sample assessment report - it asset management · pdf file©2014 international association...

S A M P L E A S S E S S M E N T R E P O R T

D I S C L A I M E R IAITAM, Inc. has exercised due and customary care to prepare this IAITAM 360 Assessment Report but has not, save as specifically stated, independently verified the information provided by Acme Widget from which the data in this IAITAM 360 Assessment Report is based. This IAITAM 360 Assessment Report and its contents is provided "as is" and without warranty of any kind, expressed or implied, including (but not limited to) any implied warranties of merchantability or fitness for any particular purpose. In no event shall IAITAM, Inc. be liable to any person for any special, indirect or consequential damages relating to this IAITAM 360 Assessment Report and its contents unless caused by gross negligence or intentional misconduct.

©2014 International Association of Information page 4 of 39 Technology Asset Managers, Inc. - IAITAM Technology Asset Managers, Inc. - IAITAM

T A B L E O F C O N T E N T S About IAITAM ................................................................................................................ 5

Introduction .................................................................................................................. 7

Executive Summary ....................................................................................................... 9

ITAM 360 Assessment Methodology ........................................................................... 12

Assessment Summary .................................................................................................. 14

Acquisition Management KPA ...................................................................................... 16

Asset Identification Management KPA ........................................................................ 18

Communication and Education Management KPA ...................................................... 20

Compliance Management KPA ..................................................................................... 22

Disposal Management KPA .......................................................................................... 24

Documentation Management KPA ............................................................................... 26

Financial Management KPA ......................................................................................... 28

Legislation Management KPA ...................................................................................... 30

Policy Management KPA .............................................................................................. 32

Program Management KPA .......................................................................................... 34

Project Management KPA ............................................................................................ 37

Vendor Management KPA ............................................................................................ 39


About IAITAM International Association of Information Technology Asset Managers, Inc. (“IAITAM”) is the professional association for individuals and organizations involved in any aspect of IT Asset Management (“ITAM”), Software Asset Management (“SAM”), Hardware Asset Management, and the lifecycle processes for IT Asset Management in organizations of every size and industry across the globe.

IAITAM officially incorporated in 2002, after years of research and discussion. Starting in 1998, a group of software and hardware asset managers began meeting to discuss the need for a centralized organization devoted to expanding and codifying information and knowledge within the IT Hardware & Software Asset Management fields. The research led to some specific needs for the newly created profession of IT Asset Manager, including:

• Advanced training programs needed to be developed to build formal expertise and to gain the professional recognition necessary to function effectively within the IT Asset field

• There was a definite need on the part of IT Asset Management and Software Asset Management professionals to obtain easy access to vendor neutral answers for specific questions as well as neutral product reviews

• Professionals needed to have a secure area to frankly discuss mission critical issues within the IT Asset field with other IT Asset Managers;

• There is a defined need to educate executive management regarding the benefits of acquiring and retaining trained expertise in the field of IT Asset Management

• The IT industry as a whole had not recognized the value of accurately monitoring IT assets and consequently suffered from over-‐investment and under-‐utilized IT assets

IAITAM milestones over the subsequent seven years include the release of the Hardware Asset Management (CHAMP) course in mid 2004 to accompany the existing Software (CSAM) and IT Asset Management (CITAM) courses. The release of the first ITAK magazine in December of 2004 was also a groundbreaking event for the IT Asset Management industry. No other publication caters directly to the educational needs of this profession.

In 2005, IAITAM surpassed the 1000 member mark and in 2006 released the first edition of the IAITAM Best Practice BluePrint, the forerunner to the IAITAM Best Practice Library. In 2007, IAITAM introduced its Fellowship program for the membership to elect key individuals to represent their needs for the organization and the Employee Awareness Program.

In the spring of 2008, with the release of both the complete IAITAM Best Practice Library and the accompanying 10 Virtual Advanced Training courses that follow the IBPL volumes, IAITAM introduced the IT Asset Management Professional Code of Ethics, which all IT Asset Management professionals should adhere to.

