
Self-Audit

In any organization, auditing is too important a task to be left to auditors. Auditing is a two-step process: first, your organization’s internal auditors must approve the financial transactions, which are then scrutinized by external auditors. Before internal auditors look into your finance sheets, it is advisable to do a self-audit. There are several benefits of a self-audit, including:

1. Monitoring cost overruns on any project and avoiding (or at the least minimizing) them
2. Keeping within the budget
3. Accounting for every cent spent and earned, especially petty expenses which are often hard to document
4. Being prepared for contingencies by knowing your department’s financial health

How do you go about an audit?

First of all, collect and file together all the relevant documentation pertaining to the finances of your organization. Much of this documentation will be available from your internal auditors.

Secondly, determine the areas of concern in your department. Some of these might be:

1. Are your IT operations areas (such as the network operations center and data center) restricted only to relevant staff, and are their comings and goings recorded?
2. Is access to your data password protected, and are anti-hacking measures in place?
3. Is there a process for regular back-up of data?
4. Do you have a disaster recovery plan in place?

A self-audit is a good way of knowing how much governance is already in place. If you have a lot of “no” answers to the self-audit, your organization probably has too little IT governance in place. You may wish to schedule a meeting with your auditors to find out which major pending issues need to be addressed, so that your governance is in full force.

The IT Governance and Compliance Toolkit includes a detailed questionnaire to help you carry out the self-audit.

Many people find it difficult to deal with auditors. An auditor’s job is not to get you into trouble, but to establish a vigilance system that ensures your organization remains viable. The auditor’s relationship with the IT department revolves around ensuring that it does everything it reasonably can to prevent tampering with or destruction of business data, to prevent unauthorized access to business data, and to prevent or react in a timely manner to business disruptions.

The toolkit includes a number of tips on how to deal with auditors.

The next few blogs will address how you go about establishing individual policies.

{ 1 trackback }

Alex Gordon
April 8, 2010 at 6:43 am
