|Home > Services > Audit and Assurance > Internal Audit|
Information Technology Internal Audit
Information Technology (IT) audits address the internal control environment of automated information systems and how these systems are used. IT audits typically evaluate system input, output and processing controls, backup and recovery plans, and system security. As companies continue to automate tasks, the increase in automation leads to increased risks and the need for proper checks and balances. Companies are required to protect data from unauthorized individuals, whether they are employees or outside hackers. Recent federal and state laws make failures in information security not only a matter of embarrassment or financial liability, but lose the wrong kind of data and it could become a criminal matter. The new world has introduced new threats such as Identity theft and cyber terrorism. Much of the risk can be understood and mitigated by performing vulnerability assessments, penetration testing and security reviews on computer systems. Depending on your company and industry, you may have basic IT control issues or unique ones. We customize to your needs.
Potential IT Audit Areas
Disaster Recovery Program - Do you have one? What happens if the computer fails? Where is your hot site or backup location? How will disaster affect your payroll? How will disaster affect your product or service fulfillment? Decosimo's internal audit group can assist you with setting up and testing a disaster recovery program.
Physical and Cyber Security – Are you protecting your employees, assets and information from a physical or cyber attack? Is your system setup to protect against identity theft? Do you have a plan in place in case of employee negligence or malicious actions? Are you running unpatched applications? Are you up to date on the continual barrage of exploits? Have you evaluated attack and penetration techniques? Decosimo's internal audit division can conduct tests to evaluate preparedness, as well as assist with the setup of protection against a physical or cyber security threat.
A company’s network is exposed to significant risks as a result of internet connections, remote access and the use of laptops. These risks include theft, systems failures, and unauthorized access to accounting records. Exposure of some confidential information can result in fines to the company. We recommend companies consider a vulnerability assessment, penetration test or security assessment to evaluate the effectiveness of their network security.
Vulnerability Assessment - A vulnerability assessment uses security hardware and software to scan a company’s outside facing computers and connections for all known software vulnerabilities. The scan is usually non-intrusive and can take place any time of the day or night. There is no “user” action necessary. Vulnerability assessment reports list the vulnerabilities found on each computer scanned and provides information on how to remove or mitigate the vulnerability found.
Penetration Test - A penetration test involves trying to legally break in to your network using known exploits and vulnerabilities. The methods used can vary from simple “social engineering,” that is, tricking your users into giving up a user ID or password, to sophisticated fake websites and emails that trick your users into giving their user ID’s or passwords to a phony “administrator.” Penetration tests usually cost more than vulnerability assessments due to their sophistication. Unlike vulnerability scans, penetration tests can degrade the performance of your network while they are being executed. Penetration tests are invaluable in pinpointing your greatest risks. Reports are produced which detail if and how your systems were penetrated. This information can then be used to direct computer security resources more effectively, helping you spend your money more wisely.
Security Assessment - A
security assessment requires a consultant to visit your site, review your
security processes and policies, test your internal computers for
vulnerabilities, test internal security settings and make recommendations to
help “harden” your security posture. The consultant can help in resolving
vulnerabilities and security holes found during the vulnerability scan and
penetration test if you desire. A consultant can also develop industry standard
computer security policies for your company and also conduct security education
classes for your computer users.
When you need to mitigate IT risk, contact Decosimo's internal audit team and ask us how we can help. Our internal audit professionals have the experience and credentials to assist you with establishing controls and processes to protect your business. These credentials include the International Information Systems Security Certification Consortium/s (ISC2) highest designation, the CISSP certificate, as well as several Global Information Assurance Certifications (GIAC), including the Certified Incident Handler (GCIH), Security Essentials (GSEC), and the Critical Infrastructure Protection (GCIP) certifications.
Examples of Information Security Findings
Decosimo is an independently owned and operated member firm of both the Moore Stephens North America (MSNA) association of member firms and the Moore Stephens International Limited (MSIL) network of member firms. Neither MSNA nor MSIL provide services to clients. Decosimo is a separate and distinct legal entity, subject to the laws and professional regulations of the jurisdictions in which it operates, and is not authorized to obligate or bind MSNA, MSIL, or any other member firm of MSNA or MSIL. Decosimo is liable only for its own acts or omissions and not those of any other person or entity including MSNA, MSIL and other member firms of MSNA and MSIL.