Tips for Creating an IT Compliance Audit Checklist
A compliance audit, in a nutshell, is a process involving extensive reviews of a company’s commitment to adhere to regulatory guidelines.
The nature of the audit varies depending on the industry and the kinds of data an organization stores and transmits. Healthcare companies, for example, are subject to HIPAA/HITECH rules, while the financial services sector must abide by PCI DSS standards.
In an IT compliance audit, auditors examine the risk management and security policies your organization put in place to determine the thoroughness and strength of your compliance efforts.
Importance of Audit Readiness and Compliance
Failing a compliance audit indicates security flaws in your system, and the consequences of not taking action can be dire, including the eventual closure of your business.
Network Vulnerabilities: Weak security infrastructure, protocols and processes make your network vulnerable to various forms of cybersecurity attacks such as malware, ransomware and AI botnets.
Hefty Fines and Costly Lawsuits: A 2015 data breach cost healthcare company Anthem $115 million in lawsuits. And as the result of a 2014 data breach, Home Depot has had to pay at least $134.5 million to credit card companies, banks and customers. Big brands may be able to withstand the legal and financial repercussions of a cyber attack, but can you?
Damage to Reputation: If your systems cannot be trusted to adequately safeguard sensitive customer information, you lose customers’ trust. Lost trust can lead to lost business and a damaged brand reputation, which can take time to rebuild.
The big question is: When auditors show up, are you ready? Do you know which grounds they will cover or the questions they will be asking?
An Overview of Compliance and Regulatory Frameworks
Audit and compliance frameworks are comprised of best practices and guidelines that organizations follow to stay compliant with regulations, strengthen network security, improve processes, and attain business goals.
They are used by external and internal auditors, and relevant third-party entities (e.g., potential investors and customers) to assess the security processes of an organization.
- Sarbanes-Oxley (SOX) for publicly traded companies and those planning to go public
- PCI DSS for financial entities and services that process credit card data
- HIPAA/HITECH for hospitals, insurance providers, and other organizations collecting personal health information (PHI)
- ISO for companies aiming to improve their security and quality management controls
- Privacy Shield, which replaces the US-EU Safe Harbor, for organizations that collect and process data between the U.S. and European Union
- NIST for government agencies, large enterprises, and any organization looking to minimize their cybersecurity risk
The best security and compliance framework to use will depend on what your company does and what your industry requires. You're not limited to just one framework. NIST, for example, can be used in conjunction with others in the list.
But in general, an audit framework’s primary role is to find out what your organization’s IT security system lacks versus established benchmarks. It measures:
- Data security
- Access control
- Security awareness
- Communications security
- Asset management
- Data backups
- Disaster recovery
- Business continuity planning
- And more
Key Considerations for Audit and Compliance Planning
Ernst & Young provides a comprehensive list of key IT considerations when conducting IT risk assessment and audit planning. These include:
- Is your existing information security strategy comprehensive? Does it include adequate vulnerability assessment, training and awareness, monitoring, predictive modeling, detection and response, and reporting controls?
- Is information security an IT-only responsibility? Or is it an organization-wide undertaking?
- Are there mechanisms in place that appropriately address known issues and identified threats? Are they effective?
- How soon can your organization respond to intrusions?
Business Continuity Management
- Is your business continuity plan holistic? Does it cover essential business continuity procedures such as business impact analysis, vendor assessment, change management, testing and maintenance?
- How soon can normal business functions resume should a disruption or disaster occur?
- Is the crisis management plan comprehensive? Do employees and other stakeholders understand the plan?
- Are the right mobile strategies in place, including risk and vulnerability identification, configuration settings, intrusion detection and response, and management of stolen or lost devices?
- Would you know if an attack occurs? If so, how will you respond?
- Are there existing policies for cloud usage? Do they coincide with other organizational policies, such as procurement, legal and IT policies?
- Does it make sense moving services to the cloud? Has the business implications of cloud usage been assessed?
- Do user authentication and access protocols exist?
IT Risk Management
- How well can IT identify, assess, manage, accept and remediate risks?
- How effective is the IT risk assessment process?
- Are there formal and documented IT governance processes for decisions regarding project approvals, capital allocations and others?
- Does your organization take advantage of the insights provided by your existing GRC (governance, risk and compliance) software, if any?
- Does your organization address areas that pose significant risks to the execution of projects and programs, such as partnerships with third parties, data migration and business change?
- How are program and project risks assessed?
- Are program protocols followed properly?
- When business objectives change, how is the program portfolio managed?
Software/IT Asset Management
- Does your organization have a comprehensive IT asset and software management methodology?
- Do you use asset management tools? If not, why not?
- Are there areas where software licensing costs can be reduced? Can software licensing agreements be renegotiated?
Social Media Risk Management
- How well do your company and its employees understand social media risks?
- When risks are identified, can you effectively handle them?
- Is there a process for social media usage within the organization? Do your employees know the guidelines?
- Are corrective actions warranted for existing social media activities? How do these activities affect branding and reputation?
Identity and Access Management
- Are there role-based or SoD (segregation of duties) protocols in place? Can these protocols prevent or detect error and fraud?
- Do your employees understand their roles and access permissions, as well as the responsibilities associated with them, well enough?
Data Loss Prevention and Privacy
- What types of sensitive data does your organization collect and store? Where does this data go? Internally or with third-party storage services?
- In what areas are you vulnerable? Are there controls to manage these inadequacies?
- How well does your company understand privacy regulations relevant to your industry? Do end users follow procedures to ensure compliance?
IT Compliance Audit Readiness
It cannot be stressed enough that IT security is an ongoing process, and compliance should not be the end goal. Instead, it should be treated as just the first step to more effectively protect your business in an IT landscape where threats are constantly evolving.
Editor’s Note: This post was originally published in August 2018 and has been updated with new information for comprehensiveness.