How to prepare for an IT audit

IT Audit

If you are involved in an outsourcing project, sooner or later, you will probably have to face an IT audit. Preparing for an IT audit is fundamental in these cases to pass it successfully and smoothly. So, a specialist from paperhelp ( will tell you the most important general guidelines to successfully face an information systems audit in this post.

When we are working within an outsourcing project in which there is a contract signed between a client and a service provider, at some point, there will be a review or audit, either internal or external. This audit usually has high visibility at the enterprise level and usually involves many actors, hence its relevance.

Let's start explaining some details that should be taken into account to face an IT audit in the best possible way:
  1. Identify the supplier's responsibilities in the contract signed with the client: it must be clear what the duties are for each of the contracted services and processes.
  2. Be clear about which people or roles will be the focal points in the audit for each of the processes.
  3. Prepare the logistics to manage the information requested by the auditors efficiently. The information request and online testing phase may involve several technical and management areas. Use a shared repository to store the data and a communication channel known by all parties.
  4. If possible, before the audit, make an internal assessment of which areas are compliant and not write an action plan and control what you know needs improvement. In many cases, it is necessary to involve the client to help resolve these gaps.
  5. "We are all one": this means that, although there are several areas that are evaluated, in the end, they are all part of the same project and should not avoid responsibilities and "blame" other areas for the mistakes made.
  6. At the end of the Audit, it is advisable to collect in a document all those requests of the reviewers and those errors found so that it can be of help to another project and learn from these errors.
  7. It is highly recommended to perform a mock audit before starting the audit based on previous experience to review failures and warn what should and should not be done.

What do they usually ask in an audit?


It should include the configuration items (CIs) in the scope of the contract. It should take into account fundamental aspects such as the software version, the status of those CIs, if the CI has personal information if security processes have to be launched on those CIs such as security check, user revalidation, vulnerability scanning, patch management, to know if there is software out of support, which team manages it, to have a security guide for each software. It is recommended to perform a periodic revalidation process of this inventory.

Security Management

There must be a security document agreed with the customer in which the roles and responsibilities by service/process and the securitization guidelines that apply to each product are reflected.

Always agree with the customer what security must be applied to each product, and once agreed, create an implementation plan
 to implement these agreements.

In cases where a security weakness is detected that goes beyond what has been agreed, a risk has to be documented with the client indicating what this risk implies for the systems.

Other essential aspects that are always reviewed are the password expiration of users (all personal users must have an expiration date), whether the default user password for a product has been changed, and the length of passwords.

Pay special attention to the retention of system audit logs, as this item is checked on an agreed-upon basis.

Security check (as a secondary control)

It must be checked that the agreed and implemented security settings are maintained in the systems to prevent deviations. If there are any, they must be managed with the client to check if they can be corrected or treated as an exception. This must be done periodically.

User management

- Whenever a user registration with administration privileges is requested, the approval of the user's manager and the owner of the right must be obtained, as well as a valid justification of need.
- All users must be revalidated periodically (each user must have a responsible person). Do not forget to do it in all the software that the supplier administers. Keep in mind that shared users within an organization should be stored in a repository that allows traceability to know who is using them and that the password should be changed after each use.

Risk and issues management

Whenever some processes or tasks are not going to be performed in time and form, show control of such defects through an action plan to correct them. If such non-compliance is due to the client, communicate the associated risk through a letter indicating the exact scope of what applies. Keep in mind that any non-compliance or deviation from what was agreed must be well managed through minutes, risk communication, project plan for its regularization and communicate it to the client when appropriate.

Patch Management

Have agreed with the customer a patching schedule together with the frequency of patching and manage with the customer any deviation from what was agreed, i.e., if, for example, it has been decided to apply monthly patches in Windows, make sure that it is done and if it is not, communicate it to the customer indicating the associated risk. Manage the implementation of a patch through the change management tool where the patch identifier to be applied is included and always with the client's prior authorization.


You must have a backup plan agreed with the client where the devices to be backed up are listed. It is as essential to make the backup as document it.

Disaster Recovery or Disaster Recovery Testing

Agree with the customer also a general and detailed plan perform periodic tests and once executed get a report with the result and actions to be corrected.

Construction (high) and decommissioning (low) of configuration items (CI)

This document describes the actors involved in this process and the responsibilities of each one of them, also indicating the process flow. A series of controls must be carried out at each registration and deregistration of CI to ensure its correct execution (verifies that it is bastioned, patched, with antivirus, registration in inventory...). Certify that it is done for all software, whether the operating system, middleware, network element, or storage.

Other points to take into account:

- Have signed service level agreements (SLAs) with the customer.
- The procedures agreed with the customer must be uploaded in "approved" status to a shared repository and reviewed periodically.
- If there are other suppliers on the project, have an agreement document with them and make sure they all follow the same policies agreed with the customer.
- Keep in mind if any special measures or controls need to be applied where personal or sensitive information is involved.

And with this last point, we end this post on dealing with an IT audit. I hope that if you ever find yourself in this situation, this information will be helpful for you to deal with it successfully.


Jeanna Bray is a person who finds the right words and forms of presentation to convey the benefits students get when addressing PaperHelp experts for research and writing assistance. You can hardly name a top-ranked copywriting course – free or paid – that she hasn't attended while pursuing a BA in Digital Communication.

Post a Comment

Previous Post Next Post