Many companies are rethinking their IT auditing policies because of anxiety over new data retention regulations and high profile corporate accounting scandals, data center professionals and industry analysts said.
A new report from analyst firm The Burton Group examines the many different forms an IT audit can take and lays out the information a company should know before implementing an auditing policy.
The report concludes that it's important not to discount the human factor when carrying out an audit. There are many automated tools for assisting in things like audit generation, information collection and analysis. But the knowledge and judgment of skilled workers is essential to weighing the findings of these tools and ultimately carrying out a successful audit.
Gerry Gebel, an analyst with the Midvale, Utah-based firm, said that data retention regulations like Sarbanes-Oxley and all of the attention paid to accounting scandals at Enron and Tyco are driving the new interest in auditing.
"HIPAA has been around for awhile, but some parts of it are just going into effect," Gebel said. "It's an ongoing process where a lot of these new regulations are rolled in over time.
"There is a general awareness out there that companies have to be more careful about who is accessing records," he added.
An information technology audit is a thorough examination of any number of the processes involved running an enterprise's data center. These processes might include user authentication and other security-related procedures, e-mail retention policies, or even the layout of the hardware.
The point of an IT audit is to find out where improvements can be made, and to make sure the company is in compliance with internally and externally mandated laws and regulations.
Keith Campbell, CIO of Oklahoma City-based Inoveon, Inc., a medical services firm, said his company regularly conducts IT audits in order to reassure its financial backers that the operation is running efficiently.
The first step is clarifying exactly what system and procedures will be audited, Campbell advised. Based on this information, decide who has the right skills to carry out the audit.
Next, figure out whether the audit should be conducted by employees of the company our outside consultants. Campbell said this largely depends on the why the audit is being conducted, but typically some combination of insiders and outsiders is best.
"We've hired external people because they lend credibility," he said.
The Burton Group report explains that qualifications for auditors vary depending on the system being audited. In some jurisdictions, compliance checks should be conducted by a certified auditor. The report predicts that changing compliance rules will prompt more and more auditors to see certification in the future.
Gebel reminded administrators to pay attention to audit trails, which are electronic records created by IT systems. Prioritize these reports, and store them appropriately because they can be very useful when audit time arrives, he said.
Stephen O'Grady, an IT analyst with Bath, Maine-based RedMonk, said that it's important to understand the overall context in which and audit is being done. Also, he said people can save time by leveraging the many existing frameworks for conducting audits that can be found on the Internet and elsewhere.
"Compliance needs to be a top-down mandated initiative," O'Grady said. "It's like brushing your teeth. You may not like it, but do it or pay."