IT audit in the company from A to Z

Is an information technology audit the best friend of modern companies? Learn what an IT audit looks like and find out how the enterprise benefits from an IT audit report.

Transparent Data
Blog Transparent Data ENG
7 min read · Mar 15, 2021



‘I’ for an information technology audit

As you probably know, an information technology audit is a reliable and comprehensive assessment of the current state of an IT system, and it plays two key roles in every enterprise: inspection and looking ahead. It works as a control tool because it examines in depth the strengths and weaknesses of the infrastructure, the technology and the know-how behind the product. Its forward-looking side is the list of final recommendations, which states exactly what needs to be fixed to get your system back in shape.

In other words:

An IT audit is used to check whether, and to what extent,

given software is still functional, secure and compliant with current standards.

And if the software is not, a technology audit tells the company what to do about it.

Technology audit in practice

If your company runs an IT system (a CRM, an ERP, a data platform or an application) that is at least 5 years old and whose bugs are plainly visible, do not ask yourself:

Is my company ready for an information technology audit?

The question you should ask yourself is:

Why haven’t I done it yet?

Many business owners and managers answer that question like this:

Well, yes, but if the audit turns out badly, something will have to be done about this system… I will have to find the money for it and organise my team. And right now I am barely keeping up with replying to emails. I do not have time for it!

Unfortunately, this approach contradicts an undeniable rule of business: a company that wants to remain competitive has to find the time and money to think about the future, not just patch holes in its systems ad hoc.

Note also that an audit is the job of an outside expert for a reason. The truth is that many companies simply do not have enough IT resources to conduct a software technology audit on their own. Managers and employees can certainly see that the system crashes, throws errors or returns inaccurate data, but a fully-fledged assessment of the current state of your IT solution needs someone who can look inside and say: ‘This and that is OK, but this technology dates back 10 years. Here it would be good to modernize, and here you must rewrite the code.’

We have already covered a couple of subjects related to this topic:

Today, we take a closer look at the first step to take when you start thinking about the company’s future and want to leave the legacy system behind. In this article you will find answers to the following questions:

  • What an IT audit process looks like and how long it takes
  • What a company should prepare for the external auditor so that they can effectively assess the system
  • What an IT audit report looks like
  • What to do next with an IT audit report

What does an IT audit process look like and how long does it take?

Let’s start by understanding that the IT audit process is not one of those rough company experiences where you should feel judged or stressed. What you go through with your co-workers is nothing like an ISO/IEC 27001 or ISO 9001 certification audit. The software house you commission to evaluate your application asks specific questions and needs specific answers, but it approaches you as a friendly consultant, not an adversary. The IT auditor does not judge people and their work, only your software solutions.

An IT audit process usually follows a clear agenda:

  • A company contacts a technology company and briefly describes the problems with its system.
  • The technology company asks a few additional questions (e.g. what the size of the system is) in order to estimate the cost of the IT audit and understand what the system does. If the financial proposal is accepted, the technology company sends a list of things to prepare for the audit.
  • The company forwards the documentation and all the necessary information, and a date for the visit to the client’s headquarters is scheduled.
  • During the auditor’s visit, which usually lasts one day (or several days for larger, more complex systems), the auditor is granted full access to the system infrastructure and tests it from different angles. For security reasons, this is rarely done remotely. Even on site, that access should be scoped to the audit: use dedicated, time-limited accounts under an NDA, log what the auditor touches, and revoke the accounts once the visit ends.
  • After the visit, the technology company takes an average of 2 to 4 weeks to write the IT audit report.

The entire process therefore takes about 5 weeks, and its final result is a professionally written report listing the strengths and weaknesses of the system together with recommendations for future fixes.

Importantly, the IT audit report becomes the property of the customer. It can be used whenever the company wants and forwarded to as many people as the company wants. For example, if the report shows that the entire system has to be rebuilt from scratch, the company is not obliged to outsource that work to the software house that did the audit. It can use the report to find the best supplier for the new solution.

Preparation for an information technology audit

It is good to know that a company that outsources an IT audit has to prepare a couple of things. The list includes technical and product documents as well as a suitable contact person.

List of 5 things to be prepared in a company before an information technology audit so that the auditor can do their job:

  1. Up-to-date product documentation, i.e. a description of the product’s specific objectives and business goals
  2. Current technical documentation, i.e. a description of the IT system architecture, the data flow (requests), security and the entire infrastructure (VPN, hosting method, VMKA, dedicated machine / cloud, separation at the network topology level, e.g. VLANs, etc.)
  3. Access to the code repository and / or physical access to the infrastructure
  4. A description of the software development and maintenance process, i.e. whether one or many people are involved, and if many, how they work together: do they do code reviews, write tests, or have established coding standards?
  5. A person who knows this IT system well and with whom the auditor can discuss the topics related to the points above
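Before handing over repository access (points 2 to 4 above), it is worth running a quick self-check to see which of that evidence already exists and whether anything that must not leave the company is sitting in the repository. The script below is an added example and is not code from the article or from Transparent Data; the file names it looks for, and the sample repository it builds for its demo, are assumptions about a conventional layout rather than anything the article prescribes.

```python
"""Pre-audit self-check for a code repository.

Added example, not code from the article or from Transparent Data. It walks a
repository and reports the evidence an auditor typically asks for under
points 2-4 above (documentation, tests, CI, code review, pinned dependencies,
coding standards) plus any credential files that must be removed before a
third party gets repository access. All file names below are assumptions
about a conventional layout, not something the article prescribes.
"""
import sys
import tempfile
from pathlib import Path

# Evidence to look for, keyed by what it demonstrates to the auditor.
CHECKS = {
    "product/technical documentation": ["README.md", "docs", "ARCHITECTURE.md"],
    "automated tests": ["tests", "test", "spec"],
    "continuous integration": [".github/workflows", ".gitlab-ci.yml", "Jenkinsfile"],
    "code review ownership": ["CODEOWNERS", ".github/CODEOWNERS", "docs/CODEOWNERS"],
    "pinned dependencies": ["requirements.txt", "poetry.lock", "package-lock.json",
                            "go.sum", "Gemfile.lock"],
    "coding standards config": [".editorconfig", ".pre-commit-config.yaml",
                                ".eslintrc.json", "pyproject.toml"],
}

# File names that usually carry credentials and must not be handed over.
SECRET_PATTERNS = [".env", "id_rsa", "id_ed25519", "*.pem", "*.p12", "*.pfx"]


def check_repo(repo: str) -> dict:
    """Return which evidence was found, which is missing, and suspect files."""
    root = Path(repo)
    found = {label: [c for c in candidates if (root / c).exists()]
             for label, candidates in CHECKS.items()}
    secrets = set()
    for pattern in SECRET_PATTERNS:
        for path in root.rglob(pattern):
            rel = path.relative_to(root)
            if ".git" in rel.parts:      # ignore Git's own internal files
                continue
            secrets.add(rel.as_posix())
    return {
        "found": found,
        "missing": [label for label, hits in found.items() if not hits],
        "secret_files": sorted(secrets),
    }


def render(result: dict) -> str:
    """Format the result as the short list you would hand to the auditor."""
    lines = []
    for label, hits in result["found"].items():
        status = "OK" if hits else "MISSING"
        detail = f" ({', '.join(hits)})" if hits else ""
        lines.append(f"{status:<7} {label}{detail}")
    for rel in result["secret_files"]:
        lines.append(f"REMOVE {rel} (possible credential file)")
    return "\n".join(lines)


def build_sample_repo(root: Path) -> None:
    """Create a constructed sample repository used by demo(); not real data."""
    (root / "src").mkdir()
    (root / "src" / "app.py").write_text("print('hello')\n")
    (root / "README.md").write_text("# Sample platform\n")
    (root / "requirements.txt").write_text("requests==2.31.0\n")
    (root / ".github" / "workflows").mkdir(parents=True)
    (root / ".github" / "workflows" / "ci.yml").write_text("name: ci\n")
    (root / "config").mkdir()
    # Constructed credential file: exactly what the check should flag.
    (root / "config" / ".env").write_text("DB_PASSWORD=changeme\n")


def demo() -> dict:
    """Run the check against the constructed sample repository."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(Path(tmp))
        return check_repo(tmp)


if __name__ == "__main__":
    # Usage: python precheck.py /path/to/repo   (no argument: run the demo)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(render(check_repo(target) if target else demo()))
```

Run it against the real repository path before the auditor arrives; every MISSING line is something you will have to explain in conversation instead of handing over as a document, and every REMOVE line must be dealt with (and the credential rotated) before anyone outside the company gets a clone.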

What does an IT audit report look like? Example

As we mentioned above, the result of an information technology audit is a report. Depending on the size of the assessed system or application, it may be anything from several to several dozen pages in length. What is written in it is closely related to the characteristics of a specific software solution.

Example report

An IT audit report, which is made for a data-driven web platform, will focus on the description, evaluation and recommendations for:

  • application infrastructure (the report will describe the current hosting and servers, characterize how easy it is to introduce changes and fix bugs, list the advantages and disadvantages of the current infrastructure, and give specific recommendations for its improvement)
  • data collection and moderation (since it is a data platform, the report has to describe in detail all data sources and the way the application collects, processes and returns data; it will therefore also contain a quantitative and qualitative evaluation of the data, the efficiency of the current data aggregation process, its strengths and weaknesses and, of course, recommendations for the future)
  • frontend of the application (here the auditor assesses whether the platform is useful and functional for the end user, the so-called ‘UX audit’, and evaluates the administration panel)

The IT audit report will also contain final recommendations on the basis of which the company can make further decisions on what to do with this particular application.

What to do next with an IT audit report?

From the customer’s perspective, an information technology audit report is often not easy to accept. Customers usually do not realize how far their systems lag behind modern standards. They expect the report to reveal many weaknesses in their software, but they hope that everything will be easy and cheap to fix. And sometimes it is: in some cases it is enough to modernize the system a little by refactoring the code in a few places. Other times it is worth planning a gradual rewrite of the entire system onto a new technology. And sometimes the final conclusions tell the customer that changing the current system will cost much more than rebuilding it from scratch.

Then the task of the Chief Digital Officer, or whichever product manager is responsible for the system, becomes finding funds for further work. They can do this by showing in tables the profitability of the investment in the long run (current maintenance costs vs. reduced or eliminated costs in the future) or by presenting financial simulations that prove to the management board that a new IT system will increase the company’s profit. A manager can also attribute part of the investment to the ROI of another project that depends on the legacy system (e.g. one that has to extract data from it). Once the funds are found, the only thing left to do is to find the right technology partner to implement the IT audit report’s recommendations.

