While performing different types of IT audit, we always need to look at IT security. Let’s look at the main aspects of how we should audit IT security.
First of all, let me divide IT security into two streams: 1) logical IT security and 2) physical IT security.
When I audit logical IT security, I usually inspect the following areas:
- IT security policies and procedures;
- IT security software tools and techniques in place;
- List of user IDs in all systems in order to determine and validate the usage of shared accounts;
- Password controls, and other log-on controls (lockout, logging, etc.);
- The usage of vendor default passwords in all systems;
- Access controls to sensitive data and how it is segregated;
- Who can make modifications to security parameters in all systems;
- Appropriateness of data ownership assignment;
- Usage, monitoring and analyzing of security logs in all systems;
- Applying of vendor security patches to the systems;
- User management (adding, changing, deleting of users);
- Time-out settings for terminals and workstations;
- Encryption settings for sensitive data which is being transmitted;
- Firewall usage, DMZ, network perimeter.
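Several of the items above (shared accounts, password and lockout controls, vendor default passwords, data ownership, dormant users, time-out settings) can be tested mechanically once you have a system export in hand. The script below is an added example, not the author's tooling: it runs a constructed export of one system's security parameters and user list against audit thresholds that are assumptions for this example (in a real engagement, take them from the client's own policy and compare the export against it).

```python
"""Audit checks over a constructed system export of security settings and users.

Every record and threshold here is constructed for illustration; a real export
would come from the system under audit and the thresholds from client policy.
"""

# Audit thresholds (assumptions for this example, not a standard).
THRESHOLDS = {
    "min_password_length": 8,
    "max_password_age_days": 90,     # passwords must expire within this window
    "lockout_threshold_max": 10,     # lockout must be enabled and not too lax
    "session_timeout_minutes": 15,   # idle sessions must time out within this
    "inactive_days": 90,             # no logon for longer than this = dormant
}

# Constructed sample export, shaped like what an auditor receives from an admin.
SAMPLE_EXPORT = {
    "system": "ERP-PROD",
    "policy": {
        "min_password_length": 6,
        "max_password_age_days": 0,      # 0 means passwords never expire
        "lockout_threshold": 0,          # 0 means lockout is disabled
        "session_timeout_minutes": 120,
        "failed_logon_logging": True,
    },
    "users": [
        # password_last_set_days None = never changed since account creation,
        # i.e. the initial (vendor/installation) password is still in use.
        {"id": "jsmith", "owner": "John Smith", "used_by": ["John Smith"],
         "enabled": True, "last_logon_days": 2, "password_last_set_days": 30},
        {"id": "admin", "owner": "", "used_by": ["ops1", "ops2", "ops3"],
         "enabled": True, "last_logon_days": 0, "password_last_set_days": None},
        {"id": "mjones", "owner": "Mary Jones", "used_by": ["Mary Jones"],
         "enabled": True, "last_logon_days": 410, "password_last_set_days": 400},
        {"id": "old_svc", "owner": "", "used_by": ["ops1", "ops2"],
         "enabled": False, "last_logon_days": 900, "password_last_set_days": None},
    ],
}


def check_policy(policy: dict) -> list[str]:
    """Compare system-wide log-on controls against the audit thresholds."""
    findings = []
    t = THRESHOLDS
    if policy["min_password_length"] < t["min_password_length"]:
        findings.append(f"PASSWORD: minimum length {policy['min_password_length']} "
                        f"is below {t['min_password_length']}")
    age = policy["max_password_age_days"]
    if age == 0 or age > t["max_password_age_days"]:
        findings.append(f"PASSWORD: maximum age {age} days "
                        f"(0 = never expires) exceeds {t['max_password_age_days']}")
    lock = policy["lockout_threshold"]
    if lock == 0 or lock > t["lockout_threshold_max"]:
        findings.append(f"LOCKOUT: threshold {lock} (0 = disabled) "
                        f"is not within 1..{t['lockout_threshold_max']}")
    timeout = policy["session_timeout_minutes"]
    if timeout == 0 or timeout > t["session_timeout_minutes"]:
        findings.append(f"TIMEOUT: idle timeout {timeout} minutes "
                        f"exceeds {t['session_timeout_minutes']}")
    if not policy["failed_logon_logging"]:
        findings.append("LOGGING: failed log-on attempts are not logged")
    return findings


def check_users(users: list[dict]) -> list[str]:
    """Per-account checks; disabled accounts are skipped (they cannot log on)."""
    findings = []
    for u in users:
        if not u["enabled"]:
            continue
        if len(u["used_by"]) > 1:
            findings.append(f"SHARED: {u['id']} is used by {len(u['used_by'])} people")
        if not u["owner"]:
            findings.append(f"OWNERSHIP: {u['id']} has no assigned owner")
        if u["password_last_set_days"] is None:
            findings.append(f"DEFAULT: {u['id']} still uses its initial/vendor password")
        if u["last_logon_days"] > THRESHOLDS["inactive_days"]:
            findings.append(f"DORMANT: {u['id']} has not logged on for "
                            f"{u['last_logon_days']} days")
    return findings


def audit(export: dict) -> list[str]:
    """Run all checks for one system and return the findings list."""
    return check_policy(export["policy"]) + check_users(export["users"])


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(f"[{SAMPLE_EXPORT['system']}] {finding}")
```

Each finding is prefixed with the control it belongs to, so the output can be sorted straight into the audit working papers; the disabled `old_svc` account produces nothing because the checks only apply to accounts that can actually log on.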
When I audit physical IT security, I usually examine the following:
- Controls over physical access to the buildings and computer facilities (video monitoring, receptionists, swipe card systems, etc.);
- Controls over access to the server room (list of formally approved persons with such access, logs of swipe card system);
- Environmental controls inside the server room (humidity, temperature, fire alarms and suppression systems, UPS, raised floor, air conditioning, etc.).
While auditing IT security you should apply your professional judgment to each client. For example, you need to take into consideration the size of the business (how many users have access to company systems), the size and roles of the IT department, and whether any IT functions are outsourced. During my practice of auditing IT security I faced situations where small entities with only 2-3 IT employees had stricter security controls than big companies with 20-50 IT staff. It is also very important to assess the security risks for this particular company in order to decide which controls to examine during the audit. For example, if a company has only about 10 employees with access to computer systems, all of them know each other, and the IT admin knows all of them, then the risk of someone unknown getting access to the data is lower; if a company has 100+ employees with access to data, and this access changes constantly, then the risk of unauthorized access to sensitive data is higher. When auditing IT security you also need to understand the employee turnover at the company: if no one was terminated during the year it is one situation, and if they have terminations every day it is a completely different situation.
I must say that IT security is the most important and the most challenging area of the audit process. IT security is so important these days that many companies perform a separate IT security audit on a quarterly or yearly basis.
Stay on the top, and apply your professional judgment.
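The turnover point above is usually tested by reconciling the HR termination list against the user lists of each system: a leaver whose account is still enabled is a finding, and a logon recorded after the last working day is a more serious one. The script below is an added example, not the author's method; the HR list, the account exports and the audit date are all constructed for illustration.

```python
"""Reconcile HR terminations against account exports from several systems.

All data here is constructed; in practice the termination list comes from HR
and each account list from the system administrators.
"""
from datetime import date

# Constructed HR list: employee id -> last working day.
HR_TERMINATIONS = {
    "E1001": date(2023, 3, 15),
    "E1002": date(2023, 6, 30),
    "E1003": date(2023, 9, 1),
}

# Constructed account exports from two systems, keyed back to HR by employee id.
ACCOUNTS = [
    {"system": "ERP", "user": "bwhite", "employee_id": "E1001",
     "enabled": False, "last_logon": date(2023, 3, 14)},
    {"system": "ERP", "user": "cgreen", "employee_id": "E1002",
     "enabled": True, "last_logon": date(2023, 6, 29)},
    {"system": "FILESRV", "user": "cgreen", "employee_id": "E1002",
     "enabled": True, "last_logon": date(2023, 7, 12)},
    {"system": "ERP", "user": "dblack", "employee_id": "E1003",
     "enabled": True, "last_logon": date(2023, 8, 30)},
    {"system": "ERP", "user": "jsmith", "employee_id": "E2000",
     "enabled": True, "last_logon": date(2023, 10, 1)},
]

AUDIT_DATE = date(2023, 10, 31)  # constructed "as of" date for the fieldwork


def reconcile(terminations: dict, accounts: list[dict], as_of: date) -> list[dict]:
    """Return one finding per account that belongs to a terminated employee and
    was either used after the last working day or is still enabled."""
    findings = []
    for acct in accounts:
        last_day = terminations.get(acct["employee_id"])
        if last_day is None:
            continue  # current employee, nothing to reconcile
        base = {"system": acct["system"], "user": acct["user"],
                "employee_id": acct["employee_id"]}
        if acct["last_logon"] > last_day:
            # Activity after termination: the account was actually used.
            findings.append({**base, "issue": "LOGON_AFTER_TERMINATION",
                             "days": (acct["last_logon"] - last_day).days})
        elif acct["enabled"]:
            # No activity, but the account was never disabled.
            findings.append({**base, "issue": "STILL_ENABLED",
                             "days": (as_of - last_day).days})
    return findings


def by_severity(findings: list[dict]) -> list[dict]:
    """Order findings so that actual post-termination use is reported first,
    then the longest-outstanding enabled accounts."""
    rank = {"LOGON_AFTER_TERMINATION": 0, "STILL_ENABLED": 1}
    return sorted(findings, key=lambda f: (rank[f["issue"]], -f["days"]))


if __name__ == "__main__":
    for f in by_severity(reconcile(HR_TERMINATIONS, ACCOUNTS, AUDIT_DATE)):
        print(f"{f['issue']:24} {f['system']:8} {f['user']:8} {f['days']} days")
```

The same reconciliation scales from a 10-person shop to a 100+ user company with daily terminations; what changes is how many exceptions you expect and therefore how much of the population you test.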