Operational Assessment of IT presents ideas and concepts of optimization designed to improve an organization’s business processes and assist business units in meeting organizational goals more effectively. Rather than focus on specific technologies, computing environments, enterprise risks, resource programs, or infrastructure, the book focuses on organizational processes. Throughout the book, the author presents concerns and environments encountered throughout his career to demonstrate issues and explain how you, too, can successfully implement the tools presented in the book.
The assessment process reviews the economics as well as the effectiveness and efficiency of the process. Whether your organization is profit-based, not-for-profit, or even governmental, you cannot provide services or products at a continuous loss. For an operational assessment to be of value, the ultimate goal must be to insure that the business unit process is effective and efficient and employs the financial assets and resources appropriately or helps the business unit make adjustments to improve the operation and use resources more efficiently and economically.
After reading this book, you will be able to devise more efficient and economical ways to meet your customers’ requirements, no matter who or where your customers are. You will learn that the goal of any process is to service or supply customers with what they want. The book provides tools and techniques that will assist you in gaining a 360-degree view of the process so that you can help the business unit improve the delivery of a quality product or a service to the customer.
Table of Contents
Measuring the Success of an Organization
Voice of the Customer
Measuring the Success of the Processes
Operational Assessment Drivers/Impetus
Operational Factors: The Three Es
Operational Assessment Planning
RACI Matrix (or RASCI)
Key Performance Indicator
Process Review (As Is)
Activity: Procurement Audit Planning
IT Support of the Business Unit
Business Continuity Planning
Operational Assessment Fieldwork
Failure Mode and Effect Analysis
Root Cause Analysis (RCA)
The Five Whys
Pareto Principle (80–20 rule)
Standardization or Anarchy
IT and the Business Process
The Fraud Red Flag
Business Continuity Management
PUTTING IT ALL TOGETHER
Share the Picture
Focus on the Issue/Concern
A Picture Can Say Volumes
Presenting the Report
IT and COBIT
COBIT Management Environment
Washington State Audit Report
Typical Swim Lane Diagram
Steve Katzman is a retired master sergeant who spent four years in accounting and finance and the rest of his 21-plus-year Air Force career in information technology (IT) and data communication. He has over 35 years of computer and technology experience and 14 years in auditing (internal and external). Mr. Katzman earned a BS degree in management information systems with a focus on business from Central Connecticut State University. He maintained several professional certifications, including CIA, CISA, CRMA, CRISC, and CISSP. During his military career, he held a top-secret security clearance.
When I first received this book for review, I was a bit nervous. I am not an auditor, and have never been one. It is true that I have participated in hundreds of audits across different industries and disciplines, as both a customer and much more frequently, as an advisor, but I never had to put my name to the bottom of an attestation (except, I suppose, for a few PCI self-assessment questionnaires).
In short, I was concerned that I would not be able to properly grasp it, and thus fail to do it justice.
By the time I was done, I found myself with the same concern, but this time, coming from a completely different angle.
Because Steve’s book is truly a delight. I have worked with hundreds of auditors, and only a couple of them have ever shown the scope and breadth of experience, the desire to go beyond following rote process, and the sheer interest in staying true to the purpose of an audit – any audit – that Mr. Katzman exhibits in his book.
Steve’s personal stories shine through, and really help in framing the conversation. The little quips he embeds throughout his writing made me chuckle repeatedly, certainly not what I expected from a book about what is ultimately a rather dry subject matter. The planning chapter alone is worth the price of entry, as first and foremost it does such a great job at reminding all of us why audits exist in the first place.
For me, this work provided a great insight into the mind of an auditor, in a way that I never quite grasped before. That is undoubtedly going to help me in future audits. Considering the way Steve seamlessly transitions between the client and auditor viewpoints, if you are an auditor (the stated target audience for this book), then I cannot imagine how it would fail to help in a mirrored fashion.
I find it fitting to end this review by borrowing Steve’s own ending words from the book:
"Stay well, stay happy, and stay productive".
-- Barak Engel, CISO and author, Why CISOs Fail – The Missing Link in Security Management and How to Fix It