IT audit, part 3: Final steps for a full‒scope IT audit

Security is a critical component of any system audit. When taking over software operations, it is especially important to gain a clear understanding of the system’s vulnerabilities and the risks that may need to be addressed moving forward.

Identifying a software system’s security vulnerabilities can be approached from multiple angles and with a wide range of tools.

Analyzes the source code to detect security flaws and code quality issues before runtime. Common problems include: SQL injection vulnerabilities, cross-site scripting (XSS), improper password storage, hardcoded API keys or private keys

Detects known vulnerabilities and outdated components in the software stack.

Focuses on identifying issues listed in the OWASP Top 10, such as SQL injection, XSS (Cross-site Scripting), CSRF (Cross-site Request Forgery)

Simulates real-world attacks, manually or in an automated fashion, to test the system's actual resistance to intrusion.Requires coordination with current operators. Must be performed carefully to avoid service disruption or data loss

Assesses the exposure of the network layer, identifying open ports, misconfigured firewall rules or encryption weaknesses

In addition to the above, having access to previous penetration test (pentest) reports can be highly valuable. It is worth reviewing which vulnerabilities were identified in the past and to what extent they have been remediated.

This historical data provides deeper insight into the system’s security posture over time and contributes to a more informed and realistic assessment of current security risks and the effectiveness of past mitigation efforts.

When taking over the operation of a software system, it is essential to have a clear understanding of the relevant legal requirements and industry standards that must be observed during both operation and development.

Assessing the data protection obligations related to the software - and verifying whether the current system complies with them - is a top priority. Any gaps identified during the audit must be addressed as part of the operational handover.

Does the system’s data collection, storage, and processing comply with GDPR requirements, such as purpose limitation and data minimisation?

Does the system allow users to exercise their data subject rights, such as access, deletion (right to be forgotten), and data portability?

Is there a documented and tested process for reporting and handling data breaches?

What measures are in place for encryption, anonymisation, access control, and activity logging?

Are user consents properly logged, and can they be easily withdrawn?

Beyond data protection, it is essential to identify which industry-specific standards or legal regulations apply to the software. As part of the audit, the system’s degree of compliance with these requirements must be thoroughly reviewed.

Depending on the sector, the software may be subject to specific regulations from fields such as finance (e.g. PCI DSS, SOX), healthcare (e.g. HIPAA, HITECH), telecommunications (e.g. ETSI standards, national regulatory requirements)

Finally, during the handover process, it is essential to thoroughly review the license terms of all systems, frameworks, and libraries used within the project.

If any components are used under a commercial license, it must be clearly defined who is responsible for covering the associated costs and what the terms are for maintaining or renewing these licenses.

AI-powered tools can be highly effective in exploring and analyzing software systems, offering significant support during audits. These tools are capable of scanning and evaluating the entire codebase, helping to identify vulnerabilities and critical code segments, opportunities for refactoring and optimisation and missing or incomplete documentation.

Some even allow users to interact with the system through a chat interface, answering technical questions based on code context.

However, before using such tools, it is essential to clarify with the software owner under what conditions they may be applied. Many tools require access to the entire source code, which raises concerns about data privacy, intellectual property, and code usage rights.