The Secret to Productive IT Audits: Master the Process

The Secret to Productive IT Audits: Master the Process - Interview with Steve Tauber (CTO, madewithlove)

There are some problems tech leaders can’t solve alone.

When you need to raise capital, when you sense communication issues within the organization, or when the engineering team has slowed down, you might want help to find out why.

This is where IT audits come into play. An audit can provide an objective viewpoint to tackle technical, efficiency and even psychological issues.

So, how do you know if your company needs an IT audit, and what does the process look like?

Steve Tauber, CTO at madewithlove, has helped numerous companies overcome difficulties that leadership and management couldn’t pinpoint. He talks about possible scenarios when companies might require an audit, and he explains his IT audit framework.

This blog post is based on episode 65 of the Level-up Engineering podcast hosted by Karolina Toth.

This post covers:

• The basics of tech audits
  • The IT audit process in a nutshell
• Different approaches
  • Traditional IT audit checklist method
  • The five pillars of tech audits
  • IT audit framework at madewithlove
• Making the most out of the audit
  • Evaluating the results
  • Establishing psychological safety
• Performing a tech audit for Flexmail
• Things auditors observe in companies
  • Rituals
  • Feedback methods
• How to prepare for an IT audit
  • Awareness
  • Reflection
  • Rejection
  • Prepare for bad news
  • Team focus
• Main takeaways
  • Pick auditors you can work with
  • Trust your employees
• About Steve Tauber

What’s an IT audit, and when does your company need one?

When your startup struggles, or when you’re planning to raise capital, it’s a good idea to do an IT audit.

An IT audit is also beneficial if

• you suspect that things aren’t going in the right direction,
• development is slowing down, or
• you have questions concerning your strategy.

Performing an IT audit in a nutshell

The process is simple: auditors come in and talk to your team. They write a report based on these conversations, making sure that non-technical CEOs or investors understand the outcome as well. Then they present their findings and discuss the necessary decisions in order to move forward.

What is your IT audit process?

Traditional tech audits

Most tech audits follow a checklist system. They ask questions about the company’s infrastructure and software, they might get code access, and they compare reality to their checklist. Sometimes, they don’t even get access to the code; they simply go with the checklist.

The five pillars of IT audits

At madewithlove, there are five pillars to conducting an IT audit, so we don’t miss any information.

1. Team and leadership

The first pillar focuses on teams - auditors must know how they function on an interpersonal level. The company's leadership stories provide insight for auditors about the inner processes.

2. Processes

 This segment focuses on the processes that guide the work and the information flow rather than the code itself.

3. Written communication

It’s important to check what’s documented and how it’s used for knowledge sharing, both by technical and non-technical members of the company.

4. Product

The fourth pillar is the engineering product itself, including the architecture and the infrastructure. This is the point where we do a code audit.

5. Problem in solution

 The last pillar is about the product management processes. We analyze the information that the engineering team receives from the product department, and how the information is shaped before it arrives to the team.

IT audit framework at madewithlove

1.     The baseline interview

At madewithlove, the internal audit process starts with a baseline interview. This is a conversation with the most senior technical person of the company, usually the CTO, and it tends to take about an hour and a half to two hours. The baseline interview provides information about the product and the team’s struggles.

2.     Individual reports

Based on the CTO’s insight, auditors determine who they want to interview next. They pick 3-7 more people and have hour-long conversations with them individually. They inquire about their workdays and their methods of implementing ideas, and these details help them solve specific problems later on.

3.     Presenting the results

After the interviews, they write a report and present the findings to the person they did the baseline interview with. Then they present the results to the rest of the company, they hold a Q&A session, and if invited, they also attend board meetings to present the report to investors and advisors.

How can a company make the necessary changes based on an IT audit?

Evaluate the facts & observations

When delivering the five-pillar report, we break down each pillar into two sections. One is for the observations, the things that are occurring at the company. The second section is for the concerns we have based on the observations.

We present our concerns to highlight specific problems that they think could affect the growth, scalability and functioning of the team. From that, it's up to the team to decide which parts they can fix themselves and which parts they need help with.

Provide psychological safety

According to Google’s research Project Aristotle , the number one trait of high-performance teams is psychological safety . The number 1 priority is to establish this safety, so auditors talk to people during every step of the process to see how the individuals on the team are interacting.

If the company prioritizes psychological safety, it’s easier to build a well thought-out, well-shaped, high quality engineering product.

A tech audit at Flexmail

We did the internal audit process at Flexmail. Once they saw the problems we highlighted for them, they invited us to join their company and help them improve.

We had a “Gordon Ramsay’s Startup Nightmares” type of case with them. These are the audits where the company isn’t sure about the root of the problem: The CEO might have lost touch with the engineering department, or maybe the engineering has slowed down and they don’t know why.

In these situations, it's possible that we come in and identify the pain points - it’s often the shaping of the work before it reaches the engineering team.

