How to conduct an IT audit in-house [+free template]

The word ‘audit’ is often enough to strike fear into even the most resolute business owners. What issues will an audit raise? Will I have to fix them right away? What if it is bad news?

Such concerns and doubts mean that SME owners fail to perform enough audits and thus miss crucial opportunities for improvement. With over a decade as an IT Managed Service Provider, we know that conducting a thorough IT audit is key before we can make any service recommendations.

The fact is, IT audits are truly useful. They draw attention to problems that in the future could cause crippling downtime, and open up possibilities for enhancing your technology and operating more effectively. Moreover, technology now plays a more important role than ever in business because of COVID-19 and its effect on the business environment.

When completing an internal IT audit, everything from physical hardware to data storage and access management is covered. The aim should be to check that all IT elements are functioning at an optimal level, and that, should anything happen, they are sufficient to minimise the risk posed to your organisation. Every business is different, so the process should be a coordinated effort to make sure a business is prepared for every eventuality.

We have assisted many organisations over the years with their IT audits to ensure their technology is future proof. By combining this experience and our insight into the technology sector, we have compiled a step-by-step process for you to follow should you decide to complete this process in-house by yourself.

Steps for success

All IT audits are unique as they are very dependent on the specific needs of each organisation. However, these four steps will put you in the right direction for success.

Step #1: Define Scope

You will need to determine the scope of your audit before anything else. This is necessary whether it is a generalised IT audit for the whole company or one specific to the network security of your business, so that you know what you are going to be looking at and what you can skip.

To do this draw a ‘perimeter’ – a boundary around all of your valuable assets. The boundary should be as small as possible, encompassing any valuable business assets you have that need future proofing. Everything within this boundary is what you will audit and anything outside of it should be ignored.

The best place to start when drawing a perimeter is to create a complete list of valuable company assets that, depending on your type of audit, can then be distilled down. Organisations we have spoken to in the past have commented on how difficult they found this process, as they find it hard to judge what to include. In short, you should include anything that, if ever lost or destroyed, would take money and time to recreate.

Step #2: Outline and calculate threats

Once the scope of your audit has been defined, you will need to create a list of any threats your assets can potentially face. If you’re unsure what threats to include, we have outlined some that you should consider including below.

Malware, ransomware and hacking – One of the biggest risks to an organisation and its valuable assets is external hacking. This threat is serious and should always be taken into account, no matter how large or small the company, or what the industry is.

Phishing and social engineering – In 2020, phishing and social engineering are more widespread than ever before, making them as big a threat to an organisation as external hacking. This is where cyber criminals attempt to gain access to IT environments by targeting employees.

Natural disasters – Although natural disasters such as flooding or fires are somewhat rare in the UK, they are a viable threat to consider, because if one does occur the repercussions can be devastating. Putting controls in place to protect against them will give you peace of mind, just in case one does occur.

Distributed Denial of Service (DDoS) – Organisations should not underestimate the impact of DDoS attacks. Any user can be denied access to specific computer systems, devices, accounts and other IT resources. According to research these types of attacks are growing in frequency, so they should be considered in an IT audit.

Malicious misuse – Although you may not want to think this is a possibility, it is a threat that all companies face. Any person who has access to your data can easily misuse or leak it, and without considering it as a viable threat, you may not be able to detect it.

Inadvertent misuse – Not all attacks that come from within your organisation are malicious. As humans we all make mistakes and if an employee accidentally leaks an asset, it pays to be prepared. This should always be considered.

Once you have formed your list of threats, it is also helpful to calculate the risk of each threat occurring. Such an evaluation allows you to put a price tag on each threat and to prioritise them accordingly when it comes to future proofing. Elements to look into when calculating this include your own past experience of each threat, the security and technology landscape, and the state of the industry you are in.

Step #3: Construct security measures

With your list of threats in hand, the next step is to examine what security controls you already have in place. This will help you to know whether or not you need to implement any new ones. Some of the most common security measures, and ones to consider, include:

  • Firewall and antivirus
  • Anti-spam filter
  • Physical server security
  • Data backup
  • Multi-factor authentication
  • User privilege
  • Access control
  • Employee security training

Step #4: Test, address, re-test

The fourth and final step is to highlight any areas of weakness in your IT by testing, addressing and re-testing. When doing this you should collect and process data on all policies and procedures, as well as identify any deficiencies and work on how you can strengthen them to future proof your IT systems. This step is an essential element if you want to carry out a robust and successful IT audit.
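As an added illustration of the four steps, not part of the original article, here is a small Python risk register: the threat and control names are the article's own, while the 1-5 likelihood and impact scales, the control-to-threat mapping and the sample assets and figures are assumptions made for the example.

```python
from dataclasses import dataclass

# Step 3's control list mapped to the Step 2 threats each control mitigates.
# The mapping itself is an assumption made for this example.
CONTROLS_FOR = {
    "Malware, ransomware and hacking": {"Firewall and antivirus", "Data backup"},
    "Phishing and social engineering": {"Anti-spam filter", "Employee security training",
                                        "Multi-factor authentication"},
    "Natural disasters": {"Physical server security", "Data backup"},
    "DDoS": {"Firewall and antivirus"},
    "Malicious misuse": {"User privilege", "Access control"},
    "Inadvertent misuse": {"Employee security training", "Data backup"},
}

@dataclass
class Asset:
    name: str
    rebuild_cost: float   # Step 1 test: money and time needed to recreate it if lost
    in_scope: bool = True  # inside the drawn perimeter?

@dataclass
class Threat:
    name: str
    likelihood: int  # 1 (rare) .. 5 (expected soon); the scale is an assumption
    impact: int      # 1 (minor) .. 5 (crippling downtime)

def risk_score(t: Threat) -> int:
    return t.likelihood * t.impact  # 1..25

def price_tag(asset: Asset, t: Threat) -> float:
    # Rough expected loss: scale the rebuild cost by how badly the threat scores (assumed model)
    return round(asset.rebuild_cost * risk_score(t) / 25, 2)

def audit(assets, threats, controls_in_place):
    """Step 4 view: (asset, threat, score, price_tag, missing_controls) rows, highest risk first."""
    rows = []
    for a in (x for x in assets if x.in_scope):  # anything outside the perimeter is ignored
        for t in sorted(threats, key=risk_score, reverse=True):
            missing = sorted(CONTROLS_FOR.get(t.name, set()) - set(controls_in_place))
            rows.append((a.name, t.name, risk_score(t), price_tag(a, t), missing))
    return rows

# Constructed sample data for a small firm (figures are illustrative, not from the article).
ASSETS = [Asset("Customer database", 40000.0), Asset("Staff laptops", 12000.0),
          Asset("Old marketing PC", 500.0, in_scope=False)]
THREATS = [Threat("Malware, ransomware and hacking", 4, 5), Threat("Phishing and social engineering", 5, 4),
           Threat("Natural disasters", 1, 5), Threat("DDoS", 2, 3),
           Threat("Malicious misuse", 2, 4), Threat("Inadvertent misuse", 4, 3)]
IN_PLACE = ["Firewall and antivirus", "Data backup", "Anti-spam filter"]
```

Each row's `missing_controls` list is the gap to address before re-testing; rerun `audit` with the updated `IN_PLACE` list to confirm the gap has closed.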

Internal vs. External

When deciding to do an IT audit, IT management often find themselves questioning whether they should do it internally or have an external auditor complete the process. Unfortunately, the decision is not as easy as you may have hoped.

External auditors are great at what they do. They have the benefit of a wealth of experience in completing audits across a variety of industries, as well as access to a wide range of software and tools. However, as you would expect, they don’t come cheap, and it can be hard to find the right one with the necessary experience and knowledge.

On the other hand, internal audits do minimise costs and are simple to do if you follow the steps in our guide. It is also easier for an internal employee to obtain all the required data, as they know the business and should have ready access to it all. However, internal auditors can sometimes lack experience and may not match the professionalism of an external auditor.

If you are struggling with knowing the best way to carry out your IT audit, we can help. Serval IT Systems have over a decade of experience in the technology sector and have assisted companies like yours in future-proofing their technology. Our experience has been especially useful throughout the pandemic, as we have been able to assist many of our customers in auditing the effectiveness of their technology for working from home. As disruption is expected throughout 2020 and well into 2021, an IT audit will be paramount in helping companies navigate through and survive past the pandemic.

Please get in touch for a free, no-obligation chat with one of our experienced technicians for more information and assistance.