How internal IT audits can boost your process efficiency

When you hear the word audit, do you immediately picture an auditor with endless questions and an anxious team with no answers?

Well, think again! IT audits aren't that bad and can benefit you—if you're well-prepared. That's why, at ManageEngine, we conduct routine internal IT audits to help our IT teams comply with international information security standards, like the ISO 27000 series and SOC-2 type II.

Internal IT audits involve in-house auditors who examine our processes. This helps teams breeze through the audits conducted by external firms.

However, the intention behind these internal audits goes beyond just prepping for certifications. They function as tools of self-awareness and progress.

Here's how you can make the best use of internal IT audits and improve your processes.

Bring in the experts

One of the main reasons our internal IT audits work well is the qualifications of our internal auditors. They are trained with the help of industry-standard audit training firms and are qualified to investigate IT processes thoroughly.

Auditors can be qualified in certifications (like ISO) and regulations (like GDPR). Their expertise in security, privacy, and process control empowers them to transform our IT teams. By asking the right questions, auditors help IT teams evolve, and make their processes more secure, compliant, and competent.

Let's look at ISO audits, where teams must comply with clauses. For example, a clause regarding asset management reads:

"Assets maintained in the inventory shall be owned."

To the reader, it means an entity, say, an employee in the organization, must take responsibility for every asset in the inventory. However, ManageEngine auditors understand that the implications of this control don't end there. It also means:

• The employee who owns the asset must be well-informed of the organization's acceptable use policy, and should read, comprehend, and sign the policy and understand the consequences of not adhering to it.
• The employee takes responsibility for the security of the asset as well as the information that flows through it. The employee must be aware of the information security policy and what actions to take when the security of this information is compromised.
• All assets in the inventory are visible to the IT team through our help desk. The IT team can determine which are vulnerable, which are up-to-date, etc. They share the responsibility of these assets along with the employees.

First, the internal auditors check the teams' process narratives to confirm that they've covered all aspects of the clause. Process narratives are documents written by the IT teams that describe their processes in detail. Essentially, narratives are a form of commitment from the IT team to the auditors.

When auditors analyze these processes and correlate them to each control, the internal processes become more secure, reliable, and structured. Their narratives often improve, and the way teams look at their work can change since they are introduced to deeper insights into their process.

Establish evidence as the basis of control

After examining the team's process narratives, the auditors can request evidence to demonstrate that the teams truly understand their process narratives. Greater understanding helps them to improve and shape their processes. Additionally, having the IT teams gather evidence prepares the teams for an external audit.

Let's consider a scenario of our network operations team handling the purchase of assets. Assume a new asset was purchased a few months before the audit for network operations. Internal auditors could now seek the following evidence from the network operations team:

• Record of asset requests: Requests are raised through the asset management module in our IT help desk. Each asset is assigned a unique ID. We use the ID to gather all asset-related evidence, along with screenshots of the automated emails sent to team members.
• Record of approval: As per the process narratives, the network operations manager must approve the asset request via the tool and provide their comments, if any.
• Record of negotiations: Upon approval, the administration team takes over and handles price negotiations with vendors. Auditors can ask for copies of the purchase orders, and proof of negotiation. The network operations team must collect and store evidence, and submit it upon request.
• Record of server hardening: Before deployment, the network operations team hardens assets per our policy. Hardening is the process of securing a system by reducing its threat vectors through various processes. The auditors could seek evidence of hardening via checklists, emails, and approvals.

For proper documentation, the process also has to be carried out methodically. The network operations team can't afford to have gaps in its processes. That is the power of an evidence-based approach. As we conduct more internal audits, the process of the IT team also improves.

Use non-conformities as guiding tools

Non-conformities (NCs) are generally viewed as nightmares for an IT team during audits. Despite this perception, addressing NCs during an internal audit provides valuable visibility and insight into IT processes.

NCs reveal gaps in IT processes. When we fix these NCs, the process becomes rock-solid with respect to security, privacy, and compliance. The IT teams are pushed to evolve and strengthen their process. What's more, they affirm IT teams and the top management that the process is solid, and the teams can now go about their business without worrying about the gaps in processes.

Let's get back to the previous example, where our network operations center (NOC) team raised a purchase request for assets. The NOC team maintains its risk register, a repository of all risks, impact, and mitigation measures that relate to the team's activities, using a standard process:

Identify risks --> Evaluate risks --> Treat risks --> Take action

• To identify risks, the NOC team looks at vulnerabilities, threats, and impacts of purchasing assets.
• Then, it evaluates the risks through parameters like risk appetite and tolerance. The NOC team answers questions like: What could be the worst-case scenario? How much risk is acceptable for this purchase?
• Then, there are four options to deal with risk: mitigate, avoid, share, or accept. In this case, they could choose to mitigate the risk by implementing extra controls, share the risk by insuring the assets, or accept the risk as is.
• Based on what they choose to do in step 3, the NOC team performs the necessary actions deemed fit to treat the risk.

Our auditors analyze their risk register to see if they've missed any risks. For example, in step 1, they may have overlooked a vulnerability associated with the process: like updated background verification of vendor's security controls. In step 2, they might not have considered the worst-case scenario of the vendor's business closing down without notice and not being able to support us. In step 3, they might have chosen to mitigate the risk citing minimal impact. In these cases, our auditors may mark that as an NC.

Ultimately, internal IT audits are about deconstructing the process of IT teams, comparing them to industry standards like ISO, analyzing the scope of improvement, and helping IT teams get better.

If a company can conduct internal IT audits regularly with qualified auditors, they will see an improvement in their efficiency, as ManageEngine did.

To learn more about how ManageEngine complies with standards and regulations, and conducts internal audits, review our free e-book, A CIO's guide to rethinking compliance, that shares valuable insights about transforming your IT organization utilizing highly efficient process controls.