When did you last have an IT Audit?

Probably never, most organisations have never had an independent assessment of the state of their IT. Given that most organisations rely on IT for their ability to operate this might seem surprising, but many organisations simply don't know what to expect or ask for.

 

Some have had an “IT Audit” free from an IT supplier or prospective supplier, but ultimately these are nothing more than lead-generation opportunities, they are free only because the supplier generates business opportunities from being able to take a look behind the scenes, and they are often worthless because few IT suppliers have actually done the job of running corporate IT.

So what should you expect? An IT Audit may cover a wide range of considerations: 

• Systems and Applications: An audit to verify that systems and applications are appropriate to the organisation’s needs, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
• Information Products: An audit to confirm that the computer generated information being used by the organisation is accurate, is appropriate to the organisation’s needs, likely including a gap analysis identifying how information products may be improved.
• IT Strategy: An audit to verify that the current IT strategy for the organisation meets the current and projected business needs of the organisation’s business strategy, and to propose corrections as necessary.
• Skills: An audit to determine whether the skills available from the IT team are adequate and well matched to the organisation’s current and future needs, likely including a gap analysis.
• Service: An audit to determine whether the level of service being provided by the IT function to its users is adequate and efficient, whether the service management methods are appropriate and efficient, and whether there are opportunities for systemic improvements to reduce the cost of service both in the IT function and to the organisation as a whole.
• Risk: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions, including assessment of threats from mismanagement, system failure, “disaster”, and security breaches.
• Systems Development: An audit to verify that the systems under development meet the objectives of the organization, are being developed efficiently, and to ensure that the systems are developed in accordance with appropriate controls to ensure satisfactory outcomes.
• Management: An audit to verify that IT management has developed an organizational structure and IT management / operational procedures to ensure a controlled, efficient and low risk environment for information processing.
• Information Security: An audit to ensure that appropriate mechanisms and processes are in place to reasonably ensure the security of information / data held by the organisation.
• Data Protection: An audit to ensure that the data protection practices of the organisation comply with statutory requirements for the protection of personal data.

This list covers the general areas which may be included in an IT audit, but it is far from complete. Depending on the technology employed by an organisation, and its use of that technology, there may be a need for more specialist examination, for instance Information/Data Architecture or Information Asset Management.

Clearly the breadth of IT Audit is such that a comprehensive examination of an organisation’s IT systems and capabilities may be a significant undertaking, so it is important when seeking the assurance of an external advisor that you know which aspects of of your organisation’s IT you want to validate. When you engage an IT expert to audit your systems you should be able to give them a clear brief of what needs to be in scope in order to meet your objectives.