This is the number one problem that new startups have. They have excellent engineers, but the requirements are unclear, and they lack context, so the engineers can’t execute.

They receive the work, but they're missing all the puzzle pieces. You have to be able to see the entire playing field before you can start working efficiently as an engineer. Engineers’ job  isn't just to write code; their job is to create abstractions, to mimic and model the real world.

So, when we worked with Flexmail, we brought in a product manager and software engineers, and we helped reshape the way their team functioned. Then we also helped build new functionality, working with their engineers in the process.

We were teaching people how to communicate in a more agile way, and to collaborate effectively. We made sure the code was well-tested, and that everything was documented so we didn’t lose important information.

It was more about team shaping and making sure that the work was flowing in a proper way. Of course, there were technical challenges as well, but those were manageable.

Since then, the company has grown immensely. We worked with them for a long time, but we’ve stepped away, and they’re thriving.

For us, this is success. They took the lessons to heart, they understood our philosophy, and they continue to build on it.

What do you look out for during an internal audit process?

Question rituals

If your team follows agile processes, you must know why you’re doing each ritual. For example, the goal of the stand-up is to bring people together so they can discuss what they’re working on, and they can share their plans to get everyone on the same page.

Stand-ups are especially important for junior teams, and auditors often encourage incorporating these meetings. When it comes to advanced teams, stand-ups can get obsolete. These people are already good at collaborating and communicating, so they don’t need those meetings anymore.

Teams need to question why they’re doing specific things, why they’re implementing new processes, and whether they need them.

Implement an effective feedback system

Learn from your mistakes

Reflecting on your work is important, and it’s something that great organizations often do. For example, Real Madrid watches back their games to see what mistakes they made, so that they can try to prevent them in the future.

Give individual feedback , and make sure to deliver it effectively. Highlighting the problems is essential, but you also need to discuss how to act on them. Make sure these conversations end with clear action items, so that people can change their behaviors based on the feedback they’ve received.

Make sure your message arrives

Your team can’t learn from mistakes if you don’t establish a strong, effective feedback culture. When you’re giving feedback, it’s your job to make sure that your message is received. You must communicate to people in a way that they’re going to be receptive.

If you’re just yelling at someone who is upset, neither of you are ready for feedback. This means you’ve wasted your time, energy and emotion on something that isn’t going to help anyone. Instead, deliver your message in a time and in a way that will lead to a better outcome.

How can a company prepare for an IT audit?

Practice awareness

People who are too close to their company may find it hard to prepare for an internal audit process. It’s challenging to pinpoint what’s going wrong. However, there are usually a few employees who can list existing problems.

Generally, auditors repeat the same information that the company already has. They have heard it before from colleagues; they just need a neutral third party to confirm that same information.

Reflect

If you think your company needs a tech audit, take a step back and ask yourself these questions.

• How is information flowing through your team?
• How are your teams structured?
• Do people have psychological safety?
• How is your product built?
• What are your product’s values?

These aspects are important because there are common patterns  for why tech companies or startups fail.

Accept no

When performing a tech audit, sometimes, auditors have to say no. Not every idea or goal is manageable, and that can be very hard for people to hear.

Prepare for bad news

Lots of hidden problems can come to the surface during the internal audit process. That amount of honesty can be difficult, but accepting auditors’ honest, direct feedback about the company is the only way to move forward. Therefore, prepare to receive bad news during an IT audit.

Focus on your team

Apple has a concept called directly responsible individuals. It's about pushing decision making as low as possible in the organization. If the directly responsible individual can't make the decision, that person is responsible to find the right people who can decide, and give room for them to do so.

Some businesses still operate with a top-down mentality, where the CEO knows best, regardless of the issue at hand. As a leader, you should be more humble. Listen to the people you hired, and let them solve problems, since you’re paying them for their expertise.

Bonus advice for IT audits

Choose wisely

Partner with someone you can trust. Auditors must provide an unbiased opinion, but of course, everyone is biased to a certain extent. Acknowledge your biases at least.

Let your employees do a good job

Flexibility

Listen to the people on your team, and make sure they have enough space to do a good job. Give them enough flexibility to do the best work they can.

If your employees are stuck working nine to five in the office, half of their brain might worry about their child playing at home alone, because they didn’t get daycare service that day. That won’t benefit anyone in the long run. Give people enough freedom so they can focus and do their best.

Focus on value

Get rid of the structures that don't add value, and think about what's important to the success of the company and what information your people need to have in order to be successful.

Trust your employees

And then, trust those people. You hired them; you should not be hiring people you don't trust. Trust them on the first day, build that psychological safety up, and give them the space to do the best work they can do.

About Steve Tauber

Steve, CTO at madewithlove, has audited and mentored over 30 companies. He gives valuable technical advice, and he helps leaders to ensure their team’s psychological safety. His approach has helped companies to grow and thrive.

He has been CTO in residence at madewithlove for almost two years. Currently, he’s working on a book called Free Range Management - How to Manage Knowledge Workers by Creating Space.