Internal Audit on IT Department - What to Audit??


Glen D

I need to perform an audit on the IT department but am not entirely sure what to audit during a general audit.

I was talking with a company director yesterday and we were struggling to come up with what to audit, as I know the department does not keep many records or documents (they are not the best IT department in the world!) from when I wrote the Control of Documents and Records procedures.

Could anyone give some sort of pointers or guidance, as I'm not the best with IT?

Many thanks

Glen
 

Jerome

Re: Internal Audit on IT dept...What to Audit??

Start with the question: "why do I want to audit the IT department?" (and don't say 'because my quality manual says so...' :) )
If there is really nothing documented on the workings of this department, start off with a process map of what the company expects from the department or how the department should work.
Think about:
- how does a project get started and ended (who initiates, who manages the projects, release criteria etc.)
- what is the flow of events regarding development (user requirements, functional req., design, risk assessments, (in)formal testing, reviews, etc...)
- how do you measure software quality
- what quality controls are/should be in place (coding conventions/standards, design and/or code review, verification and validation etc.)
- Who is qualified for what and how is that managed
- audit on change control / configuration management

Many general items from your QMS also apply to your IT department.
Come to think of it... I'm assuming it produces software as a product (or part of).
But your IT dept. could just as well handle the infrastructure of an institute...

So, what type of IT dept are we talking about here?

Also, is not having documented how the dept. should work a flaw of the dept. or the management system supporting it?
 

somashekar

Leader
Admin
Re: Internal Audit on IT dept...What to Audit??

> I need to perform an audit on the IT department but am not entirely sure what to audit during a general audit.
>
> I was talking with a company director yesterday and we were struggling to come up with what to audit, as I know the department does not keep many records or documents (they are not the best IT department in the world!) from when I wrote the Control of Documents and Records procedures.
>
> Could anyone give some sort of pointers or guidance, as I'm not the best with IT?
>
> Many thanks
>
> Glen

Dear Glen D.
Take some time to read through THIS thread for more information.
 

Glen D

Re: Internal Audit on IT dept...What to Audit??

Jerome - The company is approx. 200 people over 4 sites (150 at one site) with 2 IT persons at the main site.

It is just there to support the business: the Radan/CAD department, an in-house built asset management system and many other PCs within the business.

The question of auditing was put to me because the IT department is failing to support the business, and progress is being held back as a consequence of IT either not completing tasks or not completing them correctly.

The MD/CEO is blind to this and would maybe respond better to objective evidence from me, as requested by another director.

Somashekar - thanks for that!
 

qusys

Trusted Information Resource
Re: Internal Audit on IT dept...What to Audit??

> Jerome - The company is approx. 200 people over 4 sites (150 at one site) with 2 IT persons at the main site.
>
> It is just there to support the business: the Radan/CAD department, an in-house built asset management system and many other PCs within the business.
>
> The question of auditing was put to me because the IT department is failing to support the business, and progress is being held back as a consequence of IT either not completing tasks or not completing them correctly.
>
> The MD/CEO is blind to this and would maybe respond better to objective evidence from me, as requested by another director.
>
> Somashekar - thanks for that!

In addition to what the other Covers rightly said, I would suggest auditing contingency plans for IT, considering that system downtime could potentially affect the production line.
I would check the process as a whole in terms of responsibility, procedures, tools, competency, records and measurement.
 

adickerson

I would also audit backups. Backups of important records should always be made on a regular basis. If they are supposed to be doing this, you can audit to see if it really is happening at the frequency it is supposed to. Weekly sounds reasonable, and a lot of this can be automated.

I would also make them show you how to retrieve the backup files, and they should have a work procedure for the process. Make sure it works and can be done by someone outside of the IT department. Furthermore, make sure that the backups are occasionally stored on a flash drive or CD and kept in a fireproof box with keys controlled by a member of management. There are a lot of organisations that never recover from massive data loss. If your IT department is less than you expect, then be prepared, because I would not trust them.
 

Randy

Super Moderator
It's no more complicated than the following.

What's supposed to be getting done?

Is it being done as planned?
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
> It's no more complicated than the following.
>
> What's supposed to be getting done?
>
> Is it being done as planned?

I've run into trouble with people who just don't understand what needs to be done - no understanding, no plan. After a while of my explaining it to them, I believe they are on the right track though.
 

Glen D

> I've run into trouble with people who just don't understand what needs to be done - no understanding, no plan. After a while of my explaining it to them, I believe they are on the right track though.

Exactly... I'm no IT expert, so I thought I'd ask those with a bit more knowledge in the area.

I hadn't thought about a disaster recovery plan.

Thanks for the comments so far. Any other areas that could be looked at?

Glen
 