Throughout IAITAM’s history over the past 7 years we have striven to support the IT Asset Management industry through expert training and advice as well as lead the profession down a


path of best practice to enhance the business drivers of ROI, Efficiency, Risk Avoidance and Professional Development for themselves and their organizations.


Introduction Information Technology is the lifeblood for most organizations in today’s dynamic, global marketplaces. Information Technology provides the foundation for:

• Internal and external communication to all stakeholders

• Corporate memory for analysis and decision making

• Business process automation

• Competitive differentiation through innovation

Organizations make a large investment in acquiring and using Information Technology capabilities. They typically invest in:

• Computers

• Software and subscriptions to Software as a Service

• Monitors

• Printers

• Networking equipment

The complexity, dispersion, acquisition methods, risk of improper management and complex finances make it easy for organizations to not achieve the maximum return on investment (ROI) from their Information Technology. Developing an organizational core competency in Information Technology Asset Management (ITAM) is critical for maximizing the ROI from investments in Information Technology.

Fundamentally, ITAM is a bridge from the financial world to the operational world. It makes sure that the money spent on Information Technology not only brings value to the organization but also makes sense against the operation supported by Information Technology.

The International Association of IT Asset Managers (IAITAM) is providing this assessment of your organization's ITAM capabilities in the Program's twelve key process. IAITAM is the world’s largest professional organization for ITAM professionals with over 8,000 members and representation in over 110 countries. It is also the largest certifying body offering the following certifications:

• Certified Hardware Asset Manager (CHAMP)

• Certified Software Asset Manager (CSAM)

• Certified IT Asset Manager (CITAM)


• Certified Mobile Asset Manager (CMAM)

• Certified IT Asset Disposition (CITAD)


Executive Summary The IT Asset Management (ITAM) Program maximizes the value of the organization's IT assets by aligning the IT assets with the organization’s business objectives and regulatory requirements. IT assets can include:

Hardware

Servers Desktops Laptops

Printers Smart phones Copiers

Software

Applications Internally developed applications

Outsourcing

Software as a service Cloud solutions Warranty and service

ITAM is not about the operations of a specific department; rather it's about the operations of a Program. This Program encompasses all departments and individuals that impact the decisions to adopt a technology or use the technology. This would include such departments as Finance (Procurement, Accounts Payable), Legal, Human Resources, IT, IT Security, Facilities Management, Vendor Management, the Executive Team and all users of IT assets.

Organizations have invested a significant amount of money in the IT infrastructure and IT has become a core competency. However, with the transition from centralized IT (mainframes) to decentralized (desktops, laptops, smart devices), the complexity of managing IT assets has increased exponentially. Furthermore, the decrease in cost of IT assets has made IT seem easily affordable to business units, departments and even individuals within organizations. Add to this the risk of data loss and security violations; it becomes quickly apparent that IT assets need to be managed centrally. However, managing IT assets from a centralized physical location will not work in today's global economy. Therefore, the management must come from a program and that program must be owned and managed. The ITAM Program is designed to be the program that manages these assets' financials, inventory and contractual agreements. The ITAM Program enables the flexibility needed by today's business units to control or influence IT decisions while ensuring the organization’s overall objectives of customer and shareholder satisfaction are met. This flexibility is achieved through the centralization of ITAM processes and the ITAM mission.

