IT systems audit helps firms avoid flirting with disaster

The drive in the server stops spinning. A power supply fails. An email server stops working. The phone system crashes. Too often, it's only when something bad happens that firms look at their IT systems.

Then they are likely to fix the immediate problem, without looking at where the next problem is likely to happen.

The alternative is the IT audit, getting professionals in to look at every aspect of your information and communications technology, from hardware to applications and service agreements.

Sometimes the audit can be done by an existing supplier. Sometimes it is better to bring in an outsider, to give management some ammunition when negotiating with suppliers.

Since IT isn't the core business of most firms, there is no need for them to have the knowledge in house, or to keep abreast of current trends and developments in technology.

"The understanding of IT in firms varies from self-sufficient to incompetent, so they need to identify where they fit in that range and understand their strengths and weaknesses," says Allan Maclean from Maclean Computing, an Auckland firm which provides services to mid-sized businesses.

Scott Green, the general manager of Axon, which services larger firms, says an outside review of IT requirements and deficiencies is often the only chance firms have to find out what is best practice in each area of operations - which is something which changes as technologies improve.

"The review shapes both the immediate remedial action and also allows for future planning," Green says.

He says many audits are about risk or cost, where firms suspect they are paying too much.

"The third stream of audits are people wanting to know what represents best practice, and how they can maximise efficiency on the back of clever IT.

"If you look at global best practice, there are many things our infrastructure in New Zealand will not allow us to do in a blanket way, but there are areas with high-speed fibre which allows allows people to explore options with remote primary sites and backup sites," Green says.

The bigger the business, the bigger the cost, but Green says for between $3,000 and $10,000, most local firms could at least identify some of the key risks and opportunities facing them.

Maclean says the first priority in an audit is usually to look at how firms protect themselves from data loss.

"In many small firms there would not be adequate back-ups. They often make compromises. The dream back-up is that you can always go back to a complete set of data and restore, but the economics may say the firm feels it can only do a full back-up once a week.

"You must always work on the basis the system will fail sooner or later, usually when a hard disc stops spinning."

Discs have become more reliable, and computers have become cheaper, but everything dies. That's why Maclean recommends never keeping a server past its warranty period - parts can be hard to source.

"Another possibility is to make sure the server itself does not crash and burn, so you need a big enough UPS (uninterrupted power supply) so if there is a power failure it will shut down gracefully, and you need to check the batteries in the UPS every three years."

Improvements in infrastructure and changes in the telecommunications market are making remote hosting more feasible for many firms.

Maclean says the advantage is that the time of highly-paid IT professionals can be better used.

"On average each of our engineers look after 20 companies, so two things happen. When they need to fix something, they have probably seen the problem before. And we don't have to pay them for 40 hours a week when they are not working all that time, so it is a cost-effective solution," Maclean says.

Auditors can also flag things like law and accounting changes which affect IT systems, but which might not have caught the attention of firms in the course of day-to-day activity, like the need to be able to retrieve emails.

"They will also look at infrastructure, whether it is capable of doing the job, identify which parts of the network need to be bought up to standard, whether the firm is dealing effectively with things like spam, viruses, anti-hacking tools.

Then there is the software licence audit. Are you running unlicensed software? Are you paying for licences you don't use?

"You may have six copies of Adobe Acrobat, but you only make six PDFs a month. It may be better to put the program on just one machine, and move the job to that machine for output," Maclean says.