An IT audit can be considered your very first steps onto foreign soil, your way of understanding exactly what’s going on in your customer or corporate environment, and taking stock of what you’re managing, monitoring, and protecting as an IT professional. Without an IT audit, you’re walking around blind, not sure what you’re responsible for, and always waiting for the next great disaster.
Want to start implementing an IT audit when you arrive at a new IT-based destination but are not sure how to begin or what to include? Here’s everything you need to know.
Why do you need an IT audit?
Whether you’re an MSP onboarding new customers to your service or an IT professional walking into a new role in a corporate setting, an IT audit should be high up on your to-do list.
You might be thinking, “Hey, the last person already left me a full list of everything I need to know, why should I start from scratch?” The truth is, it’s your responsibility to verify that all information you’ve been given is reliable and accurate, and you don’t want that nagging voice in the back of your mind worrying that something has been missed.
By making it your mission to evaluate all the systems and processes that are currently in place, you can be sure that you’ve verified all information and have seen it with your own eyes. This limits the risk of something falling through the cracks and gives you certainty over the work you’re doing.
An IT audit will allow you to identify any potential risks to data, files, and applications so that you can minimize them, give you a full inventory of everything you need to monitor and manage, help you to uncover inefficiencies in the way the organization works, and also allow you to compare existing processes against compliance laws and corporate policies for the industry in question.
Sounds important, right? But what should you be taking stock of exactly when you complete your IT audit? If you find yourself asking that question, let us help! Here’s a checklist of the must-have items for your IT audit, many of which can be generated automatically by using Atera’s Auditor Report.
General inventory is not just the name of a high-up guy in the military. It’s also where you’ll detail all the end stations that you want to be monitoring. Some of these will be workstations like PCs, Macs, laptops, or even mobile phones. Others won’t have a user attached to them, for example, servers or domain controllers.
From the Auditor report, you can also view the distribution of each of these stations, and set visual thresholds to stay on top of their status, for example, CPU, Memory, and more. The report also details additional information about all devices and workstations, such as disk usage, port availability, and patches.
Here, you need to be able to easily view all of your MS Office versions, OS editions, and Antiviruses, and you might want to expand this view to see all of the software that’s installed on any and all devices with the help of a tool like Network Discovery.
This allows you to get an understanding of the types of software that your end-users are utilizing. There are a number of reasons why this could be helpful. For example, you could isolate multiple software tools that have duplicate functionality which could help you reduce tool sprawl, ending the subscription for the one which is least popular. You might also find shadow IT, software applications that users have downloaded without speaking to the IT or security team first. This is a common issue, and as third-party applications can open your environment up to risk, it’s worth being aware if this is a big problem, which could trigger further education across the business.
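The software review described above can be scripted once you have an inventory export. The following is an added example, not Atera's code or export format: the two-column CSV, the approved catalogue and the `audit` function are assumptions made for illustration. It flags software missing from the approved list (shadow IT), categories served by more than one tool, and devices with no antivirus recorded.

```python
import csv
import io
from collections import defaultdict
# Constructed sample export: one row per (device, installed software).
INVENTORY_CSV = """device,software
PC-01,Microsoft Office 2019
PC-01,Zoom
PC-01,Acme AV
PC-02,Microsoft Office 2019
PC-02,Zoom
PC-02,Microsoft Teams
PC-02,Acme AV
LAPTOP-03,Microsoft Teams
LAPTOP-03,FreePDF Converter
LAPTOP-03,Zoom
"""

# Hypothetical approved catalogue: software name -> functional category.
APPROVED = {
    "Microsoft Office 2019": "office",
    "Zoom": "conferencing",
    "Microsoft Teams": "conferencing",
    "Acme AV": "antivirus",
}

def audit(csv_text, approved, required_category="antivirus"):
    installs = defaultdict(set)   # software -> devices that have it
    devices = defaultdict(set)    # device -> approved categories present
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, device = row["software"].strip(), row["device"].strip()
        installs[name].add(device)
        devices[device].add(approved.get(name))  # None for unapproved software
    # Shadow IT: installed somewhere but absent from the approved catalogue.
    shadow = {n: sorted(d) for n, d in installs.items() if n not in approved}
    # Overlap: categories served by several tools, most-installed first.
    by_cat = defaultdict(list)
    for name, devs in installs.items():
        if name in approved:
            by_cat[approved[name]].append((name, len(devs)))
    overlap = {c: sorted(t, key=lambda x: (-x[1], x[0]))
               for c, t in by_cat.items() if len(t) > 1}
    # Coverage gap: devices with no tool in the required category.
    uncovered = sorted(d for d, cats in devices.items()
                       if required_category not in cats)
    return {"shadow_it": shadow, "overlap": overlap, "uncovered": uncovered}

if __name__ == "__main__":
    for key, value in audit(INVENTORY_CSV, APPROVED).items():
        print(key, value)
```

The last entry in each overlap list is the least-installed tool in that category, which makes it the first candidate for consolidation.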
If you want to remove certain software from any device, there are a number of ways to make that happen using Atera. Use Software Inventory via the Devices tab, leverage PowerShell or Command Prompt, set an auto-healing script, and more. Read the full breakdown of each option, including a how-to.
An important part of an IT audit is security. Today’s IT professionals can’t outsource security and compliance, or expect the company to handle that separately. Today, security is IT. You, therefore, need a thorough list of all the security implemented across the business, both hardware, like firewalls, and software, like antivirus or anti-ransomware solutions. There’s a balance to be struck between onboarding too many security tools, which may not work in a complementary way and can leave gaps or duplicate data sources, and ensuring all your bases are covered. As a baseline, ensure you have solutions for:
- Endpoint protection and response: Making sure you have real-time scanning and detection for viruses and malware on all your devices.
- Ransomware protection: Keeping data secure even if an attack encrypts your files and applications, or makes them unusable.
- Email security: Quickly detect phishing emails and block them before the chance of human error occurs, including complex risks like Business Email Compromise.
- Backup: Ensuring business continuity in the case of a system failure, a cyberattack, or an unprecedented incident where the company is forced to work remotely.
- Network-level defenses: Detect network attacks such as brute-force, credential hunters, and drive-by-downloads where you may not even be aware of the infection.
- Firewalls: Controlling access between the network and the internet in real-time, with alerts to suspicious traffic, and segmentation for critical assets.
- Incident response: What happens if the worst happens? Business continuity plans, reporting, audit trails, and more.
After completing a thorough audit of what you have in place – ask yourself, how quickly can the business respond and recover in case of a threat? You may have gaps that you need to fill in order to get your posture where it needs to be.
Additional areas to consider during your IT audit
Depending on your specific business context, there will be other areas that you need to keep in mind and add to your IT audit on the fly. Here are a few examples that could be relevant to your situation.
Nearly all businesses use the cloud, whether that’s Infrastructure-as-a-Service, Platform-as-a-Service, or even just Software-as-a-Service. During your IT audit, don’t forget to consider cloud services and infrastructure, and remember that the Shared Responsibility Model means that public cloud providers are only responsible for the security of the cloud, while you’re still responsible for security in the cloud, including files, data, and applications.
Do employees and end users utilize mobile phones for work purposes? If so, then these will connect to the network and need to be considered as additional assets. You may not be able to control what applications or behavior users deploy on their own private phones and devices, so the security of the network becomes even more important.
Similarly, many companies now have remote work or work-from-home policies entrenched into the way that they run their business. If employees are using home computers, how are you managing this? Atera has a smart Work From Home solution, powered by Splashtop, which allows users to remotely access their work computers from home, with all the security and control that you enjoy from the office.
How are problems reported and centralized across the business? In many situations, an IT professional will walk in and be met by dozens of different channels for reporting, such as email, phone, WhatsApp, and even post-it notes left helpfully on the screen while you’re grabbing lunch. What systems will you put in place to ensure that you get a single view of all IT challenges, and can dispatch or deal with them accurately and without missing a trick?
While this isn’t strictly IT, it’s about permissions and roles. This is about asking yourself, who is the key stakeholder for any number of tasks that may need to be done in the IT environment. For example, who is the compliance officer, a regulated role for many companies and industries? Knowing who the right stakeholders are speeds up time to resolution for many issues, and helps you ensure no one is a single point of failure.
Bringing it all together for a successful IT audit
When you start a new role or onboard a new customer, you can feel like you’re jumping into the middle of a story, and that you need time to put out fires before you take a step back and get a view of your whole situation. However, this could end up with you making mistakes due to lack of visibility, or even opening the business up to risk.
Automated tools like Network Discovery and reports like IT Auditor Report can make it much easier to get greater visibility and control, allowing you to hit the ground running in a new environment and support best-in-class security, monitoring and management.
Once you’ve completed your IT audit, make sure that you have the full stack of technology in place to seamlessly fill any gaps and improve performance, whether that’s great security integrations, reports on reliability and usage, or a streamlined process for communication.
Atera is an all-in-one solution for IT professionals, with everything from RMM and helpdesk, to remote access, security integrations, and patch management. Give it a whirl for free, here.