Since its inception in 2002, IAITAM has aggregated information on how to successfully manage IT assets from organizations worldwide, public and private, all industries and organizations from

©2014 International Association of Information page 10 of 39 Technology Asset Managers, Inc. - IAITAM

the largest to the smallest. This unique position has afforded IAITAM the opportunity to define an ITAM Program architecture based on organizations’ successes and void of organizations' failures. Quite frankly, IAITAM knows what works and what does not work. This report is the result of IAITAM's ITAM 360 Assessment conducted by employees of Acme Widget and analysis conducted by IAITAM. The report includes recommendations for improving Acme Widget's ITAM Program and a roadmap for implementing the initiatives. The value of this report to Acme Widget includes a baseline of the organization's ITAM Program's performance and a roadmap for which Acme Widget can develop short term and long term plans for improvement. Furthermore, Acme Widget can, at a later date, re-‐assess the ITAM Program and compare progress of their Program initiatives. The implementation of the recommended changes to the Program is entirely up to Acme Widget. IAITAM does not conduct long-‐term service engagements.

The assessment covers twelve key process areas (KPA) that make up the ITAM Program architecture. The following diagram depicts the overall score for Acme Widget's ITAM Program.

The complexity of the ITAM Program warrants a rating in each Key Process Area. An overall single score will convey little useful information. Definitions of the levels 1 through 5 can be found in the ITAM 360 Assessment Methodology on page 12 of this report.

The organization has strengths in the areas of Policy Management, Communication and Education Management, Documentation Management and Vendor Management that can be leveraged by the ITAM Program.

The ITAM Program has weaknesses in the areas of Project Management, Asset Identification Management, Compliance Management and Financial Management.


The remainder of this report drills down further into each of the key process area’s strengths and weaknesses.

All ITAM Programs depend greatly on the performance of several functional areas or departments that the ITAM team may not have the authority over within the organization. However, the ITAM Program can act as that authority with the proper support from the Executive team, including an executive sponsor who owns the ITAM Program, and the ITAM group who is empowered to manage the ITAM Program.


ITAM 360 Assessment Methodology The ITAM 360 Performance model was created from the data collected by IAITAM since its inception in 2002. This has put IAITAM in a very unique position to aggregate best practices based on real-‐world experiences of ITAM practitioners. The result was ITAM 360, which includes the IAITAM Best Practice Library and the assessment of the ITAM Program's performance. The questions are aligned to each of the 12 Key Process Areas (KPA) that make up IAITAM's ITAM Program architecture.

The result of the assessment is not a single vector (i.e. 1 through 5) but twelve vectors -‐ one for each KPA. The reasoning behind this approach is the ITAM Program is too complex to assign a single scalar value and would yield little understanding of where the strengths and weaknesses lie within the ITAM Program. So for example, IAITAM could assign an overall score of 3 to the Acme Widget ITAM Program, but how does that rating apply to the key process areas of the ITAM Program?

Additionally, this is an assessment of the current performance of the ITAM Program and the ability to perform based on the organization’s infrastructure. For example, an ITAM Program that has applied bar codes to all hardware assets but does not use bar code readers has greater potential then an ITAM Program that does not bar code any of its assets.

Answers were weighted by Acme Widget based on the importance of the area represented in the questions. The weighting of high, medium, low, unknown and not applicable was applied to the result of the calculation of score for each question. The score is based on IAITAM's proprietary algorithm that utilizes the ITAM industry's performance data.

Level 1 through 5 are defined, however, the interpretation of the levels depends on the answers provided in the assessment. IAITAM's analysis of the answers led to the conclusion that some strengths represent the strength of the organization's process but the ITAM Program's requirements where not being met. Therefore, these level definitions are open for interpretation depending on how the rating was applied, either to the organization's process or the ITAM Program's use of the organization's process. Also, there exists dependencies between KPAs so while one KPA may appear strong, the results of the KPA's processes may be lacking.

L EVEL 1 : AD HOC No processes are defined; functions and policies exist only in silos; Internal communication is at minimum; Reactive instead of proactive actions; Compliance risk exists; Productivity is minimized; and Value is minimized.


