Facing an IT Audit - How would your institution fare?
It's always sitting there like the 800-pound gorilla in the room - the upcoming IT Audit at the institution. No one asks if it's still there, because we all know it is. We've all gone through at least one IT audit, some successfully, others of us have been handed a list of recommendations from our auditors.
One of the drivers behind an IT audit is the list of 114,000 new regulations (according to the OMB) passed in the U.S. since 1981, and these regulations include the Sarbanes-Oxley Act (SOX). SOX is more than just Section 404 documentation. From proper retention, retrieval and disposition of audit data, to corporate responsibility for financial reports, to real-time disclosure, SOX places a comprehensive compliance burden on a financial institution. Evidence of SOX compliance is one of the reports that may be expected to be available during an IT audit.
What are some of the other items an auditor would expect to see during an institution's IT audit? Here are the questions you'll need to have answers for when the auditors arrive. The average auditor, if they're proficient at what they do, will want to see the following in place. (This list is by no means comprehensive, but it is a good place to start when preparing for your next IT audit.)
- Existence of an IT Strategic Plan, in line with the organization's strategic plan - Make sure it reflects the latest changes in your IT systems and isn't the one produced right after your last IT audit.
- Personnel policies, including job descriptions, performance evaluation, training and development, and succession planning. Auditors may spring a question on you about succession planning for different areas of your organization. This is often forgotten about at busy institutions, but needs to be addressed. Who is the successor to head of IT? Remember, if any key people leave, you can't always expect to get that kind of talent off the street.
- A documented IT risk assessment and management process, and adherence to an IT control framework (e.g. COBIT). The framework doesn't necessarily have to be COBIT; it could be something else (think ISO 17799 or ITIL). And it's not enough to document it: make sure you're actually following it.
- Have appropriate insurance coverage for any of the risks identified in the assessment in case they materialize. (Think of the unthinkable, for example, what you'd be faced with if your data center was no more.)
- Follow-up and implementation of audit and other examiner recommendations - This is key: you need to follow up on and implement audit recommendations as soon as possible. You'll also need to show that you've followed up on previous audit recommendations. Any outstanding audit recommendations that haven't been acted upon should be poised for implementation. It's a "career limiting move" to have outstanding audit recommendations that you're not moving on, and any CEO will agree with that statement.
- You'll want to have an IT Steering Committee with key stakeholders from business groups to ensure direction of IT is in alignment with business strategy. Remember, IT works for business, so listen to what your committee has to say, and make sure all key areas of your institution are involved in IT decisions.
- Performance metrics and measurements - Measure the things that are important, and be able to back up your numbers. Examples of efficiency measurements include a system's percentage of total uptime, product delivery time, and the total number of production system defects. Whatever you decide to measure, do it on a regular basis and be able to show improvement over time.
- IT portfolio management - to ensure that key IT projects meeting critical business requirements are managed and controlled. This is where many IT projects get scrutinized, and some may be found that aren't meeting the business's requirements. List all projects and their return on investment. You can expect the auditor to ask for justification of what these projects are and how they meet the needs of your business.
- Establish an IT configuration database to define and classify all IT components. Be sure you know what components touch other systems, and how they interrelate. Be prepared to answer questions about it from an auditor.
- Process for IT asset management. Do you know where equipment is located? And do you have a system in place to track all equipment?
- IT budget and cost allocation processes. Do you know exactly where that money is being spent? Do you have policies and processes in place to manage assets, and can you show how IT is accountable for the cost?
- Quality measurement and review - This includes measurements over time, not just in the short term.
- Finally, you'll probably also need to show a project management methodology, including: project phase authorization for each phase; an integrated project plan to guide project execution; resource allocation; risk management (and fallback mechanisms if something doesn't work right in production); regular formal checkpoints against the plan; and a post-implementation review process. Be able to show where you refined the process and saved money or time on subsequent projects.