Altius IT provides this list of the Top 10 IT Audit Questions and Answers to help you make the most of your IT security audit.
Q1: I am planning to have an IT audit. What do I need to do to prepare for the

A: Identify the purpose of the audit. Is it for peace of mind? Did you experience a security breach? Is it to help you meet compliance requirements? Did a customer request that you have a security audit? Security audits can help you identify, manage, and reduce your risks. Prior to the audit, make sure you know your environment and where sensitive data is collected, stored, and transmitted.
Q2: What is the scope and cost of a

A: Every engagement is unique and the audit can be customized to your specific needs. In most cases, the cost of the audit is directly related to the size of your environment. Identify in advance your Technical Safeguards: the number of external network entry points (public IP addresses) to be assessed, the number of applications/web sites to be audited, and the internal servers/devices to be evaluated. If desired, the auditor can also review your Administrative Safeguards, such as your policies, procedures, job descriptions, Incident Response Plan, Business Continuity Plan, Security Training and Awareness Plan, agreements with service providers, cyber insurance, etc.
Q3: Do I receive an Auditor Opinion

A: If a customer is requesting that you have an audit, you may want to provide your customer with an Auditor Opinion Letter in lieu of sending them a full audit report that could raise additional questions. Let your auditor know, prior to finalizing the engagement scope, that you need an Auditor Opinion Letter.
Q4: What type of firm should I use for my

A: For IT and cyber-related engagements, you typically want to select a Certified Information Systems Auditor. Certified auditors answer to global certifying bodies, so you are assured that their audits and recommendations are made under the highest level of quality, reliability, and thoroughness. Certified Information Systems Auditors have the knowledge and experience to evaluate your environment and help ensure your controls are sufficient and effective. Auditors are bound by a Code of Ethics and, for your benefit, are independent and do not provide IT-related services to your organization. Because the auditor is independent, there are no conflicts of interest, and the auditor's recommendations are in your best interests.
Q5: Will the audit take up much of my

A: Experienced auditors work quickly and efficiently. They know your time is valuable and they minimize their impact on your time and your environment. Prior to coming on-site, your auditor can evaluate your public network/IP addresses and review your Administrative Safeguards (policies, etc.) from a remote location. By reviewing information in advance, the auditor is more knowledgeable about your environment prior to evaluating your internal
Q6: Will my systems be impacted by the IT

A: You may see some additional traffic as the auditor evaluates your systems. However, experienced auditors use built-in protection mechanisms so your systems are not flooded with traffic that can cause user response time
Q7: How soon can the auditor get started?

A: Timing depends upon a variety of factors. Let the auditor know if it is an emergency or if you have other time constraints. In some cases the auditor will send you Worksheets that need to be filled out and returned to the auditor prior to the start of their work. The auditor will also need time to assemble the appropriate staff for the engagement. If travel is required, the auditor will need to make airline, hotel, car rental, and other
Q8: What do I do once I receive the

A: Auditors will generally provide you with a prioritized list of recommendations so you can address the areas with the greatest risks. In some instances the auditor's recommendations may be based on security issues; in others, there might be compliance requirements. Review the auditor's findings with your management and IT staff and prepare an action plan with assigned responsibilities and expected completion dates.
Q9: What type of support will I receive after the IT audit?

A: Each engagement is unique, so prior to committing to an audit, ask the auditor what type of support is available once you receive your audit report. Since the auditor needs to be independent, the auditor cannot assist with remediation or corrective action. However, your auditor should be able to answer questions regarding the findings and recommendations.
Q10: How often should I have an IT

A: New vulnerabilities are discovered on a weekly basis, and hackers are constantly improving and enhancing their techniques. In today's environment, where security breaches are announced daily, most organizations have annual audits. However, you may also want to have an audit immediately after a major change in your infrastructure or
Certified auditors can identify risk areas and make recommendations to secure systems. With the help of organizations can better protect themselves and the sensitive information stored on internal