by Scott Lewis
Companies are starting to understand the value of technology auditing. Historically, companies viewed their technology as a means to an end or simply a cost of doing business. However, that is beginning to change. The impact that technology is having on your business can now be measured in real dollars and cents.
In most organizations, oversight of the technology department still falls primarily under the accounting department, so this could be a CFO or Controller. This is a long-standing arrangement that dates back to when accounting people were the only ones who had worked on computer systems. The problem with this today is that technology departments, being viewed as a means to an end, typically lack overall structure, accountability and performance measurements around how they are servicing their customers, the end users.
In 1969 the ISACA (Information Systems Audit and Control Association) was formed to provide companies and organizations with a centralized source of information around technology auditing for computer systems. The overriding goal is to provide organizations and individuals with a resource to help better manage technology resources, provide more value to organizations and ensure that proper guidelines are followed to provide a secure and productive computing environment. However, when I talk to CFOs, Controllers, business owners and technology professionals, most have no idea that there is a technology framework or auditing process for technology or how to implement an accepted framework.
Why are the ISACA guidelines important to your organization? This framework is important because of the overall impact your technology department can have on your organization. Do not underestimate the dollar impact that mismanaged technology resources can have on your business financials. As dependency on technology continues to grow, having a long-term strategy to ensure that your technology plan is actually supporting your business in a sustainable, measurable and productive manner, with actual audit points, can be a powerful business tool. It will, in turn, ensure that your technology dollars are supporting your business objectives.
There are many types of audits. The vast majority that I see from technology auditors have historically been done by technology companies that are not part of the ISACA or a Certified Information Systems Auditor. They are basically sales audits, which provide little value, little supporting documentation, and only show how they will come in and fix all your technology-related issues. I do a lot of audits, and all of our audits are based on the ISACA structure and the CoBIT standard with a peer group review to ensure that the audit is objective, supported by facts, and the raw data is provided within the audit itself. If you are considering a technology audit, ask to see a sample audit. This will help you understand the type of audit that company does and what you could expect from your audit. It will also show if the auditor is skilled in process management or if they are simply exploring sales opportunities under the premise of objectively auditing your technology.
Once you have gone through a technology audit, you should be provided with a clear baseline of the technology currently in place within your company and a clear move-forward plan with measurable, sustainable objectives.
Second, the audit should provide you with a business analysis of how your technology is supporting your business objectives and how you can build on your current technology investment to improve processes and productivity across your organization.
Third, the audit should be able to clearly show how you are or are not within industry best practices based on your industry and objectives outlined in the ISACA framework.
Lastly, and one of the most important factors, is how you are positioned in terms of risk mitigation processes, through disaster recovery, business continuation, data management, policies and procedures, to ensure that your business is protected from internal and external threats.
Technology auditing is very much a specialized area of expertise, and if you are considering a technology audit, it is important that you know the qualifications of the auditor. Do they have a history of performing technology audits, do they have an understanding of the industry standards, such as CoBIT and the ISACA framework, and can they clearly explain that framework? Once you have selected your auditor, the end product, if done correctly, can be a valuable tool for empowering your business and for gaining control and an understanding of how technology is serving your business.
Scott Lewis is the President and CEO of Winning Technologies Group of Companies. The Winning Technologies Group of Companies is an international technology management company. Scott has more than 30 years of experience in the technology industry and is a nationally recognized speaker on technology subjects such as Collocation, Security, CIO level Management, Data and Voice Communications and Best Practices related to the management of technology resources. Learn more about Winning Technologies at www.winningtech.com.