Managing the information technology function within an accounting firm often
causes frustration within the owner group as they seldom understand the intricacies
of IT and often view the function as an expense, rather than a strategic investment
in their firm’s profitability. These same owners are comfortable reviewing
the firm’s financial information and are often presented with “Flash
Reports” that give them a condensed view of operations, allowing them
to quickly understand the firm’s status on key performance indicators.
So why not apply this concept to IT? Network integrators such as the Xcentric
Group in Atlanta, have provided their clients with a proactive monthly IT summary
that lets them know the status of their IT infrastructure, as well as comments
on existing and potential issues. According to Trey James, President of Xcentric:
“We encourage our customers to leverage automated system tools whenever
possible to take the load off of IT staff and provide a summary of network operations.”
These reports can be developed by your in-house personnel or your outsourced
IT department (if an external company is used). It is recommended that they
be provided to the internal IT champion at least monthly, who will verify that
the network infrastructure is sound and report to the firm’s Executive
Committee. It is also recommended that the analysis be explained to the entire
owner group at least once per year, so they can be assured that the IT function
is being effectively managed. Following is a summary of items that firms might
consider for their IT flash report:
- Server Hard Drive Capacity/Utilized
Today’s hard drives can hold astounding amounts of information, but
can shut down a firm’s operations if they have inadequate space for
processing current applications. This is particularly true during busy season
when the volume of new *.PDF files increases, as well as the amounts of entries
in the time and billing system. The flash report should list the capacity
for each server, the amount of disk space utilized, and the amount of hard
disk space remaining, which should never be below 20 percent. Event logs should
also be reviewed to identify any application or hardware component failures,
as well as to view procedures to clean up or defragment drives.
- Data Backup
The most critical component of a firm’s disaster response is the verification
that all data is backed up, verified and stored securely offsite. Firms should
monitor that backups are completed at least daily, the amount of data backed
up (compared to what is on the servers) and the remaining capacity on the
tapes. The report should also include the start and finish time for the backup
process to make sure that it does not impede on the core workday hours, when
it is most expensive to kick staff off the system to complete the backup.
Tape backup systems are extremely expensive, and it is imperative that owners
be aware of requirements for a new one at least a year in advance.
- Server Patch Management
Firms must monitor security and operating system patches to ensure that the
firm is being adequately protected, while at the same time being aware of
conflicts with existing accounting applications. As network operating systems
release new patches, the IT department should coordinate updates with their
core application vendors (tax, practice, audit engagement and document management)
to minimize conflicts and determine the optimal schedule for implementation.
- Firewall Testing
The firm’s firewall is the primary defense against hacking attempts
from the Internet, and the IT department must verify that no unauthorized
ports are being utilized. Port tests such as Shield’s Up from GRC.com,
will validate which ports are accessible and should be tested at least monthly.
Outside resources that can test the firm’s systems against the top security
threats from the CSI/FBI study can also be found at SANS.org
- Internet Monitoring
Internet appliances can also monitor the web sites visited listing the percentage
and frequency of these visits to ensure that Internet access is focused on
production websites. Applications such as Websense and iPhantom can monitor
activity and also make management aware of applications that consume bandwidth
resources such as continuous audio or video feeds and the number of times
that individuals attempt to violate firm filtering or access policies.
- Bandwidth Optimization
Firms rely on the Internet for communications, research and system upgrades
and must monitor bandwidth resources. The report should list the amount of
bandwidth contracted for, as well as actual throughput for both upstream and
downstream communications including statistics for a redundant Internet connection.
- E-mail Filtering
Anti-viruses, spam and other malware can have a severe impact on firms if
not properly managed. Virus footprints are often updated daily so even if
the process is automatic, it must be verified and owners should be notified
of the number of e-mail viruses that were removed as well as viruses found
on workstations. Spam and spyware continue to be major time wasters; the report
should list the volume of these items removed.
- UPS Systems
Uninterruptible power supplies are an important component of a firm’s
disaster planning, and automated tools should be set to verify that the batteries
are still holding the anticipated charge and that they will send appropriate
notification to the IT department in the event of an outage.
- Workstation Management
Owners should be aware of the versions of Windows and Microsoft Office loaded
on computers to ensure they are in compliance with licensing and so they can
plan for future upgrades. The firm’s inventory should list all applications,
licenses and the number of users to ensure that licensing policies are not
- Password and Usage Policy
Most firms will change passwords at least twice per year and provide an update
on computer usage policies for both internal and remote user policies. These
reminders should be scheduled in advance and the status presented in the report
along with a validation that passwords have been changed appropriately and
all terminated passwords are inaccessible.
- IT Project Management
The report can also list the number of IT issues addressed as well as those
items that are still outstanding. Timeframes, impacts and cost for any projected
IT projects should be listed at least one year out so that management is not
surprised by unplanned expenditures. A comprehensive budget should be prepared
that lists the current expenditures as well as projections for the next two
years. While many IT personnel have a variety of applications available for
IT management or utilize the Microsoft Office in smaller firms, there are
a number of IT help desk and network automation tools that can help with monitoring
such as Numera Track-It!, Microsoft Operations Manager (MOM), and Belarc.
Providing firm management with a flash report that summarizes the health of
the firm’s IT infrastructure can go a long way in comforting owners that
mission critical IT processes are being effectively monitored. Build your firm’s
IT flash report and start educating your firm today.
Roman H. Kepczyk, CPA.CITP is president of InfoTech Partners North America, Inc. and works exclusively with CPA firms to implement today’s leading best practices and technologies.