Audits and assessments are very different things. What does an IT audit do?
Let’s say you’re selling your business. You’re paying your own salary like any other employee and you’re throwing off enough cash to give your business value. How does the buyer know your numbers are legit?
You hire a CPA firm to audit your books against established accounting standards. (As a side note, IT can be material to your business value and a CPA audit can include several pages checking it out.)
Or let’s say you want to claim ISO compliance for your manufacturing line. Your registrar sends an auditor to check your compliance with the ISO standard.
The same thing happens in IT.
One of the local law firms achieved ISO 27001 last year to show they had established a well-controlled Information Security Management System. That’s impressive. After all their training and hard work to get ready, they called in the ISO auditor so they could receive the registration.
An audit measures against a defined standard. The auditor is certified to verify the evidence that you meet that standard.
An audit takes a sample of your business. The audit doesn’t recreate every transaction or review every process. It samples a representative subset to see if those samples meet spec. It verifies the claims you make to the outside world.
Now, the auditor is not going to come in and give you business advice. You hire somebody else to do that. We’ll discuss that tomorrow when we cover IT assessments.
I’m Carter Edmonds with 20CREEK. We help you build IT you’ll brag about.
Episode #41 – 2/5/2019