Case Study: IT Audit Use Case for a Publicly Traded Company

Background

An independent cybersecurity consultancy conducted a comprehensive IT audit of a public company to assess its security posture, evaluate risks, and offer strategic guidance to strengthen enterprise-wide information assurance. The goal was to identify vulnerabilities, benchmark governance practices, and recommend enhancements to safeguard data and ensure operational continuity.

Overall Risk Rating: Critical

This assessment incorporated a combination of technical evaluations, policy reviews, and internal interviews. The company is undergoing a digital transformation with a complex IT footprint that includes cloud platforms, hybrid applications, and multiple regional sites.

Objectives

The primary goals of this IT audit were to:

  • Evaluate the maturity and completeness of the company’s Information Security Program

  • Identify exploitable weaknesses via External and Internal Vulnerability Assessments

  • Assess Application Security and data protection capabilities

  • Review Governance, Risk, and Compliance (GRC) structures

  • Evaluate Business Continuity and Disaster Recovery (BC/DR) readiness

  • Ensure alignment with key frameworks such as NIST 800-53, NIST 800-171, and ISO 27001

Audit Methodology

The assessment was structured around six core activities:

  • Security Questionnaire Review (NIST 800-53, NIST 800-171, CSF)

  • External Vulnerability Scanning – to detect internet-facing risks

  • Internal Vulnerability Assessment – for internal infrastructure gaps

  • Application Security Interviews – SaaS and enterprise app controls

  • Policy & Documentation Review

  • Onsite and Remote Interviews – across IT, operations, and HR departments

Key Findings

A. Strengths

  • Executive leadership is committed to cybersecurity enhancement.

  • Security awareness programs are in early adoption stages.

  • Encryption standards are generally followed for data in transit and at rest.

B. Areas of Concern

Governance & Policy Gaps

  • Incomplete or draft cybersecurity policies

  • Undefined security roles and responsibilities

  • Lack of legal/regulatory compliance tracking (e.g., HIPAA, GDPR)

Identity & Access Management Deficiencies

  • Inconsistent MFA usage across applications

  • Absence of a centralized IAM platform (e.g., Active Directory)

  • Overuse of administrative privileges at endpoint level

Vulnerability Management

  • No formal patch management program or vulnerability prioritization

  • Missing asset inventory and classification standards

Application Risks

  • Several key applications lacked enforced MFA

  • No formal process for user access audits

  • Vendor contracts lacked cybersecurity-specific clauses

Network Architecture

  • Flat networks with no segmentation across sites

  • No standardized configurations or baseline hardening guides

Incident Response & Recovery

  • Incomplete incident response playbooks

  • No enterprise-wide BC/DR framework or testing protocol

Risk Ratings by Category

Each category below is listed with its assigned risk rating:

  • Security Program (NIST 800-53): Critical

  • Compliance (NIST 800-171 Rev. 1): Critical

  • External Vulnerability Exposure: Moderate

  • Internal Vulnerability Exposure: Moderate

  • Application Security: Severe

Recommendations

Each focus area below is listed with its priority and a description of the recommended action:

  • Centralized IAM (Priority: High): Deploy Active Directory or equivalent to unify access control

  • Enforce MFA Organization-Wide (Priority: High): Mandatory across all platforms, especially remote access and VPN

  • Finalize Security Policies (Priority: High): Formalize and enforce cybersecurity policies and standards

  • Implement Network Segmentation (Priority: Medium): Redesign network topology to include logical segmentation

  • Adopt Unified Productivity Suite (Priority: Medium): Standardize on Microsoft 365 or Google Workspace with security features

  • Establish Formal Risk Management (Priority: Medium): Use COSO or ISO 31000 frameworks to drive structured risk oversight

  • Improve Vendor Risk Management (Priority: Medium): Include breach notification, liability, and audit rights in all contracts

  • Strengthen Endpoint Security (Priority: Medium): Enforce least privilege, deploy a centralized EDR solution

  • Develop Incident Response Plan (Priority: High): Use NIST 800-61 as a framework, train staff on escalation procedures

  • Standardize Security Training (Priority: Medium): Role-based awareness with phishing simulations and compliance modules

Application Security Snapshot

A sample of enterprise and SaaS platforms revealed the following:

  • Several applications lacked enforced MFA.

  • Access reviews were infrequent or undocumented.

  • Some platforms had strong encryption and vendor certifications (e.g., SOC 2 Type II).

  • Critical applications lacked defined Recovery Time Objectives (RTO) or Service Level Agreements (SLAs) with vendors.

Compliance Overview

  • Gaps in ISO 27001-required documentation and practices

  • Missing policies: Acceptable Use, Access Control, Secure Development

  • No formal vulnerability management or logging strategy

  • Limited audit trail for regulatory compliance validation

Conclusion

The public company has several initiatives in place to address cybersecurity, but its posture remains critically vulnerable due to policy gaps, weak access controls, and inconsistent security implementations. Immediate efforts should prioritize unifying identity management, enforcing MFA, finalizing governance policies, and strengthening network security.