SharePoint Blog

March 15
5 Key Components of Your SharePoint Audit

While working with Microsoft SharePoint at various organizations on implementations or migrations, a question that often arises is whether regular audits of a SharePoint environment are needed. At Protiviti, while many of us focus on IT Consulting and SharePoint, approximately 50% of our business is related to performing Internal Audits. Therefore, we have a unique perspective on the importance of performing SharePoint audit assessments.

Increasingly, SharePoint is used as an organization’s Intranet with sensitive data stored throughout the environment. There are often sensitive legal documents or employee information stored on an organization’s SharePoint environment. In addition, workflows are often incorporated to manage the flow of data (which may be sensitive in nature) to various departments. In light of this, SharePoint can often be viewed similarly to other ERP applications such as SAP, Oracle or PeopleSoft (just to name a few). Almost all Internal Audit groups naturally see the need to perform audit assessments on these ERP applications; therefore, SharePoint should be viewed in the same manner.

Business Case for a SharePoint Assessment:

Over 80% of Fortune 500 companies use SharePoint for workforce collaboration, content management, and critical business applications. Yet few understand how it is deployed or make regular assessment of their SharePoint environment part of their audit plan. Here’s why a SharePoint assessment may be important to you.

Clients store sensitive data in SharePoint but do not secure it:

  • At least 36% of surveyed SharePoint users are breaching security policies and gaining access to sensitive, confidential information that they are not entitled to access.
  • 79% of those surveyed said their organizations stored sensitive data in a SharePoint environment, but only 18% said they prevented access through the use of technical controls.

Clients are using SharePoint as a business application; therefore, it should be assessed as such as part of an Internal Audit program:

With the increasing flexibility and extensibility of the platform, business users are creating SharePoint-based applications to support business functions. Without proper Governance and Security plans in place, many of these systems are created without the awareness of IT or Audit. Examples of recent client discoveries include:

      • Employee On-boarding and Off-boarding: Processes that manage user permission changes, thus granting and removing access.

      • Vendor Management: Solutions that manage the entire vendor management lifecycle. This includes the vendor identification, risk assessment, contracting, and payment activities. 

      • Change Requests: Applications that manage changes to the firewall, ERP, and other critical systems. 

      • Incident Management: Systems that track operational activity that may introduce a compliance risk.

Scoping the SharePoint Audit Assessment:

Generally, organizations focus on the overall security of the SharePoint environment; that is, how accessible the SharePoint environment is to outside hackers. While this is an important component, there are other audit assessment areas that should be considered.

To help organizations assess their SharePoint environments, Protiviti recommends a comprehensive review process. Below are the five key areas we recommend including in a SharePoint environment audit assessment:

1. Performance Health Check: Analyzing and optimizing SharePoint system performance.

2. Governance Planning: Understanding how to govern SharePoint (i.e., ensure all legal, technical, operational and functional concerns are represented) using people, processes and policies.

3. Information Architecture Scorecard: Ensuring information in SharePoint is presented intuitively and is easy for users to search and retrieve.

4. Privacy and Security Review: Validating that information and access risks are under control.

5. Usability Review: Engaging the user community to understand and identify opportunities for improved adoption of SharePoint in the organization.

While Protiviti recommends that all of these areas be covered in a single audit, organizations can tailor the audit scope to meet their specific needs and goals. Depending on the size, number of users and extent of your SharePoint environment, an initial evaluation should be completed to determine whether some or all of the above areas need to be covered in an assessment.

In summary, SharePoint environments have evolved into a key component of many organizations’ business applications. Therefore, SharePoint environments should increasingly be considered as part of an organization’s Internal Audit program.

© Protiviti 2021. All rights reserved.