It was our turn last month!  Bryan and Daniel from our very own Risk Advisory Services Team did our annual IT Assessment.  Like most of our clients, I had a pretty good idea of where we need some improvement.  But the great part of this exercise is putting it down on paper and having to make ourselves responsible for correcting noted issues.  Yes, it was a nerve-racking experience, but when it was over, I felt great about where we were going with our IT processes.

The whole point of a Business IT Assessment is to develop an action plan.  In most IT Departments there never seems to be much time for the mundane.  A server goes down, you fix it; the network is slow, you run some tests and correct the problem; and there is the constant barrage of helpdesk calls for any number of things.  So the planning and managing of the department gets put on the back burner.

It’s confession time: we need to beef up some of our policies.  As I always say, policies are how management communicates its expectations.  Like most small departments and companies, we have ways of doing things that everyone understands; they’re just not fully documented.  Of course this is just an excuse, and my Dad always told me that a bad excuse is no different than a good excuse.  We need to improve and we will.  If we have no documentation of policies, how could a new person understand what is expected?

We also lack some systems documentation and monitoring.  Sometimes in a small IT department it seems overly burdensome to document what is on the network or who manages what program, but really a small department needs this even more.  If the department has one network manager and she decides to leave the company, all the knowledge goes with her.  Along the same lines, monitoring seems like a big task when it is a small department, but our goal is to improve efficiency, so monitoring will help find issues before they grow into big problems.

At the end of the assessment we put together an action plan.  This will be a great document to work from.  We have listed all the items that need to be addressed, made assignments, set due dates, and will report on this at each IT Steering Committee meeting until all tasks are completed.

This assessment process was done, not to identify what has been done wrong, but as a way of creating a plan to improve.  The intent of a Business IT Assessment, as well as an IT Audit, is to both find ways to improve and to better understand the IT function.  Roles and responsibilities are identified and those responsible for governance get a better understanding of an area of the business that is often the least understood and the most relied upon.

It is a good experience for an auditor to be audited.  There used to be a story about the cobbler’s children being the only kids in town that went barefoot.  We don’t want to be like that, so we practice what we preach and audit our own IT Department.

Give us a call if you would be interested in hearing more about Business IT Assessments and how we may be able to help you better manage your IT function.