The economy is in hibernation. The stock market is in denial. Your IT department is in flux. What next, an IT audit?
Unfortunately, the answer is likely to be 'yes'. Tight money, increased government regulation and heightened turmoil in many industries mean IT audits will be on the increase. The end of the year is a good time to prepare for the tough questions that lie ahead.
I am using the phrase "IT audit" in a broad sense. There are many types of audits (or reviews) that can take place within IT. They may be for due diligence or they may be in response to a problem. Consider these examples.
A company performs annual accounts receivable audits for SOX compliance. Because all the data is contained in IT systems, IT infrastructure and procedures must be reviewed and certified.
A million dollar IT project is way over budget and late. Management demands an accounting of where the money and time went.
Patient health information is inadvertently disclosed outside the company. This is a HIPAA violation and could result in an in-depth assessment of how information is handled.
In any of these situations, your team will be asked to supply documentation for systems, software applications and associated procedures. If you have formal guidelines and processes in place, you have nothing to fear from an audit. In fact, it may be helpful in making improvements to your operations.
If your team operates ad hoc with few controls and little tracking, you could be in deep trouble. I am not an advocate of writing mountains of documentation or saving every scrap of email and IM. However, you must be able to show that your operation is disciplined and under control.
Here is what you can expect from an audit and what you should do to make it go smoothly.
IT audits may be conducted by someone inside or outside of the organization. Ask to meet with the auditors before the audit begins. Find out exactly what they intend to audit and what they will be looking for. Ask about tools and facilities they will need and how long the audit will take.
Request a list of the documentation they will need to review. Keep in mind that documentation is critical. Auditors love it. The better things are documented, the easier the audit.
Now that you know what to expect, assign someone on your team to be the point person. Auditors will have lots of questions and will need almost constant supervision. You do not want them wandering around asking questions. The point person must be able to lead the way and get answers to questions quickly.
Strongly consider giving the auditors a formal presentation on their first day. Show them the IT infrastructure and the software in use. Explain how the systems are used and where the data resides. Give them a sense of where data moves and how work flows.
Security is part of every audit, so explain how user authentication and authorization work. Describe your security controls and encryption mechanisms.
If there are weaknesses in your infrastructure or security, admit to them. Auditors are very good at finding these issues and, sometimes, blowing them out of proportion. Get the issues out in the open and explain what is being done about them.
Let the audit begin. Be supportive and try to give the auditors what they need. Arguing only makes it appear that you have something to hide, which causes them to dig deeper. (By the way, if the auditors are outsiders, be sure they have signed a non-disclosure agreement.)
They are likely to require login access to some key systems. Read-only rights should be sufficient; there is no reason for them to change anything.
As the audit nears completion, a wrap-up meeting is a good idea. It gives you an opportunity to explore preliminary findings and correct misinterpretations. The final result of the audit will be a report. Ask if you may see a draft copy before publication.
Every audit uncovers deficiencies. You may be tempted to explain how you will correct these issues but be careful. Anything you say can and will be used against you in a future audit. Be conservative with your commitments.
Once the auditors leave, meet with your management team and your IT team to determine what most urgently needs to be addressed. I cannot stress “urgently” enough. There are likely to be many issues large and small that need attention. Trying to fix them all at once will lead to chaos.
Put a plan together to address issues that are costing the company money or placing it at risk. Follow through and document the results. Add this information to the file for next year’s audit.
With a little planning, IT audits can help improve IT operations. As for those who operate completely ad hoc, consider spending the time planning your next career move instead.
Vin D'Amico is Founder and President of DAMICON, your ADJUNCT CIO. He helps companies avoid the subtle mistakes that cause missed deadlines, lost opportunities and fragile results. He shows them agile approaches that slash risk and cut development time so they get to market 25-50% faster. He helps them carry that momentum into the sales cycle using white papers and case studies that accelerate the selling process.
This article appeared in Vin's monthly Virtual Business column for the IndUS Business Journal in December 2008.