  • cindy8756

What is an automated IT audit plan?




Pebl1 provides an automated IT audit plan.  But what is it?  Would it work for you?  In this blog, we’ll provide the core features, and explain why it might be a cost effective, rapid and high-quality option for you.

 

How does IT audit work?

Usually, an internal audit team will perform IT audit manually.  This means they will:


Perform an annual risk assessment, to determine which parts of the IT environment need to be audited.  The list of options tends to be pretty fixed, and includes:

  • Specific systems

  • Major projects or changes

  • Major outsourcers

  • Information and cyber security

  • IT strategy and management

  • Resilience, business continuity and disaster recovery

  • Data privacy

  • Compliance with specific rules or regulations

 

Schedule those audits specified as being ‘high risk’.  Unless they’re a large organisation, this would be between two and six audits each year.


Resource the audits.  To do this, you could employ someone, find an independent contractor, or ask a specialist firm to do this for you.

Deliver and exit the audit.

 

We’ve run through the economics of different commissioning models in a previous blog (https://www.pebl1.com/post/what-are-the-benefits-of-automating-audit).  But how does implementing an automated audit plan differ from the standard way of working, and why is it different?

 

How is an automated plan different?


For an automated audit plan, you begin in the same place: you perform a risk assessment.  The two differences are:

The risk assessment itself is automated.  One or more people in your organisation complete a simple automated risk assessment.

You risk assess a set number of categories within the system, rather than whatever you want.  So, the risk assessment is based on categories like:

  • IT strategy and management

  • Change and project management

  • IT service and delivery

  • Cyber security

  • Data privacy

  • IT operations and management

  • IT outsourcing

  • Resilience

 

Once you have completed it, you then choose how many audits you’d like to do, and when you do them.  There is no conversation around scheduling – you can do the work whenever you want to do the work.  Why?  Well, there are no complicated commissioning decisions to make – you don’t need to recruit or contract the work.  You just choose when you want to do it.


When an audit starts:

  • You will be sent an automated terms of reference, telling you what the audit will cover and the preparation you need to do. You’ll need to find the right contact(s) to support this audit on your side.

  • A named specialist from our automated audit team will contact you for a 1-hour meeting to gather the information needed to identify whether the controls in the audit are properly designed.

  • They will then send you the initial conclusions and a request for evidence. 

  • You correct the comments and upload the requested evidence.

  • In the background, our pool of specialist auditors will review the evidence and conclude.

  • The system generates conclusions, based on the audit brain we have developed.

  • A draft audit report is automatically produced and sent to you.

  • Our named specialist will meet with you to conclude and agree the report.

  • You are sent a final audit report.

 

In summary, the bulk of the scoping, review, analysis and reporting is performed automatically.  However, a qualified audit specialist checks this and communicates this to you, meaning you get the speed and efficiency of automation with the judgement and experience of a qualified auditor.

 

Is this right for everyone?


Probably not.  For example, if you’re a large or complex organisation, the above may not work as well out of the box – it may need some amendment (of course we’d be happy to talk to you about that).

 

However, for most medium and smaller entities, the above works well.  Why?

  • They tend to audit the same things.  Yes, everyone’s special, but we have found most organisations audit the same things in IT, sometimes using slightly different language.

  • The scheduling and timing sit with the client being audited and can be flexible.

  • There is minimal human involvement, which means it’s a LOT cheaper than alternative models.

  • The results are based on methodologies developed by experts in this area, so you get great quality.

 

Some examples:

  • We have found a one-week onsite IT audit usually takes internal or contracted resources four weeks to deliver (from initial planning to final reporting).  If you have the right people available, an automated approach can do this in 1-5 days.

  • Similarly, individual audits that traditionally cost £7k-£12k to deliver can be done for £750 using automated methods.

  • Our internal benchmarking (admittedly biased) shows that traditional audits tend to ‘skip bits’ – for example where things are too complicated to explain or where they already have enough issues to report.  Automated audits are locked into the system, so cannot miss a thing if you put the right information in.

 

So, if you are a small or medium sized organisation and want to take control of your IT audit plan, reduce your IT audit spend by an order of magnitude and improve quality, please get in touch.  You might be surprised at the results.

 
