IT Audit
Independent assurance over the IT controls your business actually relies on.
ISO 27001
An IT audit is an independent, evidence-based examination of your IT environment, IT controls, and IT-related risks, measured against the international standards your organisation is genuinely held to, not against a generic checklist or self-assessment.
IT Audit
Independent review of infrastructure, security controls, and operational resilience.
Controls
The Challenge
The gap between documented controls and operating controls is almost always wider than expected.
Customers ask for SOC 2 reports and ISO 27001 certificates as a precondition for doing business. Regulators, under DORA, NIS2, and a widening range of sector-specific regimes require documented control effectiveness, not policy intent. Boards ask for independent assurance over cyber and IT risk because they are increasingly accountable for it.
The cost of getting it wrong is rarely the obvious one. It is the certification audit that surfaces gaps believed closed years earlier. The customer questionnaire that cannot be answered without a quarter of frantic reconstruction. The regulatory inspection that finds a documented control with no evidence of operation.
Our IT Audit service surfaces that gap before someone external surfaces it for you and turns a documented control environment into a defensible one.
“IT controls you can stand behind,
not just describe.”
The deliverable is a defensible audit position, not a policy document.
Team Certifications
Certified specialists, independent of the implementation teams whose work is being assessed and carrying no commercial agenda beyond the audit itself.
Output
A documented audit position you can present to auditors, regulators, customers, and your board, backed by evidence, not assertion.
What We Audit
Eight focus areas. Covered end to end.
The audit is scoped to the standards your organisation is genuinely accountable to and structured to surface the gap between documented intent and operational reality across every layer of the IT environment.
IT Governance & Organisation
Whether IT governance, accountability structures, policies, and risk management actually direct and constrain how IT is run, measured against the management-system clauses of ISO 27001 and the governance objectives of COBIT 2019.
IT Environment Understanding
A documented view of the applications, infrastructure, databases, cloud platforms, and processes that materially support the business, proportionate to complexity, complete enough to support the rest of the audit, and structured to survive review.
General IT Controls (GITCs)
Design and operating-effectiveness testing across access management, change management, and IT operations, the foundational controls that everything else in the environment depends on, aligned to ISA 315 Appendix 5 & 6.
Application & Automated Controls
Evaluation of automated controls embedded in business processes, calculations, validations, segregation-of-duties enforcement, and the configurations that make them operate as intended rather than as documented.
Information Produced by IT (IPE)
Reliability assessment of the reports, queries, dashboards, and spreadsheets used for management decisions, regulatory reporting, and external audit evidence, the layer most frequently assumed reliable and least frequently tested.
Third-Party & Service-Organisation Controls
Review of vendor and service-organisation assurance, SOC 1, SOC 2, ISAE 3402 reports, complementary user-entity controls, and bridge-letter analysis against the controls your organisation is actually relying on externally.
Cyber & Data-Risk Assurance
Targeted procedures over cyber-risk exposure, data-integrity controls, identity and access posture, logging, and incident detection and response, to support the overall audit response and satisfy the technical requirements of NIS2, DORA, and ISO 27001.
Business Continuity & Resilience
Assessment of business continuity, disaster recovery, and operational resilience controls against ISO 22301 and equivalent frameworks, including the IT components required under DORA’s operational resilience obligations.
Standards Anchored to Your Obligations
Measured against the standard you are actually held to.
Generic IT audits measure against a lowest-common-denominator checklist. Our engagements are anchored in the specific standards your organisation is accountable to selected against your regulatory obligations, your certification commitments, and your customer and board expectations. Not flattened into a single framework that does not apply.
A control that is gold-plated under ISO 27001 but a gap under SOC 2 is reported as such. The audit position we build is specific enough to be useful, and defensible enough to take to whoever asks for it next.
ISO/IEC 27001 & 27002 – Information security management system requirements and controls guidance.
NIST CSF & SP 800-53 – Cybersecurity framework for risk posture and comprehensive security control catalogue.
COBIT 2019 – IT governance and management objectives, accountability structures, and performance indicators.
PCI DSS · SOC 1 & 2 · ISAE 3402 – Payment security, trust services criteria, and service-organisation assurance standards.
DORA · NIS2 · HIPAA · GDPR – Sector-specific and cross-sectoral regulatory regimes where applicable to the engagement scope.
ISA 315 & ISA 402 – IT environment and GITC requirements for financial audit engagements and service organisation considerations.
What You Gain
An audit position you can stand behind.
An IT audit done properly delivers more than a gap register. It delivers the evidence base, the ranked remediation roadmap, and the documented audit position that holds up to whoever tests it next.
Clarity
An evidence-based view of where your IT controls hold up against the standard you are held to, and where they do not.
Defensibility
A documented audit position you can take to certification bodies, regulators, customers, acquirers, and your board backed by evidence rather than assertion.
Prioritised Remediation
A roadmap ranked by what actually reduces audit and operational exposure, scoped against what your organisation can realistically deliver, not by generic severity scores.
Audit-Readiness
Workpapers and evidence packs structured to support the next external audit, ISO certification or recertification, SOC 2 examination, regulatory inspection, or the IT component of a financial audit.
Resilience
The ability to detect control failures early through your own assurance cycle, not through a customer, a regulator, or an incident.
Foundation
A control environment that the next phase of the business, new markets, new regulators, new technologies, new acquisitions can actually be built on.
Complete the Picture
Pair IT Audit with our other assurance services.
IT Audit establishes the control baseline. Penetration testing proves resilience under attack. Threat modeling identifies what needs defending before gaps are exploited.
Ready to Begin
Let's establish what your IT controls actually look like under independent scrutiny.
Every engagement begins with a scoping conversation to understand your organisation’s IT environment, regulatory context, and audit objectives. We come back with a proportionate plan and fixed fee within 48 hours.
