Performing an IT Cost Management Review
 (Part 1 of 3)

By: Mitchell H. Levine, CISA
Audit Serve, Inc.

With the IS Audit budgets being slashed during the economic downturn of the last three years, many audit organizations have found it necessary to include IT Cost Management as part of their exist Software Development, Data Center, Infrastructure and Application Reviews. The need to reduce costs is so great that there is now justification to perform standalone IT Cost Management Reviews.

Performing an IT Cost Management Review is very difficult since one is assessing the productivity of the IT department which can lead to a conclusion that resources should be reduced. 


The first area of cost management should include the review of the application software development organization. In order to determine the level of productivity of an application software development group, an effective project management process needs to be in place which tracks each project. This includes large projects and small one-day projects. The data captured as part of project management needs to include a formal process to approve the project from the user area. Having this formal process brings the required level of attention to the types of requests being made by individuals in order to ensure the project is necessary. Having a statement of impact if the request is not fulfilled is a necessary piece of data to assist in the approval process to ensure that all projects are justified. Other critical data which is needed to be captured to allow for the proper approval of the project includes internal manpower requirements, external resources requirements, and material costs. 

To ensure that the proper level of application development resources are deployed within an organization there needs to be a process in place to track each developer's time.  The time tracking system needs associate each developer's time to a specific project. Therefore, if there is not an  effective process to define each project along with a budget, there will be not be a basis for measuring the application developer's productivity. If there is a timekeeping system in place along with a process to define and manage projects, a compliance test should be performed to determine whether developer's time was accounted for based on the organization's work colander. If there is a shortfall of accounting for an individual's and overall development group's time then this will in most cases lead to a conclusion that there is an excess of development resources. 

As part of analyzing the productivity of the development group it is important to gain an understanding of the type of development being performed. Questions should be asked to determine whether the core systems are inhouse developed, third vendor products, or a combination of vendor products which are further customized. If the vendor code is customized, is it performed by the internal development staff or is the vendor contracted to perform these updates? If a vendor product is being used, then the role of the support staff may only consist of installing & testing new releases and coordinating problems with the vendor. Overall, the development resources needed to support a third party vendor product is much less then the support of an inhouse developed system. Overall, It is necessary to understand the type of development being performed in an organization in order to reach a conclusion as to whether the size of the development staff is appropriate. 

In many organizations, small projects (e.g., less then 5 days) are lumped into one expense category which is referred to as Run & Maintain. There are dangers in using this approach since the Run & Maintain budget could be abused in a manner in which large sized projects are included which bypass the project creation controls. A compliant test should be performed of the size of the Run & Maintain as it relates to the overall development budget, taking in consideration that type of development which occurs within an organization. Grouping expenses in Run & Maintain also impacts the ability to assess the productive use of development resources since the developers time would not be allocated to a specific project.

As part of the review of cost controls of the software development department, a critical control would be the ongoing analysis of the development budget by the user department. However, this would only occur if the users are given incentive to perform this task. This would only occur if the development department's expenses were allocated back to the users. 

The remaining parts of this article which will appear in the December and January issues of Audit Vision which will include a discussion on the management of budgets, cost management, and the management of Infrastructure expenditures. 

Copyright  2006, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.

 For a free proposal to perform an audit of your organization or provide SOX support & testing services, contact Mitchell Levine of Audit Serve at (203) 972-3567 or via e-mail at

AuditNet - The Global Resource for Auditors

Audit Vision

Since 1991
Join 3,500 other subscribers



Free Audit Serve Seminars Posted Online

25 minute extract from the seminar entitled "Alternate Control Design Approaches for z/OS" presented by Mitch Levine in London (at the Churchill War Rooms) March, 2018 which would be of interest to IT Audit, Security and GRC personnel

General Data Protection Regulation Seminar

Copyright © 2015. All Rights Reserved.