An information technology audit evaluates a business' technical infrastructure and operations in order to identify technologies that are aging and need to be upgraded or replaced. As technology ages, it can start to create unnecessary costs, security vulnerabilities, and prevent continued progress and efficiencies within the business. That is why we recommend periodic technology audits for our clients. These audits can be done internally by a qualified employee our outsourced to an IT auditor.
What to look for in a technology audit
There are two key components that we want businesses to review: hardware infrastructure and the underlying technology that applications are running on. In reviewing these areas, the business will want to assess the following:
- License agreements: The key here is to document terms, scope, dates, and costs of any hardware and software licenses.
- Versions and upgrades: Components of your infrastructure will have a prescribed life cycle. This will affect the type of support and availability of updates.
- Compatibility: Checking the underlying technology, such as PHP, web servers, operating systems, etc. for compatibility will help your technology team with future expansion and upgrades.
- Potential misuse and abuse: The technology audit presents a great opportunity to ensure that employees and vendors are not misusing the technology -- which can create security vulnerabilities -- and that no abuse is going on, causing unnecessary costs and potential harm to data and other sensitive information. It is important to identify a ‘need to know’ type of access to data and user permissions, and your technology audit is a perfect time to review these guidelines and make changes in order to protect sensitive data.
- Training and Certifications: Often, vendors require training and certification as part of maintenance and purchasing agreements. Periodically verifying this can save the company money and potential losses from a lapse in maintenance agreements.
- Data Protection: Assess your infrastructure’s design to ensure that data is protected and backed up and that your networks contain the proper redundancy to maintain operations during maintenance and any outages, ensuring that all data -- and most importantly, sensitive data -- is protected and kept up to date.
- Audit Documentation: All of the above items need to be fully documented. We also recommend keeping a good audit checklist and keeping records of all audits, findings, and corrective actions taken.
- Cost Analyses: A technology audit will present opportunities for upgrades and brand new solutions. As part of your audit process, we recommend putting together a cost-benefit analysis of these opportunities to ensure that your business stays up to date, that your team remains as efficient as technology allows, and that you are keeping up with competitors and the market.
We recently ran into a case involving what should have been a simple data migration. However, once we got into the underlying technology, we discovered outdated and unsupported versions of their software platform, their operating system, and their web server. This all combined to create the perfect storm of outdated and abandoned cryptography, turning a simple data migration into a major technology project. Of course, this was a big surprise to the client. The lesson here is that regular technology audits can keep your business from these surprises while ensuring that your systems are safe, current, and easily maintained.
When are audits required?
The frequency of technology audits is dependent on your business. For example, businesses that need to maintain compliance with HIPAA and PCI may undergo random, external audits in addition to regularly scheduled audits. Certain events can also trigger an audit, such as a data breach, attempted hacking, business acquisitions, and expansion of the team. Aside from those cases, you should schedule a technology audit at least annually -- no less than every two years -- but verify that with your technology team. There are also cases where some items were left incomplete from your previous audit. Don’t let those linger until the next audit. Plan time and budget to get those items completed as soon as possible.
Signs that you need to do an audit
The first symptom of a heart attack is often...the heart attack. The same goes for a technology audit. The first sign that an audit is needed is the absence of any previous auditing. If you have not audited your technology, make that a priority. Aside from that, other signs or symptoms that your business might need an audit are:
- Regularly released patches to software stop showing up
- You experience outages or breakages in areas that were previously working just fine.
- Technology starts to slow down, bogging down your processes
- You’ve expanded your team significantly
- You notice your competition starting to implement new technologies and gaining an advantage
A note on cloud-based software
Technology that is based in an external cloud is generally outside of the scope of your technology audit. However, if cloud-based software is integral to your operations, then you’ll want to include a review of that as part of your analysis. For example, we recently brought on a new client who uses a scheduling platform to set appointments. One of the issues they were having was that the information received from this software had to be entered multiple times into their own internal systems. The result was that their own customers had to fill out redundant information several times during initial appointments. A review of their technology identified this, and we were able to iron out that kink, creating more efficient information processing and happier customers.
Companies need to get in the habit of conducting regular information technology audits for both their infrastructure and underlying application technologies, just the way they do with their financials and inventory. A good, regular audit will help prevent potential catastrophes while also ensuring that your business stays ahead of the game in the market.
Contact us now to discuss your current technology.