Information Technology Internal Audit

Information Technology (IT) audits address the internal control environment of automated information systems and how these systems are used.  IT audits typically evaluate system input, output and processing controls, backup and recovery plans, and system security.  As companies continue to automate tasks, the increase in automation leads to increased risks and the need for proper checks and balances.  Companies are required to protect data from unauthorized individuals, whether they are employees or outside hackers.  Recent federal and state laws make failures in information security not only a matter of embarrassment or financial liability, but lose the wrong kind of data and it could become a criminal matter.   The new world has introduced new threats such as Identity theft and cyber terrorism.  Much of the risk can be understood and mitigated by performing vulnerability assessments, penetration testing and security reviews on computer systems.  Depending on your company and industry, you may have basic IT control issues or unique ones.  We customize to your needs. 

Potential IT Audit Areas

Disaster Recovery Program - Do you have one? What happens if the computer fails? Where is your hot site or backup location? How will disaster affect your payroll? How will disaster affect your product or service fulfillment?  Decosimo's internal audit group can assist you with setting up and testing a disaster recovery program.

Physical and Cyber Security – Are you protecting your employees, assets and information from a physical or cyber attack? Is your system setup to protect against identity theft? Do you have a plan in place in case of employee negligence or malicious actions? Are you running unpatched applications?  Are you up to date on the continual barrage of exploits?  Have you evaluated attack and penetration techniques? Decosimo's internal audit division can conduct tests to evaluate preparedness, as well as assist with the setup of protection against a physical or cyber security threat.

Network Security

A company’s network is exposed to significant risks as a result of internet connections, remote access and the use of laptops.  These risks include theft, systems failures, and unauthorized access to accounting records.  Exposure of some confidential information can result in fines to the company.  We recommend companies consider a vulnerability assessment, penetration test or security assessment to evaluate the effectiveness of their network security. 

Vulnerability Assessment -  A vulnerability assessment uses security hardware and software to scan a company’s outside facing computers and connections for all known software vulnerabilities.  The scan is usually non-intrusive and can take place any time of the day or night. There is no “user” action necessary.  Vulnerability assessment reports list the vulnerabilities found on each computer scanned and provides information on how to remove or mitigate the vulnerability found.

Penetration Test - A penetration test involves trying to legally break in to your network using known exploits and vulnerabilities. The methods used can vary from simple “social engineering,” that is, tricking your users into giving up a user ID or password, to sophisticated fake websites and emails that trick your users into giving their user ID’s or passwords to a phony “administrator.”  Penetration tests usually cost more than vulnerability assessments due to their sophistication. Unlike vulnerability scans, penetration tests can degrade the performance of your network while they are being executed.  Penetration tests are invaluable in pinpointing your greatest risks. Reports are produced which detail if and how your systems were penetrated. This information can then be used to direct computer security resources more effectively, helping you spend your money more wisely. 

Security Assessment - A security assessment requires a consultant to visit your site, review your security processes and policies, test your internal computers for vulnerabilities, test internal security settings and make recommendations to help “harden” your security posture. The consultant can help in resolving vulnerabilities and security holes found during the vulnerability scan and penetration test if you desire. A consultant can also develop industry standard computer security policies for your company and also conduct security education classes for your computer users.

We Can Help

When you need to mitigate IT risk, contact Decosimo's internal audit team and ask us how we can help. Our internal audit professionals have the experience and credentials to assist you with establishing controls and processes to protect your business.  These credentials include the International Information Systems Security Certification Consortium/s (ISC2) highest designation, the CISSP certificate, as well as several Global Information Assurance Certifications (GIAC), including the Certified Incident Handler (GCIH), Security Essentials (GSEC), and the Critical Infrastructure Protection (GCIP) certifications.

Examples of Information Security Findings

• Physical tour of IT department showed access to critical infrastructure through unsecured doors that should have been closed. In addition, we noted the use of a regular, water-based fire sprinkler system, which will damage IT equipment, instead of a gas-based or other system. 
  
• A physical security audit test to enter a company was performed with no interference at all.  Sometimes it is as easy as wearing a suit and tie and acting like you belong.