1. Running head: WRITING THE IT INFRASTRUCTURE AUDIT REPORT 1
Writing the IT Infrastructure Audit Report
John Intindolo
June 7, 2014
ISSC471- IT Security: Auditing
Professor Janelle Davis
American Public University
An IT Security Audit is used to determine how effective an organization’s IT controls are and to ensure that those controls maintain compliance with company policies. Many steps go into compliance, including protecting and securing private data, implementing proper security controls, and performing periodic security assessments. Once an audit has been conducted, it is time for the final report to be written. Writing the IT infrastructure audit report is perhaps the most important part of the audit process, because the report communicates the results to the leaders of the organization, prevents misinterpretation of those results, and discusses the measures to be taken to correct any issues. The scope, objectives, methods, work completed, use of others’ work, and findings (amongst other things) combine to make up the basis of the report.
With that said, it is important to understand exactly what an IT Security Audit is. By definition, an IT Security Audit is an independent analysis and inspection of records and activities to assess the adequacy of system controls, certify compliance with company policies and procedures, and recommend necessary changes in controls, policies, and/or procedures (Goldberg, n.d.). Basically, an IT Security Audit assures that the confidentiality, integrity, and availability of an organization’s information assets are being maintained. Furthermore, an IT Security Audit is performed proactively, meaning that its intended purpose is to test the security controls and compliance with policies and procedures before a hacker has the chance to exploit vulnerabilities within the system. Why is it so important for an organization to maintain compliance for ISS?
Compliance for ISS is important to businesses because of the risk of sanctions that could be imposed if a breach were to occur. These sanctions can be criminal, civil, or both. An example of sanctions for noncompliance with the Sarbanes-Oxley Act is a fine of up to $1 million and imprisonment for up to 10 years (Hladjk, 2007, pp. 3-4). Another reason that compliance is important is that it also involves IT controls, and failure to assure the CIA of an organization’s system can significantly impact the public image of the company or even the value of its assets. An example of this is this past winter, when Target had its customers’ credit card information stolen. Besides the money lost as a result of the crime, Target suffered a huge blow to its public image because many customers did not want to shop there after the incident. While compliance is important, there is another closely related term that plays an important role in ISS: governance.
While compliance verifies that the correct controls are being implemented, governance looks to use complete and accurate information and management controls to make the organization run better (Weiss & Solomon, 2011). So, for example, governance ensures that thorough security policies are in place and that procedures exist to implement them. Now how do compliance and governance relate to each other? Without proper governance an organization cannot have effective compliance or risk management, and compliance helps governance by ensuring that the security policies and procedures implemented also meet the standards and regulations set forth. Now that an IT Security Audit, compliance and governance (as well as their importance) are understood, the next logical step is to discuss an IT compliance audit.
As stated earlier, an IT compliance audit is an ongoing process of making sure that effective security policies and controls are both implemented and maintained throughout the entire organization. So how does this whole process of IT compliance auditing begin? In order to start the audit process one must first have a plan, and that is where the scope of the audit comes in. The scope defines everything the audit covers, including information and resources. So the scope will include the measures that need to be taken to be in compliance, the seven domains covered under the audit, and the audit report, which includes findings as well as assessment and recommendations (if changes are needed). Basically, the scope is the outline of the entire audit. What tasks are necessary for compliance?
Compliance is not a single task but rather a process of several tasks that everyone within the organization must adhere to. It begins with protecting and securing private data. This is done in many ways, including the development of privacy policies, routine risk assessment of access controls, using encryption for work-related e-mails, and training employees on privacy practices and policies. Privacy policies do not only exist within the company; there are also privacy laws set forth by the government that must be complied with. Due to “pressure from various stakeholder action groups interested in concerns dealing with security and privacy, the U.S. government and a few security conscientious industries” have set specific regulations and standards to be followed (Chen, Ramamurthy, & Wen, 2012, p. 158).
One of the most common privacy laws is the Health Insurance Portability and Accountability
Act also known as HIPAA. What HIPAA does is protect a person’s health information and permits
the disclosure of said health information to any third parties (“Understanding health information,”
n.d.). Next up for remaining compliant within the organization’s IT infrastructure is having the proper
security controls in place.
Since the biggest factor in information security is the management of risk, proper security controls are the ones that mitigate that risk. It is impossible, however, to account for every risk for monetary reasons, and it is for this reason that there must be some trade-off among risks. In other words, the biggest risks will have security controls to mitigate them, while the smallest risks will receive fewer resources (or even be ignored altogether). Because the threat level of a risk matters so much, it is important to prioritize the risks from highest to lowest. This will ensure that the biggest threats are dealt with and that resources are not wasted. What constitutes proper security controls?
As stated above, deciding what security controls the organization needs works hand in hand with risk management. So the first step is to list all data and information systems within the organization. Then one must consider the impact of each piece of data and each information system on the organization, once again prioritized from highest to lowest importance. It is at this time that security controls can be selected based upon the risk to the systems and then implemented to mitigate the risks. The process does not end there, however, as the controls must be evaluated for their effectiveness, determined to meet the needs of the organization (by reducing the risk to an adequate level), and lastly be continuously monitored. Continuous monitoring not only identifies new threats, but also may require a change to the security controls implemented. What security controls can be implemented to constitute compliance?
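The inventory-then-prioritize procedure described in the preceding paragraphs can be made concrete in a few dozen lines. The following Python script is an added illustration and is not code from this paper or from Weiss and Solomon: it assumes a 1-to-5 rating for impact and likelihood (a scale chosen for the example, not one the paper cites), scores risk as their product, treats every risk at or above a constructed threshold and accepts the rest, then shows the re-scoring that the continuous-monitoring step calls for. All assets, scores and control names are constructed sample data.

```python
"""Risk prioritisation driving control selection (added example, not from the paper).

Assumptions: impact and likelihood are rated 1-5 (scale chosen for this
example), risk score = impact x likelihood, and risks scoring at or above a
threshold are treated while lower ones are accepted. Every asset, score and
control name below is constructed sample data.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class InformationAsset:
    """One row of the inventory the paper says must be built first."""
    name: str
    threat: str
    impact: int                      # 1 negligible .. 5 severe (assumed scale)
    likelihood: int                  # 1 rare .. 5 almost certain (assumed scale)
    candidate_controls: tuple = ()   # controls that would mitigate this risk

    def risk_score(self) -> int:
        return self.impact * self.likelihood


def build_register(assets, treat_threshold=6):
    """Order risks highest to lowest and decide which ones receive controls.

    Risks scoring below `treat_threshold` are accepted so that resources go to
    the biggest threats, which is the trade-off the paper describes.
    """
    ordered = sorted(assets, key=lambda a: (a.risk_score(), a.impact), reverse=True)
    register = []
    for asset in ordered:
        treat = asset.risk_score() >= treat_threshold
        register.append({
            "asset": asset.name,
            "threat": asset.threat,
            "score": asset.risk_score(),
            "decision": "treat" if treat else "accept",
            "controls": list(asset.candidate_controls) if treat else [],
        })
    return register


def controls_to_implement(register):
    """Deduplicated list of controls selected for the treated risks."""
    seen, selected = set(), []
    for row in register:
        for control in row["controls"]:
            if control not in seen:
                seen.add(control)
                selected.append(control)
    return selected


def reassess(asset, residual_likelihood):
    """Continuous-monitoring step: once a control is in place and judged
    effective, record the residual likelihood so the next cycle re-ranks."""
    return replace(asset, likelihood=residual_likelihood)


# Constructed inventory for the example.
INVENTORY = [
    InformationAsset("Customer payment database", "card data theft", 5, 4,
                     ("Encrypt cardholder data at rest", "Quarterly access review",
                      "Database activity monitoring")),
    InformationAsset("HR file share", "insider disclosure", 4, 2,
                     ("Quarterly access review", "Data loss prevention on e-mail")),
    InformationAsset("Build server", "unpatched service exploited", 3, 2,
                     ("Patch management",)),
    InformationAsset("Lobby kiosk", "tampering", 1, 3,
                     ("Network segmentation",)),
]

if __name__ == "__main__":
    register = build_register(INVENTORY)
    for row in register:
        print(f"{row['score']:>3}  {row['decision']:<6} {row['asset']}")
    print("Controls to implement:", controls_to_implement(register))
    # After encryption and monitoring are in place, the database risk drops.
    cycle_two = [reassess(INVENTORY[0], 1)] + INVENTORY[1:]
    print("Next cycle:", [r["asset"] for r in build_register(cycle_two)])
```

The register orders the constructed inventory as payment database (20), HR file share (8), build server (6) and lobby kiosk (3); the kiosk falls under the threshold and is accepted, so its control is not scheduled. Re-running after the database controls have reduced likelihood to 1 moves that asset below the threshold, which is the behaviour the paper's continuous-monitoring step expects.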
Understanding which security controls represent the best way to be in compliance starts with the use of a common IT control framework known as Control Objectives for Information and Related Technology, or simply COBIT. COBIT 5 provides a foundation of principles on which an “organization should build and test security policies, standards, guidelines, processes, and controls” (Olzak, 2013). Not only does COBIT provide this, but it also helps to bring IT and management together, as IT focuses on business aspects and management gains a better understanding of what IT does. Some examples of the types of controls that will be implemented to satisfy the need for compliance are: access control, awareness and training, audit and accountability, security assessment and authorization, configuration management, incident response, risk assessment, and contingency planning (Weiss & Solomon, 2011, p. 56).
As stated previously, achieving compliance is an ongoing process due to constant change within an organization and in standards, laws, regulations, and threats; therefore, in order to respond and adjust to these changes, several things need to happen. Three basic categories make up the basis for maintaining compliance: periodic security assessments, annual security compliance audits, and defining proper security controls.
The first category listed is conducting periodic security assessments. These types of security assessments occur more frequently than the annual security compliance audit, and so are generally grouped into one of the following types: high-level (overall view of information systems), comprehensive (a more succinct analysis of information systems), and preproduction (for new systems or those implementing a major change). Changes occur all the time within a year, so it is imperative that periodic security assessments take place in order to maintain compliance. Annual security compliance auditing is performed as a complementary method to periodic assessments. This provides an independent review of how sufficient and effective the internal IT security controls are.
Defining proper security controls is the third component of maintaining compliance. This is done by creating a policy framework for IT security that outlines what is required of everyone in the organization to maintain compliance. Essentially this is the why, what, and how of the organization’s IT security framework. Without defining the proper security controls, how will anyone know whether they are in compliance or not? For that reason, it is vital to the security of an organization to have clear-cut and well-defined security controls. Defining proper security controls is done using the following framework: at the top is the policy, which details the organization’s beliefs, goals, objectives, and acceptable procedures for IT security; followed by standards, which make the policy more meaningful and effective by creating an action or rule to support the policy; then guidelines, which suggest the best practices to reach the policy’s objectives; and lastly, optionally, a step-by-step outline of how the standards and guidelines are implemented to support the policy (Guel, 2007).
Now comes the writing of the IT infrastructure audit report. The audit report is perhaps the most important part of the auditing process, because if it is not properly written, management may not consider the measures that need to be taken to improve compliance across the IT infrastructure. That is why the audit report must be well written and easy to follow. Furthermore, it should serve as a means to communicate the results, prevent misinterpretation of the results, and detail a list of recommendations to improve compliance for upper management. An audit report is lengthy, and since the higher-ups in an organization are very busy they often do not have the time to read the full report. That is where the executive summary comes into play.
The executive summary is the part of the audit report that is designed for the executives who are too busy to read the full report or perhaps lack the technical competence to grasp what it says. It should be a brief review of the entire report, and according to Jacka, “If there is an overpowering need to share such detailed information, then the auditors should put it in the report” (2012). Make no mistake, though: brief does not mean vague. The executive summary shall include only the most important issues of the audit report. A good measuring stick for the length of the executive summary is that it should be about 10% of the audit report (Weiss & Solomon, 2011, p. 154). So if the report is 30 pages long, then the executive summary should be about 3 pages long. The next area of the audit report is the summary of findings.
The summary of findings is an abstract of what was discovered during the audit (within the seven
domains) of the IT infrastructure. A finding is broken down into four components and they are
criteria, circumstance, cause, and impact. Criteria is what is expected, circumstance is the situation
within the existing IT infrastructure, cause represents the reason a gap exists between the
circumstance and the criteria, and impact identifies the impact or potential impact on the entire IT
infrastructure based upon the difference between the circumstance and the criteria (Weiss &
Solomon, 2011, pp. 154-155). As referenced above there is a gap that exists between the
expected state and the actual situation occurring within the IT infrastructure. This is where a gap
analysis comes into play.
A gap analysis is a tool that is used to find the gap between the current state of the IT
infrastructure and the desired state that is necessary for compliance. Additionally, the gap analysis
will provide the necessary steps to bridge the gap between the two. Conducting a gap analysis is a
three step approach that includes the following: identifying the criteria for compliance, analyzing the
current situation of the IT infrastructure, and lastly what needs to be done to close the gap between
the two and reach the desired state for compliance (“Gap analysis,” n.d.). The next part of writing
the audit report is performing an IT Security Assessment.
One of the questions often asked about enterprise security is which should be focused on more: compliance or risk? The best answer to that question is that there needs to be a healthy balance between the two. In fact, both risk management and compliance are essential to an organization, and merging, balancing, and managing the overlap between the two will avoid the biggest threats to the organization (Anschuetz, 2013). Performing an IT Security Assessment is the area of enterprise security that focuses on risk. This portion of the audit report covers risks, threats, and vulnerabilities. Risk is the likelihood of a loss occurring. A loss occurs when a threat has exploited a vulnerability or weakness.
The assessment process includes basic principles of information security practice, such as security controls that can identify and record known types of attacks and prioritize them by risk, and training employees on social engineering attacks that can lead to malware infecting the organization’s network. The assessment process takes security to the next level, though, and is a continuous model that consists of the following principles: collection of intelligence feeds, research and training for solutions, threat analysis (assessments and reporting), developing corrective controls and continuously improving, and monitoring through periodic security reviews or proactive surveillance measures (Neghina & Scarlat, 2013).
Next would be a list of IT security controls and countermeasures that will enable compliance
within the organization’s IT infrastructure. This portion of the audit report compares the current state
of controls to the desired state of controls, and should clearly define any major gaps as well. The
easiest way to do this is by creating a spreadsheet documenting a list of controls with column
headings identifying controls that are in place, partially in place, or not in place at all. The next step is
the compliance assessment stage.
Compliance should be broken down throughout the entire IT infrastructure to clearly state the compliance level that is being met. This would consist of compliant (the requirement is satisfied), noncompliant (the requirement is not being met), not determined (there is not enough evidence to reach a conclusion one way or the other), or not applicable (the requirement does not apply in this case). Lastly come the compliance recommendations. It is at this point of the report that recommendations are made and documented to ensure that the organization is in compliance.
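The control spreadsheet, the three-step gap analysis, the four-part finding (criteria, circumstance, cause, impact) and the four compliance levels described in the preceding sections fit together in one small tool. The following Python script is an added illustration and is not code from this paper or from Weiss and Solomon: it models each row of the control matrix with a status column, derives the compliance level per requirement, collects the noncompliant rows as the gap, and assembles each gap into a criteria/circumstance/cause/impact finding. The control identifiers, domain labels and observations are constructed placeholders, and the rule that a control "partially in place" reports as noncompliant is an assumption of the example, since the paper does not say how partial controls are graded.

```python
"""Control gap matrix, findings and compliance levels (added example, not from the paper).

Assumptions: control IDs, domain labels and observations are constructed
placeholders; a control that is only partially in place is reported as
noncompliant (the paper does not say how partial controls are graded).
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    """Spreadsheet columns from the paper plus the two assessment states."""
    IN_PLACE = "in place"
    PARTIAL = "partially in place"
    NOT_IN_PLACE = "not in place"
    NOT_APPLICABLE = "not applicable"
    NOT_DETERMINED = "not determined"   # insufficient evidence either way


COMPLIANCE_LEVEL = {
    Status.IN_PLACE: "compliant",
    Status.PARTIAL: "noncompliant",      # assumption: partial means the requirement is not met
    Status.NOT_IN_PLACE: "noncompliant",
    Status.NOT_APPLICABLE: "not applicable",
    Status.NOT_DETERMINED: "not determined",
}


@dataclass
class ControlRow:
    control_id: str          # placeholder id, not from any real framework
    domain: str
    criteria: str            # desired state: what is expected
    status: Status           # current state observed by the auditor
    circumstance: str = ""   # what was actually found
    cause: str = ""          # why the gap exists (auditor's judgement)
    impact: str = ""         # consequence for the IT infrastructure


def compliance_level(status):
    return COMPLIANCE_LEVEL[status]


def finding(row):
    """Four-part finding for a gap: criteria, circumstance, cause, impact."""
    return {
        "control_id": row.control_id,
        "criteria": row.criteria,
        "circumstance": row.circumstance or "[not recorded]",
        "cause": row.cause or "[to be determined]",
        "impact": row.impact or "[to be determined]",
    }


def gap_analysis(rows):
    """Compare desired state (criteria) with current state (status); return the
    gaps, their findings, counts per compliance level, and a compliance rate
    over the requirements that are applicable and could be determined."""
    counts = {"compliant": 0, "noncompliant": 0, "not determined": 0, "not applicable": 0}
    gaps = []
    for row in rows:
        level = compliance_level(row.status)
        counts[level] += 1
        if level == "noncompliant":
            gaps.append(row)
    determined = counts["compliant"] + counts["noncompliant"]
    rate = counts["compliant"] / determined if determined else None
    return {"gaps": gaps, "findings": [finding(g) for g in gaps],
            "counts": counts, "compliance_rate": rate}


def render_matrix(rows):
    """Plain-text version of the spreadsheet: an X marks the status column."""
    columns = (Status.IN_PLACE, Status.PARTIAL, Status.NOT_IN_PLACE)
    header = f"{'ID':<6}{'Domain':<20}" + "".join(f"{c.value:<20}" for c in columns) + "Level"
    lines = [header]
    for r in rows:
        marks = "".join(f"{'X' if r.status is c else '':<20}" for c in columns)
        lines.append(f"{r.control_id:<6}{r.domain:<20}{marks}{compliance_level(r.status)}")
    return "\n".join(lines)


# Constructed control matrix for the example.
MATRIX = [
    ControlRow("AC-1", "System/Application", "Access to payment systems is reviewed quarterly",
               Status.PARTIAL, "Reviews were performed once in the last year",
               "No owner is assigned to the review", "Departed staff retain access to card data"),
    ControlRow("AT-1", "User", "All staff complete annual security awareness training",
               Status.IN_PLACE, "Training records cover 100% of staff"),
    ControlRow("CM-1", "Workstation", "Workstations receive critical patches within 30 days",
               Status.NOT_IN_PLACE, "Median patch age is 95 days",
               "No central patch management", "Known vulnerabilities remain exploitable"),
    ControlRow("IR-1", "LAN", "Incident response plan is tested annually",
               Status.NOT_DETERMINED, "Test report requested but not provided"),
    ControlRow("CP-1", "WAN", "Mainframe backups are restored quarterly",
               Status.NOT_APPLICABLE, "No mainframe in scope"),
    ControlRow("AU-1", "LAN", "Security logs are retained for one year",
               Status.IN_PLACE, "Retention verified on the log collector"),
]

if __name__ == "__main__":
    print(render_matrix(MATRIX))
    result = gap_analysis(MATRIX)
    print(result["counts"], "compliance rate:", result["compliance_rate"])
    for f in result["findings"]:
        print(f)
```

On the constructed matrix the gap consists of AC-1 and CM-1, the counts are two compliant, two noncompliant, one not determined and one not applicable, and the compliance rate is reported only over the four requirements that were both applicable and determined (50%). Keeping cause and impact as auditor-supplied fields rather than deriving them keeps the tool from inventing the two parts of a finding that require judgement.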
In conclusion, an IT Security Audit determines the effectiveness of an organization’s IT controls and makes sure that those controls follow company policies and comply with laws and regulations. The most important part of the entire audit process is writing the actual audit report, because this is where the audit is communicated to upper management. Without proper documentation, the report essentially becomes useless: its results may be misinterpreted or, even worse, the leaders of the organization may not see the importance of corrective actions.
References
Anschuetz, C. (2013). When it comes to enterprise security, is it better to focus on compliance or risk? Network World, 30(7), 16.
Chen, Y., Ramamurthy, K. K., & Wen, K. (2012). Organizations' information security policy compliance: Stick or carrot approach? Journal of Management Information Systems, 29(3), 157-188.
Gap analysis. (n.d.). Retrieved from http://www.mccd.edu/organizations/student/Gap Analysis.pdf
Goldberg, M. (n.d.). IT security auditing [PowerPoint slides]. Retrieved from https://isis.poly.edu/courses/cs996-management-s2005/Lectures/security%20audit.ppt
Guel, M. (2007). A short primer for developing security policies. Retrieved from https://www.sans.org/security-resources/policies/Policy_Primer.pdf
Hladjk, J. (2007). IT compliance and IT security - part 2. Privacy & Data Protection, 7(4), 3-5.
Jacka, J. (2012). Just tell me what I need to know. Internal Auditor, 69(6), 71.
Neghina, D., & Scarlat, E. (2013). Managing information technology security in the context of cyber crime trends. International Journal of Computers, Communications & Control, 8(1), 97-104.
Olzak, T. (2013). COBIT 5 for information security: The underlying principles. Retrieved from http://www.techrepublic.com/blog/it-security/cobit-5-for-information-security-the-underlying-principles/
Understanding health information privacy. (n.d.). Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/
Weiss, M., & Solomon, M. (2011). Auditing IT infrastructures for compliance. Sudbury, MA: Jones & Bartlett Learning.