Dalton, Walton, & Carlton, Inc., a vibrant architecture firm, currently faces some challenges in securing its IT infrastructure and making it more effective. This paper presents the first steps in auditing the company’s virtualized environment and its cloud computing and outsourced operations.
Auditing Virtualized Environments
When auditing the virtualized environment for Dalton, Walton, & Carlton, Inc., I would start by documenting the overall virtualization management architecture, including hardware and supporting network infrastructure (Davis, Schiller & Wheeler, 2011). To achieve this, I would review and discuss the architecture with the company’s systems administrator to ascertain that the management and document structures are in accordance with up-to-date corporate standards. Hoelzer (2009) recommends that auditors check the storage devices and networking between the computers. I would perform this procedure and then document these infrastructural components. This step is a prerequisite that would help me interpret the results of the next audit steps.
Auditing Cloud Computing and Outsourced Operations
When auditing cloud computing and evaluating the requirements for outsourcing operations for the company, I would start by evaluating the auditing done for other functions such as virtualized environments. I would do this by reviewing the basic controls that are involved in an internally outsourced function. To enhance the integrity, confidentiality, and availability of that function, say a business application, I would ask the software vendor to run a set of read-only scripts that pull key system configuration information from their environment and then send me the output. Champlain (2003) advises on the importance of requesting a Statement on Auditing Standards on service organizations (SAS 70) report from the software vendor. After receiving this document, I would enlist the help of the procurement, operations, and legal groups to increase transparency from the supplier and, therefore, the security of the software in general. This step would help me determine which risks and audit steps are applicable to the audit at hand.
Champlain, J. J. (2003). Auditing information systems (2nd Ed.). Hoboken, N.J.: John Wiley.
Davis, C., Schiller, M., & Wheeler, K. (2011). IT auditing: using controls to protect information assets (2nd Ed.). New York: McGraw-Hill.
Hoelzer, D. (2009). Audit Principles, Risk Assessment & Effective Reporting. SANS Press.