
The art of IT security audit response: Part 2: The audit process

  • Writer: CyberSecurity Simplified
  • Dec 20, 2023
  • 5 min read

Written by Jean-Camille LOISEAU | Published 20 December 2023


This article is a follow up to the introduction to IT Risk Management and IT Audit: https://cybersecsimplified.wixsite.com/blog/post/it-risk-management-and-it-audit



What is the IT security audit process?

Before delving into the response strategies, it's essential to understand the audit process. IT security audits are typically conducted by internal or external auditors to evaluate an organization's information systems, data protection measures, and adherence to security policies. These audits may focus on various areas such as network security, access controls, incident response, and compliance with industry standards.


IT security audits typically follow a simple set of codified phases:

1. Planning & Initiation
2. Fieldwork & Collection
3. Meetings & Review
4. Report & Negotiation
5. Finalization & Remediation

 


Planning & Initiation:

Having identified the subjects or departments to be audited, auditors begin defining the specific scope and objectives. They determine which key areas of that department they want to look at and which risks the department might be exposed to that they want to examine.

 

Having identified a team or set of teams to audit, they reach out through management to schedule the audit itself. The auditors also begin drafting a list of the typical documents, presentations, minutes, procedure documents, and incident or change records that they deem relevant to the topic being audited.

 

Finally, this phase concludes with the preparation and delivery of a letter of assessment to the management of the department and function being audited. This is typically a very formalized email that officially informs the department of the audit, states what the team, the managers and the appointed Subject Matter Experts must deliver, outlines the timelines and roadmap of the audit, and indicates some of the key topics that will be of particular focus over the course of the audit. The department’s manager is then expected to acknowledge receipt of the letter of assessment and inform their teams to prepare for the audit.

 


Fieldwork & Collection:

A preliminary meeting between the auditors and the managers of the assessed systems, processes or departments takes place. An initial list of topics and supporting evidence documents is delivered by the auditors to the auditee, who then assigns SMEs the role of collecting, preparing and delivering the requested documents to a drive or folder, where they undergo a review before being filtered, altered and then forwarded to the auditors.

 

The review and alterations during this phase are of the utmost importance, as the auditee must always be careful not to “overshare” documents (or portions of documents) that are not directly relevant to the auditors’ requests.

 

In this phase of the assessment, the requests are usually straightforward and can be addressed solely through document sharing. However, some requests can be complex or require detailed discussion; the auditee may then schedule calls or meetings with the assessor to better understand the requirements and expectations.

 

In this phase a lot of coordination is necessary, as the auditee often outsources their IT security to a separate IT Production or IT security department, which then needs to contribute to the document collection.

Once the data and documents are collected, the auditors begin analyzing processes and testing controls to assess their effectiveness and compliance with established standards.



Meetings & Review:

The auditors have collected a lot of data and documents, and that has brought new questions. As the auditors reviewed the documents delivered, they found information that was confusing, that contradicted other documents, or that was missing altogether. Typically, auditors have a set of generic questions per theme and topic that they want answered, and if/when the documents provided in the fieldwork phase do not deliver a clear answer, they rely on this phase to remedy that.

 

Having compiled a series of questions for each of the topics and themes they review, the auditors schedule meetings with the SMEs and manager(s) of each topic to interview the SME and request additional information, additional evidence for statements made in documents, etc. A typical example: a team states that it retains log data for 6 months in “hot storage”, readily available at a moment’s notice. The auditors will then request that some logs falling in that category be provided the next day. Another example could be a claim of a low incident count made in a steering committee. Auditors will want to test this claim with an export of all incident tickets lodged and run queries to ensure that the claim accurately represents reality.
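Before such a meeting, the auditee can run the same kind of check on their own evidence. The following is an added example, not code from the original post: it checks the two claims above against constructed sample data, listing the days inside the claimed 6-month window with no log file in hot storage, and counting incidents per severity from a constructed ticket export so the figure presented to the steering committee can be compared with the export. The reporting date, retention length and ticket format are assumptions.

```python
"""Pre-audit self-check of two evidence claims, using constructed sample data."""
import csv
import io
from datetime import date, timedelta

RETENTION_DAYS = 183          # the claimed "6 months in hot storage" (assumed 183 days)
AS_OF = date(2023, 12, 19)    # constructed reporting date, last day of the window
WINDOW_START = AS_OF - timedelta(days=RETENTION_DAYS - 1)

# Constructed sample: a daily log file exists for the last 200 days except two days.
SAMPLE_LOG_DAYS = {AS_OF - timedelta(days=i) for i in range(200)}
SAMPLE_LOG_DAYS -= {date(2023, 9, 3), date(2023, 9, 4)}

# Constructed sample ticket export (one change record, one incident outside the window).
SAMPLE_TICKETS = """id,type,severity,opened
INC-1,incident,high,2023-07-02
INC-2,incident,low,2023-08-15
CHG-1,change,low,2023-08-16
INC-3,incident,high,2023-11-30
INC-4,incident,low,2024-01-05
"""

def retention_gaps(log_days, window_start=WINDOW_START, window_end=AS_OF):
    """Days inside the claimed retention window with no log file in hot storage."""
    span = (window_end - window_start).days + 1
    return [window_start + timedelta(days=i) for i in range(span)
            if window_start + timedelta(days=i) not in log_days]

def incident_counts(ticket_csv, period_start=WINDOW_START, period_end=AS_OF):
    """Count tickets of type 'incident' per severity that were opened inside the period."""
    counts = {}
    for row in csv.DictReader(io.StringIO(ticket_csv)):
        opened = date.fromisoformat(row["opened"])
        if row["type"] == "incident" and period_start <= opened <= period_end:
            counts[row["severity"]] = counts.get(row["severity"], 0) + 1
    return counts

def check_claim(claimed, actual):
    """Compare the figure presented to the steering committee with the export."""
    return {"claimed": claimed, "actual": actual, "accurate": claimed == actual}

if __name__ == "__main__":
    print("retention gaps:", [d.isoformat() for d in retention_gaps(SAMPLE_LOG_DAYS)])
    counts = incident_counts(SAMPLE_TICKETS)
    print("incidents per severity:", counts)
    print("high-severity claim:", check_claim(1, counts.get("high", 0)))
```

A gap list that is not empty, or a claim that does not match the export, is exactly what the auditors will find next day, so it is better corrected in the team's own statement first.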

 

This phase is critical for three reasons. First, it enables the auditors to test and verify that the claims made by a department’s manager and their team about the state of their processes are a) true and b) aligned with expected standards. Secondly, it offers an opportunity for the auditors to interview the subject matter experts and ask more complex questions about how our processes and operations are designed and executed.

 

Finally, it gives a team and their SMEs the possibility to set the record straight when something was misinterpreted by the auditors during their initial review, and to clarify important points. At this stage, the auditee and SMEs can also steer auditors who may be tempted to go on a “fishing expedition”, demanding information that is not in the scope of the audit, or who claim to have found a major issue when in fact multiple mitigations are in place that prevent any issue.

 

 

Report & Negotiation:

The auditors schedule a meeting with the auditee to deliver the initial findings and recommendations. The auditors prepare and present a draft report, highlighting the identified inefficiencies and potential areas for improvement. They propose recommendations to address the identified issues and enhance our processes, procedures, or compliance with relevant standards.

 

The auditee and the various SMEs are then able to review the initial findings and draft report, and can provide additional information and evidence to amend or adjust the draft report if and where necessary. The auditee also negotiates with the auditors to rectify any incorrect findings or mismatches and to ensure that the final report is accurate and a fair representation of the state of processes and operations, with adequate criticality applied to each of the findings. The auditors then work on preparing a final audit report. In this phase a few draft iterations may be produced to ensure accuracy.

 


Finalization & Remediation:

The auditors organize a final meeting with management and relevant audited stakeholders. There, the auditors present the complete audit report to the management and stakeholders. The auditors provide an overall review of the audit scope, highlighting the observed inefficiencies, final findings, and proposed recommendations. Additionally, the auditors may assign ratings or scores to different aspects of the audit to provide a summary assessment.

 

This meeting is usually followed by internal meetings at the auditee level and with their management to determine both temporary mitigations and remediation action plans. The auditee also needs to assign relevant SMEs or reach out to the teams they depend on to mitigate and remediate findings. Last but not least, the auditee, their management, and, if the organization is large enough, the operational control team record the relevant findings from the audit report in a dedicated risk and problem management system, such as a register designed to keep all stakeholders on task to deliver the committed improvements within the agreed timelines.



The outlined phases of the audit process - from planning and initiation to finalization and remediation - emphasize the importance of proactive engagement, clear communication, and continuous improvement. Successful audit response requires meticulous preparation, effective collaboration with auditors, and a commitment to addressing identified issues promptly.

 

The iterative nature of the audit response, as seen in the detailed phases, underscores the significance of communication between auditors and auditees. Through meetings and reviews, potential misunderstandings are clarified, and stakeholders have the opportunity to rectify any discrepancies.

 

The negotiation phase ensures that the final audit report accurately reflects the state of processes and operations, fostering a fair representation of the organization's security posture. In the finalization and remediation phase, organizations not only address immediate concerns but also develop long-term strategies for enhancing their security controls and ensuring sustained compliance.


 
 
 
