Online backup service providers claim that they offer integrity of applications and infrastructure and that their systems are periodically checked through third-party scans and audits. If that is so, the audits and scans must reveal to the end user the current status of the infrastructure and give them a true picture of the infrastructure actually available with the online service provider. The unbiased third-party evaluation should also help online backup service providers ensure that they build up the security and infrastructure needed to meet with the approval of the auditors. The reputation of the business depends on it. So, what does the audit of the infrastructure cover?
An information technology audit, also known as an automated data processing audit or computer audit, is an audit of the online backup service vendor’s infrastructure. It is an evaluation of the organization’s systems, practices and operations. The audit evaluates whether the vendor is safeguarding assets, maintaining data integrity and operating effectively to achieve the goals and objectives of the clients who have entrusted their data to the organization’s keeping. This periodic third-party scan and audit may be performed in conjunction with a financial audit, an internal audit or any other form of attestation engagement.
An information technology audit is an audit of the internal control design and its effectiveness under varying circumstances. The audit covers efficiency and security protocols, development processes, and IT governance or oversight. The audit gives the organization a favorable report only if the organization’s computer systems are available for business 24 x 7 x 365, the information system maintains confidentiality, and the information stored and accessed by users is always accurate, reliable and timely. The audit also determines possible risks associated with information assets and evaluates the effectiveness of the current controls in reducing or mitigating those risks.
There are several taxonomies for IT audits. Some audits deal with “technological innovation and processes” and construct risk profiles for existing and new projects. There are “innovative comparison audits”, which analyze the innovative abilities of the company and compare them with the competition. There are technological position audits, which review the technologies being deployed by the online service provider and give an overview of what needs to be added to make the IT systems more effective in the niche. Other audits could be on systems and applications, information processing facilities, systems development, management of the service, and the client/server controls that are in place.
It is clear from the above that the different IT audit reports can be of immense value to end users who are evaluating online backup service providers or deciding which provider will best suit their needs. These reports will also address many of their concerns about the safety and security of their data. An audit methodology that is risk-based and risk-driven will give the user an overview of the culture of the online service provider organization, the key business risks that need control, the strategic planning within the organization, its priorities, its functions and, finally, its ability to sustain the business and effectively provide the services it promises its clients, such as redundancy of data, replication of data, de-duplication of data, virtual and physical security of data and so on.
Third-party audit of information technology systems and of the integrity of applications and infrastructure is also a requirement of law in many countries. The fact that regular third-party audits are conducted in an online service provider organization builds trust and indicates that the service provider is serious about its business. It implies that you can rely on such a provider to take care of your data while you take care of your business.