Performing an IBM i Audit Without an IBM i Professional On Hand - A Risk Assessment Analysis

Bill Onion
October 2020

Call us paranoid, but as infosec professionals our eyes are trained to identify risk. While it’s common for small to mid-range accounting firms to perform company audits for clients, many do so without a knowledgeable IT expert on hand – and this is a risk.  

While some firms have enough underlying IT knowledge to get by, things can get dicey when audits are performed on more intricate, detailed systems like the IBM i.  

Because the AS/400 can be fully modified and customized, it can easily turn into a web of tangled details and information, one that isn’t so simple to decipher, especially if you aren’t really sure what you’re looking at.

Now, we’re not here to point fingers. We get it. Technology is constantly evolving, at a pace so quick that many trained professionals can’t keep up mentally or financially. But having someone unfamiliar with the intricacies of your system perform the IT audit leaves you, as the auditor, open to liabilities and more at risk of missing and making big mistakes.

Let’s break down a what-if scenario.   

Your firm is hired to perform a standard annual audit of a company. Your team moves in and begins working its way through the myriad of documents, processes, and accounts the company has on hand.

Next you move on to the infosec infrastructure. Your auditors work together with the company’s IT department assessing databases, network infrastructures, policies, procedures, and various other modules for potential vulnerabilities. This tag team works well as long as both parties, the auditor and the IT professional, are on equal footing. But what if the auditor isn’t that familiar with the specific platform the company operates on? Even an IT-trained auditor may not really understand what’s happening on the IBM i. So what happens when the auditor begins to “take their word for it” when working with the client? Will the auditor be able to recognize red flags? Will they be able to decipher the free-form RPG code?

These situations happen more frequently than not, and their risk valuation is sky-high. Many companies and auditors feel that because the IBM i is a relatively secure platform they can let their audits lapse or simply move through the “checkbox audit” and assume that everything is fine. But that is not always the case.   

And without the proper knowledge, it’s impossible to do a proper, full, subjective audit, leaving the company at risk for security breaches and you at risk for performing an incomplete and inaccurate audit. 

So what do you do when you’re presented with a platform that you aren’t familiar with? How can you confidently complete the audit? 

Well, that’s where Briteskies can help. We’re not accountants, and you’re not IBM i infosec professionals, and that’s okay. We work together, each handling our own area of expertise to create a comprehensive, accurate audit. We can white-label our work, handling the IT section of the audit and leaving your staff to handle the rest. Our information security professionals team up with your auditors to provide professional reviews and assessments of the system and hardware that your auditors are responsible for. We provide the needed expertise to make sure that when you put your stamp on the audit, you can stand by it confidently.

Learn more about our offerings and professionals or contact us directly to learn more about our audit offerings.
