Up-to-date syndicated information on database & ERP privacy, security, audit and compliance
  • How to Leverage Best Practices to Build Effective IT Audit Plans

    Posted on March 4th, 2011 Team 1 comment

    erp and database audit plan

    Why best practices?
    Process practices are improved every day. “Best practices” are recognized as the preferred methods for saving time and building efficiency within a process or group of processes. IT auditors should leverage best practices to build collaborative and effective technical audit plans, improve efficiency, and address risks.
    What are best practices?
    Wikipedia defines best practices as:
    “…a technique, method, process, activity, incentive, or reward which conventional wisdom regards as more effective at delivering a particular outcome than any other technique, method, process, etc. when applied to a particular condition or circumstance. The idea is that with proper processes, checks, and testing, a desired outcome can be delivered with fewer problems and unforeseen complications. Best practices can also be defined as the most efficient (least amount of effort) and effective (best results) way of accomplishing a task, based on repeatable procedures that have proven themselves over time for large numbers of people.”
    Best practices evolve over time. Best practices used in the appropriate situation should consistently produce the best possible results.
    Don’t reinvent the wheel
    Everyone—regardless of their profession—wants to accomplish tasks using the minimum available resources. Best practices can be leveraged effectively to design, implement, support, and audit a given technology area. This becomes increasingly important in fast-paced and complex sectors like IT where technology is constantly changing and processes must be able to efficiently adapt.
    In addition, the IT industry is dominated by major vendors such as Microsoft, Oracle, SAP, and Google. Similarities of servers, databases, network peripherals, and functionality requirements make building a collection of best practices a major attraction for the IT community.
    There are several key advantages of utilizing best practices in IT:
    • Benchmarking operations with industry peers can calculate a true return on investment (ROI)
    • Leveraging collective human capital to cut down on the time and expense of individual “trial and error” process development
    • Reducing the total cost of operations (TCO) for individual organizations by using the combined knowledge of leading resources across multiple organizations
    • Identifying and targeting well-known gaps or vulnerabilities
    Building a collaborative platform of best practices, based on the input from a diverse group of domain experts, vendors, and authoritative organizations, serves the larger community and helps share community knowledge.
    How to build multi-dimensional and up-to-date best practices
    Best practices, when captured, must be associated with relevant task scenarios and organized so that the community can apply and use them as required by their specific situation. This organization can be achieved using “tags”, or metadata, within the structure of the information. Tags, in Web 2.0 terminology, are keywords or terms assigned to practices and topics that enable efficient organization of information and rapid searching across large information sets.
    As the availability of best practices increases within a given field of technology, massive repositories will contain best practices for every conceivable task scenario. To reduce the time required to find the specific best practice, or groups of practices, needed for a given task, each practice is tagged for multiple contexts and user requirements. As new task scenarios develop to support evolving compliance and business requirements, existing practices can be tagged for association with the new scenarios.
    In addition to clear associations and organization, it is essential to ensure that best practices are kept up-to-date in the fast-changing technology world. The incredible amount of information in the form of whitepapers, blogs, books, presentations, etc., is isolated and lacks the framework to be updated frequently. Referencing a best practice published several years ago might yield undesirable results. These best practices are continuously kept up-to-date on the easy-to-use web platform with dedicated contributors and a review and comments section for the public.
    Who builds best practices and why?
    In our increasingly ‘connected’ world, the best ideas and practices can come from anywhere. The key to leveraging best practices is to get up-to-date details of practices that have similar dependency factors and then share them globally.
    A physician in India might operate on ten (10) to twenty (20) patients per day. But best practices that apply to a physician working with a large population, such as in India, might not be ideal for a physician in a small, rural hospital in the United States. By collecting best practices from experts with varying demographics and organizing them to be easily accessed by others in similar situations, we can substantially reduce the total time required to develop efficient processes in any given field and with any specific set of criteria.
    For example, best practices collaboratively developed by physicians who operate on many patients might enable more rapid deployment of successful triage and treatment processes during a natural disaster in an area that typically does not service large patient populations.

    Why use best practices for IT audit planning?
    IT Audit is the process of collecting and evaluating evidence to determine if an organization’s information systems are:
    • Designed to maintain data integrity and safeguard assets
    • Positioned to achieve current and future organizational goals effectively
    • Designed to use resources efficiently
    An effective and efficient information system leads the organization to achieve its objectives and uses minimum resources in achieving the required objectives. IT auditors must know the characteristics of information systems in the organization while evaluating the effectiveness of any system since IT governance and strategy are critical to an organization’s success. IT auditors play a major role in identifying risks and gaps in the system.
    Controls in an information system reflect the practices designed to provide reasonable assurance that business objectives will be achieved. IT controls also ensure effectiveness and efficiency of operations, reliability of financial reporting, and compliance with rules and regulations. Using a global best practice knowledge base, organizations can learn from others who have experienced the same or similar issues and quickly employ controls to mitigate risks.
    To develop an effective risk assessment and audit plan, it is essential to break down the IT universe into smaller and more manageable components. Typically, IT sub-components are defined as infrastructure and applications systems.
    Infrastructure systems consist of hardware systems that include servers, routers, communications devices, desktops, etc. The hardware infrastructure controls the flow and processing of information throughout the organization.
    Applications systems are typically the software used to record and store business transactions. Examples would be databases, enterprise resource planning systems, cloud-hosted applications, and business intelligence software.
    The hardware infrastructure and applications are audited to ensure security, effectiveness, continuity, maintenance, and cost. The IT controls that monitor these elements are generally contained in security and risk management documents, business continuity plans, and service level agreements (SLAs). By leveraging the best practices developed at the component level, an IT auditor can quickly build an audit plan based on specific criteria and provide a risk assessment report of the IT environment.
    Why Checklist 2.0?
    Checklist 2.0 is building the premier repository of best practices for creating effective and comprehensive IT audit plans. Our global collaborative knowledge base is organized for easy access and rapid deployment. Our dedicated contributors and online community update and validate practices every day to ensure they remain up-to-date for changing business requirements. We welcome your thoughts and inputs. To contribute to our global IT Audit Best Practices, please register at http://www.checklist20.com

     

    One response to “How to Leverage Best Practices to Build Effective IT Audit Plans”

    1. A great post!
