The IT auditing process is inherently complex as it involves multiple internal and external stakeholders. Existing audit infrastructure has evolved from the bottom up, leaving most organizations without a single system of record, and preventing top down visibility and control. Moreover, companies leveraging outsourced services rely on SAS 70 service auditor reports to gain an understanding of the IT processes of their service providers.
Most organizations regularly test internal IT controls to ensure the security and continuity of their entire information systems infrastructure. Such controls, typically derived from COBIT control processes, reduce IT related risks and form the basis for good IT governance.
MetricStream provides a comprehensive IT audit management solution for Information Technology (IT) audits and assessments. The solution is part of the MetricStream IT GRC Solution. By deploying the IT audit solution, organizations can streamline their IT audit and assessment processes and give multiple stakeholders visibility into, and control over, these processes. The solution provides a single system of record for IT audits and assessments by integrating with the various solutions that have already been implemented to automate the testing of controls.
The solution can be used along with the MetricStream IT Compliance Management Solution to audit compliance with popular frameworks and regulations such as COBIT, ISO 27002, NIST, ITIL, NERC, HIPAA, PCI, Basel II, FISMA, GLBA, SOX, and FFIEC. The solution can also integrate with MetricStream solutions for IT risk management, IT policy management, and IT incident management to support additional tasks such as risk-based auditing and policy compliance certification.
Risk-based IT Audit Planning: The MetricStream solution supports risk-based IT auditing and allows IT processes, assets, projects, and other audit entities to be selected, based on risk assessments, to define the scope of the audit. The solution integrates with third-party tools to gather risk and vulnerability information from IT systems (e.g., weak passwords and unused open ports on web servers) so that auditors can plan audits based on the risk profile of IT assets.
IT Audit Projects: IT audit projects can be scheduled periodically based on the annual audit plan, or triggered on an ad-hoc basis for specific processes, projects, or applications. Based on the master audit calendar, auditors can be selected and assigned the IT audit responsibility with a due date. Automatic notifications are sent to the auditor as well as the auditee. Work papers with fully configurable workflows allow auditors to document audit activities and results.
IT Audits and Assessments: The MetricStream solution enables IT auditors to record qualitative or quantitative findings with detailed observations and recommendations in predefined formats, alongside the checklist of evaluation criteria and questions. The system also supports self-assessments and surveys related to IT controls in a consistent, reliable, and predictable manner. Audit managers can track the status of the audit, and measure its progress against milestones to ensure timely execution. A time tracking capability captures the time spent in auditing for optimal resource utilization.
IT Audit Reviews: The IT audit solution routes audit findings, observation reports, and auditors' recommendations for review and subsequent action. Findings are sent to the process owners to obtain their response. The solution also has built-in workflows for reviewing responses and approving or rejecting them. Built-in options help initiate remedial actions for undesirable variations and trends, and schedule follow-up audits.
IT Audit Reports and Metrics: The IT audit solution provides comprehensive capabilities for compiling IT audit reports and work papers. It provides complete visibility into the audit process, enables easy status tracking, and offers access to all audit data, as well as analyses of auditor performance and audit results. Graphical executive dashboards and flexible reports with drill-down capabilities provide IT audit statistics by audited entity, audit schedule and calendar, findings reports, corrective and remediation actions triggered, and a variety of other parameters.