IT Audit: Purpose, Value, Scope, and Software Audit Checklist
What is an IT audit?
[Image: definition of an IT audit. Source: Harvard University]
Why you may need a software audit
Besides monitoring software KPIs, it is useful to get a comprehensive picture of the overall health of your IT system from time to time. Software audits are particularly valuable when you need to:
- Spot the bottlenecks causing performance issues
- Prevent security breaches, data loss, or system downtime by identifying vulnerabilities early and mitigating the risks
- Ensure legal compliance, both for software licenses and for industry standards
- Optimize costs, e.g. by identifying unused or underutilized software licenses and subscriptions, or by optimizing AWS data transfer costs
- Hire app developers to extend your team, or change your IT vendor: knowing the current condition of the IT system lets you assess development progress and manage your software vendors
In this article we focus on the technical aspects of software you should pay attention to during an IT audit: architecture, infrastructure, code quality, quality assurance, security, and UX/UI design.
Software architecture audit
See also: Apiko, How to Build a Successful Solution Architecture: Case Study
Here is a suggested software audit checklist to make sure the app architecture is well-configured, satisfies the project needs and requirements, and enables reliable app performance.
- Is there up-to-date IT architecture documentation with a change log?
- What are the key components of your solution architecture, and which app functionality do they enable?
- Is the choice of software architecture type well-reasoned?
- In case of SaaS architecture, is a single-tenant or multi-tenant pattern implemented? Is this choice well-reasoned?
- How well does such architecture configuration satisfy the needs of the application end-users and stakeholders?
- Does the application behave as expected, both under normal conditions and when a component fails?
- Is the amount of allocated computing resources appropriate for the required performance and user experience? Resources should be neither lacking nor significantly in excess, to avoid dysfunctions or extra costs respectively.
- Check scalability and robustness: can the app architecture handle higher loads, tech stack and feature updates, deployment of new app modules, etc.?
- What are the protection mechanisms against data breaches, malware attacks, etc., if any, and where in the architecture do they sit?
- Assess the cost efficiency of the architecture: higher spending can buy better performance, but only up to a point, so make sure a reasonable balance between the two has been found
- Is there any unnecessary architecture complexity?
- What is the risk of technical debt with the chosen architecture configuration for particular software requirements and business objectives?
IT infrastructure audit
See also: Apiko, Legacy Application Modernization Case Study: IT Infrastructure Modernization
IT infrastructure directly influences the cost, scalability, and performance of your information system, so it must fit your needs. For instance, see the case study of AWS data transfer cost optimization, where the daily cost dropped from about $12 to $0.75.
DevOps engineers are responsible for configuring and setting up the IT infrastructure. They also ensure its monitoring, robustness, security, and proper functioning, and set up continuous integration and delivery (CI/CD).
The infrastructure audit checklist, an integral part of a software audit, is presented below.
- After deploying new functionality, assess its performance: the amount of resources it needs, any errors or dysfunctions, etc.
- For each server, check CPU, RAM, and disk utilization, and their peak-load values
- Analyze the peak and average incoming traffic over a period of time, e.g. a month, to understand whether the current resources are sufficient and to find anomalies, if any
- As for security, make sure multi-factor authentication (MFA) is enabled for all users, including the root or administrator account
- Check which ports are open on each server and the firewall or security-group rules that control access to them; anything reachable from the internet should be there deliberately
- In the case of AWS cloud infrastructure, enumerate the IAM users and their access permissions: it is good security practice to grant only the permissions that are actually needed (least privilege) and to rotate long-lived access keys
- Monitor the volume of application logs, and inspect them for errors and for unnecessary data (including sensitive data that should not be logged at all)
- Analyze your IT infrastructure cost per day, spot the peak values and figure out what caused them
- Configure budget alarms for daily and monthly expenses
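The MFA, port-exposure and IAM-permission items of the checklist above can be checked mechanically once the account data is exported. The following script is an added example, not code from the original article or from Apiko: it runs three of those checks offline over constructed samples shaped like the output of `aws iam get-credential-report` (CSV) and `aws ec2 describe-security-groups` (JSON). The account id, user names, group ids and the fixed "now" date are made up for the demo; nothing here talks to AWS.

```python
"""Added example (not from the original article): offline checks for three
items of the infrastructure checklist (MFA for every console user, stale IAM
access keys, ports exposed to the internet) over constructed sample exports."""
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample: the first columns of an IAM credential report.
# Account id 111122223333 and the user names are made up.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2021-01-01T00:00:00+00:00,not_supported,2024-05-01T09:12:00+00:00,not_supported,not_supported,false,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-03-10T00:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,true,true,2024-03-01T00:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2022-03-10T00:00:00+00:00,true,2024-05-02T08:00:00+00:00,2023-01-10T00:00:00+00:00,N/A,false,true,2022-06-01T00:00:00+00:00
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2023-07-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-04-15T00:00:00+00:00
"""

# Constructed sample in the shape of `aws ec2 describe-security-groups`.
SECURITY_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0b2", "GroupName": "db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
""")

# Fixed "now" so the key-age arithmetic is reproducible (assumed date).
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)
WORLD = {"0.0.0.0/0", "::/0"}


def audit_iam(report_csv, now=NOW, max_key_age_days=90):
    """Return (user, finding) pairs: console access without MFA, stale access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # The root row reports password_enabled as not_supported but always has console access.
        has_console = user == "<root_account>" or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        if row["access_key_1_active"] == "true":
            rotated = datetime.fromisoformat(row["access_key_1_last_rotated"])
            age = (now - rotated).days
            if age > max_key_age_days:
                findings.append((user, f"access key not rotated for {age} days"))
    return findings


def audit_security_groups(describe_output, public_ports=frozenset({80, 443})):
    """Return (group id, finding) pairs for rules reachable from any source address
    that expose more than the ports an internet-facing service is expected to serve."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for rule in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if not any(c in WORLD for c in cidrs):
                continue  # restricted to specific source ranges, fine for this check
            if rule["IpProtocol"] == "-1":
                findings.append((sg["GroupId"], "all protocols and ports open to the world"))
                continue
            lo, hi = rule["FromPort"], rule["ToPort"]
            if not set(range(lo, hi + 1)) <= public_ports:
                findings.append((sg["GroupId"], f"{rule['IpProtocol']}/{lo}-{hi} open to the world"))
    return findings


if __name__ == "__main__":
    for item in audit_iam(CREDENTIAL_REPORT) + audit_security_groups(SECURITY_GROUPS):
        print("FINDING: %s: %s" % item)
```

On the sample data the script flags the root account and `bob` for console access without MFA, `bob` again for an access key last rotated 702 days ago, SSH on `sg-0a1` open to the world, and an all-traffic rule on `sg-0b2`. The allow-list of public ports is a parameter because what counts as "expected" exposure differs per server: a load balancer legitimately serves 443 to everyone, a database never should.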
Code audit
It is crucial that the application code is performant, secure, well-organized and readable to software engineers, even those not involved in that particular project. That is why at Apiko, besides using automated tools to maintain code quality, we practice code review on a constant basis.
Here is the code audit checklist we use, e.g. when taking over someone else's project.
General code audit
- Is the codebase well-organized and consistently structured?
- Are there any unused or redundant files, variables, or functions?
- Is the naming convention clear, consistent, and descriptive?
- Are there clear and concise comments explaining complex or non-obvious code?
- Is there a consistent coding style, and does it adhere to coding best practices?
Front-end code audit
- Is the HTML structure semantic, i.e. does it use elements that convey the purpose or meaning of the content, like <header>, <footer>, <p>, <h1>, <h2>, etc.?
- Is the HTML structure accessible, i.e. can users easily perceive, understand, navigate, and interact with the content?
- Are CSS styles efficiently organized and optimized for performance (e.g., minimized use of redundant or overriding styles)?
- Are JavaScript files modularized and organized logically?
- How is the front-end code handling browser compatibility and responsiveness?
- Are there any security vulnerabilities in the front-end code (e.g. sensitive data or secrets embedded in client-side code, cross-site scripting)?
Back-end code audit
- Is the server-side code structured logically and modularized for maintainability?
- How are input validation and error handling implemented?
- Is database interaction efficient, with optimized queries and proper indexing?
- Are there any security vulnerabilities in the back-end code? For example, is data transmitted securely, is encryption adequate, are database queries parameterized?
- How is user authentication and authorization handled?
- Is the API design consistent, and does it follow RESTful principles (if applicable)?
Code performance audit
App performance testing is necessary to make sure your app meets its performance targets, measured by such KPIs as transactions per second (TPS), CPU and memory usage, latency, response time, and others. To assess the code performance, it is important to answer the following questions:
- Are there any bottlenecks or performance issues in the code?
- Is the code optimized for efficiency, with minimal redundancy and unnecessary computations?
- How are asynchronous operations handled for optimal performance?
Automated testing audit
Generally speaking, automated testing should ensure that all parts of your software work correctly on their own (unit testing), together as a whole (integration and end-to-end testing), and under high loads (load testing). The test automation strategy depends greatly on the specifics of each project and the industry it is developed for. It is a proven best practice to integrate digital quality assurance services into your software development life cycle.
Some of the fundamental questions on testing audit checklist are the following:
- Are there comprehensive unit tests covering critical functionality?
- Is there integration testing to ensure different parts of the application work together as expected?
- Are there any end-to-end tests for testing the application flow?
Security audit
Security practices should be implemented at all levels of the IT system, and some of them have already been mentioned in the checklists above. Here are some more points an IT auditor should consider.
- Is user authentication secure (e.g. strong password policies, multi-factor authentication)?
- Are access rights assigned on a least-privilege basis and revoked promptly when no longer needed, e.g. when someone leaves the project?
- Is sensitive data protected from unauthorized access?
- Is sensitive data encrypted both in transit and at rest?
- Is data integrity ensured by validating all input and by using parameterized queries (or an equivalent mechanism) to prevent injection attacks?
- Is TLS configured correctly for secure communication (current protocol versions only, valid certificates, legacy SSL versions disabled)?
- Are secure communication protocols (e.g. HTTPS, SSH) enforced rather than merely offered alongside insecure ones?
- Are error messages handled securely, so they do not leak sensitive information such as stack traces, internal paths, or database details?
- Are logs stored securely and regularly reviewed for anomalies?
- Are session tokens generated from a cryptographically secure random source, and invalidated server-side after logout or a period of inactivity?
- Are third-party libraries and components regularly updated and patched, and is there an inventory of them so that known vulnerabilities can be tracked?
- Does the software comply with relevant industry standards and regulations (e.g., GDPR, HIPAA)?
- Are backups taken regularly, stored securely, and tested by actually restoring them, so that recovery from a security incident is possible?
- Is there comprehensive documentation covering security features, controls, and procedures?
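Two of the items above, injection prevention and session-token handling, are easiest to judge by looking at the code itself. The following is an added example, not code from the original article or from Apiko, using only the Python standard library: a deliberately vulnerable query built by string formatting next to its parameterized form, run against a constructed in-memory SQLite table, and a minimal server-side session store that draws tokens from the OS CSPRNG, invalidates them on logout and expires them after 30 minutes of idleness. The table contents, user names and timestamps are made up for the demo.

```python
"""Added example (not from the original article): the SQL injection an auditor
looks for beside its parameterized fix, and a session store with secure token
generation, logout invalidation and an idle timeout."""
import secrets
import sqlite3
import time


def make_db():
    """Constructed sample table for the injection demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn, username):
    """Deliberately vulnerable: the caller's input is spliced into the statement,
    so a quote character in the input rewrites the query's logic."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Hardened form: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Classic tautology payload; the vulnerable query becomes
#   SELECT username FROM users WHERE username = 'x' OR '1'='1'
PAYLOAD = "x' OR '1'='1"


class SessionStore:
    """Server-side session table keyed by an unguessable token.
    `now` is epoch seconds and can be injected for deterministic tests."""
    IDLE_TIMEOUT = 30 * 60  # seconds of inactivity before a token dies

    def __init__(self):
        self._sessions = {}  # token -> (user, last_seen)

    def create(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG, never random.random()
        self._sessions[token] = (user, now)
        return token

    def resolve(self, token, now=None):
        """Return the user for a live token, or None. Expired tokens are deleted on sight."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen > self.IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        self._sessions[token] = (user, now)  # sliding idle window
        return user

    def logout(self, token):
        """Invalidate server-side; clearing the cookie alone would leave the token usable."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, PAYLOAD))
    print("parameterized:", find_user_safe(db, PAYLOAD))
    store = SessionStore()
    t0 = 1_700_000_000.0  # assumed epoch timestamp
    tok = store.create("alice", t0)
    print(store.resolve(tok, t0 + 600), store.resolve(tok, t0 + 3000))
```

With the payload, the string-built query returns every user while the parameterized one returns nothing, which is exactly the behaviour difference to look for in a code audit. In the session store, a token used ten minutes after creation resolves to `alice`, but the same token presented forty minutes after that last use is gone, and a token that was logged out is rejected even though it was valid a moment earlier.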
UX audit
See also: Apiko, How To Do A UX Audit: A Comprehensive Guide [UX Audit Checklist Included]
Let's sum it up!
An IT audit is a good way to ensure that your IT system is up and running reliably, and will keep doing so in the near future. It identifies the areas that require optimization, so they can be improved to conform to current technical standards and business requirements. A software audit gives you the basis for informed decision-making, proactive management of your IT system, and mitigation of the related risks.