IT Audit Checklist

Weaknesses in your company’s information technology (IT) system can disrupt your business operations, costing you time and money. A reliable IT audit checklist helps identify potential weak points while ensuring that your IT staff has the tools they need to secure your network, safeguard your data and avoid expensive repairs.

Why Have One?

IT audits help confirm the health (or troubling lack thereof) of your all-important information technology environment. They also verify that your IT team is aligned with the overall objectives of your business, while ensuring that your data is reliable, accurate and backed up.

The primary goals of an audit are to make certain your software and hardware are effective and appropriate while ensuring that your data is protected, and the members of your IT department have the communication and tools they need to effectively perform their responsibilities. An IT audit can also help companies uncover potential security risks and determine if they need to invest in updates to their software and/or your hardware.

Preparing for an IT Audit

To properly prepare for an internal IT audit, you need to understand the overall purpose and scope of the task. You also need to know its expected timeframe and what resources you will have to provide. These factors will typically depend on whether the audit is being conducted by an outside firm or your own team.

A well-crafted IT audit checklist is a point-by-point system that lets you evaluate the weaknesses (and strengths) of your IT infrastructure, as well as your IT operations, procedures and policies. Having a well-thought-out audit checklist lets you easily execute a comprehensive risk assessment that helps you identify areas of improvement and avoid serious issues down the line.

Businesses can also use IT audit checklists as guidelines for workers. If they understand how to protect data, IT staffers can help identify potential weaknesses or risks. Finding these potential weak points can make it easier to create plans to address them. IT audit checklists are also useful references for employees preparing for IT audits.

Creating an IT Audit Checklist

A good IT audit checklist will cover four key areas:


IT auditYour IT audit checklist should include steps to assess physical security measures, including locks on server rooms and security badges for individuals. It should also include steps to assess your entire network for vulnerabilities. This includes:

  • Making sure every procedure is well-documented
  • Confirming that you are separately storing sensitive data
  • Scanning for any potential unauthorized points of access
  • Searching for holes in firewalls and/or intrusion prevention systems
  • Testing any software dealing with sensitive information
  • Confirming that wireless networks are completely secure
  • Checking user identities and ensuring that each has the credentials to efficiently access sensitive data

Your IT audit checklist should also have steps to help determine if your IT staff applies patches in a timely manner and consistently updates applications and antivirus software. It should also look at critical network security practices, from multi-factor authentication to website access restrictions and everything in between.


Your audit needs to help determine whether your business complies with important regulatory requirements. Examples include:

  • Businesses with customers in the European Union must comply with the General Data Protection Regulation (GDPR).
  • Healthcare organizations must be compliant with HIPAA regulations and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).
  • Publicly traded companies have to be in compliance with the Sarbanes-Oxley Act of 2002 (SOX)
  • Any organization that transmits, processes or stores payment card information has to be in compliance with Payment Card Industry Data Security Standard (PCI DSS)

Backing up Data

Your checklist should include a thorough review of how (and how often) your business backs up critical data. Data backups should be part of your business continuity and disaster recovery planning. At the bare minimum, you should determine:

  • When your backup method was last tested
  • How long it would take for your data backup system to recover
  • How long your company could afford to be down
  • The actual financial cost of prolonged downtime
  • If you have up-to-date copies of your data stored offsite

Your audit checklist should also include an inventory of your hardware, noting the age and overall performance demands of each piece. In most instances, you should consider replacing IT hardware about every three to five years.

If you would like to secure your company’s vital systems and enhance operational efficiencies, Fisher Technology can help. As leading-edge IT specialists, we manage servers and computers, complex cloud environments, mobile devices, network equipment and applications. We can defend your company from hackers and malware while streamlining your day-to-day business operations with electronic document automation and state-of-the-art workflow solutions. Contact us to learn more.

Leave a Comment