A way of describing IT audit

You know how your day goes? You know how you use all of these widgets and doohickeys, and that’s how you usually converse or get any information? It’s my job to keep all of that stuff working (at least, I would like to). I’m not talking about just making Windows work on your computer, or troubleshooting your iPhone. I’m talking about the systems and processes which are used by those devices. You see, there are complex processes at very large companies which must keep running. You can’t send text messages? You can’t buy stuff off Amazon? You can’t watch cat videos? Something has gone wrong in those services, and it’s up to guys like me to prevent that from happening.

So I’ll check that the servers which provide the videos can still function when they’re running at full tilt, or when there’s barely a trickle coming in.¬† Regular phone calls and text messaging have complex systems which must¬† be checked to ensure they’ll do their job every single time. This includes gathering evidence, and assuring that what management claims about the workings of their systems is true. Has the system administrator updated the server’s OS to its latest patches? Did they test to ensure that the patches wouldn’t break anything? Are change controls in place to ensure that they even check that these patches wouldn’t break the system? How about security procedures? Have they been followed? Has the system been hardened to identified threats? These are some of the things IT auditors have to check.

This is not just about checking the hardware, though. Has management performed its due diligence and made sure that the data they have is backed up? How do they know whether the data that was backed up could be restored? Who is in charge of checking that the data is backed up and stored properly? If the servers go down, who’s job is to ensure that they all go up again? More questions can be asked, but I’m sure you get the gist of it.

So you may have heard of company’s getting their data breached, or have announced new services they will provide. However, it’s up to someone at these companies to ensure that governance practices have been followed, that the company can actually provide this service, that the service won’t expose the company to risks (e.g. litigation, huge losses, or data breaches), and will actually be a benefit to the company. And usually, it’s someone who knows about IT audit.