Many companies nowadays, especially international corporations, have trade secrets that would be disastrous if they fell into the wrong hands. Because of this, company audit practices now commonly include not only operational audits and computer audits, but audit risk management as well. These systems are usually put into place to combat or lower the internal risk that comes with employees being hired and resigning. The main function of a risk management audit is to ensure that sensitive data and other valuable company assets are properly safeguarded and protected. One basic audit risk management activity is to determine who has access to certain sensitive data, and to figure out whether it is appropriate for those people to have access to that information. Audit control must also have the tools to monitor computer and company systems, as well as company insiders, in order to identify illegal activity.
Here are some tips on how to find the proper tools for audit risk management:
- Secure the computers. Some of the most sensitive items in an office, in terms of audit risk management, are the computers that employees have access to, which usually contain sensitive company information. To mitigate this threat, you must have the proper tools to review audit trails with the specific purpose of finding security events and instances of abuse of information access privileges. These tools must also be able to validate payroll controls, directory permissions, and accounting system configurations. This extends to validating that the backup software in use is configured appropriately, and that the backups are complete and error-free. Lastly, you must have tools that enable you to review network-sharing systems for sensitive information that is stored with minimal to no access restrictions.
- Secure the office workplace. Aside from the computer systems, another thing that must be secured is the workplace itself. There are separate sets of tools that can be used to carry out office space inspections in order to determine whether employees adhere to the security procedures and policies required by the company, such as ensuring that materials containing sensitive information are not left unattended, and that the computer screens at employee workstations are secured.
- Monitor standard employee access. You must also have the tools that will allow you to monitor employee access to information. These include tools to obtain a list of all of the company’s current personnel from human resources and to evaluate that list vis-à-vis the active company accounts. These tools must also allow you to systematically rescind or suspend information access when company personnel depart from the organization or change roles.
- Monitor standard physical access. It is also imperative to have the tools to observe physical security access logs. These should allow you to monitor employees who tend to conduct visits after office hours and during the weekends. These systems should also allow you to review CCTV feeds and system audit trails if any evidence of suspicious activity is found.
- Gather your tools. Now that you know what to look for, you can go online and find the tools that will fit your needs. Companies such as McAfee and Paisley Consulting offer a wide range of audit risk management tools.
The above activities must be conducted at least quarterly for maximum protection. If possible, it would be best to automate your auditing, which will not only conserve resources, but also detect certain security violations early on.
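As an added illustration of automating the employee access check described above (not code from any vendor named here), the following Python sketch compares an HR roster against active accounts and flags accounts to suspend or review. The CSV column names, the sample records, and the role-to-group policy in ROLE_GROUPS are all assumptions constructed for this example.

```python
import csv
import io

# Constructed sample data (not from any real system).
HR_ROSTER_CSV = """employee_id,name,role
1001,Ana Ruiz,finance
1002,Ben Cho,engineering
1004,Dee Patel,hr
"""

ACCOUNTS_CSV = """username,employee_id,enabled,groups
aruiz,1001,true,payroll;finance-share
bcho,1002,true,source-code;payroll
cwong,1003,true,source-code
dpatel,1004,false,hr-records
svc-backup,,true,backup-operators
"""

# Assumed policy: the access groups each role is allowed to hold.
ROLE_GROUPS = {
    "finance": {"payroll", "finance-share"},
    "engineering": {"source-code"},
    "hr": {"hr-records"},
}

def reconcile(roster_csv, accounts_csv, role_groups):
    """Return (username, finding, detail) for each enabled account needing review."""
    roster = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].strip().lower() != "true":
            continue  # access already suspended
        emp_id = acct["employee_id"].strip()
        if not emp_id:  # shared or service account with no accountable owner
            findings.append((acct["username"], "no-owner", ""))
            continue
        person = roster.get(emp_id)
        if person is None:  # owner departed but the account is still active
            findings.append((acct["username"], "not-in-roster", emp_id))
            continue
        groups = {g for g in acct["groups"].split(";") if g}
        excess = groups - role_groups.get(person["role"], set())
        if excess:  # access left over from a previous role
            findings.append((acct["username"], "excess-groups", ";".join(sorted(excess))))
    return findings

if __name__ == "__main__":
    for finding in reconcile(HR_ROSTER_CSV, ACCOUNTS_CSV, ROLE_GROUPS):
        print(*finding, sep="\t")
```

In practice the two CSV inputs would be exports from the HR system and the directory service, and the findings would feed the suspension or review process rather than being printed.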