Adriot understands that IT auditors work at the intersection between the IT systems and the people who specify, develop, implement, use, manage, and maintain them, and thus need to be competent and comfortable with both aspects. When evaluating technical system vulnerabilities, for instance, the auditor clearly needs a strong understanding of the technology in order to identify and characterize genuine technical issues.

 

Adriot’s deliverables include:

Operational computer system/network audits: Review the information security and other controls within and   surrounding operational computer systems and networks.

 

IT installation audits: Review the computer building, suite, room, or cupboard, including aspects such as physical security, environmental controls, computer and network operations processes, and management systems and of course the IT equipment itself.

 

Developing systems audits: Project/program management controls and implementation of appropriate information security controls within and supporting the developed system.

 

IT governance, management and strategic audits: Review the organization, structure, strategy, work planning, resource planning, budgeting, cost controls, and so on and, where applicable, relationships with outsourced IT providers.

 

IT process audits: Review processes within IT such as applications deployment, operations, maintenance, housekeeping (backups, preventive maintenance, etc.), support & incident handling, controls protecting the confidentiality, integrity, and availability of systems and data.

 

IT compliance audits: Review compliance with external requirements (i.e. IT-related laws and regulations such as software copyright and personal data/privacy) and internal/corporate requirements (IT/information security policies, standards, procedures, and guidelines).

 

Benchmarking: Comparing the IT performance, efficiency, and/or capabilities of an organization to other similar organizations, or comparing business units within a large organization, or measuring against generally accepted standards.

 

Contingency planning: Review business continuity and IT disaster recovery plans and the associated processes (e.g., tests and exercises).

 

Special investigations: Contingency and un-pre-planned work such as investigating suspected frauds or information security breaches, performing due diligence review of IT assets for mergers and acquisitions, and investigating incident reports from whistle-blowers.