IT Audit & Compliance Landscape
Knowledge Reference · IT Audit & Compliance
A complete visual reference covering every phase of an IT audit — from foundations to frameworks. Built for people learning from scratch.
5 Finding Components (5Cs)
What is IT Audit? An independent, structured examination of an organisation's IT systems, controls and processes — asking one question: are the systems doing what they should, safely and reliably?
Three things every audit evaluates — the CIA triad
CONFIDENTIALITY
Data access is restricted
- Only authorised users can read or modify data
- Encryption, access controls, MFA
INTEGRITY
Data is accurate and unaltered
- Data cannot be tampered with undetected
- Audit logs, checksums, change controls
AVAILABILITY
Systems work when needed
- Systems are accessible to authorised users
- Backups, DR plans, uptime monitoring
Two types of frameworks auditors use simultaneously
AUDIT STANDARDS — HOW the auditor must behave
- ISACA / CISA — global IT audit certification body
- ITAF — IT Assurance Framework
- IIA Standards — internal audit professional standards
- GAAS — Generally Accepted Audit Standards
CONTROL FRAMEWORKS — WHAT the auditor tests against
- COBIT — IT governance and management
- ISO 27001 — information security management
- SOC 2 — trust service criteria for vendors
- NIST CSF — cybersecurity risk framework
Types of IT audit →
General Controls
Compliance Audit
Application Audit
Forensic / Investigative
The audit is won or lost in planning, not fieldwork. Five steps must be completed before a single test is run.
Step 01
Audit Mandate & Charter
- Formal authority to audit
- Independence from business units
- Right to access all systems
- Reports to audit committee
Step 02
Risk Assessment
- What could go wrong?
- Which systems are most critical?
- What did last year flag?
- Likelihood × Impact matrix
Step 03
Scope Definition
- Systems in scope
- Locations covered
- Time period under review
- Explicit out-of-scope list + justification
Step 04
Audit Plan
- Audit objectives
- Test procedures
- Timeline & milestones
- Pass / fail criteria
Step 05
Preparation & Kick-off
- Assign team roles
- Confirm access and tools
- Kick-off meeting with auditee
- Document request list issued
Risk matrix — how auditors prioritise where to focus (rows: likelihood; columns: impact, inferred low to high from the layout)

                  Low Impact   Medium Impact   High Impact
High Likelihood   Medium       High            Critical
Med Likelihood    Low          Medium          High
Low Likelihood    Low          Low             Medium
Outputs →
Audit Charter
Risk Register
Scope Statement
Audit Plan
Never just accept what management tells you. The auditor independently verifies everything — network scans, system exports, user lists — not descriptions of them.
Map 01
Asset Inventory
- Servers, apps, databases, cloud instances
- Network devices, endpoints
- Cross-check against network scan
- Shadow IT gap = immediate finding
Map 02
Data Flows
- Where does sensitive data originate?
- Where is it processed and stored?
- Where does it exit the system?
- Encryption at every hop?
Map 03
Network Architecture
- Topology and segmentation
- Firewall rules review
- DMZ configuration
- Flat network = critical finding
Map 04
Users & Access
- Pull full user list from AD / IAM
- Map roles and privileges
- Identify privileged accounts
- Orphaned accounts = common finding
Map 05
Third Parties
- Cloud providers (AWS, Azure, GCP)
- SaaS vendors, outsourced IT
- Payment processors, data vendors
- SLAs, DPAs, security posture reviewed?
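The asset-inventory cross-check in practice, as an added example that is not part of the original reference: the script parses a scan export in nmap's grepable (-oG) line style and reconciles it against the asset register. Hosts that answer on the network but are absent from the register are the shadow IT gap; registered hosts the scan never saw are stale entries to query with the owner. The register rows, IP addresses and scan lines are all constructed sample data.

```python
"""Reconcile an asset register against a network scan (added example, not from the
original reference). Both inputs below are constructed samples."""
from __future__ import annotations
import re

# Constructed asset register export: (ip, hostname, owner)
ASSET_REGISTER = [
    ("10.0.1.10", "erp-app-01", "Finance IT"),
    ("10.0.1.11", "erp-db-01", "Finance IT"),
    ("10.0.1.20", "file-srv-01", "Corporate IT"),
    ("10.0.1.30", "legacy-fax-01", "Facilities"),  # decommissioned but never removed
]

# Constructed scan output in nmap grepable (-oG) line style; only the fields
# this script reads are included.
SCAN_OUTPUT = """\
# Nmap scan (constructed sample, grepable-style output)
Host: 10.0.1.10 ()\tStatus: Up
Host: 10.0.1.10 ()\tPorts: 443/open/tcp//https///
Host: 10.0.1.11 ()\tStatus: Up
Host: 10.0.1.11 ()\tPorts: 5432/open/tcp//postgresql///
Host: 10.0.1.20 ()\tStatus: Up
Host: 10.0.1.20 ()\tPorts: 445/open/tcp//microsoft-ds///
Host: 10.0.1.77 ()\tStatus: Up
Host: 10.0.1.77 ()\tPorts: 8080/open/tcp//http-proxy///, 22/open/tcp//ssh///
# Nmap done"""

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+(Status|Ports):\s+(.*)$")


def parse_scan(text: str) -> dict[str, set[int]]:
    """Return {ip: set of open ports} for every host the scan reported as up."""
    hosts: dict[str, set[int]] = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment or unrelated line
        ip, kind, rest = m.groups()
        if kind == "Status":
            if rest.strip() == "Up":
                hosts.setdefault(ip, set())
        else:
            # Each entry looks like "443/open/tcp//https///"; keep port and state
            for entry in rest.split(","):
                port, state = entry.strip().split("/")[:2]
                if state == "open":
                    hosts.setdefault(ip, set()).add(int(port))
    return hosts


def reconcile(register, scan_hosts):
    """Shadow IT = on the wire but not registered; stale = registered but not seen."""
    registered = {ip for ip, _, _ in register}
    seen = set(scan_hosts)
    shadow = sorted(seen - registered)
    stale = sorted(registered - seen)
    # Open ports on unregistered hosts help the auditor describe the exposure
    exposure = {ip: sorted(scan_hosts[ip]) for ip in shadow}
    return {"shadow_it": shadow, "stale": stale, "open_ports": exposure}


if __name__ == "__main__":
    result = reconcile(ASSET_REGISTER, parse_scan(SCAN_OUTPUT))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Each unregistered host becomes a finding in its own right (the page rates the shadow IT gap as immediate); the stale list is the softer question of whether the register is maintained at all.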
Outputs →
Asset Register
Data Flow Diagram
Network Map
Access Matrix
Third-Party Register
Three questions every control must answer: Does it exist? Is it designed to prevent the risk? Is it actually operating consistently?
Two types of IT controls
GENERAL IT CONTROLS (GITCs) — govern the whole environment
- Access management — user provisioning, MFA, least privilege
- Change management — approvals, testing, rollback
- IT operations — monitoring, incident response, patching
- Backup & recovery — frequency, integrity, restore testing
APPLICATION CONTROLS — built into specific systems
- Input controls — validation, format checks, auth gates
- Processing controls — calculations, logic, error handling
- Output controls — report accuracy, distribution, masking
- Interface controls — data transfer integrity between systems
Four testing techniques — from weakest to strongest
- Inquiry (weak alone): ask people how the control works. Weakest alone — people describe the ideal, not reality.
- Observation (medium): watch the control being performed live. Only proves it works when being watched.
- Inspection (strong): examine documentary evidence — logs, change tickets, approval emails, reports.
- Re-performance (strongest): the auditor independently re-executes the control and verifies the result themselves.
Sampling rule: Annual controls → test all instances. Quarterly → all 4. Monthly → 3–6 months. Daily / continuous → 25–60 items.
Example — access management test procedure
Test 1
Pull full user access list
- Extract from AD / IAM
- Reconcile to HR headcount
Test 2
Check for leaver accounts
- Cross-reference with HR termination list
- Flag active accounts for leavers
Test 3
Test joiner provisioning
- Sample 25 new starters
- Was access approved before it was granted?
Test 4
Review privileged accounts
- List all admin / root accounts
- Is each one justified and documented?
Test 5
Verify periodic access reviews
- Last 4 quarterly reviews with evidence
- Manager sign-off and follow-up
Test 6
Confirm MFA enforcement
- Sample privileged users
- MFA enabled and enforced by policy
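The six tests above as a re-performance script, added here as an example that is not part of the original reference. It runs the tests against constructed IAM, HR, approval-ticket and access-review exports and returns an exceptions log. The 24-hour revocation SLA comes from the worked finding later on the page; the 180-day window used to pick "new starters" and the account names are assumptions for the sample.

```python
"""Access management test procedure as an exceptions-log script (added example,
not from the original reference). All exports below are constructed samples."""
from datetime import date

# Constructed IAM / AD export: one record per account
IAM_EXPORT = [
    {"user": "asharma", "enabled": True, "privileged": True,  "mfa": True,  "justified": True,  "created": date(2022, 1, 10)},
    {"user": "rpatel",  "enabled": True, "privileged": False, "mfa": False, "justified": False, "created": date(2021, 6, 1)},
    {"user": "dkim",    "enabled": True, "privileged": True,  "mfa": False, "justified": False, "created": date(2023, 3, 15)},
    {"user": "tobi",    "enabled": True, "privileged": False, "mfa": True,  "justified": False, "created": date(2024, 9, 2)},
    {"user": "nkhan",   "enabled": True, "privileged": False, "mfa": True,  "justified": False, "created": date(2024, 12, 1)},
    {"user": "jdoe",    "enabled": True, "privileged": False, "mfa": True,  "justified": False, "created": date(2020, 2, 1)},
    {"user": "mlee",    "enabled": True, "privileged": False, "mfa": True,  "justified": False, "created": date(2023, 5, 20)},
]
# Constructed HR export: leavers carry a termination date; "mlee" has no HR record at all
HR_EXPORT = [
    {"user": "asharma", "terminated": None},
    {"user": "rpatel",  "terminated": None},
    {"user": "dkim",    "terminated": None},
    {"user": "tobi",    "terminated": None},
    {"user": "nkhan",   "terminated": None},
    {"user": "jdoe",    "terminated": date(2024, 11, 30)},  # left, account still enabled
]
# Constructed access-approval tickets: user -> date the access request was approved
APPROVALS = {
    "tobi": date(2024, 9, 5),    # approved three days AFTER the account was created
    "nkhan": date(2024, 11, 28),  # approved before creation: passes
}
# Constructed evidence of quarterly access reviews: quarter -> manager sign-off present
REVIEWS = {"2024Q1": True, "2024Q2": True, "2024Q3": False, "2024Q4": True}

AS_OF = date(2025, 1, 31)        # fieldwork date for the constructed data
REVOCATION_SLA_DAYS = 1          # policy: revoke within 24 hours of termination
NEW_STARTER_WINDOW_DAYS = 180    # assumption: "new starter" = created in the last 180 days


def run_access_tests(iam, hr, approvals, reviews, as_of):
    """Return a list of (test, item) exceptions; an empty list means all six tests passed."""
    hr_by_user = {r["user"]: r for r in hr}
    exceptions = []

    # Test 1: reconcile IAM to HR headcount; an account with no HR record is orphaned
    for acct in iam:
        if acct["user"] not in hr_by_user:
            exceptions.append(("T1 orphaned account", acct["user"]))

    # Test 2: leavers whose accounts are still enabled past the revocation SLA
    for acct in iam:
        term = hr_by_user.get(acct["user"], {}).get("terminated")
        if term and acct["enabled"] and (as_of - term).days > REVOCATION_SLA_DAYS:
            exceptions.append(("T2 active leaver account", acct["user"]))

    # Test 3: joiner provisioning; the approval must predate the account
    for acct in iam:
        if (as_of - acct["created"]).days <= NEW_STARTER_WINDOW_DAYS:
            approved = approvals.get(acct["user"])
            if approved is None or approved > acct["created"]:
                exceptions.append(("T3 access granted before approval", acct["user"]))

    # Test 4: every privileged account carries a documented justification
    for acct in iam:
        if acct["privileged"] and not acct["justified"]:
            exceptions.append(("T4 unjustified privileged account", acct["user"]))

    # Test 5: each of the last four quarterly reviews shows manager sign-off
    for quarter, signed in sorted(reviews.items())[-4:]:
        if not signed:
            exceptions.append(("T5 access review without sign-off", quarter))

    # Test 6: MFA enforced on every privileged account
    for acct in iam:
        if acct["privileged"] and not acct["mfa"]:
            exceptions.append(("T6 privileged account without MFA", acct["user"]))

    return exceptions


if __name__ == "__main__":
    for test, item in run_access_tests(IAM_EXPORT, HR_EXPORT, APPROVALS, REVIEWS, AS_OF):
        print(f"{test}: {item}")
```

Every tuple the script returns is one line of the exceptions log and, after root-cause work, one candidate finding. Because the script works from raw exports rather than management's description of the process, it is re-performance rather than inquiry.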
Outputs →
Test Workpapers
Evidence Files
Exceptions Log
Every exception becomes a finding. The auditor rates each by severity, identifies root cause, and quantifies the business risk exposure.
The 5Cs — structure of every finding statement
Condition
What was found
"17 active user accounts belong to employees who left over 6 months ago."
Criteria
What should be true
"Policy requires all access be revoked within 24 hours of termination."
Cause
Why it happened
"HR offboarding does not trigger an automated IT access revocation."
Consequence
The risk exposure
"Former employees retain ability to access sensitive systems and data."
Corrective Action
What must be fixed
"Integrate HR system with IAM to auto-revoke access on termination date."
Finding severity ratings
Critical
Fix within 30 days
- Immediate threat to data or systems
- Active exploitation risk
- Board-level escalation
High
Fix within 90 days
- Significant control weakness
- Material risk exposure
- CISO involvement required
Medium
Fix within 180 days
- Control gap present
- Limited immediate exposure
- Management action plan
Low
Fix within 12 months
- Minor weakness
- Best-practice improvement
- Noted for next cycle
Outputs →
Findings Log
Risk Rating Matrix
Root Cause Analysis
The report is the auditor's most visible output. A well-written report drives change at board level. A poorly written one makes solid findings disappear.
Stage 1
Structure Findings
- Apply 5Cs structure to each finding
- Assign severity ratings
- Link to workpaper evidence
Stage 2
Validate with Auditee
- Share draft findings
- Adjust for facts, not opinions
- Exit meeting / findings discussion
Stage 3
Draft Report
- Executive summary (1 page)
- Scope & objectives
- Findings summary + detail
- Management action plan
Stage 4
Management Response
- Agree — commit to owner + deadline
- Disagree — factual dispute only
- Accept risk — CRO sign-off required
Stage 5
Issue & Distribute
- Audit committee — full report
- Board — executive summary
- Regulators — as required
Report sections and their audience
Section 1
Executive Summary
- Overall opinion
- Critical finding count
- Headline risk
Audience: BOARD / CEO
Section 2
Findings Summary
- All findings by severity
- Status at a glance
Audience: MANAGEMENT
Section 3
Detailed Findings
- Full 5Cs per finding
- Management response inline
Audience: IT / RISK
Section 4
Management Action Plan
- Owner, action, target date
- Success criteria per finding
Audience: IT / RISK
Outputs →
Formal Audit Report
Management Action Plan
Executive Summary
The audit is only complete when findings are verified as fixed. Issuing the report is not the end — it's the start of the accountability phase.
Stage 1
Management Action Plan
- Named owner (a person, not a team)
- Specific action steps
- Concrete target date
- Success criteria defined
Stage 2
Periodic Status Tracking
- Monthly check-ins for Critical / High
- Quarterly for Medium / Low
- Escalate if overdue — no exceptions
Stage 3
Evidence Collection
- Screenshots, config exports, policy docs
- System-generated reports with timestamps
- Stored in remediation workpaper
Stage 4
Independent Re-test
- Auditor independently re-runs the original test
- Does not accept evidence on trust alone
- Policy ≠ reality — both must be verified
Stage 5
Closure
- Lead auditor sign-off
- Closed in tracking system
- Record retained for future cycles
Stage 6
Continuous Monitoring
- SIEM alerts, vuln scanners, IAM reports
- Automated dashboard flags exceptions
- Feeds next audit cycle risk assessment
Overdue finding escalation path: Due date → Finding Owner Reminder → …
Finding ageing report — monthly view to audit committee

Finding                       Severity   Owner       Age       Status
Orphaned admin accounts       Critical   A. Sharma   47 days   Overdue
MFA not enforced — VPN        High       R. Patel    32 days   In Progress
No DR test in 18 months       High       D. Kim      18 days   On Track
Patch cycle exceeds 30 days   Medium     T. Obi      12 days   On Track
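A findings tracker that ties the 5Cs structure, the severity-based remediation windows and the ageing view together, added here as an example that is not part of the original reference. The four sample findings reproduce the ageing rows above with constructed issue dates chosen so the ages match as of a fixed reporting date; the first row carries the 5Cs text from the worked finding earlier on the page. Taking "12 months" as 365 days, the closed fifth finding and the reporting date are assumptions made for the sample.

```python
"""Findings log with 5Cs, severity-driven due dates and the monthly ageing view
(added example, not from the original reference). Sample data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows from the severity table (12 months taken as 365 days)
WINDOW_DAYS = {"Critical": 30, "High": 90, "Medium": 180, "Low": 365}
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class Finding:
    title: str
    severity: str
    owner: str                          # a named person, not a team
    raised: date                        # date the finding was issued
    reported_status: str = "On Track"   # owner's latest update
    closed: Optional[date] = None
    # The 5Cs; empty until the finding statement is written up
    condition: str = ""
    criteria: str = ""
    cause: str = ""
    consequence: str = ""
    corrective_action: str = ""

    def due(self) -> date:
        return self.raised + timedelta(days=WINDOW_DAYS[self.severity])

    def age_days(self, as_of: date) -> int:
        return ((self.closed or as_of) - self.raised).days

    def status(self, as_of: date) -> str:
        # "Overdue" is derived from the window, never taken from the owner's update
        if self.closed:
            return "Closed"
        if as_of > self.due():
            return "Overdue"
        return self.reported_status

    def statement(self) -> str:
        """Render the finding in 5Cs order."""
        return "\n".join([
            f"Condition: {self.condition}",
            f"Criteria: {self.criteria}",
            f"Cause: {self.cause}",
            f"Consequence: {self.consequence}",
            f"Corrective action: {self.corrective_action}",
        ])


def ageing_report(findings, as_of):
    """Open findings ordered by severity, then age, as rows for the committee view."""
    open_findings = [f for f in findings if not f.closed]
    ordered = sorted(open_findings, key=lambda f: (SEVERITY_RANK[f.severity], -f.age_days(as_of)))
    return [(f.title, f.severity, f.owner, f.age_days(as_of), f.status(as_of)) for f in ordered]


def escalations(findings, as_of):
    """Overdue findings escalate without exception; return the titles to escalate."""
    return [f.title for f in findings if f.status(as_of) == "Overdue"]


AS_OF = date(2025, 3, 31)  # constructed reporting date

SAMPLE_FINDINGS = [
    Finding("Orphaned admin accounts", "Critical", "A. Sharma", AS_OF - timedelta(days=47),
            reported_status="In Progress",
            condition="17 active user accounts belong to employees who left over 6 months ago.",
            criteria="Policy requires all access be revoked within 24 hours of termination.",
            cause="HR offboarding does not trigger an automated IT access revocation.",
            consequence="Former employees retain ability to access sensitive systems and data.",
            corrective_action="Integrate HR system with IAM to auto-revoke access on termination date."),
    Finding("MFA not enforced - VPN", "High", "R. Patel", AS_OF - timedelta(days=32),
            reported_status="In Progress"),
    Finding("No DR test in 18 months", "High", "D. Kim", AS_OF - timedelta(days=18)),
    Finding("Patch cycle exceeds 30 days", "Medium", "T. Obi", AS_OF - timedelta(days=12)),
    # Closed finding: drops out of the ageing view but stays on record for the next cycle
    Finding("Password policy below standard", "Low", "M. Lee", AS_OF - timedelta(days=200),
            closed=AS_OF - timedelta(days=100)),
]

if __name__ == "__main__":
    for row in ageing_report(SAMPLE_FINDINGS, AS_OF):
        print(row)
    print("Escalate:", escalations(SAMPLE_FINDINGS, AS_OF))
```

The point of computing "Overdue" from the severity window rather than from the owner's update is the one the follow-up section makes: the 47-day Critical finding is overdue whatever its owner reports, because the 30-day window closed 17 days ago.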
Outputs →
MAP Tracker
Closure Workpapers
Ageing Report
Monitoring Dashboard
Frameworks define what "good" looks like. Voluntary certifications = you choose them. Regulatory mandates = legally required. AI regulation = the emerging frontier.
SOC 2
Voluntary · Security Certification
Trust service criteria. De facto standard for SaaS and cloud companies selling to enterprise customers.
- Security (mandatory) + Availability, Integrity, Confidentiality, Privacy
- Type I = design at a point in time
- Type II = operating over 6–12 months (enterprise required)
- Report shared with customers under NDA
ISO 27001
Voluntary · International Standard
Information Security Management System (ISMS). Most globally recognised security certification — publicly verifiable.
- 10 management clauses + 93 Annex A controls
- Statement of Applicability (SoA) defines scope
- Stage 1 (documentation) + Stage 2 (technical audit)
- Certificate valid 3 years with annual surveillance
COBIT
Voluntary · IT Governance Framework
Comprehensive IT governance and management framework by ISACA. Maps IT processes to business goals.
- 5 domains: Evaluate, Direct, Monitor / Build, Run
- Aligns IT with business objectives
- Used as audit benchmark for IT governance
- Companion to CISA certification
GDPR
Mandatory · EU Law
Any organisation anywhere processing EU personal data. Extraterritorial — applies globally. Fines up to 4% global turnover.
- Lawful basis required for every processing activity
- Data subject rights: access, erasure, portability
- 72-hour breach notification to regulator
- DPAs required with all third-party processors
HIPAA
Mandatory · US Healthcare Law
US healthcare organisations and their business associates. Governs Protected Health Information (PHI).
- Privacy Rule — patient rights over health data
- Security Rule — technical and admin safeguards
- Breach Notification Rule — 60-day notification
- Fines up to $1.9M per violation category
PCI-DSS
Mandatory · Payment Industry Standard
Any organisation that stores, processes, or transmits card data. Enforced contractually — fail and lose ability to accept payments.
- 12 requirements across 6 goals
- Cardholder Data Environment (CDE) must be defined
- Tokenisation reduces CDE scope significantly
- Annual QSA assessment for large merchants
● AI-Specific Regulation — The Emerging Frontier
EU AI Act
World's First Comprehensive AI Law · In force August 2024 · High-risk enforcement: August 2026
Applies to any organisation that provides, deploys, imports, or distributes AI systems affecting people in the EU — regardless of where the organisation is based. Risk-tiered obligations: the higher the potential harm, the heavier the compliance requirements.
Four risk tiers — the auditor's first task is classifying each AI system
Unacceptable
Banned Feb 2025
Examples
- Social scoring by governments
- Real-time biometric surveillance in public
- Subliminal manipulation techniques
- Exploitation of vulnerable groups
Audit action
- Confirm no prohibited systems deployed
- Document classification decision
High Risk
Enforce Aug 2026
Examples
- CV screening / HR decisions
- Credit scoring
- Medical devices
- Critical infrastructure
- Biometric identification
- Law enforcement
Full compliance required
- Risk management system
- Data governance + bias checks
- Technical documentation
- Automatic logging
- Human oversight mechanism
- Conformity assessment + CE mark
Limited Risk
Enforce Aug 2026
Examples
- Chatbots and virtual assistants
- Deepfake generation tools
- Emotion recognition systems
Transparency required
- Disclose AI interaction to users
- Label AI-generated content
Minimal Risk
Examples
- AI spam filters
- AI in video games
- Recommendation engines
No mandatory obligations
- Voluntary codes of practice
- Document classification decision
High-risk AI — audit obligations mapped to controls
Obligation 1
Risk Management System
- Documented iterative risk process
- Covers full AI lifecycle
Obligation 2
Data Governance
- Training data lineage documented
- Bias examination completed
- Data quality checks in place
Obligation 3
Technical Documentation
- Complete technical file exists
- Current and version-controlled
- Capabilities and limitations stated
Obligation 4
Logging & Record-keeping
- Automatic logs generated
- Retained for required period
- Traceable to specific decisions
Obligation 5
Transparency to Users
- AI interaction disclosed before use
- Disclosure clear and prominent
Obligation 6
Human Oversight
- Human can stop or override system
- Override mechanism documented and tested
Obligation 7
Accuracy & Robustness
- Accuracy metrics reviewed
- Tested for adversarial inputs
- Edge case performance documented
Obligation 8
Conformity Assessment
- Self-assessment or third-party audit
- Registered in EU AI database
- CE marking applied
Framework overlap — one control test can satisfy multiple frameworks (column headings are not in the source; they are inferred from the row pattern and the outputs list as SOC 2, ISO 27001, GDPR, PCI-DSS)

Control                SOC 2     ISO 27001   GDPR      PCI-DSS
Access management      Req.      Req.        Req.      Req.
Encryption             Req.      Req.        Req.      Req.
Incident response      Req.      Req.        Req.      Req.
Data subject rights    Partial   Partial     Req.      —
Network segmentation   Req.      Req.        Implied   Req.
AI system logging      —         Partial     Partial   —
Outputs →
SOC 2 Report
ISO 27001 Certificate
GDPR Assessment
PCI RoC
EU AI Act Conformity File