What Is the Difference Between an Information Technology Audit and a Technology Assessment?
The term Information Technology (IT) Assessment is often misunderstood because it is so frequently portrayed as the simple and easy process of scanning an organization’s existing network. However, this could not be further from the truth. It is important to remember that a formal Technology Assessment is not a Technology Audit. The use of terminology is not just about semantics, but rather expectations. An audit is a required procedure conducted to validate a process established by an organization; for instance, a financial audit, a tax audit, an HR audit, etc.
Assessment vs. Audit: In the IT world, audits are required of organizations that are subject to compliance or are regulated by State or Federal agencies (Banks, Credit Unions, Hospitals, Publicly Traded Companies). We are all too familiar with HIPAA and Sarbanes-Oxley; however, in some other cases, organizations can also be subject to industry-specific requirements such as PCI-DSS (credit card payments). PCI-DSS requires strict validation and compliance reports on a quarterly/annual basis.
Another contrast between a technology assessment and an audit is the ultimate goal. An assessment focuses on discovering and providing information related to the state of an organization’s IT, not validating their compliance.
Identifying the Need: Interestingly enough, based on our 25+ years’ experience with conducting technology assessments, the demand for technology assessments is normally driven by executive leadership who recognize their business is expanding but are unsure whether the existing technology is scalable to support their growth. Other common situations involve conducting an assessment as part of a potential business merger or even diagnosing technical problems plaguing an organization’s productivity.
Rarely are requests driven by the organization’s IT Staff (if any); perhaps there is concern that a negative assessment could reflect poorly on their performance, despite the fact that most cases reveal they are not responsible for the lack of interest in technology investments for the organization.
A frequent misconception is that a technology assessment is an assessment of the software applications that a client is using. Application software is selected by a client based on their business needs and costs. The role of the technology assessment is to make sure that the technology in place is capable of supporting these applications, not the other way around.
What a Real Technology Assessment Entails: A proper technology assessment will leave no stone unturned; if it is related to the company network infrastructure, this could include hundreds or thousands of computers and network devices in the end.
With such an involved examination, the time to complete an assessment can vary; for existing TSI clients, the review can be a relatively short process because we are familiar with the organization’s environment.
Step 1: For new client engagements, the assessment can take between 1 and 3 days. The first step includes a questionnaire with a roughly half-hour on-site visit. During the initial site visit, one of our highly skilled technical experts goes over a series of questions so that we are able to better understand how the technology is used in the organization. The questions are not technical in nature; rather, they are directed to the Points of Contact at the company. The questionnaire serves as a great tool for us and the client, establishing the parameters needed during the assessment. Primarily, it acts as a foundation where we can document all the concerns an organization has. If any questions are unanswered during the initial visit, fear not, we will be sure to address them after the assessment.
Step 2: Following the questionnaire, our team begins a physical review of the facility, including wiring closets, computer rooms, etc., to identify all elements of the network (cabling, servers, network devices, firewalls, as well as wireless access points).
Step 3: The “discovery” phase involves using our computers to collect data about your entire network, inventorying all the information and storing it all on your own servers or machines. Discovery is an intensive process that includes three elements:
Physical Discovery: We examine and document the critical elements of the network such as connectivity (cabling), file servers, firewalls, power protection, and mission-essential network devices.
Electronic Discovery: We collect data from every individual computer and network device on the network. This data includes information about computers and details pertaining to application software, versions, licenses, etc.
Processes Discovery: We gather and document the existing internal processes, such as backup, disaster recovery, patch management, anti-virus, group policies, internet policies, remote access, wireless access, administrative rights for each user, etc.
Step 4: After the discovery phase is complete, we evaluate the network performance and tabulate information to allow us to measure whether the network is performing optimally against the benchmarks set by organizations of similar industry and/or size.
Step 5: The conclusion of the assessment includes the delivery of a final detailed report highlighting all of the findings, as well as our expert recommendations. The report is normally hand-delivered two weeks following the conclusion of the assessment and careful internal analysis. We have found the report to be a bit overwhelming with the level of information provided, which is why we always recommend setting aside some time while we are there to review the report and answer any questions.
Having a Trusted Partner: When providing technology assessments to existing clients, Managed Service Providers (MSPs) like TSI are uniquely positioned to provide regular evaluations. In most cases, MSPs have deployed agents to many of their clients’ servers, computers, and network devices that can identify, as well as report on, any elements of the client network that do not meet the minimum performance specifications of their network infrastructure.
These assessments should be conducted on a regular basis, following any major upgrade or change to the company infrastructure. Technology assessments conducted on a routine basis are not nearly as long or costly to conduct as some imagine; in fact, they are highly effective tools for assisting with properly allocating budgets for IT costs, as well as understanding shortcomings.