Auditing a Company’s IT Strategies

Today’s IT solutions are complex, and they are getting more challenging to implement all the time. One of the great questions for management at any company these days is simply whether all the investment in those systems is worth it. Internal auditing can play a critical role there, measuring and inspecting how the IT investment process—specifically, how IT investment is managed—works.

There are two distinct elements to most IT investment audits. They are the evaluation of:

(1) How that management process is “scoped out,” designed, and implemented; and

(2) How that management process then operates, including an assessment of the business priorities currently being addressed.

An audit of IT investment management should identify whether the various management processes involved are operating well and what the key opportunities for improvement would be. The audit should evaluate whether management has an effective investment prioritization process in place, including the ongoing identification of changes in business priorities and new business opportunities. IT investment management also involves the evaluation of performance of IT initiatives, and the audit should assess the performance monitoring completed by management.

In general, an audit of investment management should let internal auditors provide an opinion on process effectiveness, an assessment of the organization’s efforts to align IT with business priorities, and assurance to the board and management that the organization is working on the right projects.

Ten Questions to Answer

Audits of any IT system, and especially audits of how IT investment is working, will have many questions. Exactly which ones you’ll need to answer and include in your audit planning will depend on your company’s specific circumstances, but I’ve listed 10 of the most important ones below.

1. Are the organization’s planning activities appropriate to its needs? The planning process should support management’s awareness of, and response to, new and emerging business opportunities. The scope and formality of planning needs to be in line with the organization’s needs and complexity.

2. Has an effective IT investment management process been developed and implemented? Every company needs a process to decide which initiative gets funding. Every company should also consider a balanced investment in operational, tactical, and strategic IT areas. Of course, the level of funding in each category will vary widely depending on the business environment a company faces and the strategic direction it is taking. But all of those areas should at least be considered, even if the dollars devoted to any specific one is zero.

3. Is accountability well established, and acknowledged by those to be held accountable? Management and staff need to know what they are responsible for. When it comes to management of IT investment management, we want to ensure that IT investments support the company’s business and business efforts. This requires an investment decision-making process that is clear and relatively transparent. Identify the people at your company who participate in that process, and make sure they understand the consequences when the decisions they make produce bad results.

4. Are there appropriate systems, policies, procedures, and guidelines relating to IT Investment management? Describing how things get done is always beneficial. For something as important as, “Are we working on the right projects?” formal policies and procedures are worthwhile.

5. How successful is IT in meeting business needs? Assessing whether your company is effective overall is always challenging. Perhaps the best we can achieve is determining what the key opportunities for improvement are.

6. Do we need to increase the alignment of IT efforts and business efforts? If so, what else needs to be done? At the end of the day, a company and its IT department must do everything necessary to get a grip on the organization’s IT investment priorities to ensure the company is focused on business priorities—rather than on IT systems.

7. Does management have a strategic IT plan that is updated regularly and supports the annual plans, budgets, and priorities of the various IT projects? Companies should define the long-term direction of their IT needs, and auditors should be able to see a rationalization of what the company’s IT spending priorities are, and why. Ideally, an IT strategic plan would be developed and approved by the board, although the documentation may take many forms such as a separate IT plan combined with the organization’s overall business plan, or a series of business case submissions over time. The auditor should look for a demonstration of an overall strategic planning process regarding IT investment and IT spending prioritization. Also remember that business planning should drive the IT priorities and IT investment decisions, which means both corporate management and IT management will need to be interviewed.

8. What level of investment in IT and IT security has occurred over the past two to three years, and what is planned for the next two to three years? In other words, are IT expenditures reasonable compared to the overall operating and capital budgets? While no specific level of investment in IT is deemed to be appropriate, the auditor should assess the reasonableness of the IT and security expenditures in relation to the overall capital and operating budgets. They should also review whether the expenditure trend line can be explained by the business and IT plans. Is there a process in place to manage the expenditures involved with IT and IT security?

9. Have performance indicators for the IT function and IT security been developed? Are those indicators periodically reported to the board? Auditors should know what major issues have been reported regarding IT and IT security. A healthy debate should exist at the board level when these issues are presented by management (and, yes, management should be presenting these issues to the board).

10. Does management monitor IT’s performance, as well as its capability to continue providing the services upon which the organization relies? This question explores the monitoring of IT operations that management performs—and whether it is outsourced or managed internally, monitoring should be done. The formality of the monitoring can vary greatly, although outsourced arrangements probably need more monitoring, and so it should happen more frequently.

The bottom line is that management of IT investment must be integrated into the organization’s ongoing strategic planning effort and ensure that IT efforts consistently contribute to the organization’s priorities. Perhaps it’s time executive management revisited how it defines IT investment priorities. An audit is a good place to start.