“Audit” Doesn’t Have to Be a Dirty Word

Isn’t it interesting that a simple word like “audit” can invoke such stress and anxiety? Maybe it’s because the Internal Revenue Service uses the word audit much as a parent scolds a misbehaving child. Having an audit looming over your head is enough to give even the most hardened individual the potential to break down in tears. It’s a shame that an audit has developed such a negative connotation, as there are many positives that can come from an audit, especially in the IT world. Businesses of all sizes have benefited from network audits, which expose issues and vulnerabilities before they become major problems. Let’s begin by taking a look at the very definition of an audit before we delve into the various types of network audits that are most common in the SMB space.

The origin of the word audit is rooted, as many English words are, in ancient Latin. The word derives from the Latin noun auditus, which is an ancient term for a hearing. To further that definition, the deeper origin is the Latin verb audire, which means to hear. The related English term is audio, which does not carry a negative connotation. In fact, an audiophile is someone who has a deep enjoyment and an ear for well-designed music systems. Heaven knows the ability to listen is something often lacking in the world today! My point now comes full circle: SMB organizations should really embrace technology audits, because an organization that listens to audit recommendations ends up with a network that runs efficiently and productively.

Every small and mid-sized organization should have a plan in place to evaluate its entire network infrastructure, all network components, and all network users on a semi-regular basis. Usually, if there hasn’t been a comprehensive audit conducted in over a year (or maybe ever), the general audit should be the first step, since it provides a structure to work from.

Every audit type, general or otherwise, is built on five primary steps:

  1. Developing a plan.
  2. Inspection and inventory of systems, controls, and processes.
  3. Regular and stress testing of systems, controls, and processes.
  4. Results report.
  5. Post-audit change implementation and testing.

In many cases, entities and/or their agents don’t adhere to this methodology. They may complete some of the items listed above, but they don’t plan ahead of time, they don’t test the systems to try to ward off an impending failure, and they don’t go back after the report is created to actually re-test the changes their work dictated. Following the above steps is critical when performing any type of audit; otherwise the audit itself could be fraught with omissions or inaccuracies.

Now, let’s take a look at the types of IT audits most common to SMB organizations. For the most part, you can break technology audits out into three main groups: general, design/infrastructure, and security. While there may be situations that require a deeper examination into a specified area, most audit requests are of the general variety. A general audit is a comprehensive high-level review of all critical components of an organization’s technology infrastructure. The level of granularity is open to interpretation, but the main focus is to determine if the network and its elements are functioning properly, if there are vulnerabilities, and if upgrades or cleanups are required. A general network audit includes inspection and recommendations for the following:

  • All equipment including end-user machines, physical and virtual servers, routers, switches, firewalls, security and intrusion prevention appliances, backup appliances, access points, etc.
  • Software suites and end-user applications.
  • Management consoles, administrative interfaces, and IT policies.
  • Connectivity including all wired and wireless connections, wireless transmission facilities, cabling, etc.

Since a general audit is not a deep dive, a detailed report for each of the above listed silos will likely create a good starting point for both the technical and business decision makers who will then mutually develop a plan to mitigate any negative findings. Most final reports include a list of discovered issues and distinguish issues based on a three-tiered advisory model: critical, moderate, and advised.

Now that you’ve embarked on the general audit process, and it has revealed you have a critical issue, what is the next step? A secondary audit, such as a security/vulnerability audit or a design/infrastructure audit, is required to delve deeper into the issue and determine proper steps for remediation. This scenario is very much like taking your car in for an annual inspection and hearing the not-so-welcome news that your brakes need to be replaced. Obviously, it’s much better to uncover issues and vulnerabilities during an audit rather than during an actual incident that can cause devastating damage, such as loss of sales data, intellectual property, or customer information.
