IT management audits serve to validate compliance with policies and analyze operational conditions for improvement recommendations. The planning process involves defining goals, adapting standard practices, and setting expectations to ensure effective and non-disruptive audits. Effective communication and cooperation are crucial for the audit's success and its results should be openly communicated for further improvement.

1. 2/29/2016 IT Management Audits - IT Management Templates
http://it-toolkits.org/blog/?p=76 1/2
IT Management Audits - IT Management Templates
Role and Purpose of the IT Management Audit
IT management audits can serve multiple purposes and provide many benefits. First, audits are used
to validate compliance with established technology related policies, programs and procedures. Then,
audits are also used as an investigative tool, to gather information and analyze current operational
conditions for the purposed of recommending specific “policies, programs and procedures”. The
primary purpose of a given audit will determine the scope and related execution planning. Validation
audits are likely performed on a regularly scheduled basis, with a standardized scope and set of
executing procedures. Investigative audits are likely triggered in response to a specific need, and
planning will be shaped by unique goals and circumstances. Whatever the purpose, the goal is to
ensure that audits serve a purpose, are planned for minimal disruption, and that all results are used
to maximize IT value.
Simple Steps for IT Management Audit Planning
Step 1: Define Goals, Objectives and Scope
The first step in planning an IT management audit is to create a clear statement of goals and
objectives, defining the purpose of the audit, expected benefits and desired results.
These are the questions you have to ask…
Who will conduct the audit? (organizationally and individually)
Why is the audit being conducted? (trigger and expected benefits)
What is the audit scope? (inclusions and exclusions)
What are the audit goals and objectives? (the audit “mission”)
Management audit specifics (based on the questions above) will establish the audit scope, defining
the exact “subjects” of the audit process and the overall work effort required to complete auditing
tasks and activities. These specifics will vary based on the structure and charter of the specific
organizational entity involved, the subject “service portfolio”, technology in place, available time,

2. 2/29/2016 IT Management Audits - IT Management Templates
http://it-toolkits.org/blog/?p=76 2/2
subject matter complexity, and overall audit goals and capabilities.
Step 2: Adapt and Apply Standard Auditing Practices
Once you have defined your audit goals and objectives, you will need to specify the audit process –
i.e. how your audit will be conducted. Standardized auditing practices will establish the means by
which audits are to be planned and executed, covering scheduling, communication, procedures, roles,
responsibilities and required deliverables. Individualized audit procedures will vary based upon the
audit “subject matter” and the size and scope of the audit itself. In addition, standardized auditing
practices will establish the actual procedures and techniques used to collect required information and
determine related conclusions.
In common practice, auditing procedures (steps taken to validate and/or investigate) can include one or more of
the following:
Testing and validation of all established operational and administrative procedures.
On site inspections of IT operational facilities (including server rooms and wiring closets).
Interviews with IT staff members, managers and consultants.
Physical reviews of technical documentation, logs and systems reports.
Interviews with members of the end-user community.
Step 3: Set Expectations and Get Ready to Begin
Audits should not be surprise attacks … they should be scheduled events. It is very difficult to fake IT
compliance, and very little can be gained from unscheduled audits. If a pending audit causes IT staff
to clean up minor errors and omissions, then the goal of the audit has been largely reached … to
ensure compliance.
For an audit to be truly effective, communication and cooperation is essential, and that can only be obtained
through a non-threatening process of review and evaluation.
Schedule the audit with IT managers and any essential staff.
Request any special security requirements in advance (ids, passwords).
Identify any required documentation, logs and records.
Schedule time for an informal review of preliminary results.
Before you begin your audit, you should set clear expectations for the use and application of audit
results. Since “blame” should not be the goal of any audit, audit results should be clearly and openly
communicated. While all results may not be positive, at the end of the process, there should be a
clear direction for improvement.