Performing an IT Cost Management Review
 (Part 3 of 3)

By: Mitchell H. Levine, CISA
Audit Serve, Inc.


Budget management is the starting point for an IT cost management audit. A budget process which cannot accurately predict IT expenses represents an area with minimal cost management controls. An organization with effective cost management controls would show minimal differences between budgeted and actual expenses. An area which is significantly under budget cannot be considered a sign of proper cost controls, since the budget did not accurately predict the expenses. When an area is significantly under budget, it might be because funds were used for purposes not directly tied to budgeted items. This is why it is important to review the budget to ensure that expenditure categories are defined at a sufficient level of detail that the numbers cannot be easily "fudged". Using generic categories is a common practice to hide funds.

Within an IT development area there are few fixed expenses. Fixed expenses may include license fees, which may also be included in the data center/infrastructure department's budget. The primary budget items within the IT development area are maintenance expenses (referred to as run & maintain) and new development/system enhancements. The budget process should include a complete breakout of all new development and system enhancements. Since the budget process occurs several months prior to the fiscal year, it may be difficult to identify all new development projects. To handle these occurrences there needs to be an off-budget process for the review and approval of development requests which occur throughout the year. It is important that these unforeseen development projects do not get included in the run & maintain budget, since it is difficult to account for these types of expenses. As part of an audit of IT cost management, the run & maintain budget and actual expenses need to be reviewed to ensure that development projects, which should be separate budgeted items, are not included in the run & maintain budget.

Overall, standards need to be established which identify the level of approval required for development projects. This includes development projects identified during the budget and off-budget timeframes. Project funding requests which group development projects for a specific line of business are an indication of generic budgeting, which is a major control issue within the budgeting process.

Within the US, development projects which extend the functionality of the system are candidates to be classified as Capital Expenses, whose costs are amortized over a period of time. Maintenance projects are considered Operating Expenses, which are expensed in the year in which the work occurred. Standards should be in place which identify the types of development which should be classified as Capital Expenses versus Operating Expenses. A compliance test should be performed as part of an audit to ensure that these standards are being properly followed.


An important component of IT cost management is the management of actual versus budget expenses. Each of the expenses which are paid should be matched to the same category used in the budget process. If the expense categories do not match the budget categories then this is a major cost control issue. 

On an ongoing basis, the budget versus actual expense reconcilement needs to occur. Large variances should be escalated to management along with a root cause for each variance which exceeds a tolerance level. At a minimum, this reconcilement should occur on a quarterly basis depending on the size of the organization.

Large variances between budget and actual expenses could be attributed to expenses being applied to the incorrect categories, which should be reviewed as part of the audit. If large variances between planned (i.e., budget) and actual expenses exist, then senior management should be aware of them throughout the year and should be able to provide explanations for the variances.


Software and hardware licensing is an area which can yield significant cost savings if the proper controls are in place. The cost savings would occur for utilization-based licenses. The most common method used for utilization licenses is based on the number of IDs defined on the system or the number of clients which are installed. When these approaches are used to derive the license fees, there should be a process in place to ensure that these licenses are actually being used. This review process should include tools which identify the utilization of IDs. If the utilization of IDs is not being monitored, then this should be raised as a control issue.

If the license fees are a fixed cost regardless of utilization, then the control should be an annual cost/benefit analysis to determine the importance of the software or hardware as it relates to the overall costs.


The cost management of data feeds is similar to the approaches discussed for license fees. Data feeds such as Reuters charge a base fee per user plus a utilization fee based on the services which are used. A process should be in place to monitor the usage by each user who subscribes to the service to ensure that non-utilized subscribers are removed.


Copyright © 2006, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.

