
Auditing Small IS/IT Organizations

Editor’s Note
On 19 July, 2015, Ed Gelbstein, Ph.D., passed away after a lengthy illness. He was a prolific writer and contributor to the ISACA Journal and a valued and admired colleague. His work will continue to be published in the ISACA Journal posthumously.

About the author: Ed Gelbstein, Ph.D., 1940 – 2015, worked in IS/IT in the private and public sectors in various countries for more than 50 years. Gelbstein did analog and digital development in the 1960s, incorporated digital computers in the control systems for continuous process in the late ‘60s and early ‘70s, and managed projects of increasing size and complexity until the early 1990s. In the 1990s, he became an executive at the preprivatized British Railways and then the United Nations global computing and data communications provider. Following his retirement from the UN, he joined the audit teams of the UN Board of Auditors and the French National Audit Office. Gelbstein also taught postgraduate courses on business management of information systems.

When Is an IS/IT Organization Small?
IS/IT can be found virtually everywhere, and when it fails to deliver the services that people need, the result is discontent or worse. The world of IS/IT has become complex and includes email, Internet access, document storage, networks, and applications and databases—many of them complex. Then, services from outsourcers and cloud providers and some kind of IS/IT organization are needed, if only to manage contracts and contact support services.

The smallest IS/IT organization I found had a staff of zero professionals. It relied on the goodwill of one of the managers who had some knowledge of local area networks and the benevolence to provide a limited amount of support. This is not an (semi) isolated situation (see next section).

Small IS/IT groups consisting of one to five staff who support critical operations and services in organizations with up to 300 employees are not unusual. A working definition of a small IS/IT organization would likely state that the planned absence of one of its members for a week or two would put it under pressure and that the departure or longer-term unavailability of one of them could prove unmanageable.

Such organizations may not have good infrastructure facilities, such as a purpose-designed data center, and could be lacking a standby power supply or controlled access to the facilities and have instead spaghetti cabling, a questionable power supply, unlocked cabinets and an impression of disorder.

When such an organization does not have someone accountable for risk management, things get worse. Unfortunately this is not uncommon.

WHERE DO YOU FIND SMALL IS/IT ORGANIZATIONS?
Besides the obvious small- and medium-sized enterprises (SMEs), small IS/IT organizations can be found in academic institutions (where students act as network and system administrators), nongovernmental organizations (NGOs) working with minimal budgets, diplomatic missions and consulates of many countries, small international organizations, and semi-autonomous business units of larger enterprises. It is not unusual for the managers of such institutions to have limited knowledge of information systems (as users) and even less knowledge about the management of such systems.

Finally, there are local offices around the world of corporate entities and international organizations. These offices may not have access to a robust infrastructure for electricity generation or Internet access. Some operate in countries where there is civil disorder, refugee issues and armed conflict. These local offices rarely get audited, as many of them rely on guidance from their head office. Some of this guidance may be hard or impossible to implement.

RISK PROFILE OF A SMALL IS/IT ORGANIZATION
In the absence of a risk manager and/or an experienced IS/IT manager, these small organizations make a best effort carried out by people with good intentions, but limited knowledge, with modest budgets and, whenever possible, relying on the support of small local companies.

©2015 ISACA. All rights reserved. www.isaca.org ISACA JOURNAL Volume 4, 2015 1
The components of their risk profile can be expected to include:
• No IS/IT governance at the local level. Strategic decisions and budgets are decided elsewhere, often without consultation.
• No formal risk assessment, risk register or documented mitigation plans
• The absence of a backup person for the IS/IT manager or other key personnel
• Malware infection of the local equipment and network due to the loss of effectiveness of antimalware products and a backlog of updates of critical software. This can propagate through the organization’s global network.
• Lack of a formal change control and proper segregation of duties (SoD)

WHAT THE AUDITOR CAN EXPECT AND LOOK FOR
Fact: The current scope of standards, guidelines and best practices for all aspects of IS/IT amounts to a small library, including:
• The Information Technology Infrastructure Library (ITIL)
• The Software Engineering Body of Knowledge (SWEBOK)
• The Data Management Body of Knowledge (DMBOK)
• COBIT® 5 family of products
• The ISO 27000 series of security standards (and many others) from the International Organization for Standardization (ISO)
• The US National Institute of Standards and Technology (NIST) SP 800 publications

Consequence: A small organization is unlikely to have adequate knowledge of all of them, or even of any of them. This and the smallness of the team prevent many critical tasks from being done, which is reflected in the quality of service. The auditor should identify the criticality of the various tasks for the audited entity and make realistic recommendations, recognizing that other activities will only be carried out when the available skills and time allow for this. The audit report should present the resulting risk.

Fact: A small team, however well motivated, responsible for activities to safeguard sensitive information (as would be the case in a diplomatic mission or international peace-keeping operations) will depend strongly on guidance and support from the organization’s headquarters.

Consequence: Headquarters should be accountable for the briefing and training of the remote IS/IT organizations, for disseminating policies and for monitoring compliance with them. The auditor should assess the extent and appropriateness of the support provided by headquarters and report accordingly.

AUDIT PRIORITIES FOR ADDING VALUE TO THE AUDITEE
Small organizations that are seldom audited or are faced with their first IS/IT audit will benefit from the auditors’ assurance that their presence intends to help them identify areas of risk that can be sensibly addressed and point them in the right direction with regard to good practices—along the lines of a combined audit/internal consultancy exercise.

The following three domains, reflecting experience gained through many audits of small organizations, may be a good point of departure.

Physical Security
To identify the good, the bad and the ugly, good practice should focus on a separate computer room that is not used as office space, with access control that records who entered it and when. In addition, the computer room must also have an uninterruptible power supply, flooding and smoke detectors, and fire extinguishers. The latter presupposes that the staff would know how to use them (not always the case).

Good practice also requires that all equipment be placed in racks (not on the floor) and that wiring cabinets be locked. There should be no spaghetti cabling—the usual excuse that “this is temporary” is rarely true. Similarly, the use of multiple extension leads spread on the floor should be discouraged (forbidden). Access to the computer room should exclude visitors, food and drink.

Logical Security
Time pressures—much to do and limited awareness of logical security—make this a weak link in small organizations. Good practices require that vendor default passwords (e.g., Sysadmin) are never used and that all current passwords are neither shared nor written down in a visible place (it is okay to have sealed envelopes in a fire-proof safe). Server and network component passwords must be based on good rules. Adequate SoD must be in place for changes to configuration, applications and access rights.

Key Processes
Given that COBIT 5 has 37 high-level processes in five domains, identifying which are the most essential for a small organization becomes a judgement call for both the auditor and the auditees. My shortest list may already be too long for many small organizations:[1]
• APO 10 Manage suppliers
• APO 12 Manage risk
• APO 13 Manage security
• BAI 06 Manage changes
• BAI 09 Manage assets

• BAI 10 Manage configuration
• DSS 02 Manage service requests and incidents
• DSS 05 Manage security services

CONCLUSION
There is no point in pushing a small IS/IT organization
to adopt and implement all the good practice guidelines
available. This is already a significant challenge to a large and
well-resourced organization.
The auditor’s priority should be to identify and rank the
small organization’s exposures to risk and recommend actions
that will help mitigate them. These should be few in number,
cost-effective and within the reach of the resources available
(staff numbers, skills and workload).

ENDNOTES
1. ISACA, COBIT® 5, USA, 2012, www.isaca.org/cobit
