© SidorArt/Shutterstock.

CHAPTER 6
Conducting an IT Infrastructure Audit for Compliance

AFTER THE AUDIT TEAM completes an auditing plan and that plan is approved, the audit team can scope audits to assess the information technology (IT) infrastructure for compliance. Testing for compliance is centered on the presence of adequate controls or countermeasures in the planned scope of the IT infrastructure. This includes verifying that policies are put in place and appropriately followed.

Audits are not just about testing controls. Effective governance, management oversight, and adherence to policies drive a risk culture that mitigates risk exposure. IT policies are more than simple business requirements that translate into technology controls. Policies, and how they are enforced, reflect the business perception of risk. Policies can reduce business risks by setting the “tone at the top” and promoting a risk-aware culture. Tone at the top refers to senior management’s stated commitment. In this case, it is senior management’s stated commitment to supporting the policies. It’s more than just words. It’s the actions senior management takes to implement and enforce these policies. This tone by management and the resulting risk-aware culture can build trust with the customer and the auditors.

The actual execution of an audit can vary widely based on the scope and objectives of the plan. Several methods, frameworks, and automated tools are available to assist in the process. The choices made will depend on the areas being assessed and the depth and breadth at which controls need to be examined.
