IT Essentials — Physical and Environmental Controls
Questions to Facilitate Audit Planning
The following questions will facilitate the process of planning the audit.
• Where are the management consoles located? How are they accessed, and by whom?
• What information is deemed critical or confidential on these systems, and why?
• What is the value of the data (to fraudsters, competitors, etc.)?
• Where is the information accessed, processed, and stored?
• How is information transmitted?
• What is the extent of rigor followed to grant and revoke access?
• Have access levels been determined by role, and what roles have administrative access?
• How is access assigned, approved, monitored, and removed?
• How well-protected is the information to unauthorized access?
• What type of testing is performed (penetration, access, tracked changes, etc.)?
• How is each risk monitored for those employees who have functional access to critical information?
If not already documented in the business continuity plan (BCP) or the disaster recovery plan (DRP),
management should consider performing a business impact analysis (BIA) to classify, prioritize, and
document the population of critical systems, data, and resources necessary for recovery and
possibly prosecutorial efforts. The CAE can use the BIA results to determine whether the internal
audit plan sufficiently covers systems that contain critical information, and to confirm that it includes
the systems used for managing physical security and environmental controls.
The CAE can then disclose to the board the areas where assurance may or may not be currently
provided, and the plans to provide coverage.
Audit Fieldwork
Many internal auditors approach the physical and environmental security audit by performing a
walkthrough, as previously described.
The walkthrough gives the internal auditor the opportunity to note the physical location of the
assets being protected and the access control methods in place.
The auditor should tour, at a minimum, the following locations in person or by camera:
1. Guard shack or office (where building monitoring takes place).
2. Computer rooms.
3. Wiring closets.
4. Battery backup room.
5. Diesel generation room.
6. Locations where all physical and logical hardware is located or administrative/monitoring
functions are performed.
7. Locations where all physical cameras, card readers, and biometric readers are placed.
8. Locations designated as restricted access.
Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.