Through the Eyes of an IT Auditor – Understanding Populations and Samples
Introduction
If you’re here, chances are you’re dealing with an IT audit, either for the first time or as a repeat experience. Audits may be considered a bit of a slog, and there’s no magic formula to breeze through them. However, there are ways to make things smoother for everyone involved. This blog aims to shed some light on the IT audit process, specifically focusing on SOC 2 Examinations, from the perspective of someone who’s been there – an IT auditor. We want to help you understand two key things:
- What we’re asking for?
- Why we’re asking for it?
We won’t cover every little detail of the IT audit process, nor will we dive into every topic discussed during an audit. But hopefully, by the end of this, you’ll have a clear understanding and an appreciation of what the auditor needs from you and why. This can help ensure you provide the necessary information upfront, leading to a more effective and efficient audit and a smoother audit experience for everyone involved.
Populations
Auditors rely heavily on evidence provided by the client to perform their audit procedures. That evidence starts off with populations of occurrences within the scope over the relevant audit period. While clients usually do a decent job of providing the right populations, there are times when clarification is needed. Here are a few examples of populations needed:
- User Access Management: This includes listings of employees / third party contractors who during the audit period have joined the Company, are current users of the systems, and employees / third party contractors who have left the organization. Fundamentally, auditors seek to ascertain who possesses access to the Company’s systems/applications and whether such access is authorized and appropriate.
- Application Changes: This includes a listing of all changes to applications that are actually implemented / promoted into the production environment during the audit period. We are looking to see that your change management process is followed, there are no unauthorized changes that are promoted into the production environment; and that there’s appropriate segregation of duties.
- IT/Security Incidents: This covers all incidents related to general IT and / or IT security issues within the audit period. We’re interested in seeing if there are processes and controls for identifying your critical IT Systems, protecting those IT Systems, detecting IT and Security incidents, responding to those incidents and then recovering from those incidents.
Evidence for Samples
From the populations obtained, we now select specific samples for testing. This helps us focus our requests and substantiate our findings regarding control compliance. Here are a few examples of the detailed information we need related to the samples we select:
- User Access Management (for each employee within our sample):
- For New Users
- New Hire Checklist / User Access Request Form
- Who approved the change
- For contractors, contractor agreement and any other relevant onboarding documentation as applicable
- For Terminated Users
- Evidence of timely revocation of system and application access
- Evidence that physical (badge) access was removed timely
- Evidence that Company assets (laptop) was returned (termination checklist)
- For Current Users
- Current user access listing with relevant access rights granted
- Periodic re-approval of all the accesses in the listing (i.e., evidence of user access review (UAR))
- For New Users
- Application Changes:
- Change ticket documentation including evidence to show:
- Who requested the change
- Who authorized the change
- Who developed change
- Who tested change
- Who approved the change
- Who deployed the change into the production environment
- Change ticket documentation including evidence to show:
- IT/Security Incidents:
- Ticket documentation showing the original issue, incident ticket status, and steps to resolve the issue (as needed).
By understanding these insights and adhering to the auditor’s requests, you can navigate the intricacies of IT auditing more adeptly, fostering transparency and efficiency throughout the audit journey.
Conclusion
Understanding the ins and outs of an IT audit can help you navigate the process with confidence and efficiency, whether it’s your first time or not. By grasping the key aspects discussed in this blog, you’re better equipped to make the audit experience smoother for yourself and your auditors.
From clarifying populations to ensuring logical user access, each step contributes to a smoother audit process. By providing the necessary information upfront and addressing any issues proactively, you not only speed up the audit but also help make the final report more accurate.
By promoting transparency and understanding between auditors and auditees, we can turn the audit process into a more positive experience for everyone involved. So, armed with this knowledge, approach your next audit with confidence, knowing that you’re ready to tackle its challenges with ease and effectiveness. And remember, we at AARC-360 pride ourselves on ease of communication, so when a request doesn’t make sense on first glance, raise a question before you waste any time – we are always here to help!
Sam Drummond (Staff Audit Consultant , AARC-360)
