Wipfli logo
Insights - Articles, Blogs and on-demand webcasts

Articles & E-Books


How to prepare for your first IT audit

Jul 31, 2020

Preparing for your first IT audit can be a very stressful task for not only yourself but also your entire team. Mostly because you’ve never done it before, so you don’t know what to expect.

That’s why we’ve put together three tips to help you prepare for your IT audit.

1. Designate a point of contact

An important part of the IT audit is open communication and scheduling. Before and during the IT audit, the team tasked with obtaining documents and sitting in on in-person interviews with the IT auditors will be fairly busy during the week. An IT audit typically lasts three to four days depending on the scope agreed upon in the engagement letter. 

Before this engagement gets started, designate a communicative individual to serve as the main point of contact for the IT auditors to communicate with throughout the audit. 

We highly recommend that the individual selected also possesses strong project management and organization skills. Prior to coming on-site to perform their fieldwork, IT auditors will send a preliminary list of documents they will look to receive and use for testing purposes. That list is typically called a document request list. The main point of contact should be able to ensure that the IT auditors receive most of the items they have requested to inspect. 

Another key component of the IT audit is on-site fieldwork. IT auditors typically send a preliminary interview request list along with the document request list. The interview request list will contain proposed meeting times to discuss and walk through different areas that your management defined as in scope of the IT audit. 

The main point contact is typically in charge of making sure the meetings are scheduled correctly and they fit the auditee team’s schedule. In these interviews and walkthroughs, an IT auditor will talk with the team or subject matter expert and walk through internal controls in use for any particular area within the scope of the IT audit. The IT audit scope will have been predefined by management and will normally cover any combination of: internal controls typically relating to human resource (HR) practices for on-boarding new employees, IT governance, logical and physical access controls, computer operations, Gramm-Leach-Bliley Act (GLBA), and potentially other topics.

2. Get organized

Maintaining an internal file structure for policy and procedure documentation relating to IT audit topics can help substantially during the document and evidence testing phase. We recommend that members who participate in the IT audit gather any requested policies and procedures and organize them in folders. 

This can make the whole IT audit easier for both parties. The benefit is two-fold; better documentation will help the IT auditors receive their policies to review faster, and after the IT Audit is finished, management will have a clear list of all the documents that were reviewed during the course of the IT Audit.  

3. Understand the IT auditor’s true role

After you have worked very hard gathering policies and procedures on the document request list, there are also times when IT auditors request additional documents or items. They may need an additional sample, policy or procedure in order to complete testing. It’s important to remember, the IT auditors are there to help you identify any areas of improvement and provide recommendations to help you improve internal control procedures. A large part of what they do and request is centered around this end result.

You can rely on your IT auditors to have discussions with you or identify areas of improvement to help you prepare for the next regulatory examiner. Hopefully, if the IT audit went well, this will keep you on the same page, or better yet, one step ahead of the examiner during their next review.

What else you need to know about your IT audit

Typically, the final step of an IT audit is the report-development phase. As a client, you want to get your report back as quickly as possible. After the IT auditors write the first draft of the report, usually they incorporate recommendations into it. Then they share the first draft with you, giving you an opportunity to add management responses to any recommendations in the report. This is a chance for you to respond to the recommendations developed by the IT auditors and, overall, is a process designed to help ensure you can maintain an open communication mindset throughout the IT audit.

If you’d like to learn more about IT audits, click here. Or continue reading on:

How to protect the most common exceptions found in IT audits

Worried about cyber threats? Here are 3 ways MDR can help prevent data breaches

Multifactor authentication: Why you need it now


Drew Baker
Senior Consultant
View Profile
David T. Rich
Master Consultant
View Profile