Accountability

There must be a line of authority within the company environment. 

Chief Executive

V

 General Managers

V

Senior manager per area or discipline or multi-discipline

V

Manager

V

Supervisor

V

etc.

Depending on the size of the company, many of these positions can be combined. However, the chain of accountability runs upward instead of downward, and the CEO is ultimately responsible for what is going on in the company.

This is highlighted in King II, where the CEO should obtain comfort concerning the various areas of the company, especially IT. It is my opinion that this can only be obtained by having a separate independent department auditing into the various areas of the company. Thus the audit function within the IT environment should NOT report into the IT General Manager, as this would compromise their independence, but either directly to the CEO or via someone such as the Company Secretary. (In smaller firms, to a senior manager who is not connected in any way with the IT function.)

In larger companies a separate audit committee should be set up that meets (at least on a quarterly basis) to review the audits performed and to react accordingly. Minutes of these meetings must be sent to the CEO so as to provide him or her with the comfort that he or she requires concerning the health of the company.

Asset Management

Assets are defined as resources and information that an organisation needs to conduct its business. In fact I would define INFORMATION as the major asset that any business of any size needs to conduct its business. Yet many businesses treat the information that is held electronically very casually. But if they thought of what they would do if all their data was lost tomorrow, they would admit that their businesses would go "belly up".

IT assets are managed under the discipline of configuration management. IT assets seem to be some of the hardest to manage. The reason for this is that they are often smaller items of great value, for example programs on CD-ROMs, laptop computers, even parts from inside a workstation or server. It is not unknown for boards in a high-value workstation to be substituted with lower-cost boards. Thus there need to be management procedures to protect the company’s assets.

HARDWARE

Computers have a habit of walking. In one area of a company I worked for, 20 computers were stolen from one area over a weekend from a single department. The way to discourage this is to lock the computers to the furniture using cables. Having spoken of locking the computers, it may be advantageous to also lock the tower/boxes so that no one can access them, as indicated above.

The first step is to identify the company’s assets. As pointed out earlier, these are not necessarily hardware but also software and data. The easiest way to start is to obtain a list of purchased assets and disposed-of assets. From this one needs to create a list of current assets. This can be quite scary, as in doing the asset count it will soon be evident that many assets are still around that have supposedly been disposed of and many assets are not around that should be. It is at this point that the auditor must begin to calculate the loss of assets (those that have been "disposed of" and written off the assets list should be appropriately disposed of or, if they are still being used, written back into the assets list). Depending on the size of the firm this may become a long and arduous task; however, it is appropriate that Audit withdraw from the project at this stage, as they are not line management/staff. The audit response should be to inform management of the status of asset management and reschedule the audit for a later date, when IT has had the opportunity to put their house in order.

Audit may find that there is a list of current assets. This gives the auditors something to audit against. However, it is important to establish how each of the assets is identified. Should the company have chosen to identify each of their assets using the factory serial number, this can make auditing the list a time-consuming business, as each item must be examined to find the serial number, which then needs to be linked up to the asset list. However, IT may not have been keeping these lists up to date, and there are consequent inaccuracies. These inaccuracies need to be reflected in the audit report and a recommendation made that there be a regular accounting of the assets.

A better way of controlling the assets is to use a barcode system.  Here each asset is given a barcode and each barcode has a description of the asset on the asset list. The asset count can then be carried out using a barcode reader to establish that all the assets are accounted for.

Assets are often allocated to certain departments. This should also be reflected on the asset record. Often people who are transferred from one area to another tend to take their computers with them, especially if they are laptops. Thus the asset register may reflect assets in the wrong area. The IT staff need to make the necessary adjustment in order to address this, as well as putting in procedures to ensure that the assets remain accounted for correctly.
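
The asset count described above (purchases less disposals, checked against a barcode scan and the department on the asset record) can be expressed as a short reconciliation. This is an added example, not part of the original page; the barcodes, column names and departments are constructed sample data.

```python
import csv
import io

# Constructed sample data; barcodes, columns and departments are illustrative.
PURCHASED = """barcode,description,department
A1001,Laptop,Finance
A1002,Workstation,Finance
A1003,Server,IT
A1004,Laptop,Sales
A1005,Laptop,Sales
"""
DISPOSED = """barcode
A1002
A1005
"""
SCANNED = """barcode,department
A1001,Finance
A1002,Finance
A1004,Finance
A1999,Sales
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(purchased_csv, disposed_csv, scanned_csv):
    """Compare the expected asset list (purchases minus disposals) with a scan."""
    purchased = {r["barcode"]: r for r in _rows(purchased_csv)}
    disposed = {r["barcode"] for r in _rows(disposed_csv)}
    scanned = {r["barcode"]: r["department"] for r in _rows(scanned_csv)}
    expected = set(purchased) - disposed
    return {
        # On the register but not found in the count: possible loss or theft.
        "missing": sorted(expected - set(scanned)),
        # Written off as disposed but still physically present.
        "disposed_but_present": sorted(disposed & set(scanned)),
        # Found in the count with no purchase record at all.
        "unregistered": sorted(set(scanned) - set(purchased)),
        # Found, but in a different department from the register.
        "wrong_department": sorted(
            b for b in expected & set(scanned)
            if scanned[b] != purchased[b]["department"]
        ),
    }

if __name__ == "__main__":
    for finding, barcodes in reconcile(PURCHASED, DISPOSED, SCANNED).items():
        print(f"{finding}: {', '.join(barcodes) or 'none'}")
```

Each of the four findings maps to an item for the audit report: losses to be calculated, write-offs to be reversed or completed, assets to be added to the register, and department allocations to be corrected.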

SOFTWARE

This is such a serious issue that software vendors have set up an organisation to address software piracy.  Software is often loaded in a manner contravening the license agreement onto more than one machine or is taken home and loaded on a home machine. This was a problem in larger firms as they were unable to keep adequate track of their software licenses. Some software vendors have now addressed this by adjusting the licensing agreement to enable users to add extra machines to their license agreements. 

A clear policy must be put in place, banning the use of unauthorised software on the Company’s premises.

It is the responsibility of the company that is using the software to manage its software packages and licenses. Therefore in order to do this, some sort of system needs to be set up and the software needs to be kept under lock and key. In smaller firms locking the software packages in a cupboard, keeping a list of the software and where it is loaded may be sufficient control. In a large firm a software library system needs to be set up to control the software and the licenses. When the licenses are altered by the addition of workstations, this needs to be recorded. When packages need to be reloaded this needs to be validated and recorded. Consequently a catalogued system needs to be put in place for ALL software from mainframe down to palmtop. It is this catalogue that the auditor needs to audit.

STAFF

Very often the most important assets of all are neglected. These are the members of the staff. Every effort should be made to keep them happy so that the relationship with them can be long and productive. If you have to find and train new staff on a regular basis, then there is a definite drop in efficiency as well as the cost of finding them. Therefore it is important that management are always aware of what the marketplace value of each of these assets is. This can be done by obtaining the results of the annual salaries analysis and keeping within those limits.


Copyright © 2006 InfoTechAudit cc
Last modified: 17th March, 2010

 