L EVEL 2 : REPEATABLE Major processes are being repeated throughout the organization; Processes are beginning to show financial successes; Processes are beginning to be defined and repeatable, yet still function independently; Policies are defined and executed; Procedures are established; Interdependencies are at a minimum; Alignment with business needs are at a minimum; Roles are emerging; and Executive buy in is achieved

L EVEL 3 : AL IGNMENT Major processes are well defined and interaction with other processes and KPAs is clearly understood; Efficiencies exist within the program but are not yet maximized; Interdependencies exist but are not yet maximized; ITAM Program is beginning to function as a core competency; Communication effectiveness is maximized throughout the organization; Compliance risks are markedly reduced; and Roles are defined and executed.

L EVEL 4 : STRATEGIC Process performance is optimized as is the interaction between processes and KPAs; Proactive decision making is becoming a standard action; Roles are functioning toward a common goal; Projects are planned according to needs; Business goals are being achieved; Program is aligned with business needs and goals; and Organizational buy in is achieved.

L EVEL 5 : ADAPT IVE VALUAT ION Process outcomes are predictable; Process outcomes are adjustable as necessary; Program is functioning as a core competency within the organization; and Compliance risks are understood or eliminated.


Assessment Summary The diagram below shows the ratings for each of the ITAM Program's KPAs. It utilizes a classic radar diagram with each axis representing a KPA.

The Policy Management KPA and Communication & Education Management KPA show the highest level of performance and this can be misleading since for example it is difficult to get policies enforced within the organization. However, what is reflected here is a solid infrastructure for policy management, communication and education. The ITAM Program can further leverage these strengths to advance the adoption of the ITAM Program's initiatives.

Similarly, the Program Management KPA, Vendor Management KPA and Document Management KPA show good strength but not all outcomes of these KPAs work in favor of the ITAM Program.

At the bottom of the performance scale is the Project Management KPA and Asset Identification Management KPA. While there exists a Project Management Office (PMO) within the organization, the ITAM Program has not been able to capitalize on this service. The greatest concern, however, is in the performance of the Asset Identification KPA where the inventory of IT assets and associations to the IT asset's documents is proven to be weak. This impacts the next lowest rated KPAs -‐ Financial Management and Compliance Management.

Financial Management and Compliance Management depend strongly on the ability to track the location, use and ownership of the IT assets.

Finally, the middle performers are the Acquisition Management KPA, Disposal Management KPA and Legislation Management KPA. The one that is of most concern in this group is the Acquisition Management KPA. Acquisition is the gatekeeper for how all IT assets are acquired and this process area has a major impact on all process downstream.


The remainder of this report will address each KPA in more detail and will conclude with a proposed roadmap for strengthening the ITAM Program.


Acquisition Management KPA

Score: 3

DEF IN I T ION The IT Acquisition Process Area is the gatekeeper for the application of all IT Asset Management strategies determined by your organization, including policies, standards and life-‐cycle processes. An effective IT acquisition process empowers the rest of your IT asset program by applying process, determining pathways for exceptions and generating the initial records for the IT assets before acquisition is complete. The goal of IT acquisition is to acquire the IT assets that are required by the organization, in the most cost-‐effective and productive manner for the organization.

SCOPE The scope of Acquisition Management KPA starts with the identification of a need for the asset through approval or rejection of the request. If approved, a Purchase Order may be approved and an order placed or if the item is in inventory, an order is placed internally. Other functions that appear in the KPA include:

Request process Approval process

Evaluation Projected ROI and TCO calculations

Risk analysis Impact analysis

Vendor negotiations

STRENGTHS • There exists an Acquisition KPA owner and the process is periodically reviewed

• Software licenses available to the SAM and Vendor Manager


• Projected ROI for non-‐standard hardware assets is calculated

• Volume purchasing agreements are leveraged.

