As an IT auditor, I have always tried to help rather than hurt the IT areas I review. In most cases, my findings were already known by management, but the problems had not been sufficiently documented to do anything. And in most cases, my recommendations are accepted. Maybe not happily, but as something that does need to be addressed.
I have seen IT managers use my audits exactly as the article suggests -- as a means of getting additional resources to complete a project or to staff up forbetter coverage. The benefits work both ways, too. By using an audit to their own benefit, clients encourage future auditees to be more open and cooperative when I review them. Thanks for a good article.
Discussion on:
View:
Show:
I have seen folks try to make an audit report worse than it actually is to try to achieve some other objective. You need to remain aware of the full audience of an audit report (regulatory agencies, customers, financiers, etc.) and all the ramifications if something is made to appear worse than it actually is.
Great article and the timing is perfect. I am about to go into my first IT audit next month and didn't know what to expect. Not only will this reinforce solutions needed in IT but not implemented due to the owner wearing money blinders, but it will also raise some much needed respect and awareness of my department. A couple of bad admins have made life hell in IT here, this may change a lot of things for the better. thanks!
We had an audit done, but the report is very "vanilla." It states the things (mostly) that we knew were "broken," but there are no suggestions on what the replacements should be. When you do an audit and say, for example, that a new technology should be employed, do you also offer suggestions as to what that technology should be? Does anyone have a GOOD audit report they would be willing to share (redacted of all personal information, of course). Thanks.
I cannot share an audit report from the clients we have and the ones we get auditing our business are useless except to research and lab people as we are useing now technology you might get in the next year or so if then as it may prove not viablein the marketplace and is thus not profitable to manufacture on a retail basis;
An audit report should contain the fact that there is a problem and document it in the manner that the documents exist and they are at this location this, at the least, appears to be the problem and if possible this is the cause, what you said in that a recommendation to try new or another technology is usually all you will get as the auditors are a type of accountingers and not technitions in the feilds they address almost all the time and 'ARE' great at finding and recommending that things are there.
It is more complex than that and I know it but I'm not an auditor.
RIVER FREIGHT
An audit report should contain the fact that there is a problem and document it in the manner that the documents exist and they are at this location this, at the least, appears to be the problem and if possible this is the cause, what you said in that a recommendation to try new or another technology is usually all you will get as the auditors are a type of accountingers and not technitions in the feilds they address almost all the time and 'ARE' great at finding and recommending that things are there.
It is more complex than that and I know it but I'm not an auditor.
RIVER FREIGHT
I too agree wholeheartedly. But I?d like to add a few comments of my own.
1. An area ignored in the article is disaster resilience/business recovery plans. I can assure you that IT auditors give this considerable weight.
2. I too have used auditors? observations to press some points a bit more with senior management. All IT managers should know in advance where the weaknesses are in their areas, and should not wait for an audit to point them out. I have been laying the groundwork with my management team for a number of improvements in a number of areas, and the fact that the IT audit makes a recommendation that I have been asking for re-enforces my point. Of course, I don?t say ?I told you so.?
3. IT auditing has become a complex but well defined art. Good auditing today probably incorporates much of the COBIT (Control Objectives for Information and Related technology, established by the Information Systems and Audit Control Association) methodology. It is well worth reading up on this ? all IT managers should know the basics. Much is available free at this site:
http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981&CFID=124620&CFTOKEN=55481391
Ed Brandon
IT Manager
CIMMYT, Int.
Mexico
1. An area ignored in the article is disaster resilience/business recovery plans. I can assure you that IT auditors give this considerable weight.
2. I too have used auditors? observations to press some points a bit more with senior management. All IT managers should know in advance where the weaknesses are in their areas, and should not wait for an audit to point them out. I have been laying the groundwork with my management team for a number of improvements in a number of areas, and the fact that the IT audit makes a recommendation that I have been asking for re-enforces my point. Of course, I don?t say ?I told you so.?
3. IT auditing has become a complex but well defined art. Good auditing today probably incorporates much of the COBIT (Control Objectives for Information and Related technology, established by the Information Systems and Audit Control Association) methodology. It is well worth reading up on this ? all IT managers should know the basics. Much is available free at this site:
http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981&CFID=124620&CFTOKEN=55481391
Ed Brandon
IT Manager
CIMMYT, Int.
Mexico
In this case you are bringing in the auditor(s) to justify?
If this is the case then look at another approach: If your company has in-house auditors then a reveiw of the work they have on file can be very revealing, also, you can bring in outside auditors and again they can go over what is and what was and be very revealling.
RIVER FREIGHT
If this is the case then look at another approach: If your company has in-house auditors then a reveiw of the work they have on file can be very revealing, also, you can bring in outside auditors and again they can go over what is and what was and be very revealling.
RIVER FREIGHT
While using the IT audit to justify additional resources is important you have to bear in mind that some of the findings may not be to IS management's liking.
The key things that you really should be focussing is the "IT Value for Money" question.
Generally value comes from the two key roles of IT:
a) Investing for Advantage - Creating Economic Value e.g. If investments are made in the wrong initiatives then economic value may be destroyed.
b) Keeping the lights on - Running the systems e.g. If the lights are not on, then the business will incur extra cost, customer service is reduced, IT user staff become unproductive and management are not able to make rapid decisions.
Where IT auditors can help significantly is addressing the above two areas which generally aim to improve performance and bottom line profitability.
If you look at a) then the introduction of new/amended systems may help with supporting process change and improving business performance.
Auditors whether internal or external (generally they will have access to a wider knowledge base and experience of process benchmarking, etc) could bring new perspectives and hopefully specific recommendations (pragmatic also) that have been discussed with management. Point b) should seek to reduce IT costs and improve IT services to internal and external customers through IT benchmarking or using TCO to measure performance as we all know there are always areas where we could be performing better. If you can show business management that you are identified savings along the line they are more likely to provide you with the cash to help improve the current ways of working (even in a though climate).
The key things that you really should be focussing is the "IT Value for Money" question.
Generally value comes from the two key roles of IT:
a) Investing for Advantage - Creating Economic Value e.g. If investments are made in the wrong initiatives then economic value may be destroyed.
b) Keeping the lights on - Running the systems e.g. If the lights are not on, then the business will incur extra cost, customer service is reduced, IT user staff become unproductive and management are not able to make rapid decisions.
Where IT auditors can help significantly is addressing the above two areas which generally aim to improve performance and bottom line profitability.
If you look at a) then the introduction of new/amended systems may help with supporting process change and improving business performance.
Auditors whether internal or external (generally they will have access to a wider knowledge base and experience of process benchmarking, etc) could bring new perspectives and hopefully specific recommendations (pragmatic also) that have been discussed with management. Point b) should seek to reduce IT costs and improve IT services to internal and external customers through IT benchmarking or using TCO to measure performance as we all know there are always areas where we could be performing better. If you can show business management that you are identified savings along the line they are more likely to provide you with the cash to help improve the current ways of working (even in a though climate).
- Keyboard Shortcuts:
- Prev
- Next
- Toggle
