5 Questions IT Auditors Will Definitely Ask You

By | February 3, 2016

Many organizations still fail to answer fairly simple questions asked by external auditors about their security policy. While it may be easy to treat validation tests as a simple check-box exercise, the risks can be great if companies merely create an illusion of compliance rather than actually fulfilling the regulatory requirements. In fact, according to the 2015 Verizon Data Breach Report, there were 234 security incidents in the health care industry last year alone. If the companies involved in these violations had maintained stricter compliance with HIPAA regulation, they could have avoided data losses and kept their patients’ information secure.


To prepare for an IT audit, consider these five common questions to determine if your organization is ready to face the auditors:

  • Do you have a documented security policy? Auditors need to make sure that policies and procedures are in place to maintain IT infrastructure security and proactively address security incidents. When evaluating the adequacy and reliability of a security policy, auditors will compare measures outlined in the policy with a company’s internal processes to ensure that they are being properly carried out.
  • Are access privileges in your organization adequately granted? Since a lack of control over privileged accounts continues to pose a risk to security, organizations need to prove that all of their permissions are granted in accordance with their existing security policies, in addition to individual employee requirements. IT auditors will not only verify who has access to what (and why), but they’ll also check a company’s ability to detect insider misuse or abuse of access privileges.
  • What methods do you use to protect your data? Most existing compliance standards focus on protecting sensitive data, such as confidential patient records. A company should be ready to present reports about its methods of data classification and segregation (e.g., placing data into a 24/7 protected network) and prove that its most valuable assets cannot be easily compromised.
  • Do you have a disaster recovery plan? A well-structured, clear, and viable emergency plan that describes what actions should be taken in the case of a security violation significantly increases a company’s chances of passing an external audit. A good disaster recovery plan includes information about employees’ roles and responsibilities, how they should react if a security breach occurs, and what they should do to stop data leaks and minimize their negative consequences.
  • Are your employees familiar with existing security procedures and policies? Practice shows that auditors are particularly interested in the methods that a company uses to encourage its employees to follow internal security policies. A company will often need to prove that its employees are regularly trained and are informed about existing security procedures.


Maintaining the security of a company’s IT environment is vital to passing HIPAA compliance audits, yet it still doesn’t give you 100% protection against cyber threats. Any compliance audit will demonstrate the state of an organization’s IT infrastructure at a certain point; however, data must be secured during the entire period between validation assessments as well. It’s critical that companies gain complete visibility into what is happening across their most critical systems and establish absolute control over each component of their IT security. Only then will regulatory compliance be considered a real opportunity to improve business processes and strengthen cyber security.


Contributed by Guest Author: Anastasia Antonova