If you're a chief information officer or IT leader, the outside IT audit is almost always an unpopular project.
You think about how much time it’s going to take from critical projects and about the impact on your most valuable personnel, who will be getting asked questions about documentation and procedural details that, aside from security, are seldom revisited in the course of a day.
These audits, which almost always yield some findings, are also unpopular topics for CIOs and IT leaders to discuss with the board of directors.
Despite these feelings, there are useful ways that outside IT audits can be employed to improve IT throughout the company, which can ultimately benefit both strategic and operational goals. Here are nine ways to use them to your advantage:
1. Gap analysis
At one company, an IT audit confirmed airtight security on central IT assets but detected loose security policies and protections in several field offices. Unbeknownst to IT, users in these offices had brought in some of their own equipment without taking proper security precautions. The policies were there, but the practice wasn’t. The audit's security and vulnerability test revealed the exposure -- and with it, a gap in IT’s security coverage: monitoring and enforcement of security in the remote field offices did not go far enough.
Would IT have seen this gap on its own? Probably. But the question is, when would that gap have been discovered?
In another case, a written policy for bring your own device (BYOD) hadn’t been updated for three years. The auditor called out the need for an update. Would IT have gotten to a review of this policy without being prompted? Probably at some point -- but when?
In both cases, an outside audit firm whose charter was to find the gaps found the flaws before a malicious attack could occur.
2. Best practice suggestions
An IT auditor reviews policies, procedures, system execution and IT workflows.
With newer technologies like AI (artificial intelligence) and IoT (Internet of Things) coming onboard, coupled with the emergence of new approaches like DevOps and the rise of citizen developers, companies have to rethink how they operate and support their IT.
Many have still not settled on IT organization deployment and operations for these newer functions and are operating somewhat informally.
An outside audit firm, which oversees the operations of many different organizations, can offer best practices that assist IT in defining the best organizational structures and support approaches for new methods and systems.
3. Spot consulting
Outside audit firms bring more than expertise in system, policy and procedure reviews. They also have experts on staff in areas such as IT security.
For small- and medium-sized companies in particular, there is an opportunity to engage an audit firm in “spot” consulting for staff in an area such as IT security, the setting and administration of proper security controls, and the design of security policies and procedures.
4. Seminars and courses
Outside audit firms offer seminars and courses in the areas of security and compliance. This training is particularly useful for companies that have an internal audit function, and/or for IT departments that perform internal audits of systems and networks as part of their normal workload. Additionally, participating periodically in an audit firm’s seminar or briefing can alert IT to new types of security threats and contribute to IT’s preparedness for these threats.
Participating in auditors’ seminars can also save companies the legal costs they would otherwise incur when they must consult an attorney about regulatory and compliance changes that affect their industries. The costs are saved because companies learn of these changes themselves, which gives them the opportunity to take that knowledge and update their systems to reflect the regulatory and compliance revisions.
5. New technology pre-deployment security reviews
Whether it is a compliance verification check, a security check, or a verification that all policies and procedures supporting a new system or method are in place, it is often a good idea to ask an outside audit firm to review all of these areas in advance of a major system or method deployment.
The outside review ensures that no critical security, compliance, policy or procedure areas have been missed, and it contributes to a smooth installation of the system or method.
6. Vendor recommendations and reviews
During the RFP (request for proposal) process, it is critical to ensure that the vendors you are considering are compliant with your industry standards, and that they support the levels of security and governance that you expect.
If there is any doubt about this, or if you want a set of “outside eyes” to evaluate the vendor, an outside audit firm can be a good place to turn to.
7. Policy procurement
When I was a CIO, there were several times during IT audits when our outside auditor identified a policy or a procedure that we were missing.
In almost every case, I asked the auditor for an example policy and procedure, and they provided it. This was a great help. It eliminated our need to develop these policies and procedures “from scratch,” and it provided access to best practice policies and procedures in the areas where we needed them.
8. Documentation reviews
Documentation is the bane of IT. Consequently, IT documentation is either poor or missing altogether.
A lack of good documentation impacts time to resolution when a system problem occurs. This creates downtime for the system, its users, and the business. Meanwhile, system support programmers must try to decipher undocumented or poorly documented routines to figure out where the routines are failing and how to fix them.
Since downtime is something that companies can't afford, a review of documentation and the identification of deficient areas by an outside audit firm can help. The audit firm can review documentation of applications, policies, procedures and operations of IT staff in systems, applications, database, networks, and any other area that you request.
9. User area IT reviews
With the growth of citizen developers, shadow IT and edge computing, outside IT audit firms can review the health of these systems that are deployed in end-user areas.
The systems can be reviewed for security, policies, procedures, governance and compliance. This can be a tremendous aid to companies that have large-scale shadow IT operating independently of IT, because the audit firm can identify gaps and vulnerabilities that may have been overlooked.