Auditors are required to ensure policies and processes are being followed by members of the organization. Auditors must be very aware of most policies and many processes in the organization. Auditors should report to a different management chain than those the auditor must audit. Auditors should audit a random representational sample of items in the various areas required to determine whether there are deficiencies and report results to management. Auditing should determine business effectiveness, efficiency and whether requirements are being met.

Skills Required

Auditors must have knowledge about organizational policies. Auditors must have excellent verbal and written communication skills. Practical experience in areas that the auditor must audit is a plus. Depending on the area of speciality that the auditor audits, relevant certifications may include CPA, CIA, CISSP, CCSN, CISM, CISA, and MCSE.

Policies Affecting the Auditor Position

Must Take Specific Action

  • Password Policy - Must determine whether the password policy is being followed including how account reset is done, whether password complexity requirements are properly set and working, whether maximum password age is set, and password reset functionality exists.
  • Computer Training Policy - Determine whether users are aware of applicable policies and have been trained adequately for general computer use and specifically for their jobs.
  • User Privilege Policy - Auditors must determine whether users hold only the least privileges needed to do their jobs. Most users should be restricted users or standard users.
  • Privacy and Confidentiality Policy - The auditor must check to determine whether the proper controls of access, encryption, disposal, and other controls are followed to protect confidential information.
  • Account Management Policy - Auditors must check to be sure this policy is being followed and that it is known what accounts staff members have access to.
  • Employee Termination Policy - Auditors must check to determine whether accounts of those who leave or change job roles are either removed or modified appropriately.
  • Employee Background Screening Policy - Auditors must determine whether background checks are done according to the policy.
  • Logon Banner Policy - Auditors should check to be sure a proper logon banner exists on systems and applications through the organization.
  • Code of Ethical Conduct Policy - Must be sure the organization has properly informed staff about their expectations and responsibilities. Staff must be informed that their activities may be monitored. Users must be educated about IT resource use, security incidents, security requirements, and security training.
  • Internet Connection Policy - Must ensure that connections to the internet are approved. Any wireless or modem connection must be approved. Checks to determine that the surf control program meets the set standards.
  • Approved Application Policy - Check to be sure that users are not using unapproved programs.
  • Wireless Communication Policy - Auditors check to be sure that wireless devices in use are of a type that is approved and are properly configured.
  • Network Documentation Policy - Auditors check to determine whether the network is documented as called for in this policy.
  • Network and Server Scanning Policy - Auditors must make sure this policy is being followed and the list of server administrators available to the security scanner staff is current.
  • Perimeter Security Policy - Auditors must be sure this policy is followed, confirming that logs are protected, change management processes are adhered to, and the network is structured according to policy, including proper intrusion detection.
  • Internet DMZ Equipment Policy - Auditors should check to determine whether equipment is appropriately listed in the enterprise management system and configured according to policy.
  • Router Security Policy - Auditors should periodically check to ensure that routers are properly configured.
  • Telecommunications Communication Policy - Auditors must be able to determine that network communication is established and monitored according to this policy both for quality and security reasons.
  • Surf Control Policy - Auditors should check to be sure the users and administrators of surf control devices are in compliance with this policy.
  • Asset Control Policy - Auditors should check to determine whether equipment is properly listed in the asset tracking system and whether the information is current and accurate. They should review tasks where equipment moves were done and determine whether the database was updated appropriately.
  • Equipment and Media Disposal Policy - Auditors must periodically check to be sure this policy is being followed and the asset disposal procedure is effective.
  • Mobile Computer/Device Policy - Auditors must periodically check to be sure this policy is being followed.
  • IT Equipment Purchase and Failure Prevention Policy - Ensures that equipment put into place meets the failure prevention needs of the business.
  • Software Tracking Policy - Audits to be sure the database is up to date and software is properly licensed.
  • Software Licensing Policy - Audits to be sure software is properly licensed. Audit software on an annual basis to determine compliance. Inform managers of departments where they fail to be compliant. Document audit results and provide the information to senior management.
  • Intellectual Property Rights Policy - Audits to be sure assets that are considered intellectual property are tracked.
  • Virus Protection Policy - Audits systems and mail servers to be sure the approved and latest version of the anti-virus program is running with the latest virus definitions.
  • Patch Management Policy - Audits to be sure this policy is being followed on servers and, to a lesser degree, on workstations.
  • System Lockdown Policy - The auditor should be sure the defined lockdown process is regularly followed.
  • Server Monitoring Policy - The auditor should check to be sure servers are monitored on a daily basis and the required checks are done according to the policy.
  • Backup and Recovery Policy - The auditor must check to be sure backups are being done regularly and successfully. They must also check to be sure periodic successful testing of restore capabilities is accomplished.
  • Server Documentation Policy - Auditors must check to be sure the server list is current and complete.
  • Computer and Printer Naming Policy - Checks to be sure the computers and printers are named according to policy.
  • IP Address Assignment Policy - Auditors check to be sure this policy is not violated and that unauthorized equipment is not operating on the network. Auditors check IP address conflict reports.
  • Audit Trail Policy - Auditors check to be sure events are being logged on servers, reviewed, and retained according to the policy. Auditors check permissions and ensure that policy violations and security events are investigated through the incident response plan.
  • Authentication Mechanism Policy - Auditors ensure that users do not share accounts and have the minimum privileges needed to perform their duties. Auditors check systems to be sure account information is not sent in the clear and is encrypted or hashed according to policy.
