IT Internal Audit Checklist

Use the IT Internal Audit Checklist to assess and optimize your internal IT processes, promoting efficiency, security, and adherence to established standards.

Download as free PDF

Library
IT & Data Center
IT Internal Audit Checklist

Anti-Malware Controls

Vulnerability Management Controls

Software Development Controls

User Awareness Controls

Data Protection Controls

Asset Management Controls

Security Program Controls

Change Management Controls

Disaster Recovery Controls

Vendor Management Controls

Application Access Controls

Incident Management Controls

Database Access Controls

Operating System Access Controls

Virtual Access Controls

Network Access Controls

Physical Security Controls

Is this sample what you are looking for?
Sign up to use & customise this template, or create your own custom checklist:

Checklist by GoAudits.com – Please note that this checklist is intended as an example. We do not guarantee compliance with the laws applicable to your territory or industry. You should seek professional advice to determine how this checklist should be adapted to your workplace or jurisdiction.

Easy inspection app for your digital checklists

Conduct inspections anytime, anywhere - even offline
Capture photos as proof of compliance or areas needing attention
Instantly generate and share detailed reports after the inspections
Assign & track follow-up tasks, view historical trends on a centralized dashboard

IT Internal Audit Checklist

Use the IT Internal Audit Checklist to assess and optimize your internal IT processes, promoting efficiency, security, and adherence to established standards.

1. Is anti-virus software installed?

2. Is gateway filtering implemented?

3. Are browser protections in place?

1. Is scanning and remediation for vulnerabilities performed?

2. Is there a patch management program in place?

1. Is the software development lifecycle established?

2. Is secure coding and web app firewall/security testing conducted?

1. Have users been trained on security?

2. Are background checks conducted for new employees?

3. Are duties separated and documented?

4. Are security logs collected and reviewed?

1. Is encryption implemented in transit and at rest?

2. Is data classification in place?

3. Are USB restrictions enforced?

4. Is there a process for the removal of data from storage media?

1. Are hardware and software inventoried?

2. Is the installation of unauthorized software, utility, and audit tools prohibited?

3. Is system capacity and performance regularly monitored?

1. Are risk assessments regularly performed?

2. Are risks mitigated to acceptable levels?

3. Are information security policies approved and in place?

4. Are periodical independent audits performed?

1. Is there a process for change management in place?

2. Is there an inventory of IT assets?

1. Are backups for systems and data regularly performed?

2. Is a disaster recovery plan established and regularly tested?

3. Is a business impact analysis plan established and regularly tested?

1. Are security clauses included in contracts?

2. Are SLAs monitored?

3. Are vendor incident notifications sent to subservice organizations?

1. Have user accounts been provisioned?

2. Are access levels modifiable, and are user privileges limited to job function?

3. Are periodical access reviews scheduled?

4. Is there a password complexity requirement?

5. Is admin activity monitored?

1. Is an incident response plan instated and regularly tested?

2. Are customers notified following vendor incidents?

1. Are database admin accounts controlled?

2. Is admin activity monitored?

3. Is application access to the database restricted?

1. Are system installation checklists or images used?

2. Are security and event logs enabled?

3. Are unnecessary services turned off?

1. Is access to hypervisors restricted?

2. Are access levels modifiable?

3. Are periodical access reviews conducted?

4. Is there a password complexity requirement?

5. Is the secure configuration guide applied to hypervisors and SANs?

6. Is access to services running on the host restricted?

1. Is there a firewall for remote access?

2. Is there an IDS for remote access?

3. Is there an IPS for remote access?

4. Is there a VPN for remote access?

5. Is there an MFA for remote access?

1. Are the following physical perimeter protections available: • Locks • Badge access • Battery backup up • Generators • HVAC