These days, audits are rarely a source of solace, but finance executives who find IT daunting may actually be relieved to know that IT audits are suddenly in vogue, and provide exactly the sort of big-picture view that most CFOs need. IT audits are not, as you may have guessed, a matter of pure accounting. The term covers a lot of ground, but in general it can be thought of as the processes by which organizations evaluate virtually any aspect of their technology controls, capabilities, and performance. While IT audits have been conducted by some companies for years, they’re moving into the mainstream as regulatory compliance, risk management, and information security become higher corporate priorities.
If done properly, experts say, IT audits not only reveal weaknesses in compliance, security, and other areas but also help companies save money by finding ways to use IT hardware and software more efficiently and get a better handle on technology assets. Organizations can use IT audits to ensure that their technology initiatives are in sync with business goals and practices.
“These audits provide our CIO with an independent and objective review of his areas to ensure data resources are protected, appropriate internal controls are in place, systems are designed and developed to meet our business needs, and internal system resources are used effectively and efficiently,” says Ken Askelson, IT audit manager at retailer J.C. Penney Co. in Plano, Texas.
There are many types of IT audits that cover a broad range of technologies and processes. One type assesses IT governance, determining how well the IT department is managed and staffed, and how efficiently it supports business operations. Information-security audits examine security policies and such technologies as firewalls, and analyze the integrity of networks, databases, operating systems, Web servers, and applications.
Audits can focus on such major IT assets as ERP systems or on individual applications like payroll and accounts payable. Some audits evaluate the effectiveness of business-continuity and disaster-recovery programs, and others make sure that organizations have adequate and up-to-date software licensing in place. Still others are dedicated to ensuring that organizations are in compliance with such regulations as the Sarbanes-Oxley Act of 2002 and the Health Insurance Portability and Accountability Act.
IT audits frequently begin with a risk assessment, in which an organization obtains an overview of the major systems and applications used to support critical business processes. The intent is to identify existing or potential areas of risk that should be addressed in future IT audits, says Paul Rozek, director of technology services at Jefferson Wells International, a Brookfield, Wisconsin, consulting firm that has seen its IT-audit work increase by 40 percent between 2002 and 2003. Organizations can then prioritize the audits based on the level of risk. That initial assessment can also give executives a good sense of the systems the organization has in place, and whether the company has sufficient expertise and staff resources to conduct subsequent, more-focused audits. If not, the organization will have to consider getting help from an outside expert (see “Deciding Who Does What,” at the end of this article).