Compliance requirements and consumer expectations are constantly evolving, where organisations can no longer simply focus on the IT controls protecting some data, or some key business applications. A more holistic approach is required. 

IT audit and/or assurance engagements from RSM provide organisations with an effective and affordable point-in-time assessment of the organisation’s internal IT controls and IT risk management practices.

RSM seeks to provide a balanced view of the key IT controls in place against known information technology and information security better practices. We feel it is critical to capture both the IT controls that are designed and operating effectively, as well as what controls require uplift, or do not exist for an organisation to gain a true understanding of where to focus its efforts. 

Overview of Services

Our IT Audit and assurance services seek to provide organisations with a sound understanding of their IT environment against numerous standards and frameworks.  Some examples of what we can deliver include:

• Control design and operating effectiveness assessments of IT controls addressing key business systems, specific risks and/or processes. These are typically referred to as IT general controls assessments against  IT security policies and security management procedures, logical access, change and release management, IT physical and environmental security, incident and problem management, and disruptive conditions to disaster recovery and backups. These can be delivered as a once off, or an internal audit, and/or in alignment with your organisation’s end of financial year external audit; 
• Assessments of third-party organisations against a contract or service level agreement, or defined controls such as ASAE 3402, or APRA’s CPS 234;
• Audits and pre-certification assessments for a range of standards such as ITIL, COBIT, PCI DSS, ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 27017, ISO/IEC 27018, amongst others;
• Identity and access management, privileged access allocation and the monitoring of account activity against your policies, and known standards;
• IT governance and IT project governance assessments for the purposes of determining adequate stakeholder involvement, reporting, alignment to business and technology requirements, and ensuring compliance with methodologies where applicable; 
• Pre- and post-implementation reviews of new software, including technical security testing; 
• Maturity assessments and modelling against specific standards and frameworks, such as The ACSC Essential Eight Mitigation Strategies, CIS Top 18 Security Controls, NIST Cyber Security Framework, and SOC 2, amongst others; 
• Audits against the FIRB Data Conditions, and subsequent No Objection Notifications, Exemption Certificates and Variations Decision Letters (where applicable); and
• Business Impact Assessments, recovery strategy selection, assistance with the development and implementation of IT Disaster Recovery Plans and Business Continuity Plans, including in-person simulation sessions with key stakeholders.

Whether you need all of the above, some of, or perhaps a customised IT audit and/or assurance report, RSM can assist. 

KEY CONTACTS