Many IT teams dread the arrival of auditors. Perhaps they lack a basic understanding of the IT audit process, and don’t know what the auditors are looking for. However, IT teams should recognize the importance of having a third party evaluate the organization’s overall security and compliance position, and facilitate the process through the use of tools such as CyberArk.
IT audits play a critical role in determining whether the security controls in place actually protect IT assets and data and meet the organization’s business objectives. Auditors are tasked with identifying cybersecurity risks, finding ways to minimize those risks, and ensuring that the organization is in compliance with applicable government and industry regulations.
However, a new benchmarking study from Protiviti and ISACA reveals that IT audit teams are facing significant challenges when it comes to IT security, governance and risk management. Digital transformation initiatives are placing greater pressure on existing IT infrastructure and compelling companies to explore emerging technologies and alternative IT delivery models. This is giving rise to new cybersecurity risks that require a new approach to IT audits.
The seventh annual survey of more than 1,300 audit executives and professionals worldwide did find that IT audit teams are of growing importance to organizations. For the first time since the survey began, at least half of all organizations surveyed said they have a dedicated IT audit director or equivalent position. This is a significant increase from just five years ago when only one in three organizations had a dedicated IT audit director.
However, fewer than half of respondents said that their chief audit executive or IT audit director meets regularly with the company’s CIO to help develop an IT audit plan that effectively addresses security threats. Furthermore, 20 percent of organizations said they do not include cybersecurity in their IT audit plans at all, most commonly due to a lack of qualified people, skills and/or auditing tools.
For example, just 65 percent of survey respondents said they include privileged access management in their security-related audit activities. This is a significant gap. According to Forrester, approximately 80 percent of all security breaches involve misuse of privileged credentials.
However, manually discovering and reviewing privileged accounts is enormously time-consuming, and auditing hundreds or even thousands of daily privileged account sessions would be next to impossible. It would take dozens of full-time auditors focused exclusively on the task to review even a small percentage of privileged session activity.
CyberArk’s Privileged Account Security solution streamlines this process by centralizing privileged account management and providing privileged session logging and recording capabilities. The latest version also applies risk scores to privileged sessions so that auditors can focus on the most relevant activity. This increases the efficiency of IT audits and helps to create a more consistent framework for examining the risks associated with privileged account activity.
Clango’s team of CyberArk-certified engineers helps organizations leverage CyberArk to streamline and automate their privileged account audit processes. We have also developed the CyberArk Analytics Reporting Tool (CART) to help IT auditors and other business users extract and manipulate CyberArk data without the assistance of software developers or report writers. If your organization is struggling to meet today’s IT audit requirements, we invite you to schedule a no-obligation consultation with our experienced team.