*Sigh* . . . is there anything more boring that audits? Probably not, but that doesn’t take away the value of conducting them. We all know going through an audit feels like eating broccoli when you’re a kid—you may not enjoy it, but you know it’s good for you.
When most people hear the term “audit,” they think of taxes, but an IT audit for small business should be part of your regular routine. Sure, it may suck, but the consequences of not doing an audit will suck worse.
Learn it all in IT audits 101
If you’ve never heard of an IT audit before, you may be asking yourself (in the words of Dorothy Parker), “What fresh hell is this?” An IT audit is “the examination and evaluation of an organization’s information technology infrastructure, policies, and operations,” as defined by TechTarget. The goal is to make sure everything is running properly and to identify risks and inefficiencies.
If there’s an unnoticed security vulnerability somewhere, it could wreak havoc by opening the door to a data breach. Or, if there’s a lagging system, it could create a bottleneck that throws a wrench into productivity. Seemingly minor issues can erupt into major ones if left unattended, and it’s on IT to prevent that from happening. Performing regular audits helps you and your team stay vigilant, decreasing the chance of a big problem emerging when your proverbial pants are down.
IT audits are particularly important today because of how fast the tech field moves. Due to the pace of innovation, online security threats, pressure from competitors, new regulations, and a demanding workforce, it’s constantly evolving. To stand still is to fall behind, and the stakes are higher than ever.
Take the recent news about Equifax. Through a weak point in website software, hackers gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver’s license numbers. That’s almost half of the entire American population. While this hack stood out for its size and severity, businesses of all sizes are vulnerable. The 2017 Cyberthreat Defense Report found that an alarming 79 percent of networks were breached last year. IT audits are intended to find exploitable holes before hackers.
Take a top-down, risk-based approach
Step one is recognizing that IT audits are a good idea. But that leaves IT with the bigger question of, “How?” For businesses just getting started with this whole IT audit thing, a general, top-down, risk-based approach makes the most sense. The goal is to ferret out risks, so you can address them.
The starting point should be bringing all relevant stakeholders together to plan. Sounds like a blast, right? The fact is an IT audit for small business or large corporations doesn’t just concern the IT team; it concerns the entire organization, and you need the people in charge to be on board and cooperative. It should feel like a collaborative process—and it’ll be more insightful if input is provided by a diverse group.
During the planning meeting, outline the initial scope of the audit and your objectives. Decide what will be included in the review. For example, are regulatory compliance requirements on the table? Will systems still in development be included? Have you thought about all endpoints, including printers? You should also highlight particular areas of concern, so they can be prioritized. Are there root causes from previous IT issues that haven’t been sufficiently addressed? Has the company adequately prepared to deal with BYOD?
The top-down, risk-based methodology is based on four principles, as outlined by The Institute of Internal Auditors:
The identification of risks and related controls in IT general control processes.
The IT general control process risks that need to be identified are those that affect critical IT functionality in financially significant applications and related data.
The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and networks.
Risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual controls.
The most effective audits are done holistically. That doesn’t mean you need to take a shot of wheatgrass beforehand—it means you should use automated auditing systems (say that five times fast), along with interviews, surveys, and analysis to create a complete picture of the landscape.
Computer assisted audit techniques (CAATS) are an important part of any IT audit, too. These tools test systems to find gaps and see how systems respond when under pressure, but that doesn’t mean humans shouldn’t be involved. IT should guide the process but work closely with company leaders who are also invested in the audit’s success.
Eat your broccoli
Ultimately, it doesn’t matter whether you’re running an IT audit for small businesses or a huge company. The basic principles remain the same, although a small business has fewer departments and less complexity to deal with.
There is no hard and fast rule for how often to conduct an audit. Once a year is a good general policy, but for organizations facing a high degree of risk, it’s smart to do them more regularly. Yes, it may be a hassle, but what’s the alternative? Work can’t be fun all the time, and it’ll be even less fun if a security breach lands on your doorstep.
With cybersecurity, it’s never a good idea to wait until it’s too late. If you dread eating your IT broccoli, melt a boatload of cheese on it and get started. You’ll be glad you did.