What is IT auditing?
IT (information technology) audits examine and evaluate an organisation’s IT controls – the policies, procedures and technical safeguards that ensure information systems operate as intended and that the information they hold is protected.
Whether carried out internally or by independent external auditors, IT audits should provide objective assurance of corporate IT governance, risk management and/or compliance activities.
This will help demonstrate that your organisation is meeting its legal and regulatory obligations in line with its business objectives, or – if it is falling short – inform a programme of improvement.
IT audit and risk management
IT audits are an essential part of enterprise risk management. Like other types of audit, they gather qualitative and quantitative evidence, which can be assessed to identify weaknesses in your operations and inform how you resolve those weaknesses.
They can be carried out against any relevant standard or set of best practices, such as ISO 27001, SOC 2, or the CIS Controls.
IT audit standards
Audits can use a variety of standards and best practices as benchmarks, including:
ISO 27001
ISO 27001 is the international standard for an ISMS (information security management system) – a systematic approach to organisational security that encompasses people, processes and technology. Compliant organisations can achieve certification to the Standard to demonstrate that they are following best practice. Part of the process of demonstrating compliance with the Standard is carrying out internal audits at planned intervals.
Learn more about ISO 27001
SOC 2
SOC 2 (System and Organization Controls 2) audit reports provide detailed information and assurance about a service organisation’s security, availability, processing integrity, confidentiality and/or privacy controls, based on their compliance with the AICPA’s (American Institute of Certified Public Accountants) TSC (Trust Services Criteria). The TSC are an industry-recognised, third-party assurance standard for auditing service organisations such as cloud service providers, software providers and developers, web marketing companies and financial services organisations.
Learn more about SOC 2 audits
CIS Controls
The Center for Internet Security (CIS) Controls are a prioritised set of safeguards designed to mitigate the most common cyber attacks on systems and networks. Version 7.1 comprises 20 controls – six Basic, ten Foundational and four Organizational – ranging from creating an inventory of hardware assets to carrying out penetration testing. Version 8 (2021) consolidates them into 18 controls and prioritises them by Implementation Group (IG1 to IG3) rather than by those three tiers, so check which version an audit is benchmarking against.
Learn more about the CIS Controls
IT audit qualifications
CISA® (Certified Information Systems Auditor)
ISACA® (formerly the Information Systems Audit and Control Association) is an independent non-profit organisation. Its CISA certification is an internationally recognised qualification for information systems audit control, assurance and security professionals. IT Governance is the exclusive approved reseller of ISACA publications and offers a complete range of CISA products, including study guides and training, designed to help you pass the CISA exam at the first attempt.
Learn more about CISA
ISO 27001 auditor
Lead Auditor
Build your career as a lead auditor, lead a team of auditors and gain the skills to audit an ISMS for compliance with ISO 27001 with this five-day course. By attending and passing the course exam, you will achieve the ISO 27001 Certified ISMS Lead Auditor (CIS LA) qualification.
Learn more about the Certified ISO 27001 ISMS Lead Auditor Training Course
Internal Auditor
Learn how to drive continual improvement of your organisation’s ISMS, how to identify opportunities for improvement and take corrective action to maintain conformity to the ISO 27001 standard with this certified two-day course. By attending the course and passing the exam, you will achieve the ISO 17024-certificated ISO 27001 Certified ISMS Internal Auditor (CIS IA) qualification.
Learn more about the Certified ISO 27001 ISMS Internal Auditor Training Course