IT Audit Worksheet

Our IT survey is used to get a better idea of what you currently have, in terms of IT assets, and what you’re “missing”. Once we’ve collected the raw data we would then look for shortcomings, potential problems and accidents just “waiting to happen”.

We would then assist in the prioritization of these findings into a plan of attack.  A Summary of Findings report outlines this in detail.

• How many employees are there? PC users?
• How many standalone users? Networked users?
• How many notebooks? Desktops?

• Is there a network in place today? If so, what kind? Is it based on a peer-to-peer model such as Windows or Apple Mac OS?
• Is it based on a centralized-server model such as Novell, Microsoft or Linux?
• What kind of network technology is in place? What speed? Wireless?
• Are there any host-based systems inside or outside of the office that you connect to?
• What kind of data cabling is in place? Category 5? Coaxial? Fiber? Was it a certified installation?
• Are there any wide area links?  Other offices outside of the building?

• What are your company-wide desktop standards? Hardware? Applications? Operating systems? Printers?  Anti-virus? Span protection?
• What does the staff like and dislike about these standards? (Hint: Different groups within the company often have totally different priorities.)
• Are there any legacy or custom applications that are redundant or obsolete?  Available to upgrade?
• Are there any orphaned applications where the ISV is no longer in business or no longer supports the product?
• How does software license compliance look? Who’s in charge of maintaining and enforcing this?

• Do you have a written policy on acceptable use of IT resources such as the LAN, e-mail and Web browsing?
• Are there any EDI or similar relationships with clients or suppliers?
• Is there a formal IT business plan in place that forecasts projects (budgets and plans?) at various time intervals?
• What kind of documentation exists? Technical? End user? Is it adequate? Is it up to date? Is a hard copy kept off site?

• Does your company have basic file sharing? Printer sharing? CD-ROM sharing?  Application sharing?
• What about modem sharing or network-based faxing?
• Is there internal and/or external e-mail?  Is this consistent throughout?
• Is there a contact management or groupware application?
• Does anyone have access to network resources while traveling? While working from home? Which software applications?

• What kind of confidential data does your company deal with? Social security numbers? Credit card numbers? Proprietary research and development? Client lists? Payroll?
• Is any sensitive data being kept locally on desktops, notebooks or PDAs?
• How is data protected today? What are the biggest internal and external security risks?
• Does everyone have his or her own logon account and password or is there just one shared password?  Are there policies for these?  Are they enforced?
• Are servers physically secured? Who has access?
• How often are passwords changed? What kinds of policies are in place to strengthen passwords?
• Is encryption used for any applications? Smart cards? Remote dial-back?
• Is there a formal disaster recovery plan? How often is it tested? Revised? Who’s in charge? Where’s the “hot” site?

• Where are Uninterruptible Power Supplies (UPS’s) being used? Are data-grade surge suppressors being used on all other devices?
• How much battery backup run-time is available for critical systems? Is UPS monitoring software utilized? What about e-mail alerts?
• When was the last time UPS units were tested for automated shutdown? Who monitors the UPS logs?
• How often are full system tape backups run? How many sets of tapes are maintained? How often are tapes rotated off site?
• When was the last time the tape backup restore capability was tested at the file level? At the volume or server recovery level?
• Are verifies done daily? Are tape backups launched manually or on a preset, automated schedule? Who monitors the tape backup logs?
• How is data on workstations protected? What about data on notebooks and PDAs?
• What kind of antivirus software is in place? How often is the engine updated? What about the definition files? Are the updates automated or done manually?
• Who’s responsible for monitoring the antivirus logs? Are both servers and workstations protected? Are the Web, proxy and e-mail servers protected?
• Are users trained on protecting against virus infections?

• How many people have Internet access? For Web browsing? For e-mail?
• What kind of shared access is there? Who maintains the router and/or proxy/firewall solution?
• What kind of bandwidth is being used? Is it ISDN? Frame relay? T1? Cable modem? DSL?
• Does your company have a domain name? a Web site?  Does the company rely upon for it ecommerce? Prospecting? Marketing? Product support?
• How is the Web site maintained? Is it a static or database-driven site?  Do you have backups of the site?  of the data?
• What kinds of Internet Service Provider (ISP) relationships are in place today for Internet access, email and Web site hosting?

• What kind of computer training does the staff receive? What topics? How often?
• Is there formal classroom training? One-on-one? Peer-based? Self-study? Cross-training?
• If so, how effective has the training been?

• Who determines hardware/software needs and writes up the specifications?
• How do you procure hardware and software?
• Who determines whether items shipped match the items requisitioned on purchase orders?
• Is hardware and software generally leased or purchased?
• Are service agreements ordered at the time of purchase?
• What’s the typical asset life cycle? How often is hardware refreshed?
• Who maintains the asset inventory?

  Home | Our People | Contact Us | About Us | Hosting | Our Support


Login