ITGC SOP

The document outlines a Standard Operating Procedure (SOP) for conducting IT General Controls (ITGC) audits, detailing essential controls that ensure the integrity and reliability of IT systems. It covers various aspects such as IT governance, access management, change management, and incident management, along with the differences between ITGC and application controls. Additionally, it provides a framework for auditing processes, including specific steps for auditing change management and access management processes.

Uploaded by

xan parker
Standard Operating Procedure (SOP) for Conducting ITGC Audit

1. Introduction

Overview of ITGC:
IT General Controls (ITGC) are essential controls that ensure the proper functioning of internal
controls within an IT environment. These controls support overall business operations and ensure
compliance with regulatory requirements. An effective ITGC framework is crucial for achieving
security objectives and maintaining the integrity and reliability of IT systems.

2. Detailed ITGC Terminology

1. IT Governance:
Definition: IT Governance encompasses the processes and structures that ensure IT supports
and aligns with the organization’s strategic objectives. It involves setting policies, standards,
and guidelines for managing IT resources effectively.

Example: An IT Governance framework might include the establishment of an IT Steering
Committee to oversee IT projects and align them with business goals.

2. Access Management:
Definition: Access Management involves controls to manage who has access to IT systems
and data. It ensures that only authorized individuals can access sensitive information, and
their access is restricted based on their roles and responsibilities.

Example: Implementing Multi-Factor Authentication (MFA) to ensure that only authorized
users can access critical systems.

3. Change Management:
Definition: Change Management controls manage changes to IT systems, applications, and
infrastructure. These controls ensure changes are authorized, tested, documented, and do
not negatively impact the IT environment.

Example: Using a change management tool like JIRA to log, approve, and track changes to a
database system before they are implemented.

4. Business Continuity Planning (BCP) & Disaster Recovery (DR):
Definition: BCP and DR controls ensure that an organization can continue its critical
operations during and after a disaster. BCP focuses on maintaining essential functions, while
DR is concerned with restoring IT systems after a disaster.

Example: Regularly testing the DR plan to ensure that systems can be restored within the
Recovery Time Objective (RTO) after an outage.

5. Backup Management:
Definition: Backup Management involves the processes of creating, storing, and maintaining
copies of data so that it can be restored in case of data loss or corruption. It ensures that
data is backed up regularly and securely.

Example: Implementing daily incremental backups and weekly full backups of all critical data
to a secure offsite location.

6. Incident Management:
Definition: Incident Management controls handle the identification, assessment, and
resolution of IT incidents. The goal is to minimize the impact of incidents on business
operations and prevent future occurrences.

Example: Using an Incident Management tool like IRIS to log and track incidents from
detection to resolution.

7. Network Security:
Definition: Network Security controls protect the organization's network from unauthorized
access, attacks, and other security threats. This includes firewalls, intrusion
detection/prevention systems, and secure network configurations.

Example: Implementing a firewall with intrusion prevention capabilities to monitor and block
suspicious traffic entering the network.

8. System Hardening:
Definition: System Hardening involves securing IT systems by reducing their vulnerability to
threats. This includes applying security patches, disabling unnecessary services, and
configuring security settings.

Example: Applying the latest security patches to operating systems and applications to
protect against known vulnerabilities.

9. Vendor Management:
Definition: Vendor Management controls ensure that third-party vendors comply with the
organization’s security policies and standards. This includes assessing vendor risks and
monitoring their compliance.

Example: Conducting regular security assessments of cloud service providers to ensure they
meet the organization's security requirements.

10. Human Resources:
Definition: Human Resources controls ensure that employees with access to IT systems are
properly vetted, trained, and monitored. This includes background checks, access
termination procedures, and security awareness training.

Example: Ensuring that employees receive regular security training and that their access to
systems is promptly revoked upon termination.

11. Application Management:
Definition: Application Management controls ensure the integrity, availability, and security of
applications. This includes managing application development, maintenance, and
monitoring.

Example: Using version control tools to manage code changes and ensure that only
authorized changes are implemented in production environments.

12. Asset Management:
Definition: Asset Management controls involve tracking and managing IT assets throughout
their lifecycle, from procurement to disposal. This ensures that all assets are accounted for
and managed according to policies.

Example: Maintaining an up-to-date inventory of all IT assets, including hardware and
software, and ensuring that they are properly decommissioned at the end of their lifecycle.

13. Information Technology Management:
Definition: This involves the management of IT services, including endpoint security, VPN,
antivirus, data loss prevention (DLP), Active Directory (AD), patch management, BitLocker,
and email security.

Example: Regularly updating antivirus definitions and ensuring that all endpoints are
protected against malware.

14. Information Security:
Definition: Information Security controls protect the confidentiality, integrity, and availability
of information. This includes implementing security policies, monitoring for security threats,
and responding to security incidents.

Example: Implementing encryption for sensitive data to protect it from unauthorized access.

3. Differences Between IT General Controls and Application Controls

1. Scope:

o ITGCs: These are broader and affect the overall IT environment. They ensure the
overall reliability and security of data and systems.

o Application Controls: These are specific to individual applications and ensure the
integrity of transactions processed by those applications.

2. Purpose:

o ITGCs: Focus on the overall control environment of IT systems, including
infrastructure, networks, and overall IT governance.

o Application Controls: Aim to ensure that data input, processing, and output within
individual applications are accurate and authorized.

3. Types of Controls:

o ITGCs: Include controls related to user access, system changes, IT operations, and
physical security.

o Application Controls: Include input controls (e.g., validation checks), processing
controls (e.g., calculations), and output controls (e.g., report generation).

4. Research Papers to Understand IT General Controls

1. Performing the IT General Controls Audit

o Author: Charles H. Le Grand, 2012

o Insight: Discusses the importance of internal audits in assessing IT general controls
to manage technology risks and compliance.

2. Controls in Business and IT: Formalization and Application

o Author: Lior Limonad, 2013

o Insight: Introduces a conceptual framework for integrating control aspects into
information systems, focusing on business operations and regulatory compliance.

3. IT General Controls in SAP ERP

o Author: Maxim Chuprunov, 2013

o Insight: Details essential ITGCs in SAP ERP systems to ensure data consistency and
compliance.

4. IT General Controls Testing: Assessing the Effectiveness of User Access Management

o Authors: Lorraine Lee & Rebecca S. Sawyer, 2019

o Insight: Focuses on IT general controls testing, particularly user access management,
to ensure effective IT control operations.

5. General Purpose Control System

o Authors: Chen Chih-Hsuan et al., 2017

o Insight: Presents a patent on a control system designed to manage testing machines,
highlighting practical control system applications.

5. Common IT General Control Frameworks Used by Organizations

1. COBIT:

o Overview: A comprehensive IT management and governance framework.

o Key Components: Governance objectives, process models, performance
management.

o Use Cases: IT governance, risk management, regulatory compliance.

2. ITIL:

o Overview: Practices for IT service management.

o Key Components: Service strategy, design, transition, operation, improvement.

o Use Cases: Managing IT services, improving service delivery.

3. NIST SP 800-53:

o Overview: Security and privacy controls for federal information systems.

o Key Components: Access control, audit and accountability, system protection.

o Use Cases: Securing information systems, FISMA compliance.

4. ISO/IEC 27001:

o Overview: Standard for information security management systems (ISMS).

o Key Components: Security policies, asset management, access control.

o Use Cases: Managing and protecting information assets, achieving certification.

5. SOX Compliance:

o Overview: U.S. federal law for financial disclosures and accounting fraud prevention.

o Key Components: ICFR, IT general controls, audits.

o Use Cases: Ensuring accuracy and integrity of financial reporting.

6. PCI DSS:

o Overview: Security standards for credit card information protection.

o Key Components: Secure network, cardholder data protection, access control.

o Use Cases: Protecting cardholder data, industry compliance.

7. COSO:

o Overview: Framework for internal control design and evaluation.

o Key Components: Control environment, risk assessment, monitoring.

o Use Cases: Governance, risk management, internal controls for financial reporting.

6. Data Requirement for ITGC

IT Governance

1. IT Policy.

2. IT Standards/ Procedures.

3. Information Security Policy.

4. Information Security Standard/ Procedures

5. Cyber Security Policy.

6. IT Asset Management Policy and Standard.

7. Backup SOP

8. System Hardening including Patch Management SOP

9. Change Management SOP.

10. Capacity Management SOP.

11. Cloud Management SOP.

12. Third Party Management SOP

13. Physical and Environmental Control SOP.

14. User Access Management SOP.

15. Incident Management SOP.

16. Network Management SOP.

17. Antivirus and Malware Management SOP.

18. Log Management and Monitoring SOP.

19. IT Organisation Chart.

20. IT Committee(s) and Infosec Committee(s) Minutes.

21. IT Committee(s) and Infosec Committee(s) Terms of Reference or Roles and Responsibility
Document.

Application Details

1. List of Applications (Application Inventory) with criticality, indicating which applications' output
has a financial impact.

2. Application Interfacing Details including details of API Integration.

3. List of Applications which are used to generate MIS and Financial Statement.

IT Asset Management

1. IT Asset Register Inventory along with Criticality.

2. For in-scope applications, details (list and purpose) of any critical systems (application and
infrastructure) purchased or sold during the period.

Change Management

1. Change Dump from the Application.

2. Change Dump from change record management system/ version control tool for the Application.

3. Documentation of Sample cases from the Change Dump including BRD, FSD and Test Cases.

Backup Management

1. Backup Schedule configuration screenshot for in scope application.

2. Screenshot of Backup Logs to determine whether backups are taken as per the retention limit.

3. Details of Alerts generated for completion of Backup (Successful or failed).

4. Restoration testing Report.

Access Management

1. Details of the application used for managing access (IDAM).

2. Dump from IDAM for users having access to the Application in scope.

3. Dump from the in-scope application itself regarding users having access to it.

4. List of exited employees from HR for the specific application.

5. Details of PIM/ PAM if any for accessing the critical system.

6. List of users configured in PIM/ PAM.

7. List of systems configured in PIM/ PAM.

8. List of servers on which PIM/ PAM logs are stored.

9. Documentation of Approvals for Access Management of Sample set of users.

BCP & DR

Incident Management

Network Security

System Hardening

Vendor Management

Information Technology Management

Information Security

7. Detailed Standard Operating Procedure (SOP) for Auditing the respective process

Standard Operating Procedure (SOP) for Auditing the Change Management Process

1. Introduction

The Change Management process ensures that changes to IT systems, applications, and
infrastructure are controlled and coordinated to minimize risks. Auditing this process helps verify
that changes are properly documented, approved, implemented, and reviewed.

2. Purpose

This SOP provides detailed steps for auditing the Change Management process, ensuring that all
changes are managed in compliance with organizational policies and regulatory requirements.

3. Scope

This SOP applies to all IT-related changes within the organization, including hardware, software,
network configurations, and application updates.

4. Key Areas to Audit

• Change Request Documentation

• Approval Process

• Risk and Impact Assessment

• Testing and Backout Plans

• Implementation and Review

5. Step-by-Step Audit Procedure

Step 1: Understand the Change Management Process

• Objective: Familiarize yourself with the organization’s Change Management process,
including the tools (e.g., IRIS) and policies in place.

• Actions:

o Review the Change Management Policy.

o Understand the workflow, from the initiation of a Change Request (CR) to its closure.

o Identify key stakeholders involved in the process (e.g., Change Manager, CAB,
Implementation Team).

Step 2: Review Change Request Documentation

• Objective: Ensure that all changes are properly documented.

• Actions:

o Select a sample of Change Requests from the Change Management tool.

o Verify that each CR includes a clear description, reason for the change, and details of
the change.

o Check that CRs are logged and tracked within the system.

Step 3: Evaluate the Approval Process

• Objective: Confirm that all changes are properly reviewed and approved before
implementation.

• Actions:

o Review the approval workflow for the selected CRs.

o Ensure that each CR has been reviewed by the Change Advisory Board (CAB) or an
appropriate authority.

o Check that approvals are documented with timestamps and the approver’s name.

Step 4: Assess Risk and Impact Evaluation

• Objective: Verify that potential risks and impacts of changes are properly assessed.

• Actions:

o Review the risk and impact assessment sections of the CRs.

o Ensure that high-risk changes have undergone additional scrutiny.

o Check for documented mitigation strategies for identified risks.

Step 5: Review Testing and Backout Plans

• Objective: Confirm that changes are tested in a controlled environment and that there are
backout plans in case of failure.

• Actions:

o Check that a testing plan is included for each change, with details of the test
environment and results.

o Verify that backout plans are documented, outlining steps to revert the system to its
previous state if the change fails.

Step 6: Audit the Implementation Process

• Objective: Ensure that changes are implemented as planned and documented.

• Actions:

o Review the implementation logs for selected changes.

o Confirm that the changes were implemented according to the approved plan.

o Check for any deviations from the plan and how they were handled.

Step 7: Document Audit Findings

• Objective: Record and report any findings from the audit.

• Actions:

o Document any gaps, non-compliance, or weaknesses found in the Change
Management process.

o Provide recommendations for improvement.

o Prepare an audit report summarizing the findings and submit it to the relevant
stakeholders.

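
The reconciliation behind Steps 2 to 5 above, as an added example that is not part of this SOP: the change dump from the application is matched against the change-record dump from the ticketing tool, and every deployed change without a logged CR, without a documented approval (approver name and timestamp), approved only after go-live, lacking test evidence or a backout plan, or rated high-risk without mitigation is reported. All records and field names are constructed assumptions; map them to the real export columns.

```python
"""Change-management reconciliation test for an ITGC audit (added example).

Compares the change dump from the application (what was actually deployed)
against the change-record dump from the ticketing tool (what was requested,
approved and tested), as listed under the Change Management data requirements.
All records below are constructed sample data; field names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class ChangeRecord:
    """One Change Request (CR) as exported from the change-management tool."""
    cr_id: str
    approver: Optional[str]          # name of the CAB member / authority who approved
    approved_at: Optional[datetime]  # approval timestamp
    risk: str                        # "low", "medium" or "high"
    mitigation: str                  # documented mitigation for identified risks
    test_evidence: bool              # test plan with environment and results attached
    backout_plan: bool               # documented steps to revert the change


@dataclass
class DeployedChange:
    """One change as recorded by the application / version-control tool."""
    change_id: str
    cr_id: Optional[str]             # CR referenced by the deployment, if any
    implemented_at: datetime


def audit_changes(deployed: List[DeployedChange],
                  records: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Return {change_id: [exceptions]} for every deployed change that fails a check.

    A change with no entry in the result passed every check in the sample.
    """
    by_cr = {r.cr_id: r for r in records}
    findings: Dict[str, List[str]] = {}
    for d in deployed:
        issues: List[str] = []
        rec = by_cr.get(d.cr_id) if d.cr_id else None
        if rec is None:
            # Step 2: every deployed change must trace back to a logged CR
            issues.append("no change request on file")
        else:
            # Step 3: approval documented with approver name and timestamp,
            # and granted before the change went live
            if not rec.approver or rec.approved_at is None:
                issues.append("approval not documented (approver/timestamp missing)")
            elif rec.approved_at > d.implemented_at:
                issues.append("approved after implementation")
            # Step 4: high-risk changes need documented mitigation
            if rec.risk == "high" and not rec.mitigation.strip():
                issues.append("high-risk change without documented mitigation")
            # Step 5: test evidence and backout plan
            if not rec.test_evidence:
                issues.append("no test evidence")
            if not rec.backout_plan:
                issues.append("no backout plan")
        if issues:
            findings[d.change_id] = issues
    return findings


def _dt(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample: three CRs and four deployments in the audit period.
SAMPLE_RECORDS = [
    ChangeRecord("CR-1001", "cab.chair", _dt("2024-03-01 10:00"), "low", "", True, True),
    ChangeRecord("CR-1002", None, None, "medium", "", True, True),        # never approved
    ChangeRecord("CR-1003", "cab.chair", _dt("2024-03-12 09:00"), "high", "", False, True),
]
SAMPLE_DEPLOYED = [
    DeployedChange("rel-501", "CR-1001", _dt("2024-03-02 22:00")),       # clean
    DeployedChange("rel-502", "CR-1002", _dt("2024-03-05 22:00")),
    DeployedChange("rel-503", "CR-1003", _dt("2024-03-10 22:00")),       # approved after go-live
    DeployedChange("rel-504", None, _dt("2024-03-15 22:00")),            # no CR at all
]


def run_sample() -> Dict[str, List[str]]:
    """Run the test over the constructed sample; used by main() and by tests."""
    return audit_changes(SAMPLE_DEPLOYED, SAMPLE_RECORDS)


if __name__ == "__main__":
    for change_id, issues in run_sample().items():
        print(f"{change_id}: {'; '.join(issues)}")
```

Each exception in the output is one line of audit evidence for Step 7; a change absent from the output passed every check in the sample.
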
Standard Operating Procedure (SOP) for Auditing the Access Management Process

1. Introduction

Access Management controls who has access to IT systems and data, ensuring that only authorized
personnel can access sensitive information. Auditing this process helps ensure that access rights are
properly assigned, monitored, and reviewed.

2. Purpose

This SOP provides detailed steps for auditing the Access Management process, ensuring that access
controls are in place and functioning as intended.

3. Scope

This SOP applies to all IT systems, applications, and data within the organization.

4. Key Areas to Audit

• User Access Provisioning

• Access Level Approvals

• Access Reviews

• Role-Based Access Control (RBAC)

• De-provisioning of Access

• Monitoring and Logging

5. Step-by-Step Audit Procedure

Step 1: Understand the Access Management Process

• Objective: Familiarize yourself with the organization’s Access Management process and tools
(e.g., Active Directory, IAM systems).

• Actions:

o Review the Access Management Policy.

o Understand the workflow for provisioning, modifying, and de-provisioning user
access.

o Identify key stakeholders involved in the process (e.g., Access Manager, System
Owners).

Step 2: Review User Access Provisioning

• Objective: Ensure that user access is granted based on business needs and appropriate
approvals.

• Actions:

o Select a sample of user accounts created during the audit period.

o Verify that each account was created following a documented request and approval
process.

o Ensure that access rights assigned match the user’s role and responsibilities.

Step 3: Evaluate Access Level Approvals

• Objective: Confirm that access levels are approved by the appropriate authority.

• Actions:

o Review the approval process for assigning access levels.

o Ensure that higher privilege access (e.g., admin rights) is approved by senior
management.

o Check that approvals are documented and stored in the system.

Step 4: Assess Role-Based Access Control (RBAC)

• Objective: Verify that access controls are based on roles and responsibilities.

• Actions:

o Review the RBAC model implemented in the organization.

o Ensure that access rights are aligned with job functions and responsibilities.

o Check for any deviations from the RBAC model and whether they are justified.

Step 5: Conduct Access Reviews

• Objective: Ensure that periodic access reviews are conducted to validate current access
rights.

• Actions:

o Review the schedule and results of access reviews.

o Verify that access rights are regularly reviewed by system owners and managers.

o Ensure that any necessary adjustments to access rights are made based on the
review findings.

Step 6: Review De-provisioning of Access

• Objective: Confirm that access is promptly removed when it is no longer required.

• Actions:

o Select a sample of terminated or transferred employees.

o Verify that their access rights were removed or modified promptly.

o Check that de-provisioning is documented and follows the organization’s procedures.

Step 7: Audit Monitoring and Logging

• Objective: Ensure that user activities are monitored and logged to detect unauthorized
access.

• Actions:

o Review the logging and monitoring practices in place for critical systems.

o Verify that logs are regularly reviewed for suspicious activities.

o Ensure that any incidents of unauthorized access are investigated and addressed.

Step 8: Document Audit Findings

• Objective: Record and report any findings from the audit.

• Actions:

o Document any gaps, non-compliance, or weaknesses found in the Access
Management process.

o Provide recommendations for improvement.

o Prepare an audit report summarizing the findings and submit it to the relevant
stakeholders.

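
The de-provisioning test of Step 6 and the log check of Step 7, as an added example that is not part of this SOP: the HR exit list is joined to the account dump, and every leaver account still enabled, disabled late, or used after the exit date is flagged; a second function reconciles the IDAM dump against the application's own user dump so accounts the application knows but IDAM does not are surfaced. All data is constructed; the column names and the one-day removal window are assumptions to be replaced by the organization's own SLA.

```python
"""Leaver test and IDAM-to-application reconciliation for an access audit (added example).

Joins the HR exit list with the IDAM dump and the application's own user dump,
the inputs listed under the Access Management data requirements. All data below
is constructed; column names and the one-day removal window are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Leaver:
    emp_id: str
    exit_date: date               # last working day per HR


@dataclass
class Account:
    emp_id: str
    user_id: str
    enabled: bool
    disabled_on: Optional[date]   # date the account was disabled, if recorded
    last_login: Optional[date]    # last successful login per the application log


def leaver_test(leavers: List[Leaver], accounts: List[Account],
                max_days: int = 1) -> List[Tuple[str, str]]:
    """Flag accounts of exited employees not removed within max_days of exit
    (Step 6), and any account used after the exit date (Step 7)."""
    by_emp: Dict[str, List[Account]] = {}
    for a in accounts:
        by_emp.setdefault(a.emp_id, []).append(a)
    findings: List[Tuple[str, str]] = []
    for lv in leavers:
        deadline = lv.exit_date + timedelta(days=max_days)
        for a in by_emp.get(lv.emp_id, []):
            if a.enabled:
                findings.append((a.user_id, "still enabled after exit"))
            elif a.disabled_on is None:
                findings.append((a.user_id, "disabled, but de-provisioning date not recorded"))
            elif a.disabled_on > deadline:
                late = (a.disabled_on - lv.exit_date).days
                findings.append((a.user_id, f"disabled {late} days after exit"))
            if a.last_login is not None and a.last_login > lv.exit_date:
                findings.append((a.user_id, "logged in after exit date"))
    return findings


def reconcile(idam_users: List[str], app_users: List[str]) -> Dict[str, List[str]]:
    """Accounts known to the application but not to IDAM (unmanaged access), and vice versa."""
    idam, app = set(idam_users), set(app_users)
    return {"in_app_not_idam": sorted(app - idam), "in_idam_not_app": sorted(idam - app)}


# Constructed sample data for the audit period.
LEAVERS = [Leaver("E100", date(2024, 2, 29)),
           Leaver("E200", date(2024, 3, 15)),
           Leaver("E300", date(2024, 4, 1))]
ACCOUNTS = [
    Account("E100", "jdoe", False, date(2024, 3, 1), date(2024, 2, 28)),   # removed next day: clean
    Account("E200", "asmith", True, None, date(2024, 3, 20)),              # never removed, used after exit
    Account("E300", "bwong", False, date(2024, 4, 10), None),              # removed nine days late
    Account("E400", "svc_batch", True, None, date(2024, 4, 2)),            # not a leaver
]
IDAM_USERS = ["jdoe", "asmith", "bwong"]
APP_USERS = ["jdoe", "asmith", "bwong", "svc_batch"]   # svc_batch exists only in the application


def run_sample():
    """Run both tests over the constructed sample; used by main() and by tests."""
    return leaver_test(LEAVERS, ACCOUNTS), reconcile(IDAM_USERS, APP_USERS)


if __name__ == "__main__":
    findings, diff = run_sample()
    for user_id, issue in findings:
        print(f"{user_id}: {issue}")
    print("in application but not in IDAM:", diff["in_app_not_idam"])
```
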
Standard Operating Procedure (SOP) for Auditing the Incident Management Process

1. Introduction

The Incident Management process is crucial for identifying, recording, analyzing, and resolving
incidents that disrupt normal IT services. Auditing this process ensures that incidents are handled
efficiently, minimizing the impact on business operations.

2. Purpose

This SOP provides detailed steps for auditing the Incident Management process to ensure that
incidents are properly managed in compliance with organizational policies and industry best
practices.

3. Scope

This SOP applies to all IT-related incidents within the organization, including hardware, software,
network issues, security breaches, and any other disruptions to IT services.

4. Key Areas to Audit

• Incident Identification and Logging

• Incident Categorization and Prioritization

• Incident Investigation and Diagnosis

• Incident Resolution and Recovery

• Incident Closure and Documentation

• Root Cause Analysis (RCA)

• Incident Reporting and Communication

• Incident Trend Analysis and Continuous Improvement

5. Step-by-Step Audit Procedure

Step 1: Understand the Incident Management Process

• Objective: Familiarize yourself with the organization’s Incident Management process,
including tools (e.g., IRIS) and policies in place.

• Actions:

o Review the Incident Management Policy.

o Understand the workflow, from incident identification to closure.

o Identify key stakeholders involved in the process (e.g., Incident Manager, Support
Teams).

Step 2: Review Incident Identification and Logging

• Objective: Ensure that incidents are promptly identified and logged in the Incident
Management system.

• Actions:

o Select a sample of incidents from the Incident Management tool.

o Verify that each incident is logged with a clear description, timestamp, and relevant
details.

o Check that incidents are logged in a consistent and standardized manner.

Step 3: Evaluate Incident Categorization and Prioritization

• Objective: Confirm that incidents are properly categorized and prioritized based on their
impact and urgency.

• Actions:

o Review the categorization and prioritization process for selected incidents.

o Ensure that the severity and priority levels are assigned according to the
organization’s guidelines.

o Check that high-priority incidents receive immediate attention.

Step 4: Assess Incident Investigation and Diagnosis

• Objective: Verify that incidents are thoroughly investigated to identify the root cause.

• Actions:

o Review the investigation and diagnosis process for selected incidents.

o Ensure that incidents are analyzed by the appropriate technical teams.

o Check for documentation of the investigation findings.

Step 5: Review Incident Resolution and Recovery

• Objective: Confirm that incidents are resolved in a timely manner with minimal disruption to
services.

• Actions:

o Review the resolution and recovery steps taken for selected incidents.

o Ensure that incidents are resolved according to the organization’s SLAs.

o Check for any escalations and how they were handled.

Step 6: Audit Incident Closure and Documentation

• Objective: Ensure that incidents are properly closed and documented.

• Actions:

o Verify that all necessary documentation is completed before an incident is closed.

o Check that lessons learned and any follow-up actions are documented.

o Review the closure approval process.

Step 7: Evaluate Root Cause Analysis (RCA)

• Objective: Confirm that a thorough RCA is conducted for major incidents.

• Actions:

o Review RCAs for selected major incidents.

o Ensure that the root cause is clearly identified and documented.

o Check that corrective actions are implemented to prevent recurrence.

Step 8: Review Incident Reporting and Communication

• Objective: Ensure that incidents are reported and communicated to relevant stakeholders.

• Actions:

o Review the incident reporting process, including regular incident reports.

o Ensure that stakeholders are informed of incidents as per the communication plan.

o Check for compliance with any regulatory reporting requirements.

Step 9: Conduct Incident Trend Analysis and Continuous Improvement

• Objective: Verify that incident data is analyzed for trends and continuous improvement
opportunities.

• Actions:

o Review incident trend analysis reports.

o Ensure that recurring incidents are identified and addressed.

o Check for documentation of improvement actions based on trend analysis.

Step 10: Document Audit Findings

• Objective: Record and report any findings from the audit.

• Actions:

o Document any gaps, non-compliance, or weaknesses found in the Incident
Management process.

o Provide recommendations for improvement.

o Prepare an audit report summarizing the findings and submit it to the relevant
stakeholders.

Standard Operating Procedure (SOP) for Auditing the Backup and Restoration Process

1. Introduction

The Backup and Restoration process ensures that critical data and systems can be recovered in the
event of data loss, system failure, or other disruptions. Auditing this process verifies that backups are
performed regularly, stored securely, and can be restored as needed.

2. Purpose

This SOP provides detailed steps for auditing the Backup and Restoration process to ensure that data
is properly backed up, stored, and can be successfully restored in compliance with organizational
policies and industry best practices.

3. Scope

This SOP applies to all IT systems, applications, databases, and data within the organization that are
subject to backup and restoration procedures.

4. Key Areas to Audit

• Backup Policy and Schedule

• Backup Integrity and Completeness

• Backup Storage and Security

• Restoration Procedures

• Backup Monitoring and Reporting

• Disaster Recovery Testing

• Data Retention and Archiving

5. Step-by-Step Audit Procedure

Step 1: Understand the Backup and Restoration Process

• Objective: Familiarize yourself with the organization’s Backup and Restoration process,
including the tools (e.g., Veeam, SAP HANA Studio) and policies in place.

• Actions:

o Review the Backup and Restoration Policy.

o Understand the workflow for data backup, storage, and restoration.

o Identify key stakeholders involved in the process (e.g., Backup Administrator, IT
Operations Team).

Step 2: Review Backup Policy and Schedule

• Objective: Ensure that the backup policy and schedule are comprehensive and adhered to.

• Actions:

o Review the organization's backup policy, including frequency, scope, and retention
periods.

o Verify that full and incremental backups are scheduled according to the policy.

o Ensure that backups cover all critical systems, applications, and data.

Step 3: Evaluate Backup Integrity and Completeness

• Objective: Confirm that backups are complete and can be restored without errors.

• Actions:

o Select a sample of recent backups and verify their integrity.

o Ensure that backups are complete, including all essential data and configurations.

o Check for any errors or issues reported during the backup process.

Step 4: Assess Backup Storage and Security

• Objective: Verify that backups are stored securely and are protected against unauthorized
access and physical damage.

• Actions:

o Review the storage locations for backups, both primary and secondary (e.g., Data
Center, DR site).

o Ensure that backups are encrypted and stored in a secure environment.

o Check that access to backup storage is restricted to authorized personnel.

Step 5: Review Restoration Procedures

• Objective: Ensure that data can be restored quickly and accurately when needed.

• Actions:

o Review the documented restoration procedures.

o Test the restoration process by selecting a sample of backups and performing a
restore.

o Verify that restored data matches the original and is functional.

Step 6: Audit Backup Monitoring and Reporting

• Objective: Ensure that backup operations are monitored and that issues are promptly
addressed.

• Actions:

o Review monitoring logs and reports for backup operations.

o Ensure that any failures or issues are logged, investigated, and resolved.

o Check for regular review of backup reports by the IT Operations Team.

Step 7: Evaluate Disaster Recovery Testing

• Objective: Confirm that disaster recovery (DR) testing is performed regularly to ensure
backup effectiveness.

• Actions:

o Review the schedule and results of DR testing.

o Ensure that DR tests include full restoration of critical systems and data.

o Check for any issues identified during DR tests and their resolution.

Step 8: Review Data Retention and Archiving

• Objective: Verify that data retention and archiving policies are followed.

• Actions:

o Review the organization's data retention policy.

o Ensure that backups are retained according to the policy and that older backups are
archived or deleted as required.

o Check for compliance with any legal or regulatory requirements for data retention.

Step 9: Document Audit Findings

• Objective: Record and report any findings from the audit.

• Actions:

o Document any gaps, non-compliance, or weaknesses found in the Backup and
Restoration process.

o Provide recommendations for improvement.

o Prepare an audit report summarizing the findings and submit it to the relevant
stakeholders.

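
The backup-log review of Steps 2, 3 and 6, as an added example that is not part of this SOP: a constructed backup log is checked against a policy of daily incremental and weekly full backups (the schedule the terminology section gives as its Backup Management example), reporting days with no successful run, weeks whose full backup never succeeded, and failed runs that were not re-run successfully the same day. The log line format, job name and the Sunday full-backup day are assumptions; a real Veeam or SAP HANA export will need its own parser.

```python
"""Backup log review for a backup audit (added example, not from the SOP).

Checks a constructed backup log against a policy of one successful run per day
and a successful full backup on the weekly full-backup day (Steps 2 and 3), and
lists failed runs that were never re-run successfully the same day (Step 6).
The log format below is made up for the example; a real export will differ.
"""
import re
from collections import defaultdict
from datetime import date, datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log excerpt for a 14-day window; Sundays are 2024-03-03 and 2024-03-10.
SAMPLE_LOG = """\
2024-03-03 01:00 job=db-prod type=full status=success
2024-03-04 01:00 job=db-prod type=incr status=success
2024-03-05 01:00 job=db-prod type=incr status=failed
2024-03-05 06:30 job=db-prod type=incr status=success
2024-03-06 01:00 job=db-prod type=incr status=success
2024-03-07 01:00 job=db-prod type=incr status=failed
2024-03-08 01:00 job=db-prod type=incr status=success
2024-03-09 01:00 job=db-prod type=incr status=success
2024-03-10 01:00 job=db-prod type=full status=failed
2024-03-11 01:00 job=db-prod type=incr status=success
2024-03-12 01:00 job=db-prod type=incr status=success
2024-03-13 01:00 job=db-prod type=incr status=success
2024-03-14 01:00 job=db-prod type=incr status=success
2024-03-15 01:00 job=db-prod type=incr status=success
2024-03-16 01:00 job=db-prod type=incr status=success
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) job=(\S+) type=(\S+) status=(\S+)$")

Run = Tuple[datetime, str, str, str]   # (timestamp, job, type, status)


def parse_log(text: str) -> List[Run]:
    """Parse the constructed log format; lines that do not match are ignored."""
    runs: List[Run] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, job, kind, status = m.groups()
            runs.append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), job, kind, status))
    return runs


def check_backups(runs: List[Run], job: str, start: date, end: date,
                  full_weekday: int = 6) -> Dict[str, list]:
    """Evaluate one job over [start, end]; full_weekday uses date.weekday() (6 = Sunday)."""
    by_day = defaultdict(list)
    for ts, j, kind, status in runs:
        if j == job and start <= ts.date() <= end:
            by_day[ts.date()].append((ts, kind, status))
    days_without_success, missing_weekly_full, failures_without_rerun = [], [], []
    day = start
    while day <= end:
        entries = sorted(by_day.get(day, []))
        if not any(s == "success" for _, _, s in entries):
            days_without_success.append(day)
        if day.weekday() == full_weekday and not any(
                k == "full" and s == "success" for _, k, s in entries):
            missing_weekly_full.append(day)
        for i, (ts, _kind, status) in enumerate(entries):
            # a failure counts as unresolved unless a later run that day succeeded
            if status == "failed" and not any(s == "success" for _, _, s in entries[i + 1:]):
                failures_without_rerun.append(ts)
        day += timedelta(days=1)
    return {"days_without_success": days_without_success,
            "missing_weekly_full": missing_weekly_full,
            "failures_without_rerun": failures_without_rerun}


def run_sample() -> Dict[str, List[str]]:
    """Run the check over the sample window; dates and timestamps returned as strings."""
    result = check_backups(parse_log(SAMPLE_LOG), "db-prod", date(2024, 3, 3), date(2024, 3, 16))
    return {key: [v.isoformat(sep=" ") if isinstance(v, datetime) else v.isoformat()
                  for v in values]
            for key, values in result.items()}


if __name__ == "__main__":
    for key, values in run_sample().items():
        print(f"{key}: {values}")
```
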
Standard Operating Procedure (SOP) for Auditing the IT Asset Management Process

1. Introduction

The IT Asset Management (ITAM) process ensures that all IT assets, including hardware, software,
and related resources, are effectively managed throughout their lifecycle. Auditing this process
verifies that assets are accurately tracked, properly utilized, and securely disposed of when no longer
needed.

2. Purpose

This SOP provides detailed steps for auditing the IT Asset Management process to ensure that IT
assets are managed in compliance with organizational policies and industry best practices.

3. Scope

This SOP applies to all IT assets within the organization, including computers, servers, network
devices, software licenses, and other technology-related resources.

4. Key Areas to Audit

 Asset Inventory Management

 Asset Procurement and Acquisition

 Asset Deployment and Configuration

 Asset Usage and Monitoring

 Asset Maintenance and Support

 Asset Decommissioning and Disposal

 Software License Management

 Asset Security and Compliance

5. Step-by-Step Audit Procedure

Step 1: Understand the IT Asset Management Process

 Objective: Familiarize yourself with the organization’s IT Asset Management process,
including the tools (e.g., Iris IT Asset Management) and policies in place.

 Actions:

o Review the IT Asset Management Policy.

o Understand the workflow for asset acquisition, tracking, usage, and disposal.

o Identify key stakeholders involved in the process (e.g., IT Asset Manager,
Procurement Team).

Step 2: Review Asset Inventory Management

 Objective: Ensure that all IT assets are accurately recorded in the asset inventory.

 Actions:

o Review the asset inventory system to verify its completeness and accuracy.

o Select a sample of IT assets and cross-check their details against the inventory
records.

o Ensure that the inventory includes all relevant information, such as asset type, serial
number, location, and responsible personnel.

Step 3: Evaluate Asset Procurement and Acquisition

 Objective: Confirm that IT assets are procured following the organization’s procurement
policies.

 Actions:

o Review the procurement process for selected IT assets.

o Ensure that procurement requests are properly documented and approved.

o Check that assets are acquired from authorized vendors and that purchase records
are maintained.

Step 4: Assess Asset Deployment and Configuration

 Objective: Verify that IT assets are properly deployed and configured according to
organizational standards.

 Actions:

o Review deployment records for selected IT assets.

o Ensure that assets are configured as per the organization’s IT standards and
requirements.

o Check for any documentation of deployment activities, including user acceptance.

Step 5: Audit Asset Usage and Monitoring

 Objective: Ensure that IT assets are utilized efficiently and monitored regularly.

 Actions:

o Review usage logs and monitoring reports for selected assets.

o Ensure that assets are being used for their intended purpose and that usage is
monitored.

o Check for any unused or underutilized assets and investigate the reasons.

Step 6: Review Asset Maintenance and Support

 Objective: Confirm that IT assets are regularly maintained and supported.

 Actions:

o Review maintenance schedules and records for selected assets.

o Ensure that regular maintenance activities are performed, including updates and
repairs.

o Check that support contracts or warranties are in place and utilized effectively.

Step 7: Evaluate Asset Decommissioning and Disposal

 Objective: Ensure that IT assets are securely decommissioned and disposed of when no
longer needed.

 Actions:

o Review the decommissioning process for selected assets.

o Ensure that data is securely erased from assets before disposal.

o Verify that disposal activities are documented and comply with environmental
regulations and organizational policies.

Step 8: Audit Software License Management

 Objective: Verify that software licenses are managed effectively to ensure compliance and
cost-efficiency.

 Actions:

o Review the software license management system.

o Ensure that all software used within the organization is properly licensed.

o Check for compliance with software vendor agreements and confirm that no unlicensed
software is in use.

Step 9: Evaluate Asset Security and Compliance

 Objective: Ensure that IT assets are secure and compliant with relevant regulations and
organizational policies.

 Actions:

o Review security measures in place for protecting IT assets (e.g., encryption, access
control).

o Ensure that assets are compliant with industry standards and regulations.

o Check for any incidents of asset theft, loss, or unauthorized access, and review how
they were addressed.

Step 10: Document Audit Findings

 Objective: Record and report any findings from the audit.

 Actions:

o Document any gaps, non-compliance, or weaknesses found in the IT Asset
Management process.

o Provide recommendations for improvement.

o Prepare an audit report summarizing the findings and submit it to the relevant
stakeholders.

Standard Operating Procedure (SOP) for Auditing the IT Governance Process

1. Introduction

IT Governance involves the framework, policies, and practices that ensure IT aligns with business
goals, delivers value, and manages risks effectively. Auditing this process verifies that IT governance
structures and processes are in place to support the organization’s strategic objectives and comply
with regulatory requirements.

2. Purpose

This SOP provides detailed steps for auditing the IT Governance process to ensure that IT strategies,
policies, and practices are aligned with the organization’s goals and are effectively managed and
monitored.

3. Scope

This SOP applies to the entire IT governance framework within the organization, including IT strategy,
risk management, compliance, resource management, and performance measurement.

4. Key Areas to Audit

 IT Governance Framework

 IT Strategy Alignment with Business Objectives

 IT Risk Management

 IT Compliance and Regulatory Requirements

 IT Resource Management

 IT Performance Measurement and Reporting

 IT Policies and Procedures

 IT Governance Committees and Roles

5. Step-by-Step Audit Procedure

Step 1: Understand the IT Governance Framework

 Objective: Familiarize yourself with the organization’s IT Governance framework, including
the structures, policies, and roles in place.

 Actions:

o Review the IT Governance Policy and related documents.

o Understand the organizational structure, including IT Governance committees and
roles.

o Identify key stakeholders involved in IT Governance (e.g., CIO, IT Steering Committee,
Risk Committee).

Step 2: Evaluate IT Strategy Alignment with Business Objectives

 Objective: Ensure that IT strategy is aligned with the organization’s business objectives.

 Actions:

o Review the organization’s IT strategy and its alignment with overall business goals.

o Ensure that IT projects and initiatives support business priorities and objectives.

o Check for regular review and updates to the IT strategy to reflect changing business
needs.

Step 3: Assess IT Risk Management

 Objective: Verify that IT risks are effectively identified, assessed, and managed.

 Actions:

o Review the IT risk management framework and processes.

o Ensure that IT risks are regularly identified, documented, and assessed.

o Check for the implementation of risk mitigation strategies and monitoring of key
risks.

Step 4: Review IT Compliance and Regulatory Requirements

 Objective: Confirm that IT activities comply with applicable laws, regulations, and industry
standards.

 Actions:

o Review the organization’s IT compliance framework.

o Ensure that IT systems and processes comply with relevant regulatory requirements
(e.g., data protection, cybersecurity).

o Check for any recent audits or assessments related to IT compliance and how
findings were addressed.

Step 5: Audit IT Resource Management

 Objective: Ensure that IT resources, including personnel, technology, and budgets, are
effectively managed and utilized.

 Actions:

o Review the IT resource management process, including budgeting, staffing, and
technology investments.

o Ensure that IT resources are allocated based on business priorities and strategic
goals.

o Check for any resource constraints or inefficiencies and how they are managed.

Step 6: Evaluate IT Performance Measurement and Reporting

 Objective: Verify that IT performance is regularly measured and reported to relevant
stakeholders.

 Actions:

o Review IT performance metrics and KPIs used to measure success.

o Ensure that performance reports are regularly generated and reviewed by IT
governance bodies.

o Check for actions taken based on performance analysis to improve IT services.

Step 7: Review IT Policies and Procedures

 Objective: Ensure that IT policies and procedures are well-documented, communicated, and
followed.

 Actions:

o Review the key IT policies and procedures in place.

o Ensure that these policies are regularly reviewed and updated as needed.

o Check for awareness and adherence to IT policies across the organization.

Step 8: Assess IT Governance Committees and Roles

 Objective: Confirm that IT Governance committees and roles are well-defined and function
effectively.

 Actions:

o Review the composition, roles, and responsibilities of IT governance committees
(e.g., IT Steering Committee).

o Ensure that these committees meet regularly and effectively oversee IT governance
activities.

o Check for documented decisions, actions, and follow-ups from committee meetings.

Step 9: Document Audit Findings

 Objective: Record and report any findings from the audit.

 Actions:

o Document any gaps, non-compliance, or weaknesses found in the IT Governance
process.

o Provide recommendations for improvement.

o Prepare an audit report summarizing the findings and submit it to the relevant
stakeholders.

Standard Operating Procedure (SOP) for Auditing the Business Continuity Planning (BCP) and
Disaster Recovery (DR) Process

1. Introduction

The Business Continuity Planning (BCP) and Disaster Recovery (DR) process is critical for ensuring
that the organization can continue its operations and recover IT systems and data in the event of a
disaster or significant disruption. Auditing this process ensures that the plans are effective, up-to-date,
and regularly tested.

2. Purpose

This SOP provides detailed steps for auditing the Business Continuity Planning and Disaster Recovery
process to ensure that the organization can maintain operations and quickly recover from disruptions
in compliance with organizational policies and industry best practices.

3. Scope

This SOP applies to the entire BCP and DR framework within the organization, including all critical
business processes, IT systems, data, and infrastructure that are essential for business continuity.

4. Key Areas to Audit

 Business Continuity Plan (BCP) Documentation

 Disaster Recovery Plan (DRP) Documentation

 Risk Assessment and Business Impact Analysis (BIA)

 BCP and DR Plan Testing and Exercises

 BCP and DR Plan Review and Maintenance

 Communication and Incident Response

 Backup and Restoration Alignment with DRP

 Third-Party Dependencies and SLAs

5. Step-by-Step Audit Procedure

Step 1: Understand the BCP and DR Framework

 Objective: Familiarize yourself with the organization’s BCP and DR framework, including
policies, plans, and roles in place.

 Actions:

o Review the BCP and DR Policies and related documents.

o Understand the organizational structure, including the roles and responsibilities of
BCP and DR teams.

o Identify key stakeholders involved in BCP and DR (e.g., BCP Coordinator, IT DR Team).

Step 2: Review BCP Documentation

 Objective: Ensure that the Business Continuity Plan is comprehensive and up-to-date.

 Actions:

o Review the BCP to ensure it covers all critical business functions and processes.

o Verify that the BCP includes detailed recovery strategies, resource requirements, and
continuity procedures.

o Ensure that the BCP is regularly reviewed and updated to reflect changes in the
business environment.

Step 3: Review DRP Documentation

 Objective: Ensure that the Disaster Recovery Plan is comprehensive and up-to-date.

 Actions:

o Review the DRP to ensure it covers all critical IT systems, data, and infrastructure.

o Verify that the DRP includes detailed recovery procedures, RTO (Recovery Time
Objective), and RPO (Recovery Point Objective).

o Ensure that the DRP is regularly reviewed and updated to reflect changes in the IT
environment.

Step 4: Assess Risk Assessment and Business Impact Analysis (BIA)

 Objective: Confirm that risk assessments and BIAs are conducted to identify potential threats
and their impact on business operations.

 Actions:

o Review the risk assessment process to ensure all potential risks are identified and
documented.

o Verify that a Business Impact Analysis (BIA) has been conducted to prioritize critical
business functions and processes.

o Ensure that the findings from risk assessments and BIA are incorporated into the BCP
and DRP.

Step 5: Evaluate BCP and DR Plan Testing and Exercises

 Objective: Verify that BCP and DR plans are regularly tested through drills and exercises.

 Actions:

o Review the schedule and results of BCP and DR plan tests, including tabletop
exercises and full-scale drills.

o Ensure that test results are documented, and any gaps or issues identified during
testing are addressed.

o Check for participation and involvement of relevant teams in the testing exercises.

Step 6: Review BCP and DR Plan Review and Maintenance

 Objective: Ensure that BCP and DR plans are regularly reviewed and maintained.

 Actions:

o Review the process for updating BCP and DR plans to ensure they reflect current
business and IT environments.

o Verify that plans are reviewed periodically and after significant changes or incidents.

o Check that plan updates are communicated to all relevant stakeholders.

Step 7: Audit Communication and Incident Response

 Objective: Ensure that there is an effective communication strategy and incident response
plan in place.

 Actions:

o Review the communication plan for notifying stakeholders during a disruption or
disaster.

o Verify that incident response procedures are well-documented and include roles,
responsibilities, and escalation paths.

o Ensure that communication tools and channels are tested regularly.

Step 8: Evaluate Backup and Restoration Alignment with DRP

 Objective: Confirm that backup and restoration processes align with the DRP.

 Actions:

o Review backup schedules, storage locations, and restoration procedures to ensure
alignment with DR objectives.

o Verify that critical data and systems can be restored within the RTO and RPO defined
in the DRP.

o Ensure that backups are regularly tested for integrity and restoration capability.

Step 9: Review Third-Party Dependencies and SLAs

 Objective: Ensure that third-party dependencies are managed and SLAs are in place to
support BCP and DR.

 Actions:

o Review contracts and SLAs with third-party vendors to ensure they include provisions
for business continuity and disaster recovery.

o Verify that third-party DR capabilities are tested and align with the organization’s
DRP.

o Ensure that critical third-party dependencies are identified and managed as part of
the BCP.

Step 10: Document Audit Findings

 Objective: Record and report any findings from the audit.

 Actions:

o Document any gaps, non-compliance, or weaknesses found in the BCP and DR
process.

o Provide recommendations for improvement.

o Prepare an audit report summarizing the findings and submit it to the relevant
stakeholders.
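Step 8 above asks whether the backup schedule and the restore tests actually satisfy the RTO and RPO written in the DRP. The script below is an added example, not part of this SOP; the objectives, backup log, restore-test records and the 90-day maximum test age are constructed assumptions, and it treats a failed backup job as widening the effective RPO (the worst-case data-loss window).

```python
from datetime import date, datetime

# Constructed DRP objectives per system, as an auditor would lift them from the DRP.
DRP_OBJECTIVES = {
    "erp-db": {"rto_hours": 4, "rpo_hours": 1},
    "fileshare": {"rto_hours": 24, "rpo_hours": 24},
}

# Constructed backup job log: (system, completion time, job succeeded).
BACKUP_LOG = [
    ("erp-db", "2024-05-01T20:00", True),
    ("erp-db", "2024-05-01T21:00", True),
    ("erp-db", "2024-05-01T22:00", False),   # failed run: widens the data-loss window
    ("erp-db", "2024-05-01T23:00", True),
    ("fileshare", "2024-04-30T23:00", True),
    ("fileshare", "2024-05-01T23:00", True),
]

# Constructed restore-test records: (system, test date, minutes to restore, integrity verified).
RESTORE_TESTS = [
    ("erp-db", "2024-03-15", 300, True),
    ("fileshare", "2024-01-10", 90, False),
]

# Constructed audit date (point in time at which the evidence was collected).
AS_OF = datetime.fromisoformat("2024-05-02T00:00")


def effective_rpo_hours(system, backup_log, as_of):
    """Worst-case data-loss window in hours: the largest gap between consecutive
    successful backups, including the gap from the last success up to `as_of`.
    Returns None when the system has no successful backup at all."""
    successes = sorted(datetime.fromisoformat(ts)
                       for name, ts, ok in backup_log if name == system and ok)
    if not successes:
        return None
    gaps = [later - earlier for earlier, later in zip(successes, successes[1:])]
    gaps.append(as_of - successes[-1])
    return max(gaps).total_seconds() / 3600


def assess_system(system, objectives, backup_log, restore_tests, as_of,
                  max_test_age_days=90):
    """Return the audit issues for one system. `max_test_age_days` is an assumed
    audit parameter: the SOP asks for 'regular' testing without giving a number."""
    issues = []
    rpo = effective_rpo_hours(system, backup_log, as_of)
    if rpo is None:
        issues.append("no successful backup on record")
    elif rpo > objectives["rpo_hours"]:
        issues.append(f"effective RPO {rpo:.1f}h exceeds DRP RPO {objectives['rpo_hours']}h")

    tests = [t for t in restore_tests if t[0] == system]
    if not tests:
        issues.append("restore capability never tested")
        return issues
    # Judge the most recent test only; ISO dates sort correctly as strings.
    _, tested_on, minutes, verified = max(tests, key=lambda t: t[1])
    age_days = (as_of.date() - date.fromisoformat(tested_on)).days
    if age_days > max_test_age_days:
        issues.append(f"last restore test is {age_days} days old (limit {max_test_age_days})")
    if minutes / 60 > objectives["rto_hours"]:
        issues.append(f"last restore took {minutes / 60:.1f}h, above DRP RTO {objectives['rto_hours']}h")
    if not verified:
        issues.append("last restore test did not verify data integrity")
    return issues


def assess_all(objectives, backup_log, restore_tests, as_of):
    """Map each system named in the DRP to its list of issues (empty = meets objectives)."""
    return {name: assess_system(name, obj, backup_log, restore_tests, as_of)
            for name, obj in objectives.items()}


if __name__ == "__main__":
    for name, issues in assess_all(DRP_OBJECTIVES, BACKUP_LOG, RESTORE_TESTS, AS_OF).items():
        print(name, "->", issues or ["meets DRP objectives"])
```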

Standard Operating Procedure (SOP) for Auditing System Hardening

1. Introduction

Auditing system hardening involves evaluating the security configurations of systems to ensure they
are adequately protected against vulnerabilities and unauthorized access. This SOP outlines the steps
to audit system hardening measures, ensuring compliance with security policies and best practices.

2. Purpose

The purpose of this SOP is to provide a structured approach for auditing system hardening
procedures. It aims to identify gaps, assess the effectiveness of hardening measures, and ensure that
systems are configured securely to minimize risks.

3. Scope

This SOP applies to the auditing of all IT systems within the organization, including servers,
workstations, network devices, and applications. It covers the evaluation of system hardening
processes, configurations, and adherence to security standards.

4. Key Areas to Audit

 System Inventory and Baseline Configuration

 Operating System Hardening

 Application and Service Hardening

 Network Configuration Hardening

 User Account and Access Control

 Patch Management and Updates

 Logging and Monitoring

 Backup and Recovery Procedures

5. Step-by-Step Audit Procedure

Step 1: Plan the Audit

 Objective: Define the scope and objectives of the system hardening audit.

 Actions:

o Review the organization's security policies, standards, and hardening guidelines.

o Identify the systems and environments to be audited.

o Define the audit timeline, resources, and stakeholders involved.

o Prepare an audit plan outlining the key areas and controls to be tested.

Step 2: Review System Inventory and Baseline Configuration

 Objective: Ensure that a comprehensive inventory of systems exists and baseline
configurations are established.

 Actions:

o Obtain the system inventory and verify its completeness and accuracy.

o Review baseline configurations for systems to ensure they reflect secure settings.

o Compare current system configurations against the established baselines to identify
deviations.

Step 3: Evaluate Operating System Hardening

 Objective: Assess the effectiveness of operating system hardening measures.

 Actions:

o Review operating system settings for compliance with hardening benchmarks (e.g.,
CIS Benchmarks).

o Verify that unnecessary services, features, and default accounts are disabled or
removed.

o Check file system permissions to ensure critical directories and files are secured.

Step 4: Assess Application and Service Hardening

 Objective: Verify that applications and services are securely configured.

 Actions:

o Review installed applications to ensure only necessary software is present.

o Check that applications and services are configured with secure settings, including
authentication and encryption.

o Evaluate the removal of default credentials and the application of secure password
policies.

Step 5: Audit Network Configuration Hardening

 Objective: Ensure that network configurations are hardened to protect against external and
internal threats.

 Actions:

o Review firewall and network device configurations to ensure they restrict access
appropriately.

o Verify that unnecessary network protocols and ports are disabled.

o Assess the use of secure communication channels (e.g., SSH, SSL/TLS).

Step 6: Evaluate User Account and Access Controls

 Objective: Assess the management of user accounts and access permissions.

 Actions:

o Review user accounts to ensure they are unique, necessary, and have the least
privilege.

o Check that strong authentication methods are in place, including multi-factor
authentication where applicable.

o Verify the regular review and removal of inactive or unnecessary accounts.

Step 7: Review Patch Management and Updates

 Objective: Confirm that systems are regularly updated with security patches.

 Actions:

o Review the patch management process and schedules.

o Verify that critical patches and updates are applied promptly to all systems.

o Check for any missing patches or outdated software versions that could pose security
risks.
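Steps 2 to 7 above reduce to one recurring test: compare the evidence collected from a host against the hardening baseline and record each deviation as a finding tied to the step it belongs to. The script below is an added example, not part of this SOP or of any tool it names; the baseline keys, the snapshot layout and every value in them are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed hardening baseline, loosely modelled on the checks the SOP lists
# (services, listening ports, file permissions, accounts, patch levels).
BASELINE = {
    "prohibited_services": {"telnet", "rsh", "vsftpd"},
    "allowed_ports": {22, 443},
    "file_modes": {"/etc/shadow": 0o640, "/etc/ssh/sshd_config": 0o600},
    "default_accounts": {"guest", "admin"},     # must be disabled or removed
    "max_inactive_days": 90,
    "min_versions": {"openssl": "3.0.13", "openssh": "9.6"},
}

# Constructed evidence snapshot for one host (all values invented).
SNAPSHOT = {
    "host": "srv-app-01",
    "services_enabled": ["sshd", "telnet", "cron"],
    "listening_ports": [22, 443, 8080],
    "file_modes": {"/etc/shadow": 0o644, "/etc/ssh/sshd_config": 0o600},
    "accounts": [
        {"name": "guest", "enabled": True, "admin": False, "inactive_days": 400, "mfa": False},
        {"name": "alice", "enabled": True, "admin": True, "inactive_days": 3, "mfa": True},
        {"name": "bob", "enabled": True, "admin": True, "inactive_days": 12, "mfa": False},
        {"name": "svc_old", "enabled": True, "admin": False, "inactive_days": 120, "mfa": False},
    ],
    "packages": {"openssl": "3.0.10", "openssh": "9.6"},
}


@dataclass(frozen=True)
class Finding:
    step: str       # SOP step the deviation belongs to
    severity: str
    detail: str


def parse_version(text: str) -> tuple:
    """Turn '3.0.10' or '9.6p1' into a comparable tuple of ints ('9.6p1' -> (9, 6))."""
    return tuple(int(m.group()) for m in (re.match(r"\d+", p) for p in text.split(".")) if m)


def audit_host(snapshot: dict, baseline: dict) -> list:
    """Return one Finding per deviation of the snapshot from the baseline."""
    findings = []

    def add(step, severity, detail):
        findings.append(Finding(step, severity, f"{snapshot['host']}: {detail}"))

    # Step 3: unnecessary services, default accounts and file permissions
    for svc in snapshot["services_enabled"]:
        if svc in baseline["prohibited_services"]:
            add("Step 3", "high", f"prohibited service enabled: {svc}")
    for path, max_mode in baseline["file_modes"].items():
        mode = snapshot["file_modes"].get(path)
        if mode is None:
            add("Step 3", "medium", f"no permission evidence for {path}")
        elif mode & ~max_mode & 0o7777:   # any permission bit set beyond the baseline
            add("Step 3", "high", f"{path} mode {mode:04o} exceeds baseline {max_mode:04o}")

    # Step 5: listening ports outside the allowlist
    for port in snapshot["listening_ports"]:
        if port not in baseline["allowed_ports"]:
            add("Step 5", "medium", f"unexpected listening port {port}")

    # Step 3 / Step 6: enabled default accounts, stale accounts, admins without MFA
    for acct in snapshot["accounts"]:
        if not acct["enabled"]:
            continue
        if acct["name"] in baseline["default_accounts"]:
            add("Step 3", "high", f"default account still enabled: {acct['name']}")
        if acct["inactive_days"] > baseline["max_inactive_days"]:
            add("Step 6", "medium", f"account inactive {acct['inactive_days']} days: {acct['name']}")
        if acct["admin"] and not acct["mfa"]:
            add("Step 6", "high", f"privileged account without MFA: {acct['name']}")

    # Step 7: packages below the minimum patched version
    for pkg, minimum in baseline["min_versions"].items():
        installed = snapshot["packages"].get(pkg)
        if installed is None:
            add("Step 7", "medium", f"package {pkg} not found in evidence")
        elif parse_version(installed) < parse_version(minimum):
            add("Step 7", "high", f"{pkg} {installed} below required {minimum}")
    return findings


if __name__ == "__main__":
    for f in audit_host(SNAPSHOT, BASELINE):
        print(f"[{f.severity:6}] {f.step}: {f.detail}")
```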

Standard Operating Procedure (SOP) for Auditing IT Vendor Management

1. Introduction

IT Vendor Management involves overseeing third-party vendors that provide IT services, software,
hardware, or support. Effective vendor management is crucial to ensure that vendors meet
contractual obligations, maintain security standards, and mitigate risks associated with outsourcing.
Auditing IT Vendor Management ensures that the organization manages vendor relationships
effectively, minimizes risks, and complies with policies and regulations.

2. Purpose

This SOP provides a structured approach for auditing the IT Vendor Management process to verify
that vendors are managed in line with the organization’s policies, contractual terms, and best
practices. The audit aims to assess the effectiveness of vendor selection, performance monitoring,
risk management, and compliance with agreements.

3. Scope

This SOP applies to the audit of all IT vendor management activities within the organization,
including vendor selection, onboarding, performance monitoring, risk assessment, compliance, and
contract management.

4. Key Areas to Audit

 Vendor Selection and Onboarding

 Contract Management and Compliance

 Performance Monitoring and Reporting

 Risk Assessment and Management

 Data Security and Privacy

 Incident Management and Escalation Procedures

 Vendor Offboarding and Contract Termination

5. Step-by-Step Audit Procedure

Step 1: Plan the Audit

 Objective: Define the scope and objectives of the IT Vendor Management audit.

 Actions:

o Review the organization's vendor management policies, procedures, and standards.

o Identify key vendors and IT services outsourced to third parties.

o Define the audit timeline, resources, and stakeholders involved.

o Prepare an audit plan outlining the key areas and controls to be evaluated.

Step 2: Review Vendor Selection and Onboarding

 Objective: Ensure that vendor selection and onboarding processes are thorough and aligned
with organizational standards.

 Actions:

o Review the criteria and processes used for selecting IT vendors.

o Verify that due diligence, including financial, security, and compliance checks, is
performed before vendor onboarding.

o Check that vendor onboarding includes a review of relevant contracts, service level
agreements (SLAs), and security requirements.

Step 3: Evaluate Contract Management and Compliance

 Objective: Assess the management of vendor contracts to ensure compliance with terms and
regulatory requirements.

 Actions:

o Review a sample of vendor contracts to verify they include clear terms, conditions,
SLAs, and security requirements.

o Check that contracts are reviewed and updated regularly to reflect any changes in
scope or requirements.

o Verify that compliance with contractual terms, including SLAs and regulatory
obligations, is monitored and enforced.

Step 4: Assess Performance Monitoring and Reporting

 Objective: Confirm that vendor performance is regularly monitored and reported to ensure
services meet expectations.

 Actions:

o Review the process for monitoring vendor performance against agreed SLAs and key
performance indicators (KPIs).

o Check that performance reports are regularly generated, reviewed, and
communicated to relevant stakeholders.

o Verify that issues with vendor performance are identified, documented, and
addressed promptly.

Step 5: Evaluate Risk Assessment and Management

 Objective: Ensure that risks associated with IT vendors are identified, assessed, and
managed effectively.

 Actions:

o Review the risk assessment process for IT vendors to confirm that potential risks are
identified and documented.

o Verify that risk assessments are updated periodically and after significant changes
(e.g., changes in vendor services or market conditions).

o Check that risk mitigation measures are in place and regularly reviewed for
effectiveness.

Step 6: Review Data Security and Privacy

 Objective: Assess the protection of data handled by IT vendors to ensure compliance with
data security and privacy requirements.

 Actions:

o Verify that data security requirements are clearly defined in vendor contracts and
SLAs.

o Review vendor security practices to ensure they align with organizational standards
and regulatory requirements.

o Check that data privacy agreements are in place, especially when vendors handle
sensitive or personal data.

Step 7: Audit Incident Management and Escalation Procedures

 Objective: Ensure that vendors have effective incident management and escalation
procedures.

 Actions:

o Review vendor incident management policies to confirm they include detection,
reporting, and response procedures.

o Verify that incidents involving IT vendors are reported in a timely manner and
escalated according to defined protocols.

o Check that incident resolution is tracked and that corrective actions are
implemented.

Step 8: Evaluate Vendor Offboarding and Contract Termination

 Objective: Assess the processes for offboarding vendors and terminating contracts to ensure
proper closure and data protection.

 Actions:

o Review the offboarding process to verify that access to systems and data is promptly
revoked upon contract termination.

o Check that final assessments are conducted to ensure all contractual obligations,
including return or deletion of data, are fulfilled.

o Verify that lessons learned from vendor offboarding are documented and used to
improve vendor management practices.

Step 9: Document and Report Audit Findings

 Objective: Record and communicate the results of the IT Vendor Management audit.

 Actions:

o Document all findings, including gaps, non-compliance, or weaknesses in vendor
management practices.

o Provide recommendations for addressing identified issues and improving the vendor
management process.

o Prepare a comprehensive audit report and present it to relevant stakeholders for
review and action.

Standard Operating Procedure (SOP) for Auditing Endpoint Security, VPN, AV, DLP, AD, and Email
Security

1. Introduction

This SOP outlines the steps for auditing key security areas, including Endpoint Security, Virtual Private
Networks (VPNs), Antivirus (AV) solutions, Data Loss Prevention (DLP) systems, Active Directory (AD),
and Email Security. These components are essential for protecting organizational assets from cyber
threats and ensuring compliance with security standards and regulations.

2. Purpose

The purpose of this SOP is to provide a structured approach for auditing the security controls in place
for endpoints, VPNs, AV, DLP, AD, and email systems. The audit aims to identify gaps, assess the
effectiveness of the security measures, and ensure that these controls are properly managed and
maintained.

3. Scope

This SOP applies to the audit of all systems and processes related to Endpoint Security, VPN, AV, DLP,
AD, and Email Security within the organization. It covers the evaluation of configurations, policies,
monitoring, and compliance with security standards.

4. Key Areas to Audit

 Endpoint Security Controls

 VPN Configuration and Management

 Antivirus Deployment and Management

 Data Loss Prevention (DLP) Controls

 Active Directory (AD) Security

 Email Security Controls

5. Step-by-Step Audit Procedure

Step 1: Plan the Audit

 Objective: Define the scope and objectives of the security audit.

 Actions:

o Review the organization's security policies and standards related to Endpoint
Security, VPN, AV, DLP, AD, and Email Security.

o Identify the systems, applications, and environments to be audited.

o Define the audit timeline, resources, and stakeholders involved.

o Prepare an audit plan outlining the key areas and controls to be evaluated.

Step 2: Audit Endpoint Security Controls

 Objective: Ensure that endpoint security measures are implemented and effective.

 Actions:

o Review the endpoint security policy to verify it covers all required aspects, including
device management, patching, and threat detection.

o Check that endpoint protection solutions (e.g., EDR, antivirus) are deployed across all
devices.

o Assess the configuration of endpoint security tools for compliance with best
practices (e.g., real-time scanning, regular updates).

o Verify that endpoints are regularly scanned for vulnerabilities and that identified
risks are mitigated.

Step 3: Evaluate VPN Configuration and Management

 Objective: Assess the security of VPN configurations and management processes.

 Actions:

o Review VPN policies to ensure they enforce secure connections, strong
authentication, and encryption.

o Verify that VPN access is restricted to authorized users and devices only.

o Check the VPN configuration for compliance with security standards, including the
use of secure protocols (e.g., IPsec, SSL/TLS).

o Assess the monitoring and logging of VPN connections to identify unauthorized
access attempts.

Step 4: Review Antivirus (AV) Deployment and Management

 Objective: Confirm that antivirus solutions are effectively deployed and managed.

 Actions:

o Check that AV solutions are installed on all endpoints, servers, and other critical
systems.

o Verify that AV definitions are updated regularly and that the solution is configured
for automatic updates.

o Review AV policies to ensure they include scheduled scans, real-time protection, and
incident response procedures.

o Assess the reporting and alerting capabilities of AV solutions to detect and respond
to threats promptly.

Step 5: Assess Data Loss Prevention (DLP) Controls

 Objective: Evaluate the effectiveness of DLP controls in preventing data breaches and
unauthorized data transfers.

 Actions:

o Review the DLP policy to ensure it covers critical data protection requirements,
including data classification, monitoring, and control.

o Verify that DLP solutions are configured to monitor and control data movement
across endpoints, networks, and cloud services.

o Assess the effectiveness of DLP rules and alerts in detecting and preventing
unauthorized data transfers.

o Check that DLP incidents are logged, reviewed, and responded to according to
established procedures.

Step 6: Audit Active Directory (AD) Security

 Objective: Ensure that AD is securely configured and managed to protect access to
organizational resources.

 Actions:

o Review AD configurations for compliance with security best practices, including
password policies, account management, and access controls.

o Verify that privileged accounts are strictly managed and that administrative access is
limited to authorized personnel only.

o Check for the implementation of multi-factor authentication (MFA) for AD access,
especially for privileged accounts.

o Assess the logging and monitoring of AD activities, including changes to user
accounts, group memberships, and security settings.

Step 7: Review Email Security Controls

 Objective: Evaluate the security measures in place to protect email communication from
threats such as phishing, malware, and spam.

 Actions:

o Review the email security policy to ensure it includes measures for filtering,
encryption, and threat detection.

o Verify that email security solutions (e.g., secure email gateways, anti-phishing tools)
are deployed and configured according to best practices.

o Check that email communication is encrypted using secure protocols (e.g., TLS) and
that sensitive information is protected.

o Assess the monitoring of email traffic and the response to detected threats or
suspicious activities.

Step 8: Document and Report Audit Findings

 Objective: Record and communicate the results of the security audit.

 Actions:

o Document all findings, including gaps, non-compliance, or weaknesses in security
controls.

o Provide recommendations for addressing identified issues and improving security
measures.

o Prepare a comprehensive audit report and present it to relevant stakeholders for
review and action.
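Step 6 above (logging and monitoring of AD group-membership changes) is usually tested by reconciling every addition to a privileged group recorded in the security log against the approved access requests. The script below is an added example, not part of this SOP; the event extract and its layout, the ticket records, the privileged-group list and the audit date are constructed assumptions (only the Windows Security event IDs for group-membership add and remove events are real).

```python
from datetime import date, datetime

# Windows Security event IDs: member added to / removed from a security-enabled
# global (4728/4729), local (4732/4733) and universal (4756/4757) group.
ADD_EVENT_IDS = {4728, 4732, 4756}
REMOVE_EVENT_IDS = {4729, 4733, 4757}

# Assumed list of groups whose membership changes require an approved ticket.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed, simplified extract of security-log events (real exports carry more fields).
AD_EVENTS = [
    {"time": "2024-05-06T09:12", "id": 4728, "group": "Domain Admins", "member": "jdoe", "actor": "admin.ops"},
    {"time": "2024-05-06T09:15", "id": 4728, "group": "Domain Admins", "member": "svc-backup", "actor": "admin.ops"},
    {"time": "2024-05-07T18:40", "id": 4732, "group": "Administrators", "member": "tmp-contractor", "actor": "admin.ops"},
    {"time": "2024-05-08T10:02", "id": 4756, "group": "Enterprise Admins", "member": "ksmith", "actor": "SYSTEM"},
    {"time": "2024-05-08T11:30", "id": 4728, "group": "Sales-Users", "member": "newhire", "actor": "helpdesk"},
    {"time": "2024-05-09T08:00", "id": 4729, "group": "Domain Admins", "member": "jdoe", "actor": "admin.ops"},
]

# Constructed approved access requests exported from the ticketing system.
APPROVED_CHANGES = [
    {"ticket": "CHG-1001", "group": "Domain Admins", "member": "jdoe", "approved_by": "ciso", "valid_until": "2024-05-10"},
    {"ticket": "CHG-1002", "group": "Enterprise Admins", "member": "ksmith", "approved_by": "", "valid_until": "2024-06-01"},
]

# Constructed audit date.
AS_OF = date(2024, 6, 15)


def reconcile(events, approved, as_of):
    """Return one finding string per privileged-group addition that is not fully
    covered by an approved, valid ticket, or whose temporary grant outlived its ticket."""
    findings = []
    # (group, member) pairs for which a removal event exists at all.
    removals = {(e["group"], e["member"]) for e in events if e["id"] in REMOVE_EVENT_IDS}

    for e in events:
        if e["id"] not in ADD_EVENT_IDS or e["group"] not in PRIVILEGED_GROUPS:
            continue   # removals and non-privileged groups are out of scope here
        key = (e["group"], e["member"])
        label = f"{e['member']} added to {e['group']} at {e['time']} by {e['actor']}"
        ticket = next((t for t in approved if (t["group"], t["member"]) == key), None)
        if ticket is None:
            findings.append(f"{label}: no approved access request")
            continue
        if not ticket["approved_by"]:
            findings.append(f"{label}: ticket {ticket['ticket']} has no recorded approver")
        expiry = date.fromisoformat(ticket["valid_until"])
        if datetime.fromisoformat(e["time"]).date() > expiry:
            findings.append(f"{label}: ticket {ticket['ticket']} had already expired on {expiry}")
        if as_of > expiry and key not in removals:
            findings.append(f"{label}: ticket {ticket['ticket']} expired on {expiry} "
                            "but no removal event is recorded")
    return findings


if __name__ == "__main__":
    for line in reconcile(AD_EVENTS, APPROVED_CHANGES, AS_OF):
        print(line)
```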

Standard Operating Procedure (SOP) for Auditing IT Human Resources

1. Introduction

The IT Human Resources (HR) function manages the recruitment, development, and retention of IT
personnel. Auditing IT HR processes ensures that these practices align with organizational goals,
comply with legal and regulatory requirements, and support a secure and efficient IT environment.

2. Purpose

This SOP provides a structured approach for auditing IT HR processes to verify that the recruitment,
management, and retention of IT staff are conducted in accordance with established policies and
best practices. The audit aims to identify gaps, assess the effectiveness of HR processes, and ensure
compliance with relevant regulations.

3. Scope

This SOP applies to the audit of all HR processes related to IT personnel within the organization,
including recruitment, onboarding, training, performance management, access control, and
offboarding.

4. Key Areas to Audit

 Recruitment and Hiring Processes

 Onboarding and Training

 Performance Management and Evaluation

 Access Control and Privilege Management

 Compliance with HR Policies and Regulations

 Offboarding and Exit Procedures

5. Step-by-Step Audit Procedure

Step 1: Plan the Audit

 Objective: Define the scope and objectives of the IT HR audit.

 Actions:

o Review the organization’s HR policies, procedures, and standards related to IT
personnel.

o Identify key HR processes, including recruitment, onboarding, and offboarding, to be
audited.

o Define the audit timeline, resources, and stakeholders involved.

o Prepare an audit plan outlining the key areas and controls to be evaluated.

Step 2: Review Recruitment and Hiring Processes

 Objective: Ensure that recruitment and hiring practices for IT positions are effective and
compliant with policies.

 Actions:

o Review the recruitment process to verify it includes clear job descriptions, required
qualifications, and skills assessments.

o Check that background checks, reference verifications, and relevant screenings (e.g.,
security clearances) are conducted for all IT hires.

o Assess the use of standardized interview processes and evaluation criteria to ensure
fair and consistent hiring practices.

Step 3: Evaluate Onboarding and Training

 Objective: Assess the onboarding and training processes for IT personnel to ensure they are
well-prepared for their roles.

 Actions:

o Review the onboarding process to ensure it includes comprehensive orientation and
introduction to organizational policies and security protocols.

o Verify that IT-specific training, including security awareness and technical training, is
provided during onboarding.

o Check that training records are maintained and that ongoing training requirements
are identified and fulfilled.

Step 4: Assess Performance Management and Evaluation

 Objective: Confirm that performance management processes are in place and effectively
evaluate IT staff performance.

 Actions:

o Review the performance evaluation criteria and processes used for IT personnel.

o Verify that performance reviews are conducted regularly and that feedback is
documented.

o Assess the alignment of performance goals with organizational objectives and the
role-specific responsibilities of IT staff.

Step 5: Audit Access Control and Privilege Management

 Objective: Ensure that access controls are properly managed for IT personnel to protect
sensitive information and systems.

 Actions:

o Review the access provisioning process to verify that access rights are granted based
on the principle of least privilege.

o Check that access reviews are conducted at a defined frequency, that reviewers confirm
the appropriateness of each IT employee's access level, and that evidence of the review and
of any resulting removals is retained.

o Verify that changes in job roles or responsibilities prompt updates to access rights
and permissions.

Step 6: Evaluate Compliance with HR Policies and Regulations

 Objective: Assess compliance with HR policies, labor laws, and regulatory requirements
related to IT personnel.

 Actions:

o Review HR policies to ensure they are up-to-date and compliant with applicable
regulations, such as data privacy and employment laws.

o Verify that HR records, including employment contracts and personal data, are
maintained securely and in compliance with data protection regulations.

o Check that HR practices, including leave management and employee benefits,
comply with organizational policies and legal requirements.

Step 7: Review Offboarding and Exit Procedures

 Objective: Ensure that offboarding processes are effective in protecting organizational assets
and information.

 Actions:

o Review the offboarding process to verify that access to systems and data is revoked
promptly (no later than the departure date) for departing IT personnel, and that the
revocation is evidenced, for example by deprovisioning records or a sample of disabled
accounts.

o Check that exit interviews are conducted, and that feedback is documented and used
for continuous improvement.

o Assess the retrieval and secure handling of company property, including devices and
access cards.
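Added example, not part of the SOP: Steps 5 and 7 are normally tested by reconciling the HR roster against an export from the identity store, so that terminated staff with live accounts, accounts with no HR owner, entitlements beyond the person's role (the "job change" case), and stale accounts all surface in one pass. The two CSV extracts, the column layout, the role-to-group entitlement model, the 90-day staleness threshold and the audit date are all constructed assumptions for this example; real HRIS and directory exports will need their columns mapped onto this shape.

```python
"""Reconcile an HR roster export against an identity-store export.

Added example for the access-control and offboarding audit steps; not the SOP's
own procedure. All data below is constructed for illustration.
"""

import csv
import io
from datetime import date, timedelta

# Constructed HR roster extract (one row per person).
HR_CSV = """employee_id,name,role,status,termination_date
E100,Alice Example,DBA,active,
E101,Bob Example,Helpdesk,active,
E102,Carol Example,Sysadmin,terminated,2024-03-01
E103,Dan Example,Developer,active,
"""

# Constructed identity-store extract (one row per account).
IAM_CSV = """username,employee_id,groups,enabled,last_login
alice,E100,db-admins;vpn-users,true,2024-03-20
bob,E101,helpdesk;domain-admins,true,2024-03-21
carol,E102,sysadmins;vpn-users,true,2024-02-28
dan,E103,developers,true,2023-09-01
svc-backup,,backup-operators,true,2023-01-15
"""

# Assumed entitlement model: the groups each role is entitled to, and which groups
# count as privileged for severity rating.
ROLE_ENTITLEMENTS = {
    "DBA": {"db-admins", "vpn-users"},
    "Helpdesk": {"helpdesk"},
    "Sysadmin": {"sysadmins", "vpn-users"},
    "Developer": {"developers"},
}
PRIVILEGED_GROUPS = {"domain-admins", "db-admins", "sysadmins", "backup-operators"}
STALE_AFTER = timedelta(days=90)   # assumed threshold for an unused account
AS_OF = date(2024, 3, 31)          # constructed audit date


def load(csv_text):
    """Parse a CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(hr_rows, iam_rows, as_of):
    """Return sorted (severity, username, finding) tuples for every exception found."""
    roster = {row["employee_id"]: row for row in hr_rows}
    findings = []
    for account in iam_rows:
        user = account["username"]
        groups = set(filter(None, account["groups"].split(";")))
        enabled = account["enabled"].lower() == "true"
        last_login = date.fromisoformat(account["last_login"])
        person = roster.get(account["employee_id"])

        # Orphaned account: nobody in HR owns it (leaver, typo, or unregistered service account).
        if person is None:
            severity = "high" if groups & PRIVILEGED_GROUPS else "medium"
            findings.append((severity, user, "no HR owner on record (orphaned or service account)"))
            continue

        # Leaver still active: offboarding did not revoke access.
        if person["status"] == "terminated" and enabled:
            days = (as_of - date.fromisoformat(person["termination_date"])).days
            findings.append(("high", user, f"account still enabled {days} days after termination"))

        # Entitlements beyond the role: least-privilege breach or a role change not reflected.
        extra = groups - ROLE_ENTITLEMENTS.get(person["role"], set())
        if extra:
            severity = "high" if extra & PRIVILEGED_GROUPS else "low"
            findings.append((severity, user, f"groups beyond role '{person['role']}': {sorted(extra)}"))

        # Stale but enabled: not used within the threshold, so should be reviewed or disabled.
        if enabled and as_of - last_login > STALE_AFTER:
            findings.append(("medium", user, f"no login since {last_login} (stale account)"))
    return sorted(findings)


def run_audit():
    """Run the reconciliation over the constructed extracts as of AS_OF."""
    return reconcile(load(HR_CSV), load(IAM_CSV), AS_OF)


if __name__ == "__main__":
    for severity, user, message in run_audit():
        print(f"[{severity}] {user}: {message}")
```

Each tuple returned maps directly onto a working-paper finding; the sample data is built so that one account (alice) is clean and each of the other four trips a different test.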

Step 8: Document and Report Audit Findings

 Objective: Record and communicate the results of the IT HR audit.

 Actions:

o Document all findings, including gaps, non-compliance, or weaknesses in HR
processes related to IT personnel.

o Provide recommendations for addressing identified issues and improving HR
practices.

o Prepare a comprehensive audit report and present it to relevant stakeholders for
review and action.
