IT audit is an independent examination of the current state of the client’s IT infrastructure, its technical debt, determining the degree of its consistency with the required criteria and performance indicators in accordance with best practices and allowing to form a strategy for further development of the IT infrastructure and optimize the cost of ownership.
Objectives of IT infrastructure audit
As a result of the audit, the client receives an objective assessment of the state of its IT infrastructure and recommendations for improving its quantitative and qualitative indicators. Obtaining an objective assessment is the main goal of the audit. In the process of achieving this goal, various components of the system are evaluated according to numerous criteria.
It should be understood that the concept of “IT infrastructure audit” is quite extensive, as it includes audits of:
- information security;
- virtualization infrastructure;
- server infrastructure
- network infrastructure;
- data storage systems and storage network;
- platform services;
- external services.
Each type of audit requires separate preparation and different ways of conducting audits. But ideologically, all of them are aimed at finding problems in one or another part of the IT infrastructure. Summarizing the criteria by which these audits are conducted, the following points can be distinguished:
- security assessment. Checking whether IT infrastructure security measures are in place and effective. This includes identifying vulnerabilities, assessing risks and recommending improvements to the security of data and the overall system;
- resource utilization. Finding inefficient utilization of resources such as servers, data storage, networking equipment, cloud storage;
- Compliance with standards and laws. Checking IT infrastructure compliance with existing regulations, laws and standards, and regulatory requirements;
- Business process efficiency. Analyzing the IT system in terms of its impact on business processes. Identifying bottlenecks and opportunities to improve performance and automate business operations;
- Ensuring reliability and availability. Ensuring that the IT infrastructure is capable of providing high availability and reliability of services and applications to users;
- risk management. Assessing risks associated with the IT system and developing strategies and activities to mitigate or manage them;
- development and strategic planning. Providing information and recommendations that can help an organization develop a strategic plan for future IT infrastructure development;
- documentation and standardization. Creating documentation and standards that will help ensure consistency and quality of work in the IT system;
- improving project management. Evaluating IT project management practices and providing recommendations for improvement;
- Cost control. Identifying unnecessary costs and opportunities for resource and cost savings.
Audit preparation
- Gathering client information. Prior to beginning work, the auditor conducts remote interviews with the client’s employees. During these interviews, familiarization with the existing information systems, analysis and recording of necessary information, as well as familiarization with documentation is performed. The preliminary plan of employee interviews consists of the following items:
- interview with employees responsible for business processes for which the audited IT infrastructure is used;
- interview with employees responsible for ensuring information security. In the course of this interview, information is collected about the existing processes for ensuring information security of the information system in the audited area and familiarization with IS documentation;
- interviews with employees responsible for functioning and administration of information system components. During these interviews, information is collected about the information infrastructure components and their settings that are in the audit area.
- Preparation of the audit team. The selection and preparation of the audit team is critical to the success of the audit. Auditors must have the appropriate skills and experience in auditing the required IT infrastructure. They should also be familiar with the technologies and tools used by the client.