Francis Tam has practiced public accounting and consulting since 1994. Tam can be reached at 310-295-3852 or francis.tam@mossadams.com.

IT security operates in a fast-moving and complex environment with new technology created daily. This means companies — regardless of size or industry — are increasingly susceptible to cyberattacks, requiring a flexible and proactive approach to cybersecurity.

This necessitates that companies continually assess and update their cybersecurity measures. The Internet of Things, for example, is defined as the interconnection via the Internet of everyday objects that can send and receive data. Although it makes the world easier to live in and control, it also provides new channels for criminals to access and steal important information.

Companies can employ an IT audit to help them respond to these threats and enact security measures and controls that safeguard every channel. This includes a two-step process: assessing areas of risk and identifying measures that can protect sensitive information.

There are myriad ways to protect against threats — it comes down to determining the resources a company is able to allot to its cybersecurity efforts. Regardless, an IT audit should be a key component of any company’s cybersecurity. It includes the following steps:

• Risk assessment. Develops a heat map of risks based on where sensitive information is stored, processed, and transmitted.

• IT assessment. Reviews areas of risk identified in the risk assessment and provides guidance on how to more securely store, process, and transmit sensitive information.


Companies can run into trouble when they fail to identify all areas of risk in their IT environment. These risk areas are different for every business and depend on the information that flows through the organization, but they always fall into two categories: external and internal.

While many companies know how to protect themselves from obvious external threats, they can unknowingly leave back doors open to criminals.

For example, a travel agency provides information to a client through its Web application — including a travel itinerary and flight details. This information is stored on a server, which the company believes is secured by a firewall. However, the company might have an unsecured wireless port connected to the Ethernet the server is on. A criminal only needs to use the unsecured wireless access port to enter the company’s network and access the database to download client data.

Threats to cybersecurity can also be internal — from employees or third-party vendors. This is why companies should only provide information and systems access on a need-to-know basis.

Employees: Access to information shouldn’t be given to employees who don’t need access to complete their job duties. This requires an assessment of each job function to determine which functions require different types of access. Once a company has that information, it can segment its database to allow for different access levels according to job function.

Third-party vendors: Controlling access for third-party vendors is often simpler. Most of the time, they don’t need to access a company’s internal network. They shouldn’t be allowed to use a company’s wireless internet either; instead, a company should install and configure a completely separate wireless router and network for third-party use. It’ll cost more, but ultimately make the IT environment more secure.
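The need-to-know rule described above for employees can be made concrete as a default-deny access policy keyed on job function. The following is an added example, not code from the original article or from the author's firm; the job functions, resources and log entries are constructed for a hypothetical travel agency, and the `unused_grants` review is the kind of check an IT assessment would run to find access that a role holds but never exercises.

```python
"""Need-to-know access policy keyed on job function (constructed example)."""

# Constructed catalogue: for each job function, the resources it is permitted
# to touch and the actions it may perform on them. Anything absent is denied.
ROLE_GRANTS = {
    "travel_agent": {
        "client_itinerary": {"read", "write"},
        "flight_details": {"read", "write"},
    },
    "accounting": {
        "payment_card": {"read"},
        "client_itinerary": {"read"},
    },
    "it_admin": {"server_config": {"read", "write"}},
    # Constructed over-privilege: marketing was granted itinerary access
    # during a campaign but no longer uses it.
    "marketing": {"client_itinerary": {"read"}},
}


def is_allowed(role, resource, action):
    """Default deny: permit only when the role holds an explicit grant."""
    return action in ROLE_GRANTS.get(role, {}).get(resource, set())


def roles_with_access(resource, action="read"):
    """Auditor view: which job functions can perform `action` on `resource`."""
    return sorted(r for r in ROLE_GRANTS if is_allowed(r, resource, action))


def denied_requests(request_log):
    """Requests in the log that the policy rejects (candidate alerts)."""
    return [req for req in request_log if not is_allowed(*req)]


def unused_grants(request_log):
    """Least-privilege review: grants that no permitted request ever exercised.

    request_log is an iterable of (role, resource, action) tuples.
    """
    used = {req for req in request_log if is_allowed(*req)}
    return sorted(
        (role, res, act)
        for role, perms in ROLE_GRANTS.items()
        for res, acts in perms.items()
        for act in acts
        if (role, res, act) not in used
    )


# Constructed request log for one review period.
SAMPLE_LOG = [
    ("travel_agent", "client_itinerary", "read"),
    ("travel_agent", "client_itinerary", "write"),
    ("travel_agent", "flight_details", "read"),
    ("travel_agent", "flight_details", "write"),
    ("accounting", "payment_card", "read"),
    ("accounting", "client_itinerary", "read"),
    ("it_admin", "server_config", "read"),
    ("it_admin", "server_config", "write"),
    ("marketing", "payment_card", "read"),  # not granted: will be denied
]

if __name__ == "__main__":
    print("roles that can read payment_card:", roles_with_access("payment_card"))
    print("denied:", denied_requests(SAMPLE_LOG))
    print("grants to revoke:", unused_grants(SAMPLE_LOG))
```

The review step is the practical point: a grant that appears in `ROLE_GRANTS` but never in the log over a full period is a candidate for revocation, which is how an assessment turns "segment the database by job function" into a repeatable control.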


Once a company has determined its risk areas, an IT assessment identifies ways to strengthen its defenses. Common areas for review include:

• Networks

• Operating systems and databases

• Middleware

• Firewalls and other security measures

• Applications

The assessment results show a company its security profile. For example, many companies assume a firewall ensures their information is secure. However, an IT assessment might find the firewall is poorly configured, which is like having no firewall at all. A company that knows its weaknesses is ultimately more capable of securely storing, processing, and transmitting sensitive information.
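Two of the findings above, a firewall whose configuration is "like having no firewall at all" and the earlier travel-agency scenario where an unsecured wireless port sits on the same Ethernet segment as the server, can be checked with a small policy model. The following is an added example, not code from the original article; the zone names, rulesets and sample flows are constructed, and the first-match, default-policy evaluation is a simplified stand-in for a real firewall rather than any particular product's syntax.

```python
"""Toy firewall policy model for an IT assessment (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source zone, or "*" for any
    dst: str             # destination zone, or "*" for any
    port: Optional[int]  # destination TCP port, None for any


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def evaluate(rules: List[Rule], default: str, flow: Flow) -> str:
    """First matching rule wins; otherwise the ruleset's default policy applies."""
    for r in rules:
        if (r.src in ("*", flow.src) and r.dst in ("*", flow.dst)
                and r.port in (None, flow.port)):
            return r.action
    return default


# Constructed "looks secure" ruleset: a firewall exists, but its default policy
# is allow, so everything except telnet reaches the server unchallenged.
WEAK_RULES = [Rule("deny", "*", "server", 23)]
WEAK_DEFAULT = "allow"

# Constructed deny-by-default ruleset: only named business flows are permitted.
HARDENED_RULES = [
    Rule("allow", "internet", "server", 443),   # public web application
    Rule("allow", "office", "server", 5432),    # staff application to database
    Rule("allow", "office", "internet", None),  # outbound browsing
]
HARDENED_DEFAULT = "deny"

# Constructed flows an assessor would test against both rulesets.
SAMPLE_FLOWS = [
    Flow("internet", "server", 443),
    Flow("internet", "server", 5432),    # database reachable from outside?
    Flow("guest_wifi", "server", 5432),  # database reachable from wireless?
]

# Constructed network layout: which zones share a broadcast segment.
SEGMENTS = {"guest_wifi": "lan", "office": "lan", "server": "lan", "internet": "wan"}


def compare(flows: List[Flow]):
    """Show, per flow, what each ruleset decides."""
    return [(f, evaluate(WEAK_RULES, WEAK_DEFAULT, f),
             evaluate(HARDENED_RULES, HARDENED_DEFAULT, f)) for f in flows]


def unfiltered_flows(segments, flows: List[Flow]) -> List[Flow]:
    """Flows whose endpoints share a segment never traverse the firewall at all.

    This is the unsecured-wireless-port case: no ruleset, however strict,
    inspects traffic that stays on the server's own Ethernet segment.
    """
    return [f for f in flows if segments.get(f.src) == segments.get(f.dst)]


if __name__ == "__main__":
    for flow, weak, hardened in compare(SAMPLE_FLOWS):
        print(f"{flow}: weak={weak} hardened={hardened}")
    print("never filtered:", unfiltered_flows(SEGMENTS, SAMPLE_FLOWS))
```

Running the comparison makes the assessment finding visible: the weak ruleset allows direct database access from the Internet, and the `unfiltered_flows` check shows that moving the guest wireless network onto its own segment (the separate router recommended above for third parties) matters independently of how good the firewall rules are.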


Most companies operate in industries and states that have enacted specific cybersecurity regulations dictating the frequency of IT audits and stringency of cybersecurity measures. For example, the Payment Card Industry Data Security Standard (PCI DSS) and HIPAA recommend audits be conducted annually or when a qualifying event occurs, whichever is more frequent.

These events should trigger an IT audit:

• New compliance measures

• Significant changes to a company’s IT environment

• Implementation of a new business model

• A security event or breach

Cybersecurity ultimately comes down to cost versus security. If a company is willing to spend more, its IT environment will be more secure. An IT audit, whether performed regularly or after a qualifying event, is a cost that helps ensure a company stays apprised of its risk profile and identifies what defenses may be needed to guarantee sensitive data is stored, processed, and transmitted securely.