Check business resilience with a technology audit


Today, almost all business operations rely on technology — when the technology stops, so does the business.


“What's critical to understand is that technology is really enabling and driving core operations of almost every business,” said Grant Thornton Risk Advisory Partner Scott Peyton. That’s why the resilience of your business depends on the resilience of your enabling technology infrastructure. Your internal audit team can play an important role in evaluating and maintaining your technology resilience. Audits of your technology infrastructure should assess your IT strategy, reporting tools, cloud change management and asset management.




IT strategy


An internal IT strategy audit can help a business ensure that it has the right technology infrastructure to drive its core operations with efficiency and resilience. In a recent Grant Thornton webinar with more than 1,000 attendees, almost half said that their companies have not audited their IT strategic plans.



Inefficiencies in your IT infrastructure can be very costly, so it’s important to establish an IT strategy that helps you anticipate needs and adapt over time. It’s also important to get buy-in on that strategy, track its execution and audit it regularly.


Your internal audit team can help you understand and ensure that your IT strategy supports your business strategy. It starts with identifying the essential components of an effective strategic plan. Your plan should:

  • capture the current and future state of the company’s technology infrastructure.
  • align with your overall business objectives, to strengthen your efforts towards business goals.
  • integrate with comprehensive enterprise risk management to help avoid or mitigate risks. 
  • include a process for ongoing monitoring and reporting that produces valuable data for informed technology decisions.

Capturing the current state involves determining the company’s IT baseline, assessing each technology pillar or stack and understanding how it’s all managed through IT governance. Capturing the future state requires an IT roadmap that shows targets, priorities and innovation adoptions. A process for ongoing monitoring and reporting should track the current and future state, so that an audit can assess whether the company’s capabilities, financing and staffing are on track to meet the technology targets.


“The IT internal audit really helps inform us about how the organization can avoid pitfalls, as it tries to deploy the IT strategic plan,” Peyton said.




Reporting tools 


Your IT strategy drives your technology decisions, and your reporting tools drive your business decisions.


Internal auditors need to assess the enterprise’s reporting tools, like Microsoft Power BI and Excel or managed SQL queries. “You might also need to include data from legacy reports that management has always used, whether it’s on a mainframe or just a typical report out of the ERP system,” said Grant Thornton Risk Advisory Principal Matthew Cassidy. To analyze large amounts of data from enterprise data storage areas, consider online analytical processing software and artificial intelligence capabilities.



Core reporting tools


Reporting tools are especially important during phases one and two of the three-phase IT strategy audit, as it performs detailed testing procedures. Tools can reside in the cloud, on site, with a vendor or might be embedded in an existing system. Each repository and data flow has inherent risks to mitigate. “It’s critical to understand how the systems are connected, how data flows, and the processes and controls around each piece,” Cassidy said. “The controls and the procedures change, depending on where that data is within the flow of the systems.”




Cloud change management


Beyond your analysis and reporting tools, cloud platforms are the standard for most of today’s enterprise applications. That’s why it’s important to assess cloud change management, evaluating the Continuous Integration / Continuous Deployment (CI/CD) environment. “CI/CD is a modern definition of software development, in smaller increments rather than large deployments, to help ensure the changes are reliable,” said Grant Thornton Risk Advisory Managing Director Vikrant Rai.


CI focuses on automated test cases and quality gates, testing application changes against pre-defined criteria where failures can be quickly resolved. Then, CD encompasses the ability to cancel or revert a change to a prior version, if the result of integration output adversely impacts production.


A CI/CD model


Efficient CI/CD can help ensure seamless and continuous updates before and during deployment, if the proper governance and controls are in place for stakeholders throughout the technology asset lifecycle. “The CI/CD policy is critical to ensure that there is successful automation in the overall process,” Rai said.





Asset management


Software and hardware assets constantly move through an organization as they are procured, deployed, employed, managed, stored and disposed of. To ensure that assets are managed appropriately from adoption to end-of-life, it’s important that people know and adhere to updated IT Asset Management (ITAM) procedures.


“When we think about IT asset management, literally everybody who has an asset in the organization is a part of that effort, and needs to take ownership accordingly,” said Grant Thornton Risk Advisory Principal Chris Saracco. An audit can evaluate ITAM procedures against practices.



Asset management best practices



ITAM best practices can mitigate the risks of inaccurate records, noncompliance with software licensing, unclear vendor contracts and poor hardware or software disposal.


A comprehensive technology audit can help ensure the successful development and ongoing execution of your IT strategy, reporting, cloud change management, asset management and more. It gives you the information you need to move toward your desired future state, and can help ensure the resilience of your business operations along the way.



Content disclaimer

This Grant Thornton Advisors LLC content provides information and comments on current issues and developments. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.

Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.

For additional information on topics covered in this content, contact a Grant Thornton Advisors LLC professional.


Our fresh thinking