IT Audit: How to Be Prepared for Audit Requirements


Information System Audit: IT Audit Checklist

No one looks forward to an IT audit, but an audit is critical for exposing problems with data or procedures. An organization lives or dies based on the quality of its data and the orderly flow of that data. IT auditing is essential for verifying that an IT environment is healthy, that IT is aligned with business objectives, and that data integrity is always maintained. Information System audits can provide a great deal of useful advice, and with a little advance preparation an audit can be painless and efficient.

IT Audit

It’s best to lay some groundwork. An auditor may request information before an audit, such as where sensitive information is stored. The auditor will want to know something about the systems and processes being audited, including the flow of critical data. You can ask which employees the auditor will want to interview and can see to it that the designated employees have everything they need for the interview.

External and Internal Audits

To prepare for an IT audit, you need to know the purpose of the audit, the audit’s scope, the timeframe, and the resources you’re expected to provide. These resources will in part depend on whether the audit is internal or external. An internal audit may be conducted by employees and primarily addresses business objectives and risks. An external audit is conducted by an accounting firm and verifies proper processing procedures.

An audit usually requires a business impact analysis as well as access to documentation and written procedures and policies. Auditors interview appropriate personnel and observe procedures to verify that they are performed in accordance with written procedures. It’s particularly important that an organization demonstrate that it knows where its sensitive data is at all times. Failure to accurately track data flow may cause an auditor to assume that data isn’t properly protected.

IT Audit Checklists Are Useful Tools

When determining whether an internal audit is required, or to prepare for either internal or external audits, checklists are often used. Doing a self-assessment with a checklist ahead of time removes a lot of the stress of an IT audit.

One type of checklist outlines current projects and their scope, including personnel, budget, and expected outcome. Checklists like this are useful in keeping IT aligned with business goals. For further aspects of an IT audit, using a recognized framework as the basis for a checklist can be very illuminating. Various frameworks are available: ISACA’s COBIT, NIST, HIPAA, FISMA, PCI DSS. These frameworks give you something to measure your business against and provide a useful means for identifying risks.

Of course, compliance issues may make one framework preferable, but otherwise any of these frameworks could be useful to an organization in evaluating its risk and compliance. The auditor may be using one of these frameworks, and familiarity with that framework will help to clarify what processes are of interest to the auditor.

It’s still all too common for test files to be created from production data, thereby putting sensitive data at risk. This is the kind of situation an audit is designed to catch, but ROKITT ASTRA can see to it that the problem never occurs in the first place. ROKITT ASTRA data masking substitutes perfectly formatted test data for real data in fields that contain sensitive information, ensuring that your customer information is always secure and that your data is always compliant.
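As an added illustration (not ROKITT ASTRA's code, whose internals the post does not describe), the snippet below shows the kind of format-preserving masking described here: constructed production-like rows are rewritten so that an ID keeps its layout, a card number keeps its length and a valid Luhn check digit, and the same original value always maps to the same masked value so joins between tables survive. The masking key, field names and sample rows are assumptions, and an audit-style check at the end flags any row that still carries a production value.

```python
import hashlib
import hmac
import re

# Constructed sample rows standing in for a production extract (not real people).
PRODUCTION_ROWS = [
    {"id": 1, "email": "alice@example.com", "ssn": "123-45-6789", "card": "4539578763621486"},
    {"id": 2, "email": "bob@example.org", "ssn": "987-65-4321", "card": "4539578763621486"},
]
MASK_KEY = b"constructed-example-key"  # hypothetical key; stays with the masking job, never in test


def _digits_for(value, count):
    """Keyed HMAC-SHA256 -> `count` digits; same input gives same output, so joins still work."""
    digest = hmac.new(MASK_KEY, value.encode(), hashlib.sha256).hexdigest()
    return str(int(digest, 16))[-count:]  # decimal form has ~77 digits, plenty to slice


def luhn_check_digit(partial):
    """Return the digit that makes partial + digit pass the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # rightmost digit of partial is doubled
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    return luhn_check_digit(number[:-1]) == number[-1]


def mask_row(row):
    """Replace sensitive fields with substitutes that keep the original layout."""
    ssn = _digits_for("ssn:" + row["ssn"], 9)
    card_body = _digits_for("card:" + row["card"], len(row["card"]) - 1)
    return {
        **row,
        "email": "user" + _digits_for("email:" + row["email"], 6) + "@masked.test",
        "ssn": ssn[:3] + "-" + ssn[3:5] + "-" + ssn[5:],
        "card": card_body + luhn_check_digit(card_body),  # length and check digit preserved
    }


def audit_masked(original, masked):
    """Audit-style check: flag rows that still carry a production value or break format."""
    findings = []
    for o, m in zip(original, masked):
        findings += [f"row {o['id']}: {f} unmasked" for f in ("email", "ssn", "card") if m[f] == o[f]]
        if not re.fullmatch(r"\d{3}-\d{2}-\d{4}", m["ssn"]):
            findings.append(f"row {o['id']}: ssn format broken")
        if len(m["card"]) != len(o["card"]) or not luhn_valid(m["card"]):
            findings.append(f"row {o['id']}: card format broken")
    return findings
```

Running `audit_masked(PRODUCTION_ROWS, [mask_row(r) for r in PRODUCTION_ROWS])` returns an empty list, while auditing the unmasked rows against themselves reports every sensitive field as unmasked.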

Another big risk factor in IT audits is not having an up-to-date schema showing the data flow of a network. ROKITT ASTRA provides a detailed graphical rendering of data flow and a map of the application landscape in a format that’s acceptable to auditors. ROKITT ASTRA shows which databases and applications are used for critical data processing.

With ROKITT ASTRA you can identify the table of origin for any piece of data and trace its path between databases for data verification purposes. This is not only invaluable for data verification; it can also be used to confirm that highly sensitive data is always protected. The ease of data discovery helps ensure regulatory compliance.

The more you know about your network, the safer your network is. Using checklists and ROKITT ASTRA to keep your fingers on your network’s pulse helps keep your network secure and operating at peak efficiency, not just after an audit but all the time.