For many small to medium size businesses (SMBs), the notion of auditing their IT infrastructure sounds like overkill. 

Why not look at it another way? You get better productivity from your staff if your IT infrastructure and processes are designed to deliver that productivity. 

The truth is that technology changes constantly and so does your business. You may have upgraded your systems only a few years ago, but that technology could be what’s constraining your growth today, by preventing you from doing business more flexibly, or by making you lose your competitive edge. 

We see this happening all the time with businesses, especially those which are growing but haven’t taken the time to plan an IT roadmap.
 

1. Why an IT Audit?

   Large enterprises conduct IT audits on a regular basis. Recently, smaller companies have started paying more attention to IT infrastructure planning too. As more business functions move online, issues such as information security, regulatory compliance, and risk management become higher priorities, not just for CIOs but also for CFOs.
   
   When companies audit their IT infrastructure, it’s usually because they’re interested in saving money and/or using existing assets more effectively:
   •    A comprehensive inventory of technology assets provides a baseline for plans to improve the efficiency of current and future systems. 
   •    A review of weaknesses in procedures, compliance, and security reveals issues that hamper efficiency or add unnecessary cost. 
   •    A business analysis of findings let you know whether existing usage or planned technology initiatives are aligned with business goals and mandates.
    

2. What exactly is an IT audit?

   An IT audit is a structured process for evaluating a company’s technology, processes, controls, capabilities, and performance. It’s a snapshot of your current IT capabilities at a point in time; it helps you understand what’s affecting your IT infrastructure’s performance and in turn, your organization’s business performance. 
   
   There’s plenty of scope for overkill so the first step is to determine which type of audit(s) you need to support your business planning. 
   
   Assets: an inventory of hardware and software (OS and applications) including version and serial numbers, licenses and licensing status, SAAS subscriptions, configuration of each computer and installed software
   Governance: focuses on IT performance and risk management with the goal of ensuring that IT investments generate business value, and to mitigate risks associated with IT; in other words, how effectively is the IT department managed and staffed for supporting current and future business operations. 
   Information Security: examines security, from physical security of IT assets down to logical security of data files. This includes: security policies, adherence to policies, technologies (i.e. firewalls) and the integrity of networks, Web servers, operating systems, databases, and applications. 
   Business-continuity: looks at backup and disaster-recovery procedures to assess an organization’s ability to resume operations after a disaster. 
   Compliance: reviews an organization's adherence to regulatory guidelines. Between the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley, compliance has become high-profile.
    

3. Why get an outside firm to audit?

   Even if there is someone on your staff who is experienced in IT audits, it makes sense to bring in an external resource. At large corporations where they conduct regular IT audits internally, they will get outside help periodically to validate internal findings. 
   
   The reasons for hiring an outside consultant are simple: 
   •    A comparison of your environment against Industry standards and best practices are part of the assessment, implicitly or explicitly. An outside resource whose job is IT audits will be current with these practices, including costs and budgets.
   •    Your own people may be too close to the business. Sometimes they won’t question certain procedures because “we’ve always done it this way.”
   •    Time. The IT staff at most SMBs are so busy with the Help Desk and making sure systems are patched and secure that they lack the bandwidth to take on yet another project. 
   •    Fresh eyes and deeper insights. Your staff has experience with your environment. An outside resource has accumulated knowledge from working with other companies; the consultant can spot issues sooner and recommend solutions you hadn’t considered.  
   •    It’s an objective assessment. Your own staff will be reluctant to suggest changes that affect their jobs. 
   
   What we have observed is that the IT staff’s work actually becomes more rewarding when an audit is able to:
   •    Identify ways to streamline Help Desk requests through protocols, prioritization, or Help Desk software 
   •    Reduce workload that consists of tedious, laborious tasks through more efficient processes or outsourcing
   •    Gain support to add more resources to IT through cost-justification and budgeting
   •    Gain confidence and peace of mind that IT processes meet best practices and have executive level support 
    

4. How to Prepare for an IT Audit

   It’s really worth making the effort to update your documentation before an IT audit. It’s a good way to re-familiarize yourself with what you have. It may prompt you to do some housekeeping, which helps smooth the way for the audit. Most importantly, it’s a good time to jot down any issues you run across and add them to the list of questions or goals for the audit.
   
   Some of the information you should have on hand for the IT audit include:
   •    List of hardware assets including model, serial number, purchase date and/or equipment age
   •    List of software installed on each machine and license status, operating system version, security software, and patch level
   •    List of SAAS subscriptions, subscription plan and cost, expiry dates
   •    Network diagram including wireless connections, ISP connections, VPN connections to remote offices/users
   •    Security environment including software, policies and procedures 
   •    A disaster recovery plan 
    

5. In conclusion

   An IT infrastructure audit is not just a matter of taking inventory. It’s a process for evaluating aspects of your technology, its capability, performance, and the controls that are in place. The report at the end of the process is the deliverable you want. The recommendations are what will help you save money, use your IT assets more effectively and securely, and improve performance.
   
   It does all come down to productivity. Technology is getting cheaper but human resources are not. Technology and processes that hinder employee productivity erode the investment you’ve made in your staff. Contact us if you would like more information about Smartt’s engagement process for IT infrastructure audits.