IT Security Audit FAQs
What is the difference between a risk assessment and an IT audit?
A risk assessment looks at an organization's controls and determines their level of risk, while an IT audit verifies that stated controls are actually in place.
Are you going to look at my policies?
As part of the auditing process, some policies may require review, but for an in-depth review of all policies, we offer a policy review service.
How long will the whole process take? How much of my time will you require?
This depends very much on your responsiveness and availability. It can be done as quickly as 2 weeks if it is a remote audit.
What if we don't know where to find the documentation you are requesting or just don't have it?
We send out a sheet that lists what documentation we need. If you don't know where to find something, you can ask us. If a piece of information is missing, the control will be marked "unimplemented" or "unverified" depending on the situation.
What if our asset groups differ from your control framework? Will we get charged extra?
No. Oftentimes, a company's assets won't match up exactly to our control framework. In those instances, our analysts will create custom assets to fit your needs.
Can we get a preliminary report before the final audit is delivered?
Yes, but this must be requested up front during scoping.