Abstract
Cybercrime, data breaches, and fraud represent evils that significantly threaten businesses. Companies have, in the past, lost much to these crimes and, hence, must come up with plans to prevent such future occurrences. In this paper, the processes information technology security audits entail and how such audits enhance organizational IT security will be dealt with. According to research on the subject, IT security auditing constitutes a significant step in the safeguarding of corporate data against cybercrime, data breaches, and fraud. It must be performed from time to time in the form of a methodical analysis by an outside specialist on compliance, for identifying any chinks in the armor of the company's information technology system.

Introduction

ICT advancements have meant the availability of vast quantities of data, which also creates considerable risks to the data itself, computer systems, and critical infrastructures and operations it supports. Despite developments in information security, numerous information systems continue to display susceptibility to both external and internal breaches (Suduc, Bîzoi & Filip, 2010). Internal information security auditing enhances the likelihood of implementation of suitable security measures for averting such breaches and reducing their adverse impacts.

Security risks

Two classes of risks exist, against which corporate information systems require protection: logical and physical. The latter, more to do with devices as compared to the actual information system, encompasses natural calamities like floods, earthquakes, typhoons, among others, terror attacks, vandalism, fire outbreak, illegal tampering, power surges, and break-ins. Vlad and Lenghel (2017) put forward a collection of controls defending information systems from such physical threats.

The controls include different kinds of locks, hardware insurance coverage, and coverage of information recreation costs, having processes in place for everyday data and information system backups, tested, state-of-the-art disaster recovery interventions, and rotation and off-site backup data storage in a secure place. Logical risks denote illegal access and purposeful or inadvertent modification or destruction of information or the whole information system. Such threats may be reduced using logical security controls, limiting user system accessibility, and averting unauthorized system access. All of the precautions above prove ever more salient when one is dealing with central information systems.

Suduc and colleagues (2010) claim that modern-day corporations need to deal with the following major kinds of information technology risks: availability, security, compliance, and performance risks. Security risks constitute accessing data without permission, including information leakage, fraud, endpoint security, and data privacy. This class also encompasses broad threats from external sources (e.g., viruses), and more focused attacks on particular users, data, or applications. A survey performed by Ernst and Young revealed security incidents costing as much as 17-28 million dollars per case to organizations (Suduc et al., 2010). A second study conducted over 13 years using the assistance of a total of 522 American IT security experts revealed virus incidents as being the most frequent risk (49 percent of respondent firms). The next most commonly occurring event was insider network abuse (44 percent) and, subsequently, mobile device (including laptop) theft (42 percent) (Suduc et al., 2010). Even corporate security measures concentrate on external threats owing to their disturbingly high incidence (sometimes more than half the sum total of risks) and to their origins lying in legal network use.

Audit for IS Security

Khan (2017) reports that despite significant developments in the field of information security, like object/subject access matrix model, star-property- and information flow- reliant multilevel security, access control lists, cryptographic protocol, and public-key cryptography, several information systems continue to be at risk of internal as well as external attacks. Security setups are a time-consuming process and do not play any part in helpful output; hence, nobody will realize until an audit is done or the system is attacked, in case of an overly permissive setup. The above finding underscores the need for internal IT security auditing in all companies.

According to a Security Administrator and System Auditor having nearly two decades of experience, it is imperative to routinely monitor the following computer activity domains: user access control, audit trail, and system activity monitoring (Davis & Yen, 2019; Suduc et al., 2010). The abovementioned tasks are not open to primary security measure adoption mechanisms put forward by Suduc and coworkers (2010). These security measures include authenticating principals (including who said it, or which entities have access to that data – i.e., individuals, groups, programs, or devices). Moreover, these measures also include authorizing access ("Which entities are permitted to carry out what operations on a given object?") and decision auditing ("what occurred and what was the reason for its occurrence").

The goal of user access control security is the optimization of productive computing time, guaranteeing data confidentiality, mitigating fraud and error risks, and preventing unauthorized access. Further, permanent monitoring of system activity is vital, as malicious fraud and sabotaging will more likely take place in case of the low likelihood of detection. The following questions need to be posed concerning potential risk areas: (1) Can this event occur here? (2) In what form will it transpire? (3) Do security measures prove sufficient in threat prevention/detection? (4) How can the measures be improved upon? (Suduc et al., 2010). The application of sound system controls and security may, to a great extent, decrease risk event occurrence and adverse effects through improving chances of detection and prevention.

Maintenance of thorough logs of access time, credentials of the accessing individual, and whether a security breach was attempted constitutes a second essential security action. The above details prove highly informative to system auditors.

Audit frameworks

i. ISO 27001 Framework

ISO 27001, a kind of taxonomy of potential controls, outlines conditions for the establishment, adoption, monitoring, maintenance, operations, review, and improvement of a documented ISMS (Information Security Management System) for overall organizational risks. This standard aims at ensuring appropriate, reasonable security controls are chosen to safeguard data assets and create trust among interested entities. Accompanying it is the ISO 27002 standard (Almatari et al., 2018), setting down general rules and guidelines for the initiation, adoption, improvement, and maintenance of organizational information security...…unplanned, spontaneous auditing, or audits performed in non-office hours.

Auditing methods adopted in this regard may encompass automated audit instruments such as off-the-rack security auditing systems or auditor-developed instruments, or even manual review methods like auditing checklists and social engineering attack checklists.

Audit processes involve several steps. According to 3D Networks, auditing is a 7-step process (Suduc et al., 2010), the steps being as follows: (1) vulnerability scanning – which entails scanning of infrastructure, (2) security architecture auditing – which involves auditing of extant security infrastructure, (3) report auditing – covering auditing of reports such as logs and unauthorized entry/breach detection system reports, (4) workflow and internal control auditing – auditing of extant workflow, (5) baseline auditing – encompassing auditing of organizational security setup in order for ensuring that it conforms to the company's security baseline, (6) risk/threat analysis – evaluation of the many threats and risks the information systems of the organization encounter, and (7) policy auditing – which is an audit of the firm's security policy for making sure it is aligned with the firm's business aims.

In the course of, as well as, after the culmination of, security auditing, a succession of reports can be described, including reports identifying susceptibilities in the information system of the company, reports addressing the risks and threats encountered by the firm owing to extant susceptibilities such as infrastructure and faulty policy, and audit reports that present security overview as well as audit results.

Suduc and colleagues (2010) offer a second view on the subject of security auditing, segregating the process into the following six steps: (1) planning – for the ascertainment and selection of sound, successful techniques to conduct a security audit and procure all desired data; (2) collection of audit information – in order to ascertain the kind and quantity of data to be procured, and how this data, as well as audit logs, are to be filtered, stored, accessed, and analyzed; (3) performance of audit tests – a broad examination of current security standards, policies, technical tests, or security configurations; (4) audit outcome reporting – presenting the existing security environment in the organization; (5) safeguarding of audit instruments and information – ensuring the safety of audit instruments and information for use in the future or the subsequent audit; (6) follow-up and improvements – undertaking corrective action where needed.

As information systems grow ever more sophisticated, security auditing is becoming increasingly challenging; however, security auditors have automated audit tools at their disposal to facilitate the process.

Conclusion

A variety of different security methods may be adopted. The choice of security process set depends on likely risks. However, for proper, successful company asset protection, there is a need for assessing its security measures. Both external and internal security audits form an ideal means of ascertaining the firm's security efficacy. Numerous security auditing standards exist that outline procedure to adhere to for guaranteeing adequate protection of a company's IT resources. Firms suffering from huge losses on account of inadequate information system security should…