IT audit: tasks it solves and how to know if you need it

«We want to scale our system. But if we do, the cost of equipment will increase significantly.» This is one of the concerns from which an audit can begin in the IT sphere. We’ll tell you why you might need an audit and what to pay attention to if you order one.

An IT audit is a tool that helps to find weak points in a system and understand what and how to change things for better performance. In practice, it means that experts analyze the state of programs, products, applications — everything. And, based on the results, they prepare a report with their recommendations. This is similar to a medical check-up.

The customer decides what exactly to investigate and why. For example, one can order an analysis of the operation of all systems or only one. What precisely is checked is also decided by the customer. There are no strict rules.

There is no universal advice when a company should conduct an audit. Everyone decides for themselves. In our experience, people more often apply for expertise in the following cases:

• There is an obvious problem
• It’s unclear whether something is worth investing in
• The client wants to check if the business is using the best solutions
• A migration or other change is planned

There is an obvious problem, but it is not clear exactly where it is or how to fix it. For example, new developments take too long or require more resources than the potential economic effect from them.

It is unclear whether it’s worth investing money or whether it’s possible to reuse existing resources. For example, a company uses six servers, but not at full capacity, but so that there is headroom in case of a peak load.

The volume of tasks to be handled by the system increases and additional capacity is needed. The question arises: is it worth increasing the load on the servers and risking a possible peak, or is it safer to pay extra for new services?

An audit helps find a solution. It’s quite possible that it will be feasible to free up capacity for those working with the service at the expense of other technologies. For example, switching to the Go language.

There’s a task to check whether the business is using the best solutions and getting the most out of them. Let’s say there is a task regarding work with certain devices, but so far it’s not functioning properly. You need to understand what the problem might be.

A migration or other change is planned, such as an upgrade or scaling. In order not to lose money and suspend work, it’s beneficial to understand in advance what needs to change, what to take into account, and so on.

For example, the database that the company uses is no longer being maintained or developed, so you will have to use a different solution. Or a move to a different codebase: something was written in one language, and it’s outdated.

Audit can cover two areas. One is related to solving problems, the second is the evaluation of proposals, plans, general status, and everything related to the future.

Examples of tasks for an IT audit

Problems and risks	Evaluation of solutions and plans
Scaling	A plan for infrastructure migration to cloud storage
Expensive system development and support	Modernization of outdated equipment stock
The system does not bring expected income	Outsource part of infrastructure support and maintenance processes

The areas involved in an audit depend on the customer’s wishes. For example, if one is ready to give access to storage systems, experts will be able to test ithem. If not, then they can check them superficially or not at all.

Examples: what can be examined as part of audit

Computing infrastructure	Telecommunication infrastructure	Engineering systems
Servers	Corporate data transmission network	Basic infrastructure services
Data storage systems and data storage network	Local computing network	Information Security
Backup system	Video communication
Archiving system	Telephony
Virtualization system

The audit can be in two formats — remote or in-person. If the task is to check the systems, experts usually work online. In this case, there’s no need to find space for people to work, issue passes, etc. And when it is needed, you only need grant access to the systems. In-person audits are rare.

Regardless of the format, the audit goes through the same steps. Here’s how the OrbitSoft team does it.

Based on the audit results, the company gets a detailed report and recommendations on what they need to do, how they should implement these actions, and when they should them. The type and format of the report can be standardized or customized for a specific business and tasks.

• At Digital mainly shows ads from Yandex and Google — other banner networks, which in turn show ads from other networks.
• The site has Adfox and settings for header-bidding connected, and requests for bids are being made. There is probably a hidden auction via Adfox is taking place.
• The sizes of ad slots are not fixed and banners are displayed in several sizes or their combinations. The width of the site is flexible, which causes incidents during impressions, for example, a 720px banner may not fit and is cut off at the edges.
• The site has a huge number of scripts with confusing logic. Some of these are probably not used, but they do affect performance.

A part from an Orbitsoft report as a result of ad solutions analysis

In addition to the audit itself, experts prepare recommendations and help with implementing changes. For example, the Orbitsoft team can draw up a vulnerability remediation plan, help with software implementation, or with developing needed algorithms.

What can be in a report	Examples
Architecture	A list of errors A list with the elements that don’t adhere to modern standards
Fault tolerance	Peak load criteria for determining the moment when the system will fail What breakdowns will disable the system A list of incorrect software settings
Performance	Download statistics Parameters of system resources utilization Overload level Capacity shortage
Software relevance	Versions of microcodes, system software, and so on Support resources Compliance with best solutions in the market
Monitoring	Coverage of monitoring systems List of metrics for analysis Comparison of collected metrics and those that still need to be collected Quality of observation of failures response
Operation	Operating conditions and how they comply with standards Physical and other depreciation Warranties