IT Employment

General discussion


Justify additional resources with an IT audit

By debate ·
How often does your organization perform an IT audit? Have you used an audit to justify additional resources? Share your comments about using an IT audit to secure more funding, as discussed in the May 18 Government IT e-newsletter.

If you haven't subscribed to our free Government IT e-newsletter, sign up today!

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

Audit must include justifications

by twatkins In reply to Justify additional resour ...

The first question you have to ask is "Who is the audit being done for?". If it is for the ITS manager, then he may want a TCO approach. If you are doing it for the VP of Sales, he may want you to take a CRM perspective. I most often consult with at the CEO or COO level and they are mostly concerned with the overall cost-effectiveness of investments in corporate infrastructure. That can give on a whole new meaning for an ITS audit.

This means that the "conduct of an IT audit" can have a very wide interpretation but as this article implies, most often it is seen as an examination of the ITS HW/SW in isolation or in relation to the demand of users. This may cause the audit to be weak or misguided in it's justification for corporate funding. An IT audit must be looked at in the context of the entire business process that it supports.

An IT audit must chronicle more than the ITS HW/SW and who uses it. In my consulting practice, I use an analytical approach that starts with an analysis of the primary products or output of the organization. Using a series of logical extrapolations, I can tie the "capability and capacity" of the ITS to the mission or productivity goals of the organization.
A gap analysis shows what is needed and a cost-benefits analysis justifies the cost differential.

Threats that might justify security investments must be quantified with respect to their degree of risk and the impact and cost of installing and not installing the security upgrade.

As a consultant, I have to have no emotional commitment to a client's ITS installation, so I
have to be completely objective as to whether or not the system gets additional investments or not. I have to give the client and base my recommendation purely on objective and quantified prioritization of options in the context of other choices and the goals of the organization.

An audit ought to be done every time there is a major change in one of these three factors: (1) A major change in available technology (cost, performance, size, reliability, etc.) (2) a significant change in the requirements of the organization (productivity, efficiency, funding, effectiveness, goals, performance, responsibilities, priority, etc.) and (3) a change in the physical or manpower environment (location, space, HRM, work hours, work infrastructure, etc.)

The final audit report should take the form of a linkage (flowchart) that ties business requirements to support needs using the flow of the primary product or service as the link and then shows the present versus desired or optimum support along with the costs relative to benefits.

In the case of intangible benefits (security, reliability, maintainability, etc.), I use industry benchmarks, standards or experience to do a risk assessment relative to a more tangible benefit (productivity, thru-put, cost-per-unit, etc.).

T. Watkins
Management Technology Consulting, Inc.

Applying the Science of Decision Analysis to Business

"You can't manage, what you can't measure"

Related Discussions

Related Forums