An audit! Among IT professionals, audits have a bad reputation. They are believed to be something to be dreaded, lying somewhere in the continuum of suffering between a root canal and being mauled by a bear. Auditors are seen as being either sadists who enjoy inflicting pain on their victims or zombie-like beings devoid of any measure of human compassion or humor.
Let’s take a quick look at audits from an IT perspective and consider whether or not those views are valid. We should start with a review of what audits are, their objectives, and their methods.
Ultimately, the goal of an audit is to verify that an organization’s records (e.g., financial reports) are accurate, that there are adequate controls in place to protect the organization’s assets, and that policies and procedures being followed.
When the auditors come knocking on your door, they want to verify that all of the assets assigned to IT actually exist and can be located. The assets include hardware, software, and all other assets. They will also want to verify that adequate controls exist to protect those assets from misuse or theft.
The processes followed by auditors are actually a compromise. In a perfect world, with an unlimited budget for the audit, the auditors would personally inventory every asset and examine every piece of supporting documentation. Of course, that would be incredibly expensive and no organization could afford such an audit. Instead, auditors examine records (for example, an equipment inventory). Next, they test the accuracy of those records with spot checks in which they actually examine the things on which those records are based.
It is true that an audit is disruptive, whether in IT, accounting, or any other department. There are strangers requesting information. Responding to those requests represents additional work for people whose schedules are already very full. Of course, in these situations, IT can be its own worst enemy or, to quote Pogo, “We have met the enemy and he is us.” While an accounting department’s practices are based upon centuries of experience, IT has only been around for a few decades. Most IT departments are not prepared to respond efficiently to requests from auditors. They often lack the necessary discipline, documentation and records. Their discipline is centered around keeping thisngs running. Therefore, every request from an auditor turns into a labor-intensive task. Furthermore, the longer it takes to respond to a request, the less credible the answer seems.
If IT departments want to make audits less painful, they must be better prepared for the audits. They must automate the recordkeeping and test the accuracy of their records throughout the year—not just when the auditors arrive. By doing so, they can identify and resolve problems before the auditors discover them. Furthermore, this will pay real benefits for the department and the business, such as:
- Identify missing or misplaced equipment
- Ensure accurate accounting records (assets and depreciation)
- Minimize warranty and maintenance costs
- Minimize software license costs
- Increase the accuracy of the data used for IT operations
In the end, while you still may not want an auditor as your best friend, it is possible to minimize the pain of an audit and reap other benefits for the business.
Join me and Andrew McGovern, Director of Global Solution Consulting at Kaseya, on October 15th at 2 PM eastern for an indepth one-hour discussion on effective auditing processes and techniques to dramatically reduce the pain of IT audits.
This guest blog post was written by Rick Sturm, founder and CEO of analyst firm, Enterprise Management Associates.