A major problem with your information technology (IT) systems can totally disrupt your business, costing you time and money while you wait for repairs. An IT audit checklist helps ensure that your IT department has the necessary tools to secure your network and avoid these expensive repairs. 

What to Include in Your IT Audit Checklist

Your IT audit checklist should cover these four areas:

Physical and Logical Security

It’s important to understand the physical security your company has in place to safeguard sensitive corporate data. Therefore, your audit checklist should include whether server rooms can lock and if individuals need security badges to enter. 

It’s also critical to assess your network for security vulnerabilities. This includes:

  • Ensuring that all procedures are well-documented.
  • Testing software that deals with sensitive information.
  • Looking for holes in your firewall or intrusion prevention systems.
  • Making sure that you’re storing sensitive data separately.
  • Checking that wireless networks are secure.
  • Scanning for unauthorized access points.
  • Ensuring proper access control, that is checking the identities of users and ensuring that they have the proper credentials to access sensitive data.

You should also determine if IT applies patches promptly and keeps all applications and antivirus software updated. And you should look at your critical network security practices. For example, do remote workers log on to your network via a VPN? Do you require multi-factor authentication? Do you restrict access to risky websites, such as file sharing and adult content sites? Have you implemented password policy best practices?

See also

Best Practice Guide: Using Automation to Transform Risk Management

Regulatory Compliance

Your internal auditors will be looking at whether your company complies with the relevant regulatory requirements.

For example, companies that do business with customers in the European Union are required to comply with the General Data Protection Regulation (GDPR). 

And healthcare organizations must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations that provide data privacy and security provisions for protecting patients’ protected health information. Healthcare companies must also adhere to the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), which governs the protection of digital health information.

From an IT standpoint, publicly traded companies must comply with the Sarbanes-Oxley Act of 2002 (SOX), which centers around financial reporting and record-keeping. All organizations that store, process, or transmit payment card information must comply with the Payment Card Industry Data Security Standard (PCI DSS), which covers security around payment processing.

If your company has to adhere to these or other regulations, you must include all the requirements set out by each regulation in your checklist.

Data Backups

You should include a review of how and how often your company backs up critical data in your IT audit checklist. Data backups should be part of your disaster recovery and business continuity planning. This helps ensure you’re prepared for potential natural disasters and cyberattacks—and being prepared is key to keeping your company up and running. 

You should determine:

  • When you last tested your backup method.
  • How long it would take for your current data backup system to recover.
  • How long your business could realistically afford to be down.
  • The financial cost of downtime to your company.
  • If you have a copy of your data offsite.


Your IT audit checklist should also include a comprehensive inventory of your company’s hardware, noting the age and overall performance demands of each piece.  Best practices suggest that the inventory be maintained in an asset management system with a configuration management database (CMDB). Typically, you should replace IT hardware about every three to five years. With this information, you’ll know when your hardware nears its end of life so you can plan when to purchase new equipment. 

What does an IT audit do?

An IT audit confirms the health of your information technology environment. It also verifies that IT is aligned with the objectives of the business and that your data is accurate and reliable. 

The main goals of an IT audit are to ensure that your corporate data is adequately protected, your hardware and software are appropriate and effective, and the members of your information technology department have the tools they need to do their jobs. An IT audit, therefore, can help you uncover potential information security risks and determine if you need to update your hardware and/or software. 

To prepare for an IT audit, you need to know the purpose and scope of the audit, its time frame, and the resources you’ll have to provide. This will depend on whether the IT audit will be conducted by an outside firm or your own internal auditors. 

An IT audit checklist is a system that lets you evaluate the strengths and weaknesses of your company’s information technology infrastructure as well as your IT policies, procedures, and operations. Having an IT audit checklist in place lets you complete a comprehensive risk assessment that you can use to create a thorough annual audit plan. 

You can also use your IT audit checklist as a guideline for your employees. If they know what it takes to protect data, they can help identify potential risks or weaknesses. And finding these risks and weaknesses makes it easier to create a plan to address them. In addition, your employees can reference your IT audit checklist to prepare for your information technology audits.

Automating GRC: The Next Frontier
in Risk Management