
IT and Security Audit Questionnaire

General Information:

• Name of the Company:
• Owner’s Name:
• Position:

Employee Information:

• Number of Employees:
• Departments and Roles:
• Any recent changes in staff or significant turnover?

Access Controls:

• User Accounts:
  o How are user accounts provisioned, and how quickly are they disabled when an employee leaves or changes role?
  o Is there a regular review of user access permissions, and who signs off on it?
• Administrator Accounts:
  o How are administrator privileges granted, and is each grant approved and recorded?
  o Are there restrictions on the use of administrator accounts (e.g. separate accounts for administrative work, multi-factor authentication)?
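The questions above are usually answered "yes" on paper; an auditor wants evidence. The following is an added example (not part of the original questionnaire) of the cross-check that produces it: every account in a directory export is compared against the HR roster and its own usage data, flagging accounts whose owner has left, accounts with no recent login, and administrator accounts without MFA. The account inventory, HR roster, names, dates, the 90-day threshold and the finding categories are all constructed sample data and assumptions; in a real audit the inventory would be exported from the directory or identity provider and the roster from HR.

```python
"""Access-review check for the Access Controls questions of the audit.

Added example, not part of the original questionnaire. Inventory, roster,
threshold and categories below are constructed/assumed for illustration.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    owner: str                  # person (or service) the account belongs to
    is_admin: bool
    mfa_enabled: bool
    last_login: Optional[date]  # None = never logged in


@dataclass(frozen=True)
class Finding:
    username: str
    category: str   # "orphaned", "dormant" or "admin-no-mfa"
    detail: str


# Constructed sample data: names, dates and statuses are invented.
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    Account("alice",      "Alice Rivera",    is_admin=True,  mfa_enabled=True,  last_login=date(2024, 5, 30)),
    Account("bob",        "Bob Chen",        is_admin=False, mfa_enabled=False, last_login=date(2024, 1, 15)),
    Account("carol",      "Carol Diaz",      is_admin=True,  mfa_enabled=False, last_login=date(2024, 5, 28)),
    Account("dave",       "Dave Okafor",     is_admin=False, mfa_enabled=True,  last_login=date(2024, 5, 20)),
    Account("svc-backup", "Service: backup", is_admin=True,  mfa_enabled=False, last_login=None),
]
HR_ROSTER = {            # constructed; employee name -> HR status
    "Alice Rivera": "active",
    "Bob Chen": "active",
    "Carol Diaz": "active",
    "Dave Okafor": "terminated",
}
DEFAULT_INACTIVITY_DAYS = 90   # assumed review threshold


def review_access(accounts, hr_roster, today=TODAY, inactivity_days=DEFAULT_INACTIVITY_DAYS):
    """Cross-check each account against the HR roster and its usage.

    Produces evidence for three questionnaire items:
    - owner terminated or unknown -> account should already be disabled
    - no login within threshold   -> permission review is overdue
    - admin account without MFA   -> administrator use is unrestricted
    """
    findings = []
    for acct in accounts:
        status = hr_roster.get(acct.owner)
        if status != "active":
            findings.append(Finding(acct.username, "orphaned",
                                    f"owner {acct.owner!r} is {status or 'not in HR roster'}"))
        if acct.last_login is None:
            findings.append(Finding(acct.username, "dormant", "never logged in"))
        elif (today - acct.last_login).days > inactivity_days:
            findings.append(Finding(acct.username, "dormant",
                                    f"last login {(today - acct.last_login).days} days ago"))
        if acct.is_admin and not acct.mfa_enabled:
            findings.append(Finding(acct.username, "admin-no-mfa",
                                    "privileged account without multi-factor authentication"))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'orphaned': 2, 'dormant': 2, 'admin-no-mfa': 2}."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    results = review_access(ACCOUNTS, HR_ROSTER)
    for f in results:
        print(f"{f.username:12} {f.category:13} {f.detail}")
    print(summarize(results))
```

The service account shows why the roster check matters: it has no HR owner, has never logged in and holds admin rights without MFA, so it appears in all three categories and would be invisible to a review that only looks at human accounts.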

Physical Security:

• How is physical access to IT infrastructure controlled (locks, badges, visitor logs)?
• Are there security measures in place to prevent unauthorized access to servers and networking equipment?

Data Protection:

• Data Encryption:
  o Is sensitive data encrypted, both in transit and at rest?
  o What encryption standards are employed, and how are the keys managed?
• Data Backup:
  o How often are data backups performed, and are restores tested?
  o Where are backup copies stored, and are they protected from the same threats as the primary data?

Network Security:

• How is the company’s network secured against unauthorized access?
• Are firewalls and intrusion detection/prevention systems in place, and who reviews their alerts?

Endpoint Security:

• What measures are in place to secure individual devices (computers, laptops, mobile devices)?
• Is antivirus software deployed on every device and regularly updated?

Security Policies:

• Are there documented IT security policies in place, and when were they last reviewed?
• How often are employees educated on IT security policies and best practices?

Incident Response and Monitoring:

• Is there an incident response plan in case of a security breach, and has it been exercised?
• How is network and system activity monitored for potential security incidents?

Employee Training:

• Are employees trained to recognize and report security threats?
• How often is cybersecurity training conducted?

Third-Party Access:

• Are third-party vendors or contractors granted access to the company’s IT systems?
• How is the security of third-party access managed (scope, duration, monitoring, revocation)?

Previous Security Incidents:

• Have there been any previous incidents of data breaches or security compromises?
• If yes, how were they addressed and what measures were taken to prevent a recurrence?

Employee Concerns:

• Have there been any reports or concerns raised by employees regarding IT security or theft?
• Is there a confidential reporting mechanism in place?

Legal and Compliance:

• Is the company compliant with relevant data protection laws and regulations?
• How is legal counsel involved in ensuring compliance?

Future Security Enhancements:

• Are there planned initiatives to enhance IT security in the future?
• What steps are being taken to address current concerns about employee theft?

This questionnaire is a starting point and can be customized based on the specific
needs and nature of the business. It’s essential to conduct the audit professionally,
respecting privacy and legal considerations throughout the process.
