There are many forces that may drive a business to conduct an IT audit. Compliance agencies, prospects, or even software developers may require one. Or you, as a business owner, may be proactively seeking ways to improve or better leverage your existing IT investments. Let’s expand on each of these briefly:
● Compliance agencies: A growing number of sources—including HIPAA (healthcare), PCI (payment card/transaction), Sarbanes-Oxley (internal financial controls), and state privacy acts—have generated an increase in audits by accounting firms and related agencies.
● Prospects: Increasingly, customers or prospects will request documented confirmation of the quality of your infrastructure, policies, and procedures, especially if you are doing business with larger corporations and leveraging EDI (Electronic Data Interchange).
●Software developers: Small businesses aren’t usually targeted, but it is not uncommon for a disgruntled employee to raise a flag triggering a software licensing audit, whether warranted or not.
● You, the business owner: IT can be something of an unknown entity. A proper IT audit will answer questions such as: Do I need to expand? Or, conversely, have I invested in unnecessary, inefficient, or outdated IT resources? Might outsourcing my IT be a better solution?
What’s in an IT audit?
All IT audits are focused on identifying risks of one type or another. An IT audit could be strictly financial, more broadly focused on policies and procedures, or narrowly targeted toward the physical IT infrastructure itself.
Financially-oriented IT audits are usually internally driven. Management may be questioning the ROI (Return on Investment) of existing labor investments. Are IT staff workloads increasing, while total employee headcount or sales remain static? Are equipment upgrades being requested that budgets can’t support? Are you experiencing project budget overruns, or have past projects not met expectations? The IT audit process can answer these financially-oriented questions.
IT audits related to privacy policy may originate from either the Human Resources department or the IT department itself. Issues of privacy are in the news almost daily. Do you have a written privacy policy detailing how you manage and maintain employee and client data? What controls are you leveraging to manage and mitigate a potential breach of your systems and potential loss of data considered private? Do you have both a written policy and the necessary associated controls to manage your employees’ use of email and the internet? An IT audit can be used to review and update, or to create these policies.
Change management is not just an IT or Human Resources process, but a company management process. As employees come and go, is your IT department aware of all staff changes? Are procedures in place to insure that terminated employees or interns no longer have access to your technology? Do active employees have access only to the data and systems needed to perform their jobs? What is your process for upgrading your primary line of business applications? Is it as controlled as it should be? Do you have an adequate “fall back” position in the event the upgrade goes south? An IT audit can be used to tighten up these change management procedures.
Technical IT audits evaluate physical infrastructures: security systems; infrastructure design and configuration; equipment age and supportability; licensing compliance… The list can go on and on. Even if the physical components of your IT infrastructure make the grade, auditors will also want to understand your IT processes and procedures. The absence of processes and procedures, or inconsistency in executing them, will draw the attention of auditors, but even more importantly, will increase your risk of business system outages. At its core, an IT audit, however granular it may become, should be focused on understanding security vulnerabilities, capacity and end-of-life equipment risk, and disaster recovery / business continuity metrics.
Should you be considering an IT audit?
If you’ve found that you yourself, your internal IT team, or your outsourced provider are unable to answer many of the above questions, or if you’re just not satisfied with the answers you receive, now is the time to begin planning an IT audit or Network Assessment of your systems, processes, and procedures. The insights you will gain from this effort, whether you perform it yourself, or outsource it, will empower you to act from a position of greater strength. The net result will be a clear picture of your operations, with discrete action items that will improve your business.
