IT Internal Audit Checklist

Use the IT Internal Audit Checklist to assess and optimize your internal IT processes, promoting efficiency, security, and adherence to established standards.

Disaster Recovery Controls

1. Are system and data backups performed regularly?

2. Is a disaster recovery plan established and regularly tested?

3. Is a business impact analysis plan established and regularly tested?

Vendor Management Controls

1. Are security clauses included in vendor contracts?

2. Are SLAs monitored?

3. Are vendor incident notifications sent to subservice organizations?

Application Access Controls

1. Is there a process for provisioning user accounts?

2. Are access levels modifiable, and are user privileges limited to job function?

3. Are periodic access reviews scheduled?

4. Is there a password complexity requirement?

5. Is admin activity monitored?

Incident Management Controls

1. Is an incident response plan in place and regularly tested?

2. Are customers notified following vendor incidents?

Database Access Controls

1. Are database admin accounts controlled?

2. Is admin activity monitored?

3. Is application access to the database restricted?

Operating System Access Controls

1. Are system installation checklists or images used?

2. Are security and event logs enabled?

3. Are unnecessary services turned off?

Virtual Access Controls

1. Is access to hypervisors restricted?

2. Are access levels modifiable?

3. Are periodic access reviews conducted?

4. Is there a password complexity requirement?

5. Is the secure configuration guide applied to hypervisors and SANs?

6. Is access to services running on the host restricted?

Network Access Controls

1. Is there a firewall for remote access?

2. Is there an IDS for remote access?

3. Is there an IPS for remote access?

4. Is there a VPN for remote access?

5. Is MFA required for remote access?

Physical Security Controls

1. Are the following physical perimeter protections available?
   • Locks
   • Badge access
   • Battery backup
   • Generators
   • HVAC

Anti-Malware Controls

1. Is anti-virus software installed?

2. Is gateway filtering implemented?

3. Are browser protections in place?

Vulnerability Management Controls

1. Are vulnerability scanning and remediation performed?

2. Is there a patch management program in place?

Software Development Controls

1. Is a software development lifecycle established?

2. Are secure coding practices followed, and is web application firewall/security testing conducted?

User Awareness Controls

1. Have users been trained on security?

2. Are background checks conducted for new employees?

3. Are duties separated and documented?

4. Are security logs collected and reviewed?

Data Protection Controls

1. Is encryption implemented in transit and at rest?

2. Is data classification in place?

3. Are USB restrictions enforced?

4. Is there a process for the removal of data from storage media?

Asset Management Controls

1. Are hardware and software inventoried?

2. Is the installation of unauthorized software, utilities, and audit tools prohibited?

3. Are system capacity and performance regularly monitored?

Security Program Controls

1. Are risk assessments regularly performed?

2. Are risks mitigated to acceptable levels?

3. Are information security policies approved and in place?

4. Are periodic independent audits performed?

Change Management Controls

1. Is there a process for change management in place?

2. Is there an inventory of IT assets?


Checklist by GoAudits.com – Please note that this checklist is intended as an example. We do not guarantee compliance with the laws applicable to your territory or industry. You should seek professional advice to determine how this checklist should be adapted to your workplace or jurisdiction.
