
 
 
Issue Date: January 2009, Posted On: 1/16/2009


Planning ahead will help make IT audits painless

By Vin D’Amico

 
 


The economy is in hibernation. The stock market is in denial. Your IT department is in flux. What is next, an IT audit?

Unfortunately, the answer is likely to be “yes.” Tight money, increased government regulation and heightened turmoil in many industries mean IT audits will be on the increase. The end of the year is a good time to prepare for the tough questions that lie ahead.

I am using the phrase “IT audit” in a broad sense because there are many types of audits (or reviews) that can take place within IT. They may be for due diligence or they may be in response to a problem. Consider these examples:

  • A company performs annual accounts receivable audits for Sarbanes-Oxley Act compliance. Because all the data is contained in IT systems, IT infrastructure and procedures must be reviewed and certified.
  • A million-dollar IT project is way over budget and late. Management demands an accounting of where the money and time went.
  • Patient health information is inadvertently disclosed outside the company. This is a Health Insurance Portability and Accountability Act violation and could result in an in-depth assessment of how information is handled.

In any of these situations, your team will be asked to supply documentation for systems, software applications and associated procedures. If you have formal guidelines and processes in place, you have nothing to fear from an audit. In fact, it may be helpful in making improvements to your operations.

If your team operates ad hoc with few controls and little tracking, you could be in deep trouble. I am not an advocate of writing mountains of documentation or saving every scrap of e-mail and instant messaging. However, you must be able to show that your operation is disciplined and under control.

Here is what you can expect from an audit and what you should do to make it go smoothly.

A Closer Look

Tight budgets and increased government regulation are increasing IT audits.

If a company operates with few controls and little tracking, it could be in trouble.

Documentation is crucial. The better things are documented, the better the audit will most likely go.

 
IT audits may be conducted by someone inside or outside of the organization. Ask to meet with the auditors before the audit begins. Find out exactly what they intend to audit and what they will be looking for. Ask about tools and facilities they will need and how long the audit will take.

Request a list of the documentation they will need to review. Keep in mind that documentation is critical. Auditors love it. The better things are documented, the easier the audit.

Now that you know what to expect, assign someone on your team to be the point person. Auditors will have lots of questions and will need almost constant supervision. You do not want them wandering around asking questions. The point person must be able to lead the way and get answers to questions quickly.

Strongly consider giving the auditors a formal presentation on their first day. Show them the IT infrastructure and the software in use. Explain how the systems are used and where the data resides. Give them a sense of where data moves and how work flows.

Security is part of every audit, so explain how user authorization works. Describe security controls and encryption mechanisms. If there are weaknesses in your infrastructure or security, you should admit to them. Auditors are very good at finding these issues and, sometimes, blowing them out of proportion. Get the issues out in the open and explain what is being done about them.

Let the audit begin. Be supportive and try to give the auditors what they need. Arguing only makes it appear that you have something to hide, causing them to dig deeper. (By the way, if the auditors are outsiders, be sure they have signed a non-disclosure agreement.)

They are likely to require login access to some key systems. Read-only rights should be sufficient. There is no reason for them to be changing anything.

As the audit nears completion, a wrap-up meeting is a good idea. It gives you an opportunity to explore preliminary findings and correct misinterpretations. The final result of the audit will be a report. Ask if you may see a draft copy before publication.

Every audit uncovers deficiencies. You may be tempted to explain how you will correct these issues, but be careful. Anything you say can and will be used against you in a future audit. Be conservative with your commitments.

Once the auditors leave, meet with your management team and your IT team to determine what most urgently needs to be addressed. I cannot stress “urgently” enough. There are likely to be many issues, large and small, that need attention. Trying to fix them all at once will lead to chaos.

Put a plan together to address issues that are costing the company money or placing it at risk. Follow through and document the results. Add this information to the file for next year’s audit.

With a little planning, IT audits can help improve IT operations. As for those who operate completely ad hoc, consider spending time planning your next career move instead.

Vin D'Amico is president of Damicon. He specializes in agile processes and freelance writing. He can be reached at vin@damicon.com.


Copyright © 2010 IndUS Business Journal. All rights reserved.