How to audit your IT and where to focus

Properly controlling IT is a challenge for small-to-medium sized businesses, who may not have the specialist resource or mature processes to help them manage the risk. Auditors, customers, regulators, and lots of other people want good IT controls.  At its most basic, these are controls designed to ensure that your technology is compliant, secure, and helps deliver the value and function you want from your investment in technology. 

Strong IT control comprises a combination of measures that relate to:

People – making sure people understand their role and know what to do to manage and maintain data privacy. 

Process – making sure everyone is clear on what’s expected and how it should be delivered. 

Technology – implementing, configuring, using, and monitoring your systems in a safe and secure way. 

No set of measures will guarantee perfect IT control.  However, taking the right measures for your organisation will strengthen the controls you already have in place and keep them in line with the expectations of your customers, clients, business partners and auditors.

What to cover

Six areas to consider in your audit of IT controls are outlined below:

IT Management & Oversight 

As with any other function, your Board and senior management need to take an interest in IT.  Unlike most other functions, however, Board members do not always understand IT risk and control.

Ask yourself: 

  • Have you allocated board responsibility for IT?
  • Have you defined the aims and plans for IT?
  • How do you report on performance against these plans? 

IT is ubiquitous, and so the management and oversight of IT is an important part of an organisation’s system of operational management.  

IT Change Management 

Despite our best efforts, things go wrong when you change IT.  Systems break, new security weaknesses are introduced, and the list of potential problems is never ending.  This is why we view IT change management as one of the most important areas of this review.

Think about whether and how you: 

  • Record your changes.
  • Map the changes in a calendar to identify clashes and bottlenecks.
  • Test your changes.
  • Ensure you can reverse changes if you need to.

To many organisations, impatient to realise the value from a new function or technology, this may seem like bureaucracy and unnecessary paperwork.  However, if you are not in control of your changes, you are not truly in control of your systems.

IT Compliance & Security 

IT has become pervasive in most organisations.  There are a growing number of regulations and rules that apply to how you manage, configure and use technology.  

Think about how you: 

  • Manage compliance with the external requirements that apply to IT.
  • Design compliant systems.
  • Report compliance to senior management.

To manage your IT systems and data processing, you need to manage more than function and cost. 

IT Operations & Administration 

In the engine room of your IT function there will be people working hard to keep your systems available and secure. 

Talk to them and understand how they cover the following: 

  • Technology architecture and design.
  • Routine administration and preventative maintenance such as updates and patching.
  • Backup and testing.
  • Interfaces between systems and routine batch processing.

IT operations and maintenance are often overlooked, but effective administration and operation are crucial to making sure systems work as expected.

IT Resilience 

Systems are expected to cope with several issues that could impact their resilience, from variable usage to component failure.  This is why they need to be designed and built with resilience in mind. 

How have you: 

  • Built resilience into your technical infrastructure.
  • Designed effective IT and business recovery plans.
  • Integrated the resilience of your major suppliers into your overall resilience stance.

More and more customers, clients and regulators expect your services to be resilient. If you rely on technology for this, then you should make sure you have the right control measures in place. 

IT Service Delivery 

IT is a service function.  By this we mean that IT provides a service to the business.  That service consists of systems needed to deliver your product to the end client or customers. 

As with any service, this needs to be properly managed.  Consider whether and how you: 

  • Have defined the IT service.
  • Manage and report against an agreed IT service level.

If you don’t manage IT as a service, then it’s likely your users will become frustrated at some point. If you do manage as a service, you’ll find it far easier to demonstrate value from your investment in IT. 

These are just some initial areas to consider.  If you review them, you will gain a good understanding of your IT controls and how formal they are.  If you have an audit coming up, that is a good place to start to make sure you are prepared.  If you want more detail, try out our free health check tool; if you prefer to talk to someone, please just get in touch.