Home / Resources / ISACA Journal / Issues / 2015 / Volume 4 / IS Audit Basics: Auditing Small IS/IT Organizations: When Is an IS/IT Organization Small?

IS Audit Basics: Auditing Small IS/IT Organizations: When Is an IS/IT Organization Small?

IS Audit Basics
Author: Ed Gelbstein, Ph.D.
Date Published: 1 July 2015

IS/IT can be found virtually everywhere, and when it fails to deliver the services that people need, the result is discontent or worse. The world of IS/IT has become complex and includes email, Internet access, document storage, networks, and applications and databases—many of them complex. Then, services from outsourcers and cloud providers and some kind of IS/IT organization are needed, if only to manage contracts and contact support services.

The smallest IS/IT organization I found had a staff of zero professionals. It relied on the goodwill of one of the managers who had some knowledge of local area networks and the benevolence to provide a limited amount of support. This is not an isolated situation (see next section).

Small IS/IT groups consisting of one to five staff who support critical operations and services in organizations with up to 300 employees are not unusual. A working definition of a small IS/IT organization would likely state that the planned absence of one of its members for a week or two would put it under pressure and that the departure or longer-term unavailability of one of them could prove unmanageable.

Such organizations may not have good infrastructure facilities, such as a purpose-designed data center, and could be lacking a standby power supply or controlled access to the facilities and have instead spaghetti cabling, a questionable power supply, unlocked cabinets and an impression of disorder.

Editor’s Note

On 19 July, 2015, Ed Gelbstein, Ph.D., passed away after a lengthy illness. He was a prolific
writer and contributor to the ISACA Journal and a valued and admired colleague. His work
will continue to be published in the ISACA Journal posthumously.

When such an organization does not have someone accountable for risk management, things get worse. Unfortunately this is not uncommon.

Where Do You Find Small IS/IT Organizations?

Besides the obvious small- and medium-sized enterprises (SMEs), small IS/IT organizations can be found in academic institutions (where students act as network and system administrators), nongovernmental organizations (NGOs) working with minimal budgets, diplomatic missions and consulates of many countries, small international organizations, and semi-autonomous business units of larger enterprises. It is not unusual for the managers of such institutions to have limited knowledge of information systems (as users) and even less knowledge about the management of such systems.

Finally, there are local offices around the world of corporate entities and international organizations. These offices may not have access to a robust infrastructure for electricity generation or Internet access. Some operate in countries where there is civil disorder, refugee issues and armed conflict. These local offices rarely get audited, as many of them rely on guidance from their head office. Some of this guidance may be hard or impossible to implement.

Risk Profile of a Small IS/IT Organization

In the absence of a risk manager and/or an experienced IS/IT manager, these small organizations make a best effort carried out by people with good intentions, but limited knowledge, with modest budgets and, whenever possible, relying on the support of small local companies.

The components of their risk profile can be expected to include:

  • No IS/IT governance at the local level. Strategic decisions and budgets are decided elsewhere, often without consultation.
  • No formal risk assessment, risk register or documented mitigation plans
  • The absence of a backup person for the IS/IT manager or other key personnel
  • Malware infection of the local equipment and network due to the loss of effectiveness of antimalware products and a backlog of updates of critical software. This can propagate through the organization’s global network.
  • Lack of a formal change control and proper segregation of duties (SoD)

What the Auditor Can Expect and Look For

Fact: The current scope of standards, guidelines and best practices for all aspects of IS/IT amounts to a small library, including:

  • The Information Technology Infrastructure Library (ITIL)
  • The Software Engineering Body of Knowledge (SWEBOK)
  • The Data Management Body of Knowledge (DMBOK)
  • COBIT 5 family of products
  • The ISO 27000 series of security standards (and many others) from the International Organization for Standardization (ISO)
  • The US National Institute of Standards and Technology (NIST) SP 800 publications

Consequence: A small organization is unlikely to have adequate knowledge of all of them and even of any of them. This and the smallness of the team prevent many critical tasks from being done, which is reflected in the quality of service.

The auditor should identify the criticality of the various tasks for the audited entity and make realistic recommendations, recognizing that other activities will only be carried out when the available skills and time allow for this. The audit report should present the resulting risk.

Fact: A small team, however well motivated, responsible for activities to safeguard sensitive information (as would be the case in a diplomatic mission or international peace-keeping operations) will depend strongly on guidance and support from the organization’s headquarters.

Consequence: Headquarters should be accountable for the briefing and training of the remote IS/IT organizations, for disseminating policies and for monitoring compliance with them.

The auditor should assess the extent and appropriateness of the support provided by headquarters and report accordingly.

Audit Priorities for Adding Value to the Auditee

Small organizations that are seldom audited or are faced with their first IS/IT audit will benefit from the auditors’ assurance that their presence intends to help them identify areas of risk that can be sensibly addressed and point them in the right direction with regard to good practices—along the lines of a combined audit/internal consultancy exercise.

The following three domains, reflecting experience gained through many audits of small organizations, may be a good point of departure.

Physical Security
Identifying the good, the bad and the ugly, good practice should focus on a separate computer room that is not used as office space, with access control that records who entered it and when. In addition, the computer room must also have an uninterruptible power supply, flooding and smoke detectors, and fire extinguishers. The latter presupposes that the staff would know how to use them (not always the case).

Good practice also requires that all equipment be placed in racks (not on the floor) and that wiring cabinets be locked. There should be no spaghetti cabling—the usual excuse that “this is temporary” is rarely true. Similarly, the use of multiple extension leads spread on the floor should be discouraged (forbidden). Access to the computer room should exclude visitors, food and drink.

Logical Security
Time pressures—much to do and limited awareness of logical security—make this a weak link in small organizations. Good practices require that vendor default passwords (e.g., Sysadmin) are never used and that all current passwords are neither shared nor written down in a visible place (It is okay to have sealed envelopes in a fire-proof safe.)

Server and network component passwords must be based on good rules. Adequate SoD must be in place for changes to configuration, applications and access rights.

Key Processes
Given that COBIT 5 has 37 high-level processes in five domains, identifying which are the most essential for a small organization becomes a judgement call for both the auditor and the auditees. My shortest list may already be too long for many small organizations:1

  • APO 10 Manage suppliers
  • APO 12 Manage risk
  • APO 13 Manage security
  • BAI 06 Manage changes
  • BAI 09 Manage assets
  • BAI 10 Manage configuration
  • DSS 02 Manage service requests and incidents
  • DSS 05 Manage security services

Conclusion

There is no point in pushing a small IS/IT organization to adopt and implement all the good practice guidelines available. This is already a significant challenge to a large and well-resourced organization.

The auditor’s priority should be to identify and rank the small organization’s exposures to risk and recommend actions that will help mitigate them. These should be few in number, cost-effective and within the reach of the resources available (staff numbers, skills and workload).

Endnotes

1 ISACA, COBIT 5, USA, 2012

Ed Gelbstein, Ph.D., 1940 – 2015, worked in IS/IT in the private and public sectors in various countries for more than 50 years. Gelbstein did analog and digital development in the 1960s, incorporated digital computers in the control systems for continuous process in the late ‘60s and early ‘70s, and managed projects of increasing size and complexity until the early 1990s. In the 1990s, he became an executive at the preprivatized British Railways and then the United Nations global computing and data communications provider. Following his (semi) retirement from the UN, he joined the audit teams of the UN Board of Auditors and the French National Audit Office. Gelbstein also taught postgraduate courses on business management of information systems.