IT Audit Process – Real-life Example

I recently stumbled upon a post in the Spiceworks community about someone’s upcoming audit with BDO (a major international audit firm – not one of the Big 3, but still pretty large). Thanks to this Spicehead (as Spiceworks calls its members), we have their real findings and recommendations, which I quote here:

“The auditor here has come and gone. We don’t have the report yet – but the things they were looking for relate directly to the security and integrity of the accounting and supporting systems. Who has access to what – how are usernames and passwords and associated rights assigned and reviewed (logical security), also extending the security of data exchanged between systems. They also want to see that we have periodic reviews of security and user rights in the accounting and related systems. They are also interested in reports generated using tools external to the accounting system – like Crystal Reports. Here, they want to see integrity, management, and oversight in the development and maintenance of those reports. Change management was also a focus – they want to see evidence and documentation of plans for testing, implementation, training, and the like for updates and changes to key systems. The auditor also wanted information on software and processes that feed information into our accounting system – such as timecard and production reporting. Unlike previous visits from our auditors, there were no questions about backup, disaster planning, or physical security. The auditor said this would only be a focus if there were data breaches or losses that raised a flag, and perhaps also this may be because in prior years we had these items reviewed. Our prior auditor visits were shorter and less formal, but they tended to focus much more heavily on some of the things (backup, etc.) that were not reviewed this time around. However, as previously, they also covered the expected: ensuring that access to the accounting and related system was properly secured with only key users having administrative rights, and reviewing structure and controls in the IT department.”
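The periodic review of user rights the auditor asked for is easy to turn into repeatable, dated evidence. The script below is an added example, not code from the original post or from the Spiceworks poster; the account export format, the role names, the approved-admin roster and the 90-day inactivity threshold are all assumptions made for the example.

```python
"""Periodic user-rights review for an accounting system (added example, not
from the original post; export format, role names and 90-day threshold assumed)."""
import csv
import io
from datetime import date, timedelta

# Constructed sample: an account export from the accounting system.
ACCOUNT_EXPORT = """username,role,last_login,enabled
jsmith,admin,2024-03-01,true
mlee,user,2024-02-27,true
svc_crystal,admin,2023-09-15,true
tbrown,admin,2024-03-02,false
kwong,user,2023-06-01,true
"""
# Constructed sample: key users management has approved for admin rights.
APPROVED_ADMINS = {"jsmith", "tbrown"}
AS_OF = date(2024, 3, 5)    # date the review is performed
STALE_AFTER_DAYS = 90       # assumed policy threshold for inactivity

def parse_export(text):
    """Turn the CSV export into dicts with typed last_login/enabled fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["last_login"] = date.fromisoformat(row["last_login"])
        row["enabled"] = row["enabled"].strip().lower() == "true"
        rows.append(row)
    return rows

def review_access(accounts, approved_admins, as_of, stale_after_days):
    """Return (finding, username) pairs a periodic rights review should surface."""
    cutoff = as_of - timedelta(days=stale_after_days)
    findings = []
    for acct in accounts:
        is_admin = acct["role"] == "admin"
        if is_admin and acct["username"] not in approved_admins:
            findings.append(("UNAPPROVED_ADMIN", acct["username"]))
        if is_admin and not acct["enabled"]:
            findings.append(("DISABLED_ADMIN_RETAINS_RIGHTS", acct["username"]))
        if acct["enabled"] and acct["last_login"] < cutoff:
            findings.append(("STALE_ACCOUNT", acct["username"]))
    return findings

def run_review(reviewer="it-manager"):
    """Produce the dated review record that serves as evidence for the auditor."""
    accounts = parse_export(ACCOUNT_EXPORT)
    findings = review_access(accounts, APPROVED_ADMINS, AS_OF, STALE_AFTER_DAYS)
    return {"reviewed_on": AS_OF.isoformat(), "reviewer": reviewer,
            "accounts_reviewed": len(accounts), "findings": findings}
```

Running the review against a fresh export on a schedule, and keeping each returned record, gives the auditor both the control (admin rights limited to approved key users) and the evidence that it is reviewed periodically.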