The Repetitive History of IT Audit Outcomes

Paul M. Perry
Author: Paul M. Perry, CISM, CDPSE, CITP, CPA
Date Published: 15 June 2022

While the term “IT audit” may be defined differently across organizations based on industry requirements and their applicable frameworks, the outcomes of such audits are often fairly predictable. No matter what name audit findings are given (e.g., recommendations, deficiencies, weaknesses, exceptions, deviations, control gaps), they are usually consistent, and in most cases, (audit) history repeats itself—even within the same entity, year after year. If one could understand why this is the case, then the outcome of IT audits would have no value (aside from the notion of third-party verification of current controls), to which many in the IT industry gladly look forward. Resource limitations—both capital and human—are frequently the culprit of unsatisfactory audits. It is worth examining some typical IT audit findings and providing recommendations for how to prevent exceptions from occurring in the future.

I Still Have Access to That?

The primary deficiency uncovered in IT audits relates to separated users that still have access to the system (or website). A comparison of active user accounts to human resources (HR)-generated lists of terminated (or transferred) staff can quickly define user access changes that may have fallen through the cracks. Effective user access control reviews performed on a regular basis can also help detect unauthorized access that should have been removed and suggest design changes that should be made to systems or websites (i.e., employing least-privilege policies). Organizations may try to argue that doing security right 99.4% of the time should be celebrated, and while most would not disagree, it is important to remember that it only takes 1 person with unfettered access to data and systems to render security measures useless.

Effective user access control reviews performed on a regular basis can help detect unauthorized access and inform design changes that should be made to systems or websites.

Education, Education, Education

Another control that may be found to be missing during an audit that can have a profound impact on other areas (including cyberliability insurance) is a lack of cybersecurity awareness training for employees. It can be difficult to identify ineffective cybersecurity awareness training programs, but hosting periodic (i.e., monthly, quarterly, annually) training webinars or speaker presentations for employees are effective mitigation strategies against repeat comments in this area of an IT audit. On a cyberliability insurance statement, most insurance companies that uncover a lack of cybersecurity awareness training for employees during a breach investigation would, ultimately, not compensate on a policy citing such a negligence. This is not legal advice, however, an enterprise must do its part to educate employees about the do’s and don’ts of the use of IT.

Outsourcing Responsibility

Effective vendor management is another point of weakness for organizations in terms of proper IT controls that should be in place—and it is significant—based on global entities’ increased use of outsourced services meant to assist with day-to-day operations and information security. This deficiency is usually attributable to the outsourcing of responsibility along with the contracted service. Unfortunately, the usual mentality of organizations is “Set it and forget it,” or rather, “That is what we hired the vendor to do.”

Effective vendor management can be achieved by performing risk assessments of vendors before their final onboarding, which may include reviewing security or control-related reports (e.g., IS audit reports, security operations center [SOC] reports, vulnerability assessments [VAs], penetration [pen] test reports) and/or an ongoing discussion of what services the vendor is providing and how operations are going. What an organization does not want to discover after a breach occurs is that their third-party vendor consisted of a single person in the basement of their house with little to no physical or technological controls in place. Some imperative actions include:

  • Confirming whether the vendor performs background checks on employees
  • Understanding whether the vendor has solid IT controls in place to prevent unwarranted access
  • Knowing whether the vendor responds proactively to security issues and events

Such matters should be addressed on a regular basis and involve continuous discussions about agreed-upon actions to take.

Watching for Additional Deficiencies

While the aforementioned factors are complex enough to be addressed in their own separate articles, they make a good starting point for understanding control deficiencies that are common during IT audits. Organizational culture and the tone at the top play a role in how thoroughly deficiencies are addressed on a regular basis. A lack of appropriate tone or culture is easy to spot and can indicate issues throughout the organization.

Common deficiencies include:

  • The lack of multifactor authentication (MFA) for remote access to systems and websites—Employing MFA at every opportunity will soon become a must instead of a best practice. Most software applications and websites have MFA settings that can be activated, but if not, typically third-party software applications that support MFA can be added to a system.
  • Irregular backups or encryption of data—A consistent backup schedule that coincides with normal business operations should be created and encryption should be employed across all devices and networks. Backups should also be in a separate location from the original data.
  • Inadequate or untested incident response and disaster recovery plans—While having a plan is important, stakeholders must ensure that it is tested through a tabletop exercise on a regular basis (or as key personnel or systems change) or by performing a live recovery.
  • Lack of written policies and procedures around all activities and practices on information security and technology—A documented security policy ensures that the organization can reference a consistent truth about what IT and security actions are supposed to be taken. A set of guidelines helps get everyone back on track, particularly when new employees are hired or a security incident occurs.
  • Inadequate parameters or policies around credentialing and password strengthening (e.g., Active Directory)—Following strong password policies (i.e., in accordance with length and complexity best practices) makes it more difficult for threat actors to guess passwords or conduct brute force attacks.
  • Lack of internal vulnerability scans or external penetration testing—Utilize experts and software to periodically test the network for unpatched threats or unknown holes within the security boundaries that can be exploited by threat actors.

Conclusion

Finding the right framework to follow to implement the proper IT controls can be challenging. However, several relevant frameworks have been developed, such as COBIT®, that are quite comprehensive and follow a systematic pattern for the proper controls. Though some frameworks may have varying focus areas that emphasize different aspects of controls, all seek to help enterprises understand how to spend their time and resources by assessing IT assets per their related risk and prioritize, design and implement appropriate and cost-effective mitigation strategies.

Paul M. Perry, CISM, CDPSE, CITP, CPA

Is a member and practice leader of the Security, Risk and Controls group at Warren Averett CPA and Advisors. He and his team focus on cybersecurity, IT projects, risk assessments, internal controls, internal audit and control-related projects including system and organization control engagements.