Preparing for an IT Audit

Preparation for an IT audit begins before the audit is announced!!

Are you aware of the University’s policies and procedures? Do you perform activities that are not covered by the University’s procedures? 

  • If you do, are they procedures documented?
  • Are they readily accessible by your employees?
  • Are they current?
  • Are they being followed?
  • Any deviation from the ordinary or from the written procedure must be documented.
  • Documentation helps to prove what you did and your awareness of exceptions.

If you have appropriate documentation for your area of responsibility you will be moving in a direction to have a positive audit experience.

Primary Phases

Announcement

A notification for an audit when possible will be almost a week prior to the start of fieldwork.  The notification will normally be via an email and the email will include an entry memo. This memo will state the subject matter of the audit, objectives, scope, time table for the audit and how the results will be communicated.  Additional information in the notification may include list of deliverables necessary to perform fieldwork and the logistics for an opening meeting.  Your responsibilities as an auditee are to notify all necessary personnel in the area of the audit so they can make themselves available when needed during the timeframe of the audit and to prepare deliverables that have been requested in a timely manner.

Fieldwork

During this phase, the audit deliverables are reviewed, interviews are held with key staff, and all information obtained is documented by the auditor.  This phase will also be the initial vetting phase for issues uncovered during the audit with staff to ensure accuracy of the auditors work and to allow sufficient time for management to be notified of pending issues.

Reporting

This is the phase of the audit where results are communicated with the auditee as well as the auditee's management in a draft audit report.  Management responses are requested for the issues within the audit report along with an anticipated completion date for the audit issue remediation efforts.

Closing meeting

During this last phase of the audit, the draft audit report is covered one last time with the auditee as well as the responses provided by the audit issue owners so any last questions with regard to the draft audit report can be answered.  After the closing meeting the audit report will be sent out as final to the auditee and other interested parties.