Approaches to IT auditing, a practice as old as the computer age itself, have remained largely stagnant, despite significant corporate failures linked to IT control weaknesses. Imran Khan, CISSP, examines the evolution of IT audits and shares some of his best practices in context-based auditing.

In the early days, auditors leveraged IT General Controls (ITGC) to craft audit engagements. High-profile incidents such as the collapse of Enron in 2001 and, later, the bankruptcy of MCI WorldCom and Cisco's inventory woes highlighted the inadequacies of existing controls and showed the need for a paradigm shift in IT auditing.

The Rise of Regulation

The Enron scandal laid the foundations for the Sarbanes-Oxley Act in 2002, which mandates strict IT controls and effective internal reporting controls. This was one of numerous key regulations – from around the world – enacted both before and after Sarbanes-Oxley and aimed at reducing preventable issues. These include:

  • Gramm–Leach–Bliley Act (GLBA), 1999: GLBA mandates safeguards against threats to consumer information and requires financial institutions to evaluate their unique risks.
  • HIPAA (1996): This Act’s Security Rule emphasizes protecting electronic health information, which requires audits tailored to specific healthcare threats.
  • GDPR and CCPA: These laws demand robust data protection measures, best assessed through audits aligned with organizational data flows and risks.
  • New York DFS Part 500: This has been amended to mandate risk-based assessments and independent audits for covered entities. Crucial cybersecurity requirements were made mandatory based on context and/or a risk assessment.
  • Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA): This Act reinforces the need for audits tailored to critical infrastructure risks.
  • MAS TRM Notice 644: This Singaporean regulation emphasizes a risk-based approach to cybersecurity.
  • Payment Card Industry Data Security Standard (PCI DSS): Defines security standards designed to ensure that all companies accepting, processing, storing, or transmitting credit card information maintain a secure environment.

Despite numerous pieces of legislation – all of them aligned at least to some extent with context-based auditing – high-profile breaches continue to occur. These include:

  • Target (2013): Criminals infiltrated Target's point-of-sale systems, compromising millions of customer records.
  • Equifax (2017): This data breach exposed the sensitive information of millions of Equifax customers.
  • SolarWinds (2020): Hackers compromised SolarWinds’ Orion software update, impacting numerous government agencies and organizations. It is believed that several tactics were used, including but not limited to phishing, spray-and-pray credential stuffing, token theft and abuse of APIs. The hackers not only injected malicious code but created backdoors which enabled impersonation, exploitable for a supply chain attack.
  • Colonial Pipeline (2021): In one of the highest-profile attacks on critical infrastructure to date, criminals compromised a major pipeline system transporting fuel, exposing weaknesses in cybersecurity practices such as weak credentials and inactive VPN accounts.
  • MGM Resorts (2023): An elaborate vishing scheme was used to trick employees and help desks into divulging sensitive credentials.
  • United Healthcare (2024): Unauthorized access was gained to Change Healthcare (a subsidiary of United Healthcare) systems, leading to significant disruption to billing, claim processing and prescription authorization across the U.S.

It’s my contention that the risks of each of these incidents occurring might have been mitigated through context-based auditing.

A Fundamental Change

Traditional IT audits focus heavily on internal controls, relying on documentation and predefined frameworks. However, such methods do not – cannot – foresee modern threats such as cloud vulnerabilities and Internet-of-Things (IoT) devices. These recent and emerging technologies introduce new attack surfaces that rigid controls-based audits are ill-equipped to address.

Reliance on outdated frameworks fosters a false sense of security within organizations. I have heard grandiose claims such as “we’ve never failed an audit”, which masked significant vulnerabilities that were later exploited by adversaries such as Black Basta, Fancy Bear, or even amateur cybercriminals. Moreover, the resource-intensive nature of controls-based audits often diverts time and funds from addressing actual risks.

By contrast, context-based IT audits step outside auditors’ comfort zones by focusing on the client’s unique business context, risk profile and threat landscape. An auditor must delve more deeply into assessing how effectively controls mitigate the threats being exploited in the wild. The Institute of Internal Auditors (IIA), in a 2023 report, described this shift, stating, "The context-based audit approach considers the internal environment, external environment and inherent risks to identify and assess risks at a more granular level.”

Armed with this deeper knowledge, IT auditors are equipped to custom-fit their audit engagements to target known, exploitable vulnerabilities. This approach is a wakeup call for all who believe in a “check the box” philosophy.

In my previous engagements as an IT auditor, I concluded that implementing context-based audits mandates heightened collaboration between the organization and auditors. Below are my recommendations for effective collaboration, based on previous experience auditing financial services firms and healthcare providers.

Steps for Organizations

  1. Comprehensive Process Mapping: In my experience, comprehensive process mapping is crucial for operating efficiently, making informed decisions and gaining a deeper understanding of data. I see this as a foundational step before data mapping, which involves identifying where data is stored, who has access to it, how it flows and what protections are in place throughout its lifecycle. In my view, effective data mapping should also include security classification, usage restrictions and lifecycle management. This should cover both live and archived data. Additionally, I’ve found that identifying and managing “special purpose” data, such as data on legal hold, separately from other types of data is essential for maintaining proper governance and compliance.
  2. Data Inventory: Classify, tag and align data with relevant regulatory and retention requirements. Identify assets that process, store and transmit sensitive data. It’s necessary to re-certify access to the data periodically, akin to user access recertification which helps to ensure that data is being accessed only by known individuals with a right to access. I cannot recall how many times, even in regulated industries, I have witnessed improper/excessive data access privileges in my audit engagements.
  3. Integrate Threat Intelligence with Organization and IT Operations: As a contextual auditor, I found it helpful to stay up-to-date with new, prevailing threats and to adapt security posture based on the impact to the organization.
  4. Risk Assessment: We frequently used historical incidents, vulnerabilities and threat intelligence to prioritize focus areas for the audits. I perceived these as indicators of control weaknesses. The objective was also to validate that the teams’ modus operandi evolved with lessons learnt from historical events.

Steps for Auditors

  1. Understand the Environment: Familiarize yourself with the organization’s business model and regulatory landscape, including new/emerging regulations.
  2. Analyze the Threat Landscape: Identify industry-specific and emerging threats in the wild.
  3. Familiarity with Regulatory Environment: Gain a comprehensive understanding of current and emerging regulations impacting the business.
  4. Proactive Monitoring and Data Analytics: Use continuous monitoring tools to identify vulnerabilities dynamically.
  5. Adopt Zero Trust Principles: Focus on least-privilege access, robust identity management and continuous activity monitoring.

The Auditor Journey Map

Establish Zero Trust Networks

In 2016, hackers orchestrated a meticulous scheme to exploit vulnerabilities in the Bank of Bangladesh’s IT environment. They gained access to the bank’s SWIFT system and successfully transferred $81 million, prompting the Society for Worldwide Interbank Financial Telecommunication (SWIFT) to publish enhanced security requirements for member banks to prevent future heists. The new SWIFT Cyber Security Practices (CSP) aligned to zero trust principles like multi-factor authentication, network segmentation, and continuous monitoring.

In a zero trust environment, traditional methods of auditing have diminished relevance, as the auditor should concentrate efforts on least-privilege access controls, data governance and continuous monitoring of user activity and system configurations.

Audits should:

  1. Be based on a risk-based approach with emphasis on risk to critical assets and data.
  2. Consider IT value-add and integration with business processes.
  3. Ensure implementation of efficient and repeatable monitoring of user activity, security & operational events.
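The Data Inventory step (classify and tag data, re-certify access periodically, catch excessive privileges), the auditors’ zero trust principle (least privilege, identity, continuous activity monitoring) and the third audit objective above (repeatable monitoring of user activity) can all be exercised with one repeatable check. The script below is an added example, not code from the article or from any audit tool the author used. It assumes a tagged data inventory, an entitlement list with certification dates, a user directory and a short activity log, all constructed inline; the recertification intervals per classification tag and the 90-day dormancy threshold are assumed policy values, not figures from the article.

```python
"""Repeatable access-recertification and activity check over a tagged data inventory.

Added example (not from the article). Reports the conditions an auditor would
flag: role-excessive access to sensitive data, certifications past due, access
still held by inactive or dormant accounts, entitlements with no matching user,
activity by accounts holding no entitlement, and activity by inactive accounts.
"""
from dataclasses import dataclass
from datetime import date

# Recertification interval (days) per classification tag: assumed policy values.
RECERT_DAYS = {"restricted": 90, "confidential": 180, "internal": 365}
DORMANT_DAYS = 90  # assumed: no login for this long means the account is dormant


@dataclass(frozen=True)
class Dataset:
    name: str
    classification: str       # one of the RECERT_DAYS tags
    allowed_roles: frozenset  # roles with a business need for this data


@dataclass(frozen=True)
class User:
    uid: str
    role: str
    status: str               # "active", "disabled" or "terminated"
    last_login: date


@dataclass(frozen=True)
class Entitlement:
    uid: str
    dataset: str
    last_certified: date      # date the data owner last re-certified this access


def audit_entitlements(datasets, users, entitlements, activity, today):
    """Return sorted (finding_type, uid, dataset) tuples for the review period."""
    by_ds = {d.name: d for d in datasets}
    by_user = {u.uid: u for u in users}
    held = {(e.uid, e.dataset) for e in entitlements}
    findings = set()
    for e in entitlements:
        ds, user = by_ds[e.dataset], by_user.get(e.uid)
        if user is None:  # entitlement survives an account that no longer exists
            findings.add(("orphaned_entitlement", e.uid, e.dataset))
            continue
        if user.role not in ds.allowed_roles:  # least-privilege violation
            findings.add(("excessive_access", e.uid, e.dataset))
        if (today - e.last_certified).days > RECERT_DAYS[ds.classification]:
            findings.add(("certification_overdue", e.uid, e.dataset))
        if user.status != "active" or (today - user.last_login).days > DORMANT_DAYS:
            findings.add(("inactive_account_access", e.uid, e.dataset))
    # Activity log lines: "<timestamp> <uid> <dataset> <action>" (constructed format).
    for line in activity:
        _ts, uid, dataset, _action = line.split()
        if (uid, dataset) not in held:
            findings.add(("access_without_entitlement", uid, dataset))
        user = by_user.get(uid)
        if user is not None and user.status != "active":
            findings.add(("activity_by_inactive_account", uid, dataset))
    return sorted(findings)


def run_sample():
    """Run the check over constructed sample data; all names are hypothetical."""
    today = date(2024, 6, 30)
    datasets = [
        Dataset("claims_db", "restricted", frozenset({"claims_analyst", "dba"})),
        Dataset("hr_records", "confidential", frozenset({"hr"})),
        Dataset("intranet_wiki", "internal",
                frozenset({"hr", "claims_analyst", "dba", "developer"})),
    ]
    users = [
        User("alice", "claims_analyst", "active", date(2024, 6, 28)),
        User("bob", "developer", "active", date(2024, 6, 29)),
        User("carol", "hr", "terminated", date(2024, 1, 15)),
        User("dave", "dba", "active", date(2024, 2, 1)),   # dormant, 150 days
    ]
    entitlements = [
        Entitlement("alice", "claims_db", date(2024, 5, 1)),
        Entitlement("bob", "claims_db", date(2024, 6, 1)),      # developer on restricted data
        Entitlement("carol", "hr_records", date(2024, 1, 1)),   # 181 days, terminated user
        Entitlement("dave", "claims_db", date(2024, 1, 10)),    # 172 days, dormant user
        Entitlement("erin", "intranet_wiki", date(2024, 6, 1)), # no such user
    ]
    activity = [  # constructed log lines
        "2024-06-29T10:02:11 alice claims_db read",
        "2024-06-29T10:05:40 bob hr_records read",
        "2024-06-30T08:12:03 carol hr_records export",
    ]
    return audit_entitlements(datasets, users, entitlements, activity, today)


if __name__ == "__main__":
    for finding in run_sample():
        print("%-30s %-6s %s" % finding)
```

Each finding type maps back to a control the audit is testing: `excessive_access` and `orphaned_entitlement` to least privilege and joiner/mover/leaver hygiene, `certification_overdue` to the periodic recertification the Data Inventory step calls for, `inactive_account_access` to the kind of dormant-account exposure the Colonial Pipeline incident above illustrates, and the two activity findings to the continuous monitoring that a zero trust audit should confirm is running repeatably rather than as a one-off review.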

Resolve Differences and Embrace Context-Based Audits

Often, organization and audit functions view each other as adversaries. To minimize “audit fatigue”, it’s essential that organization and audit functions build a strong working relationship with open communication, while preserving independence requirements of the auditors. Organizations should be open and forthcoming with requests for information/evidence. Auditors, on the other hand, must come to an engagement with open minds and provide continuous feedback to the organization during the audit engagement.

Overcome Challenges

Effective adoption of context-based audits requires bridging gaps between auditors and organizations. Audit findings should serve as collaborative tools rather than adversarial critiques. Organizations must provide transparent access to data and processes, while auditors should approach engagements with open minds and proactive feedback.

Context-based IT auditing is a deviation from the “normal” yet antiquated practice. I foresee cyber threats evolving at an alarming pace, fueled by rapid advancements in technology. The time to act is, therefore, now. Embracing context-based audits is not just a strategic move, it’s a necessity for businesses to survive and thrive in an era where high-profile breaches are the norm. Let’s take decisive action to stay ahead of these threats and safeguard our future.

Imran Khan, CISSP has over 16 years of experience in financial services, life sciences and healthcare. He has held management and technical roles, with responsibility for risk management, data security, regulatory compliance, audits and application development.
