We have an IT department. Why is it necessary to have our IT systems audited by an outside auditor?
A company's basic responsibilities to its shareholders, clients, and trading partners include providing assurance that the electronic work environment is sufficiently secure and compliant and is being operated using best practices. Having your internal IT team conduct all your audits is a little like having the fox watch the hen house; it is not an industry best practice. Independent audits provide clear, unbiased opinions about the status of your solutions as they pertain to your policies or business practices.
Is this a legal requirement?
In some cases, when considering the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA), or Gramm-Leach-Bliley (GLBA), there is a legal requirement to have IT audits conducted on an annual basis.
A lot of firms offer IT audits. What exactly should we look for when choosing an IT auditor?
Making the right decision is not always easy, but it is very important to hire the best professional for your organization. First, look for an IT auditing firm that is focused on the technology, that uses certified auditors and that is not your company's architect, developer, or IT implementer. The company should have a reputation for being a firm but fair auditor; it should employ trained, experienced, and certified auditors; and it should provide a verified list of clients. You should look for a firm that has been accredited by a nationally known organization such as the Mortgage Bankers Association and also determine whether the firm is in good standing with its recognized association.
My CPA firm performs a financial audit for us every year and they always offer us an IT audit, but I've heard that CPAs should not be conducting these types of IT audits. Why not?
For exactly the same reason you would not call your dentist when you need your doctor. A CPA assists you in accounting and financial matters. Tax law alone changes every year, with tens of thousands of amendments. How is it possible for one profession to be proficient in so many diverse areas of expertise? You would not want your podiatrist to be your cardiologist, lawyer, and dermatologist. An IT auditor is there to help you ensure that your IT systems are secure, compliant, and independently assessed. The best ANSI-accredited professional certification for attesting to your IT systems is the Certified Information Systems Auditor (CISA).
It seems like most of the firms that offer IT audits are very large, well-established companies. I am not so sure about using a small firm.
As with any professional service, you need to conduct your research, interview your potential auditing firm, and verify the company's references or client list. In today's rapidly changing world, small firms are often the best-value alternative, with auditors who are former employees of exactly the same firms that everyone knows. For example, eValid8 is a growing company, but our auditing work has been for very large, influential corporations. As our company grows, we believe it is more important to focus on the experience and integrity of the auditing firm rather than its size. Even the largest companies use small auditing firms under their umbrella, or even as subcontractors, to conduct IT audits. So why wouldn't you just use the best -- eValid8?
What do we actually learn by having an IT audit?
What you will actually learn depends on the firm conducting your audit. The eValidated process is a collaborative and cooperative process where audit findings are shared with the stakeholder as they are discovered. Our process differs distinctly from the practices of most audit firms, where the audit is conducted in a "black box or cone of silence" until the final report is delivered, at which point you are handed your list of discrepancies. We believe in working with our clients, sharing our industry experience and knowledge, and helping our clients make informed decisions on how best to improve their practice or solution. Our goal is to help you perform better.
How long will an IT audit take?
The length of time to conduct an IT audit depends on several factors. The type of audit, the system being verified, whether the environment is collaborative and cooperative, the number of criteria, the methodology used to conduct the audit, and the experience of the auditor all play a part. The eValidated audit is managed from the start with a Letter of Management Assertions that defines the parameters of the audit and scope. The parameters are then converted to milestones and the audit is entered into a project management software package so the project can be managed proactively. This process is key to keeping our clients informed during all phases of the audit.
What happens when the audit is completed?
The audit outcome is a report that provides your organization with a synopsis of events or conditions that existed during the stated audit period. These events or items can then be reviewed by management and implementation teams to determine whether any action is required to improve or enhance the current solution. Only when the concerns of all affected parties have been addressed should your organization roll out any enhancements or added functionality to your IT system.
I noticed that eValid8 uses CISA designated auditors. Why is that important?
Agencies of the Federal Government, such as the Departments of Defense, State, Treasury, Energy, and Justice, along with industry leaders, know that well-trained and experienced professionals are a must. Judith Spencer, Chairperson of the GSA Federal Identity Credentialing Committee, has stated that "the experience of the auditor is the most critical component of the audit". Certified Information Systems Auditors (CISAs) must pass a comprehensive, challenging exam to achieve certification and are required to accrue continuing education units every year to maintain it. A CISA certification is the equivalent of a CPA, but the CISA is the right profession for the information technology field.
Is an IT audit about corporate governance and compliance? Or is it about security?
The answer to all three is yes. The scope of an IT audit can be based on any or all three of the criteria mentioned. The eValidated process will determine the scope and auditable parameters of your particular audit. As the customer, you will assist in making the decision as to what type of audit your system requires. If you are a health care provider, then IT security and compliance will be a factor in your audit. You have a legal responsibility to protect the privacy of your clients, which means you need the proper security parameters in place to protect that data. Sarbanes-Oxley requires corporations that are under SEC compliance guidelines or preparing for IPO to set their system controls to ensure accuracy and confidence in the data that is provided to the SEC and shareholders. An eValidated audit ensures that you are processing critical corporate information in accordance with legally mandated instructions.