimize toll fraud

  5. mitigate third-party risk

  6. minimize governance risks

An information system audit or IT audit checklist must cover the following sections:

  • Information Security Policies

  • Organization of Information Security

  • Asset Management

  • Access Control

  • Cryptography

  • Physical & Environment Security

  • Operations Security

  • Communications Security

  • Supplier Relationships

  • Information Security Incident Management

  • Information Security aspects of business continuity management

  • Compliance

  • Risk Assessment & Risk Treatment

Please note that physical and environment security (Admin), human resource security, and software development security are not part of the IT security audit, since the dedicated departments responsible for them have their own large sets of controls to address.

A mature and fully evolved IT security audit checklist must follow a risk-based thinking (RBT) process approach to IT management, and cover the elements of PDCA (plan, do, check, act) during the audit. For the IT security audit checklist, click the following:

IT Audit - IT Security - IT audit checkl