Audit / Compliance
An information technology audit is an examination of the management controls within an information technology infrastructure. Dark Star Technology is experienced at preparing technology groups for an audit, as well as working with organizations to understand compliance issues and introduce controls that close any gaps in compliance.
Because operations at modern companies are increasingly computerized, IT audits are used to ensure information-related controls and processes are working properly. The primary objectives of an IT audit include:
Evaluate the systems, processes and controls that are in place to secure company data.
Determine risks to a company's information assets, and help identify methods to minimize those risks.
Ensure information management processes are in compliance with IT-specific laws, policies and standards.
Determine inefficiencies in IT systems and associated management.
The IT audit aims to evaluate the following (also known as the 4 A’s):
Availability - Will the organization's computer systems be available for the business at all times when required?
Access - Will the information in the systems be disclosed only to authorized users? Is the information safeguarded so that it remains secure and confidential?
Accuracy - Will the information provided by the system always be accurate, reliable, and timely?
Agility - Does the information support the needs of each business unit, and can it support strategic growth?
In this way, the audit hopes to assess the risk to the company's valuable asset (its information) and establish methods of minimizing those risks.
Whereas the audit is focused on internal controls and processes, compliance is focused on an organization being in accordance with established guidelines or specifications. Software, for example, may be developed in compliance with specifications created by a standards body, and then deployed by user organizations in compliance with a vendor's licensing agreement. The definition of compliance can also encompass efforts to ensure that organizations are abiding by both industry regulations and government legislation.
Compliance is a prevalent business concern, partly because of an ever-increasing number of regulations that require companies to be vigilant about maintaining a full understanding of their regulatory compliance requirements. Some prominent regulations, standards and legislation with which organizations may need to be in compliance include:
Sarbanes-Oxley Act (SOX) of 2002: SOX was enacted to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. Among other provisions, the law sets rules on storing and retaining business records in IT systems.
CAN-SPAM Act of 2003: The CAN-SPAM Act requires businesses to label commercial emails as advertising, use legitimate return email addresses, provide recipients with opt-out options and process opt-out requests within 10 business days.
Health Insurance Portability and Accountability Act of 1996 (HIPAA): HIPAA Title II includes an administrative simplification section that mandates standardization of electronic health records systems and includes security mechanisms designed to protect data privacy and patient confidentiality.
Dodd-Frank Act: Enacted in 2010, this act aims to reduce federal dependence on banks by subjecting them to regulations that enforce transparency and accountability in order to protect customers.
Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is a set of policies and procedures created in 2004 by Visa, MasterCard, Discover and American Express to ensure the security of credit, debit and cash card transactions.
Federal Information Security Management Act (FISMA): Signed into law in 2002, FISMA requires federal agencies to conduct annual reviews of information security programs, in order to keep risks to data at or below specified acceptable levels.
IT compliance guidelines vary by country; SOX, for example, is strictly United States legislation. As a result, multinational organizations must be cognizant of the regulatory compliance requirements of each country they operate within.
As regulations and other guidelines have increasingly become a concern of corporate management, companies are turning more frequently to specialized compliance software and IT compliance consultancies. In response to the high profile and risk associated with compliance, many organizations have added compliance roles such as Chief Compliance Officer.