During a security audit, each system an organization uses may be examined for vulnerabilities in the following areas:

- Network vulnerabilities. Auditors look for weaknesses in any network component that an attacker could exploit to access systems or information or to cause damage. Information in transit between two points is particularly vulnerable. Security audits and regular network monitoring keep track of network traffic, including emails, instant messages, files, and other communications. Network availability and access points are also included in this part of the audit.
- Security controls. In this part of the audit, the auditor looks at how effective a company's security controls are. That includes evaluating how well an organization has implemented the policies and procedures it has established to safeguard its information and systems. For example, an auditor may check to see if the company retains administrative control over its mobile devices. The auditor tests the company's controls to make sure they are effective and that the company is following its policies and procedures.
- Encryption. This part of the audit verifies that an organization has controls in place to manage data encryption processes.
- Software systems. Here, software systems are examined to ensure they are working properly and providing accurate information. They are also checked to ensure controls are in place to prevent unauthorized users from gaining access to private data. The areas examined include data processing, software development, and computer systems.
- Architecture management capabilities. Auditors verify that IT management has organizational structures and procedures in place to create an efficient and controlled environment to process information.
- Telecommunications controls. Auditors check that telecommunications controls are working on both client and server sides, as well as on the network that connects them.
- Systems development audit. Audits covering this area verify that any systems under development meet security objectives set by the organization. This part of the audit is also done to ensure that systems under development are following set standards.
- Information processing. These audits verify that data processing security measures are in place.

Organizations may also combine specific audit types into one overall control review audit.