
It never ceases to amaze me that in spite of the widely reported cases of hacking, data theft and misuse of company IT resources, many enterprises have not taken the initiative of conducting internal IT audits, let alone thought of conducting an external one. This scenario has especially been observed in smaller business organisations.
First, let us see why smaller organisations should be concerned about doing an internal IT audit.
IT users in organisations, intentionally or unintentionally, misuse the company's IT resources in terms of bandwidth, Internet usage and what they store on their hard drives. Now, just as an organisation will not like its monetary resources to be misused, it cannot accept the misuse of its IT resources.
The question now arises as to who should conduct the internal IT audit. If cost and manpower are not a constraint, then ideally there should be a dedicated internal IT audit team or specialist. But what does the IT department do when either the cost or a lack of initiative from the management poses a problem?
In such a case, even though it goes against the basic tenet that a person should not audit one's own work, I feel that someone of the rank of an IT manager, or above, should take the initiative. It is better to conduct an internal IT audit than to carry out no audit at all.
Get the management's buy-in
The first step will obviously be to educate and convince the senior management to lend their support. The IT manager will need to explain the requirements of conducting internal IT audits and their advantages. It's important to point out how IT resources are being wasted or misused and what threats and risks the organisation faces, preferably backed by statistical data.
Ideally, all this should be in the form of a written communication, followed by a presentation to the management.
Once the management gives the go-ahead for conducting an IT audit, the next step is to convince them to appoint a small IT steering committee, comprising senior people, to oversee the functioning of the IT audit and to frame the IT policies and guidelines to be followed. The internal IT auditor will report to this committee.
Adopt a framework
The next step is to adopt a framework such as the ISO 27001 standard. This will ensure that the major areas are addressed by the internal auditor. Although the current ISO 27001 standard does not address issues such as Wi-Fi technology and Green IT, nothing prevents a company from including additional points in its audit guidelines.
The internal IT auditor will need to be educated in auditing skills. Ideally, the person should undergo professional training such as CISA or the ISO 27001 Lead Auditor programme. At the same time, it goes without saying that upgrading technical skills will remain a continuous process.
Another important thing that the internal IT auditor should monitor closely is the body of laws relating to IT. This is generally overlooked, and can lead to serious problems.
Develop soft skills
It is important to remember that as an auditor, an IT manager should not just have an excellent understanding of technology, but also needs to be a good communicator. If the IT auditor is unable to communicate clearly and effectively with the management and employees, the audit process is bound to fail. Other soft skills such as leadership and interpersonal skills are also important.
Finally, when it comes to acquiring software tools for auditing, if the organisation is not willing to invest in licensed software, there is a plethora of free auditing tools available online. The IT manager (now in the shoes of an internal IT auditor) will need to evaluate such tools and deploy the ones that best suit the organisation's requirements.
The role of an internal IT auditor can be interesting, yet challenging, for the IT manager. The biggest challenge will perhaps lie in disclosing the true findings of an audit to the management in such a manner that it ultimately benefits the organisation.
If communicated correctly and in a positive manner, these findings will garner further management support for strengthening the auditing process and curbing the misuse of IT resources in the organisation.
The author is Manager - IT, Tata Services