If you're like most people, audit is right up there with root canal on your list of Things to Avoid When Possible. But when done right, internal audits can be an incredibly powerful tool for increasing IT operational efficiency, preparing for disaster recovery, strengthening IT governance, and showing measurable improvement in your organization's IT health over time. Let's take a look at a simple audit framework for checking the three core areas of IT. I'll also provide some tips on how to conduct mostly painless audits.
A Simple IT Audit Framework
At the heart of an IT department are three core components: policies, processes and procedures, and operations. Policies are what you must do, processes and procedures are what you say you do and how you say you do it, and operations are what you really do.
Policies. Policies are the foundation of the IT department. Policies are expressed in written statements that contain the organization's official IT standards— everything from procurement to acceptable use—and that executive management has agreed to.
Processes and procedures. Processes and procedures describe and prescribe how the IT staff should comply with policies. Although the words process and procedure are often used interchangeably, there's a distinct difference in their meanings: A process is a broadly defined set of actions or functions that bring about a desired result, whereas a procedure is the specific series of steps that various employees must take to accomplish that goal. For example, your organization likely has both a process and a procedure for creating a user account for new employees. The process states that HR lets IT know about a new employee being hired and that an account is created for the new employee, whereas the procedure describes the exact steps for creating the new employee's account.
Operations. While policies provide the bylaws for information security, and processes and procedures outline the approved methods of compliance; operations are what IT managers and administrators actually do.
The simple audit framework I propose has the goal of determining to what extent your policies, processes, procedures, and operations are complete, comprehensive, and aligned. For each policy, locate the written processes and procedures and interview IT managers and staff to determine how well operations follow the prescribed procedures. Give each policy, process and procedure, and operation a summary and rating, using a simple scale such as the one shown in Table 1. Policies should be compared to industry best practices, such as ISO/IEC 17799:2005 for security and ISO 9000 for quality management. (Visit the ISO Web site at http://www.iso.org/iso/en/ISOOnline.frontpage for more information about these best practices.) To learn more about IT policy standards and audit frameworks, go to the Information Systems Audit and Control Association (ISACA) Web site at http://www.isaca.org.
This audit framework will help your organization set goals and track your progress in the areas that need improvement. It can also help you make apples-to-apples comparisons of IT health across different IT services.
5 Tips for a Mostly Painless Audit
There are few things that evoke more bitter feelings in IT managers than the thought of an internal auditor digging around their network, nitpicking the tiniest details. Unfair or not, these are the images that audits inspire. You should be sensitive to this reaction as you plan an IT audit. Although the goal of your audit isn't to find fault, audits inherently measure success and failure. That said, the following five tips can help make audits less painful for the employees whose work is being audited.
Clarify what your goals are. Always remember that the goal of an IT audit isn't to find fault or place blame but rather to improve the technology services offered by the IT department. By clearly stating your goals at the beginning of an audit, you can avoid starting off on the wrong foot. For a well-performing IT department, an audit can be a welcome opportunity to quantify its success.
Be specific about the audit target and criteria. No one likes to be judged against unknown standards—it's like being asked to take a test but not being told what the test will cover or how it will be graded. If you specify the audit criteria, IT managers and staff will be more comfortable because they'll have a sense of how prepared they are and what they need to do to be more prepared. Auditing specific services, such as an email application or a single line of business (LOB) application, is much easier and less time consuming for both the auditor and the audited than auditing an entire department.
Notify IT managers well ahead of time. Because the goal of an audit isn't to find fault or place blame, there's no need to ambush your employees. If you notify IT managers well ahead of time that their department is going to be audited, the IT staff will not only be able to make the appropriate changes, but will also be prepared to work with you to complete the audit. This will also minimize the disruption to your business.
Be positive. Avoid verbalizing shock or dismay if you find problems, even if they are indeed shocking. A negative reaction on your part will create an adversarial or threatening environment, which won't be conducive to your overall goals. Rather, document what you find, make positive suggestions about how to improve the situation, and listen for mitigating factors. There might be legitimate reasons for what you find, but you might not hear them if a negative relationship is created with the IT staff. For example, you might find policy violations with an intranet server, but the IT staff might have been told by management that securing this server is a lower priority than working on the Internet-facing Web server farm.
Share written findings with IT. Before you submit your written audit report to upper management, give the department that was audited time to review the findings and dispute any details they feel are incorrect or unfair and to fix the areas that need improvement. Ideally, you should work with the department to set a reasonable timeframe for coming into compliance and a process for reauditing the deficient areas.
Providing a Basis for Improvement
Audits don't have to be as scary or painful as a root canal—in fact, when positioned, managed, and executed properly, audits can be a key part of your organization's IT and business strategy. They can also provide a basis for measurable, continuous improvement—something that's difficult to establish in a discipline where the failures (such as an email server crashing) are more obvious than the successes (the email server being up the other 364 days and 23 hours of the year).