IT Audit Checklist for Your IT Department

A major problem with your information technology (IT) systems can totally
disrupt your business, costing you time and money while you wait for
repairs. An IT audit checklist helps ensure that your IT department has the
necessary tools to secure your network and avoid these expensive
repairs. 

What to Include in Your IT Audit Checklist

Your IT audit checklist should cover these four areas:

Physical and Logical Security

It’s important to understand the physical security your company has in
place to safeguard sensitive corporate data. Therefore, your audit
checklist should include whether server rooms can lock and if individuals
need security badges to enter. 

It’s also critical to assess your network for security vulnerabilities. This
includes:

- Ensuring that all procedures are well-documented.
- Testing software that deals with sensitive information.
- Looking for holes in your firewall or intrusion prevention systems.
- Making sure that you’re storing sensitive data separately.
- Checking that wireless networks are secure.
- Scanning for unauthorized access points.
- Ensuring proper access control, that is, checking the identities of users and
  ensuring that they have the proper credentials to access sensitive data.

You should also determine if IT applies patches promptly and keeps all
applications and antivirus software updated. And you should look at your
critical network security practices. For example, do remote workers log on
to your network via a VPN? Do you require multi-factor authentication? Do
you restrict access to risky websites, such as file sharing and adult content
sites? Have you implemented password policy best practices?

Regulatory Compliance
Your internal auditors will be looking at whether your company complies
with the relevant regulatory requirements.

For example, companies that do business with customers in the European
Union are required to comply with the General Data Protection Regulation
(GDPR).

And healthcare organizations must comply with the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) regulations that provide
data privacy and security provisions for protecting patients’ protected
health information. Healthcare companies must also adhere to the Health
Information Technology for Economic and Clinical Health Act of 2009
(HITECH), which governs the protection of digital health information.

From an IT standpoint, publicly traded companies must comply with the
Sarbanes-Oxley Act of 2002 (SOX), which centers around financial
reporting and record-keeping. All organizations that store, process, or
transmit payment card information must comply with the Payment Card
Industry Data Security Standard (PCI DSS), which covers security around
payment processing.

If your company has to adhere to these or other regulations, you must
include all the requirements set out by each regulation in your checklist.

Data Backups
You should include a review of how and how often your company backs
up critical data in your IT audit checklist. Data backups should be part of
your disaster recovery and business continuity planning. This helps
ensure you’re prepared for potential natural disasters and cyberattacks—
and being prepared is key to keeping your company up and running. 

You should determine:

- When you last tested your backup method.
- How long it would take for your current data backup system to recover.
- How long your business could realistically afford to be down.
- The financial cost of downtime to your company.
- If you have a copy of your data offsite.
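As an added illustration (not part of the original article), the script below turns the five backup questions above into an automated check over a constructed backup inventory; the 90-day restore-test threshold and the sample records are assumptions.

```python
"""Backup-readiness check for an IT audit (illustrative, constructed data).

Each backup record is scored against the checklist questions: when the
restore was last tested, whether measured recovery time fits within the
downtime the business can tolerate, what that downtime costs, and whether
an offsite copy exists. All records below are constructed, not real systems.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class BackupRecord:
    system: str
    last_restore_test: Optional[date]    # None = restore never tested
    measured_recovery_hours: float       # observed time to restore from backup
    max_tolerable_downtime_hours: float  # how long the business can afford
    downtime_cost_per_hour: float        # financial cost of an outage (USD)
    offsite_copy: bool


def audit_backup(rec: BackupRecord, today: date, max_test_age_days: int = 90) -> List[str]:
    """Return findings for one record; an empty list means it passes."""
    findings = []
    if rec.last_restore_test is None:
        findings.append("restore never tested")
    elif (today - rec.last_restore_test).days > max_test_age_days:
        findings.append(f"restore test is {(today - rec.last_restore_test).days} days old")
    if rec.measured_recovery_hours > rec.max_tolerable_downtime_hours:
        findings.append(f"recovery takes {rec.measured_recovery_hours:g}h, exceeds "
                        f"tolerable {rec.max_tolerable_downtime_hours:g}h")
    if not rec.offsite_copy:
        findings.append("no offsite copy")
    return findings


def worst_case_outage_cost(rec: BackupRecord) -> float:
    """Cost of an outage lasting the full measured recovery time."""
    return rec.measured_recovery_hours * rec.downtime_cost_per_hour


# Constructed sample inventory (assumed values, not a real environment).
SAMPLE = [
    BackupRecord("payroll-db", date(2024, 4, 10), 6.0, 8.0, 2500.0, True),
    BackupRecord("file-server", None, 30.0, 12.0, 800.0, False),
]


def run_audit(records=SAMPLE, today=date(2024, 6, 1)):
    """Map each system name to its list of findings."""
    return {r.system: audit_backup(r, today) for r in records}


if __name__ == "__main__":
    for system, findings in run_audit().items():
        print(system, "PASS" if not findings else "; ".join(findings))
```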

Hardware
Your IT audit checklist should also include a comprehensive inventory of
your company’s hardware, noting the age and overall performance
demands of each piece.  Best practices suggest that the inventory be
maintained in an asset management system with a configuration
management database (CMDB). Typically, you should replace IT hardware
about every three to five years. With this information, you’ll know when
your hardware nears its end of life so you can plan when to purchase new
equipment. 

What does an IT audit do?

An IT audit confirms the health of your information technology
environment. It also verifies that IT is aligned with the objectives of the
business and that your data is accurate and reliable. 

The main goals of an IT audit are to ensure that your corporate data is
adequately protected, your hardware and software are appropriate and
effective, and the members of your information technology department
have the tools they need to do their jobs. An IT audit, therefore, can help
you uncover potential information security risks and determine if you
need to update your hardware and/or software. 

To prepare for an IT audit, you need to know the purpose and scope of
the audit, its time frame, and the resources you’ll have to provide. This will
depend on whether the IT audit will be conducted by an outside firm or
your own internal auditors. 

An IT audit checklist is a system that lets you evaluate the strengths and
weaknesses of your company’s information technology infrastructure as
well as your IT policies, procedures, and operations. Having an IT audit
checklist in place lets you complete a comprehensive risk assessment that
you can use to create a thorough annual audit plan. 

You can also use your IT audit checklist as a guideline for your employees.
If they know what it takes to protect data, they can help identify potential
risks or weaknesses. And finding these risks and weaknesses makes it
easier to create a plan to address them. In addition, your employees can
reference your IT audit checklist to prepare for your information
technology audits.
