What are the different types of IS audits in information security?

IS stands for information systems and refers to any system that collects, stores or processes data for the purpose of providing information, knowledge or a product/service. An IS audit is a review of past history. The goal of this review is to gather meaningful evidence and form an objective, independent opinion of a company’s controls. Companies are required to perform audits for several different reasons, and they sometimes opt to perform audits voluntarily as a means of checking how well they are fulfilling their goals.

Categories of Audits

Internal Audits: This is when auditors perform an audit within their own organization; it is sometimes called a self-assessment. Because the auditors come from the same company, an internal audit doesn’t carry as much weight as other forms of audit, since the auditors are seen as more likely to be biased. Also, the findings usually won’t be shared outside of the company. The findings from an internal audit cannot be used for licensing or certification.

External Audits: An external audit is when a company is audited by auditors from outside the organization. For example, this can be a customer auditing its vendor/supplier to verify internal controls, compliance or the integrity of their transactions. The goal is usually to ensure that the business relationship is performing as mutually agreed upon in their contracts.

Independent Audits: These auditors are outside of the customer-supplier business relationship. Third-party independent audits are used for licensing, certification or product approval.

Types of Audits

Product Audits: These audits check the attributes of a product against its design specification, including the product’s size, function, color, markings, etc.

Process Audits: These are used to test whether a sequence of activities meets the desired requirements. Some examples are disaster recovery plans (DRPs), business impact analyses (BIAs) and business continuity plans (BCPs).

System Audits: These audits evaluate the management of individual systems, most notably the configuration of the system. In addition, an auditor would look at team members’ activities, the control environment, how system events are monitored, how changes are implemented, patching, incident response capability and more.

Compliance Audits: These verify the implementation of and adherence to a standard or regulation. This type of audit is required by many compliance regulations, such as HIPAA, SOX, GDPR and California’s consumer privacy law. Compliance audits usually test for the presence of the required security controls outlined in the regulation being audited against.

Administrative Audits: These verify that the appropriate policies and procedures exist and have been implemented as intended. This type of audit tests for the presence of the required documentation, tests that this documentation is easily accessible to employees within the company, and looks for proof that employees are complying with the rules.

Information Systems Technical Certification: This involves formal system testing against a particular standard. It can also include accreditation, which is when management accepts that a system meets a certain set of requirements.

Surveillance Audits: These audits verify that an auditee is following the correct procedures. They are usually done as a check-up between the time a company achieves certification/compliance and its recertification. For example, ISO-certified organizations undergo surveillance audits every 6 months.

Follow-up Audits: These audits are performed after an initial audit to ensure that corrective action has been implemented properly. For example, if you do a compliance audit and find that 5 necessary security controls are missing, you may schedule another audit 4 months after that audit to ensure that those problems were corrected and that your company is now compliant. Usually these audits are more focused than other audits because their scope is heavily influenced by the findings of the initial audit.

Final Thoughts

An audit is a systematic inspection of records in an attempt to gather meaningful evidence. It involves analysis, evidence testing and confirmation. A good audit must generate a report that is considered to represent a high assurance of truth. Audits can be performed by internal auditors, external auditors and independent auditors. Independent auditors provide the highest assurance because they have no affiliation with the company and their findings can be used for certification. In terms of what can be audited, you can have audits done for regulatory compliance, individual systems, products, processes and administrative policy.