  • Computer Center Operations Policy - Auditors ensure the secondary power sources are in place and regularly tested. Auditors ensure environmental controls are effective and keep functioning for as long as backup power can function. Auditors ensure that backup functionality is in place and working. Ensure that physical access controls are in place. Ensure that equipment maintenance is performed on a timely, regular basis.
  • Computer Forensics Policy - Auditors review computer forensic practices and investigative logs to be sure policy is adhered to.
  • Server Security Policy - Auditors ensure the system configuration guidelines are followed.
  • Workstation Configuration Policy - Auditors should audit workstation configurations to be sure they adhere to the policy. Only approved software should be operating, patches should be up to date, current anti-virus should be operating, and only the minimum rights required for job duties should be provided.
  • Email Policy - Auditors ensure that inbound and outbound mail is filtered for spam, viruses, and prohibited file types. Auditors should check to be sure external email services are not used for business email, email server administration is done according to policy, and users are trained to understand what sensitive data is and what email threats exist.
  • Certification and Accreditation Policy - Assure that certification and accreditation staff are qualified and trained. Assure that certifications and accreditations are done as required by policy.
  • Information Sensitivity Policy - Auditors must check to ensure this policy is being followed, especially for backup media, mobile devices, and media and device disposal.
  • Risk Assessment Policy - Auditors should check to ensure risk assessments are done at the proper time and that they are properly done.
  • Database Passwords Policy - Auditors check to be sure database accounts and passwords are compliant.
  • Encryption Policy - Auditors must be sure that sensitive data is stored and transmitted according to this policy and that computers holding sensitive data are compliant.
  • Incident Response Policy - Auditors must check to be sure the incident response policy and processes are followed for all security incidents. Auditors must be sure required processes are in place and communicated to those affected.
  • Intrusion Detection Policy - Auditors check to be sure intrusion detection equipment is in place and monitored. Auditors must be sure required intrusion detection processes are in place and communicated to those affected.
  • Disaster Recovery Policy - Auditors must audit disaster recovery capabilities and determine the organization's degree of capability to recover from a disaster. The auditor should check to be sure that roles are defined, plans are in place at the proper locations, software and hardware are available at the proper locations, connectivity can be established when needed, and all required systems are covered by the disaster recovery plan.
  • Physical Security Policy - Auditors must check to be sure physical security devices are in place and the policy is enforced.
  • Insurance Purchase Policy - Auditors must check to be sure proper insurance is purchased when required based on policy, risk, and liability. Assessments and other means may be used to determine risk.
  • Segregation of Duties Policy - Auditors ensure this policy is not violated by checking various account privileges on server types and job duty requirements.
  • Change Management Policy - Auditors check to be sure software is distributed properly, software versions are controlled and documented, the development life cycle policy is followed, and the change process is followed.
  • Auditing Policy - Roles, responsibilities, and qualifications for auditors are defined by this policy. Auditors must create and follow plans according to this policy.
  • Third Party IT Service Policy - Auditors should check to be sure the contracting process is being followed and purchase of services is justified.
  • Software Standards Policy - Auditors review contracts and contract processes to be sure software is required to be escrowed, properly licensed, ownership of completed software is specified, confidentiality is guaranteed, the SDLC requires code checks and that they are done, and the software standards specification is complete and adhered to.
  • Business Continuity Policy - Auditors must audit completed and ongoing projects to determine whether business continuity is effectively planned for each project.
  • Development Life Cycle Policy - Auditors must audit completed and ongoing projects to determine whether project development phases are being done according to quality standards and in the proper steps.
  • Configuration Management Policy - The auditors must determine whether changes are done according to the change control or configuration management process. Software source control libraries, software distribution, and configuration management should be checked.
  • External Requirements Policy - Auditors check procedures for identifying external requirements and where possible determine whether external requirements are being met.
  • Customer Support Policy - Auditors determine whether the help desk business requirements and procedures are defined. Auditors audit help desk quality issues including ticket history and results. Auditors review qualifications and training for help desk personnel.
  • Emergency Access Policy - Determine whether emergency access procedures are in place and followed. Determine whether emergency access staff and required rights are identified.
  • Service Level Policy - Determine whether Service Level Agreement framework and roles are defined. Determine the effectiveness of service level agreements and whether they are being met.
  • Service Monitoring Policy - Auditors review the monitoring of services to determine the effectiveness of the monitoring system and the level of service. Auditors make recommendations for improvements.
  • Internal Controls Policy - Auditors monitor internal controls, their effectiveness, and recommend improvements.
  • Service Reliability and Continuity Policy - Auditors review the information technology continuity plan and associated processes.
  • Service Quality Policy - Auditors check to determine whether business processes are prioritized based on their criticality to the business. Auditors review job roles and determine whether responsible parties are assigned to critical supporting services. Auditors determine whether the process performance is being reviewed and improved.
  • Quality Policy - Audit quality plan processes and activities to determine effectiveness.

Must be Aware

  • Browser Configuration Policy - Understand the reasons for browser specification (for standardization) and secure configuration.
  • IT Organizational Policy - Understand how the IT function is organized and how it supports the business.

Affects Job but Awareness not Required

  • Computer Training Policy - Is trained in various technical areas.
  • User Privilege Policy - May require more than basic access depending upon the organization.