Many IT organizations are good at establishing policies but
have an uneven ability to get their staff to follow them. It is important that
an organization be able to enforce policies. If the policies are important
enough to create and approve, they are important enough to enforce. In fact,
when I coach managers on their governance process (the ability to enforce
standards and policies) I tell them that if they are not prepared to enforce a
policy, there is really no reason to create it to begin with.

The best way to make sure your organization follows your
defined policies is to initiate a policy audit. On the surface, a policy audit
might seem daunting. However, it is not so hard. Follow this simple process to
execute an audit to ensure your IT policies are being followed.

  1. Inventory your policies. You can’t do a policy audit if you are not sure
     what your policies are. The first thing to do is to inventory all of the
     policies in the IT organization.
  2. Pick the policies that are most important, and then a few more. You could
     audit every policy in your inventory, but you don’t need to. Pick out the
     policies that are important to you, such as your email policies, your
     Internet usage policy, and your hardware procurement policy. Then pick out
     a couple more policies more or less at random. The reason for picking both
     is that you want to ensure that your most important policies are being
     followed, plus you want to check some others to make sure that your
     organization seems to be following all policies, not just the important
     ones.
  3. Talk to the business owners of each policy. Start by identifying the
     business owner of each policy and have a discussion with them about each
     policy.
  4. Validate automated enforcement. Ask the policy owner whether there are any
     enforcement mechanisms that ensure that the policy is followed. For
     instance, you may have a policy for virus scanning of all inbound emails.
     When you talk to the email group, you may discover that this policy can be
     enforced systematically, since this group owns the email servers and can
     ensure that all incoming emails are scanned. If a group can enforce a
     policy systematically, they need to prove that the policy is being
     enforced in all instances. If they can, you are fine for that policy. If
     they cannot validate that the policy is being enforced in all instances,
     then document this policy as one that needs further scrutiny.
  5. Manually audit the remainder of the policies. Most policies cannot be
     enforced systematically. Work with the policy owner to determine the best
     way to validate that the policy is being followed. Depending on the
     policy, this could take many forms. For instance:

     • You could look at the paperwork for 25 turnover instances to validate
       your production turnover policy.
     • Your teleworking policy may require that you identify 5 teleworkers and
       interview them and their managers.
     • You could analyze a cross-section of 20 workstations from around the
       company to determine whether your workstation policies are being
       followed.
  6. Prepare general conclusions. After you have completed all of the
     individual audits, you can draw some overall conclusions. For instance, if
     the results of the individual policy audits are all generally favorable
     (perhaps not perfect, but generally favorable), then the CIO should feel
     confident that policies are generally being followed. If the results of
     most of the specific audits were unfavorable, then the CIO has reason for
     concern that policies in general are not being followed. Some follow-up
     will be necessary to determine why the policies are not being followed,
     and then an action plan will need to be put into place to ensure your
     organization does follow its defined policies.

You don’t have to audit every policy and every instance to
make an overall conclusion on whether your organization is following your
documented policies. Based on the results of this policy audit you can
determine if you are okay in how your organization follows policies or whether
you have more work to do.