Imagine you weren’t forced to take your car for an annual MOT, and you could continue to drive it whatever condition it’s in. Whilst I know enthusiasts and petrol-heads could keep a car in a safe and working order, without the help of a trained mechanic I wouldn’t have a clue when it’s time to change the brake discs or the oil-filter. Without my MOT, I wouldn’t have the confidence to know that I’d stop if I had to slam on the brakes, or that my airbag would deploy properly if I actually had a collision.
Security wise, what if I had a car alarm installed and one of my passengers left a window open, thereby circumventing my diligence?
Of course, with these examples I’m alluding to disaster recovery and security, the first things an IT professional might think of when discussing an IT risk audit. Whilst recoverability is an important facet of an appraisal, wouldn’t it be better if your infrastructure had enough inherent resiliency that if something did fail, the rest of the system could carry on servicing the business?
Tailoring the scope
Our approach to IT auditing begins by tailoring the scope of the audit to the business requirements. Some businesses desire a comprehensive review of all IT services and technologies in use, whilst others might prefer to focus on a subset that for one reason or another the business has a cause for concern over. The audit might be purely technology focused, or could optionally include a detailed service maturity assessment; a review of people, process and technology to assess the level of proactivity, value and best practice demonstrated by the current IT service.
In either case, the first step is usually a verbal discovery exercise, giving stakeholders an opportunity to air concerns and contribute to the initial focus of the exercise. This is of particular importance where an audit does not form part of our on-boarding process to a managed service agreement. Sometimes we are asked to perform an audit for compliance or insurance related reasons but often it’s because there is an issue key stakeholders are concerned about. The audit doesn’t focus solely on risk – opportunities for efficiency improvements or cost savings will also be included as recommendations.
The exercise must be conducted impartially. Often the on-site IT staff will have the best ideas to feed into a programme of change, so engaging these key staff at the outset and satisfying them that this is a means to improvement will often ensure they are willing to positively contribute to the output.
It’s important to us that we understand the needs of the client. The advice we offer will be bespoke to the needs, culture and risk appetite of the business. For example, where a security-focused company would find it unacceptable for non-corporate devices to appear on a network and require a technical solution to prevent this, another business with a 'Bring Your Own Device' culture would find the same solution less than useless!
An audit will typically involve a number of days of information-gathering, both on-premise, where we can speak with staff and understand the business, and remotely where appropriate. The amount of time required is determined by the scope, and will broadly depend on the size of the business and the IT estate, the complexity and diversity of the business applications used, and the number of sites involved.
By nature, there is a fair amount of technical detail in an IT audit, since specific risks need to be described accurately; without that detail it would be hard to justify recommendations for improvement, particularly where expenditure might be required. In most cases, an IT audit will act as a catalyst for change, often demonstrating to the business why investment is required in certain areas. It’s therefore critical that the report be summarised for a non-technical audience, and that technical content is accompanied by dialogue to explain the bottom line.
Consistent throughout all our audits is our executive summary. Many businesses find this ‘de-mystifies’ IT in an organization, often for the first time! It can provide clarity at board level of good practice, risk, and opportunities for improvement. In particular, our R-A-G (Red-Amber-Green) status gives stakeholders a one or two-page snapshot of the IT infrastructure.
Key recommendations are also summarised and presented with an indicative business value and cost. Where relevant and appropriate, a high-level action plan might also be included for the short, medium, and long-term. A summary may also be presented to stakeholders, providing an opportunity for dialogue and further clarification of certain aspects.
As time goes on and a service improvement plan is carried out, the IT infrastructure can be measured against the initial baseline from the audit to demonstrate progress, and the value that has been delivered to the business.
Ensuring a return on your IT investment
We have been able to help plenty of businesses, large and small, give direction to their IT strategy. For every business, there have been a series of quick wins that provide immediate risk mitigation and improvements for minimal cost and effort. As well as providing easy mitigation, these quick wins often create the necessary momentum within the business to tackle larger-scale improvements. Where longer-term strategy is required or higher expenditure is involved, the business can then make an informed decision on whether the associated risks are acceptable, or whether enough value will be derived to plan the changes into the IT budget.
Not every car owner needs a mechanic to tell them what needs fixing. In the same vein, with discipline, the right technical skills, and the available time, IT departments can be capable of carrying out their own health checks. However, where time or skills are an issue, where an independent opinion is needed to validate risks, to highlight to the business where there is a need to invest, or to understand new solutions that are available, it can be beneficial to engage the services of a trusted IT partner.