These types of audits were formerly known as computer audits and were much less extensive prior to the widespread use of the Internet. The Internet opened up whole new areas of concern such as hacking, malware and related items.

Audits can be initiated from several sources. Management companies often have an established schedule of IT systems review. These can be performed by internal audit staff or by an outside auditing firm.

Owners sometimes maintain an auditing staff and can plan to audit the property, but this is less common than management being the lead. Franchise companies are becoming more involved in the process and can perform audits on certain properties.

One of the biggest things auditors are looking for is PCI (payment card industry) compliance.  This has become the most important item in the process.  While most all properties have made a strong effort to comply, an audit can uncover areas that can make the hotel fall into non-compliance.

But an IT audit is more than just PCI compliance.  It is an evaluation of the security of all data, not just credit cards.  In addition to security, auditors look at the ability of the hotel to provide timely and accurate information to guests, management and staff.  Also, the physical security in the hotel is an important part of any review. This includes the frequent changing of passwords and interrogating electronic locks. The use of security cameras can also be reviewed.

The most time consuming aspect of an audit can be the preparation time required to get ready for the auditors. Most auditors prepare a checklist of items for the hotel to complete ahead of time. Below is a partial list of items that should be completed prior to an audit.

• All relevant personnel, from the general manager on down, should be participating in the appropriate way.  This includes accounting, human resources, food and beverage, in-house security, front office, and on-site and/or corporate IT staff.
• Locate or create a network diagram (for admin network and guest network) if the admin network and guest network are separate, contact the guest network vendor for a network diagram.  Make sure that the diagram includes all MDF and IDF closets.
• Straighten up data centers (server rooms) including any untidy wiring.  Be sure that cooling systems are working properly.
• All data centers should have limited access including electronic locks that can be interrogated and are monitored by a security camera.   
• Identify all network devices such as core switches, routers, firewalls, and servers (examples: OA server, domain controller, guest lock server, POS Server, PMS server, reader board controller). Determine who manages network devices (could be onsite IT team, third-party vendor, management company IT team).
• Make sure no routers, switches, printers or network devices have default or manufacturer set passwords. Ensure all passwords are unique to a single property and not shared among a brand or group of properties. If unsure, change the passwords.
• Contact all third-party vendors who have devices or items on guest network and request a PCI compliance certificate. (This can pertain to parking lot ticket machines, guest lobby computers handled by a third party, gift shop vendor and anyone who processes credit cards via the guest network.)
• HR, security and all other department heads need to self-audit user (employee) access to all applications and servers accepting credit cards, storing credit cards, or with access to admin network and privileged data (POS, PMS, email accounts, domain accounts, key machine, etc.) A report can usually be printed in each application with the list of users and their individual access rights. Make sure all terminated employees are removed and verify all current employees having only their required level of access.
• Create or locate policy on how onboarding and off boarding employee access is handled (usually handled by HR)
• Prepare to provide auditors with documentation showing quarterly PCI scan results and proof that the property is performing quarterly PCI scans along with the property’s most recent PCI self-assessment questionnaire (SAQ).

IT audits can take from several hours to several weeks, depending on who is performing the audit and the scope. During the process, the property should be as cooperative as possible without interrupting day to day operations.

In some cases, corporate IT personnel may decline to share certain information with the auditors because of confidentiality and other concerns.

Once the audit is complete, the auditors will meet with management to review the results and a written report will be issued.

The hotel should react immediately on any weaknesses in security, especially PCI compliance.  Less critical areas, such as equipment age and performance, untidy wiring, and updates to server operating systems can be phased in over time.