Why Startup Founder Should Know IT Audit

Running out of cash, losing to the competition and legal issues are among the top reasons startups fail [1]. IT Audit is a process that helps founders prepare for those areas. While a full-fledged audit framework is too much for a startup, newer technology can help implement the core of an IT audit with much less effort.

Purnaresa Yuliartanto
Aug 15, 2021
IT Audit can be a casual conversation. Photo by Dylan Gillis on Unsplash

What Is IT Audit

In a startup's fast-paced culture, we can simplify: an IT Audit is a process to evaluate your IT environment to make sure it operates as intended and follows the industry's best practices. In detail, an IT audit is an examination of the management controls within an IT infrastructure and business applications. The evaluation of the evidence obtained determines whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives [2]. If not done effectively, the process will be long and complex.

The core benefit of an IT Audit is improving internal system design and effectiveness. The areas of improvement include development, operations, and security. Pragmatically, the benefit of an IT Audit is easy to understand. The problem is usually in the prioritization of founder resources. Delaying an IT Audit to a later stage is commonly observed in startup culture, but it only makes remediating the accumulated technical debt more complex later on. Making IT Audit part of the startup culture is more beneficial for avoiding technical debt and preparing for company growth.

Figure 1 Why IT audit good for startup

What Will Happen Without IT Audit

Unnecessary spending leaks

With a proper IT Audit, we can observe all assets in the company. From there, we can identify which assets are not optimized. Operational activities can also be observed in an IT Audit, and inefficient operations can be replaced with automation. More importantly, outdated technology can be identified early; newer computing technology offers a better cost-performance ratio [3]. This entire process helps a startup have a cost-optimized mindset from the beginning of its journey.

System failure risk

Management complexity is a common reason for system failure or downtime [4]. Managing 2 servers in early product development might be easy, but managing hundreds or thousands of servers is a difficult task without proper preparation. The IT Audit process helps prepare for scale. The output of the IT Audit indicates how many assets the company has and how they are managed. From there, we can evaluate industry best practices to get recommendations on how to manage them properly [5]. This way, system failure can be avoided as early as possible.

Investors move away

Currently, thousands of startups are created every month around the world. Only a finite number of startups receive investment, and a founder who hasn't received investment previously will have more difficulty getting it [6]. Imagine a situation where two startups are competing for investment: both have a great business idea and a decent takeoff, but one of them has a proper technical scaling plan from an IT Audit process. Investors will surely tend to invest in the startup that already does due diligence internally to prepare for future growth.

Cybersecurity attack

Developing an application to solve a problem is not easy. Managing production operations is harder. But protecting the operation from cyberattacks is the hardest for startups [7], mainly because startups do not have the resources and knowledge to do security hardening. To build a security posture, an IT Audit is the right step. The output of an IT Audit is a set of recommendations comparing the existing operation to best practices in the industry [5], meaning the company can start protecting itself from cybersecurity attacks.

How To Do IT Audit

COBIT and ISO are prime examples of IT Audit frameworks [8], [9]. They are widely used by enterprises globally. These frameworks explore every area of the enterprise environment, and that approach is too much for a startup. Startups have neither a dedicated team to do audits nor the time to follow every step in the framework. With the availability of automated auditing tools, a startup can do the core process of an IT audit without sacrificing valuable time and resources [10].

List every system in the environment

Start by writing down every system used in the company. Most companies have at least an email system for internal communication and a cloud provider to run their workload. Add more systems as the company moves forward, and keep the list as a living document that can be updated in the future. The idea of this step is to ensure the company knows where most of its data is operated. In this step, some assets may not be identified because they are self-managed assets that have to be maintained manually. That's why a self-managed asset from an IaaS provider is not the best choice if a SaaS counterpart is available; using more SaaS lessens the operational effort of a startup [11].

Configure audit feature on the system

Most modern systems already have a built-in audit feature; it's a standard feature for business SaaS. Amazon Web Services has AWS CloudTrail and AWS Config to ensure all access and assets are monitored and follow the compliance standard [12]. Office 365 has all the required features to manage identity, email, and documents within the company [13]. Follow each system's documentation to configure the auditing feature.

It's rare to see a business SaaS that does not have this type of functionality. If a system the company uses lacks it, it's recommended to move away from that system, because governing and auditing activity in that system will become a major issue in the future.

Evaluate audit report

Once the audit feature is configured in the system, review the report. Three activities need to be done on each finding: remediation, prevention, and monitoring. Remediation is the activity of fixing the finding based on compliance requirements or best practice. Prevention is the activity of creating a rule or condition that prevents a non-compliant action from being executed; this is the recommended first action to ensure the finding does not appear again. Most systems have this rule-checking functionality available; users have to enable the rules relevant to their company. Monitoring is the activity of watching every activity in the system. This is a very important activity, since it is what makes preventing non-compliant actions possible.

To remediate a finding, there are two approaches: automated and manual. Some findings can be remediated automatically [14]; it depends on system capability and finding complexity. Wherever automatic remediation is available, use it; otherwise remediate manually.
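As an added example (not code from the article), the following Python script walks through the remediation and monitoring steps described above over constructed data: an AWS Config-style snapshot is checked against two rules and each finding is tagged for automated or manual remediation, and CloudTrail-style records are scanned for actions worth alerting on. The resource and event shapes, the rule names and the auto-remediable flags are simplified assumptions for illustration, not the real AWS schemas or rule catalogue.

```python
# Constructed samples in simplified AWS Config / CloudTrail shapes; no API calls.
SNAPSHOT = [
    {"type": "AWS::EC2::SecurityGroup", "id": "sg-web",
     "config": {"ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]}},
    {"type": "AWS::EC2::SecurityGroup", "id": "sg-db",
     "config": {"ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]}},
    {"type": "AWS::S3::Bucket", "id": "startup-backups",
     "config": {"publicAccessBlock": False}},
]
TRAIL = [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "dev1"},
     "requestParameters": {"groupId": "sg-web", "cidrIp": "0.0.0.0/0"}},
]
def sg_not_world_open(cfg):  # compliant unless an ingress rule allows 0.0.0.0/0
    return all(r["cidr"] != "0.0.0.0/0" for r in cfg["ingress"])

def s3_public_access_blocked(cfg):  # compliant only with public access block on
    return cfg["publicAccessBlock"] is True

# Rule table: type -> (rule name, check, auto-remediable?). The auto flag is an
# assumption: a public access block is safe to switch on unattended, an open
# ingress rule may be intentional and needs a human decision before closing it.
RULES = {
    "AWS::EC2::SecurityGroup": ("sg-no-world-ingress", sg_not_world_open, False),
    "AWS::S3::Bucket": ("s3-public-access-blocked", s3_public_access_blocked, True),
}
def evaluate(snapshot):
    """Remediation step: list NON_COMPLIANT resources with a triage decision."""
    findings = []
    for item in snapshot:
        name, check, auto = RULES[item["type"]]
        if not check(item["config"]):
            findings.append({"id": item["id"], "rule": name,
                             "action": "auto-remediate" if auto else "manual"})
    return findings

def monitor(trail):
    """Monitoring step: flag trail records that match a constructed watch list."""
    alerts = []
    for ev in trail:
        if ev["eventName"] == "ConsoleLogin" and ev["userIdentity"]["type"] == "Root" \
           and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append(("root-login-without-mfa", "root"))
        elif ev["eventName"] == "AuthorizeSecurityGroupIngress" \
             and ev["requestParameters"].get("cidrIp") == "0.0.0.0/0":
            alerts.append(("world-open-ingress", ev["userIdentity"]["userName"]))
    return alerts
```

Running `evaluate(SNAPSHOT)` reports the open security group for manual review and the bucket for automatic remediation, while `monitor(TRAIL)` raises the two alerts a startup would want to see first.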

Conclusion

An IT Audit for a startup is the right thing to do to prepare for company growth. Delaying auditing to a later stage will only add more technical debt along the journey. The effort to do an IT audit nowadays is significantly reduced thanks to the audit features available in most modern SaaS. On top of that, automated remediation is also possible in some cases. The following flowchart visualizes the IT audit for a startup.

Figure 2 IT audit flowchart for startups

Reference

[1] CB Insights, "The Top 20 Reasons Startups Fail," CB Insights, vol. 1, 2020.

[2] B. R. Aditya, R. Hartanto, and L. E. Nugroho, "The Role of IT Audit in the Era of Digital Transformation," IOP Conf. Ser. Mater. Sci. Eng., vol. 407, no. 1, p. 012164, Aug. 2018, doi: 10.1088/1757-899X/407/1/012164.

[3] Q. Jiang, Y. C. Lee, and A. Y. Zomaya, "The Power of ARM64 in Public Clouds," Proc. 20th IEEE/ACM Int. Symp. Clust. Cloud Internet Comput. CCGRID 2020, pp. 459-468, May 2020, doi: 10.1109/CCGRID49817.2020.00-47.

[4] A. Basiri et al., “Chaos Engineering,” IEEE Softw., vol. 33, no. 3, 2016, doi: 10.1109/MS.2016.60.

[5] Amazon Web Services, “AWS Security Best Practices,” AWS Cloud Comput. Whitepapers, no. August, 2016.

[6] S. Xu, Q. Zhang, L. Lü, and M. S. Mariani, “Recommending investors for new startups by integrating network diffusion and investors’ domain preference,” Inf. Sci. (Ny)., vol. 515, 2020, doi: 10.1016/j.ins.2019.11.045.

[7] R. Kalaiprasath, R. Elankavi, and R. Udayakumar, "Cloud security and compliance: A semantic approach in end to end security," Int. J. Smart Sens. Intell. Syst., vol. 2017, no. Special issue, 2017, doi: 10.21307/ijssis-2017-265.

[8] A. Mutiara, Prihandoko, E. Prasetyo, and C. Widya, “Analyzing cobit 5 it audit framework implementation using ahp methodology,” Int. J. Informatics Vis., vol. 1, no. 2, 2017, doi: 10.30630/joiv.1.2.18.

[9] A. Purba and M. Soetomo, “Assessing Privileged Access Management (PAM) using ISO 27001:2013 Control,” ACMIT Proc., vol. 5, no. 1, 2019, doi: 10.33555/acmit.v5i1.76.

[10] P. Goodman and A. Dinaburg, “The Past, Present, and Future of Cyberdyne,” IEEE Secur. Priv., vol. 16, no. 2, 2018, doi: 10.1109/MSP.2018.1870859.

[11] F. Doelitzscher, A. Sulistio, C. Reich, H. Kuijs, and D. Wolf, "Private cloud for collaboration and e-Learning services: From IaaS to SaaS," Comput. (Vienna/New York), vol. 91, no. 1, 2011, doi: 10.1007/s00607-010-0106-z.

[12] B. McLaughlin and S. Perrott, “AWS Config,” in AWS Certified SysOps Administrator Study Guide, 2E, 2020.

[13] M. Grysiuk, "Out of the Box: Why Organizations Are Jumping to Office 365/SharePoint Online," Inf. Manag., vol. 52, no. 5, 2018.

[14] L. Banica, P. Polychronidou, C. Stefan, and A. Hagiu, "Empowering IT Operations through Artificial Intelligence: A New Business Perspective," KnE Soc. Sci., 2020, doi: 10.18502/kss.v4i1.6003.

Purnaresa Yuliartanto

IT architect at the best cloud provider on the planet. Experienced in cybersecurity and tech-fire-fighting.