© SidorArt/Shutterstock.

CHAPTER 3
What Is the Scope of an IT Compliance Audit?

The scope of an information technology (IT) audit can vary depending on the specific risk and processes being examined, such as a network audit compared to an application audit. Nonetheless, there are common scope elements to all IT compliance audits, which include an examination of the related policies, adherence to those policies, and adequacy of vulnerability assessments.

A compliance review can determine if policies are being followed. The vulnerability assessment is used to measure the effectiveness of the policies. If everyone follows the policies, then the number of vulnerabilities declines. If the number of vulnerabilities does not decline, the fault typically lies with either individuals not adhering to policy or poorly designed policies. Vulnerability assessments need to be aligned with business goals. Additionally, the level of enforcement needs to align with the level of risk the organization is willing to accept.

The IT environment is vast and must be broken down into auditable chunks or domains. This chapter explores what is required to achieve and sustain compliance across different domains within the IT environment.