• Contracts, including licenses are summarized

• Contracts are digitally archived and retrievable

• The contract negotiating team has the ability to negotiate terms and conditions

• Contracts are reviewed for their financial terms and the fixed asset database is updated to reflect new acquisitions

WEAKNESSES • The ITAM Program's requirements are not well represented in the contract negotiation's

process

• Historical IT vendor performance is not considered in the negotiating process

• Contracts are not summarized based on ITAM roles

• Order fulfillment does not take into account existing inventory

• TCO and ROI is not estimated for new or non-‐standard assets

• Requests and acquisition of non-‐standard IT assets does not follow a single process

• Vendor evaluation units are not formally acquired

• Hardware asset acquisitions rarely are part of the standards

• Too much focus on price versus value when acquiring IT assets

• Asset sales tax needs to be reviewed

• Risk analysis of IT contracts is not performed

CONCLUS IONS This score can be deceiving. The negotiation processes are there to support formal negotiations (which is very positive) however; the ITAM Program's requirements are not represented. Focusing on just this subarea of the Acquisition KPA, the score could be a one (1).


Asset Identification Management KPA

Score: 1

DEF IN I T ION The Asset Identification Management Process Area encompasses the activities that uniquely identify and validate the physical presence of IT assets. Asset Identification is a key enabler of many related activities in the Software Life-‐cycle, Hardware Life-‐cycle and IT Acquisition and Documentation Management Process Areas.

SCOPE The scope of the Asset Identification Management KPA starts with receiving through ready for deployment and includes support for IT asset lifecycle management. Other functions that appear in the KPA include:

Receiving process Acceptance process

RMA process Inventory management

STRENGTHS • There exists an Assed Identification KPA owner and the process is periodically reviewed

• The physical audit process is defined, conducted annually and reconciled against e-‐discovery and the repository

• Received assets are recorded

• RMA process is followed

• Help Desk, IMAC, IT has access to the information they need to fulfill their duties


• Assets are linked to the user and department

• Asset tags are removed prior to disposal

• Hardware assets are discoverable and data secured

WEAKNESSES • No centralized receiving and acceptance process

• Hardware asset tagging is not uniformly applied

• All returns are not accurately tracked

• Fixed asset database is not always updated when changes occur

• Not all assets that should be managed are being managed

• Not all IMAC operations are being recorded

• Contracts need to be associated with their respective assets

• All software should be discovered

• The ITAM repository needs to be updated to reflect receiving and acceptance

• Re-‐usable IT assets need to be placed back into inventory

• Assets need to be secured and losses / thefts need to be detected and the ITAM repository updated

• Licensed software is installed on hardware in inventory

• The Asset ID KPA needs to be documented and communicated

CONCLUS IONS The Asset Identification KPA is one of the weakest KPAs in the entire ITAM Program. This KPA is the gatekeeper for how all assets arrive in the organization and then are tracked or managed. It is within this KPA that the IT asset inventory is managed which enables reuse. This becomes even more critical given the size of Acme Widget and the number of different geographic locations.


Communication and Education Management KPA

Score: 5

DEF IN I T ION Communication is the process that by means of a commonly understood language, information and ideas can be effectively imparted between entities. Education encompasses the process of teaching and learning specific skills, tasks, processes, etc. Education is also the imparting, and acceptance of knowledge.

SCOPE The proper way to view the Communication and Education Management KPA is as a service. The KPA is responsible for all communication and education initiatives within the ITAM Program. By viewing this as service, the other ITAM KPAs can focus on their areas of responsibility knowing that the communication and education requirements can be handed off to this KPA. Note Human Resources or a formal education department may perform the functions of this KPA.

STRENGTHS • There exists a Communication and Education KPA owner and the process is periodically

reviewed

• Processes changes are communicated throughout the organization

• Existing communication and education internal services are leveraged

• Communication and education needs are assessed when processes are changed

• Employee records reflect education received

• Education initiatives are assessed to determine their effectiveness

• Communication and education initiatives are funded

• A feedback mechanism exists within the communication and education process


• The benefits and consequences of the ITAM Program are part of communication and education initiatives

• Strong communication between ITAM and the Executive team, legal, IT operations and Help Desk

WEAKNESSES • Communication and education of the ITAM Program's policies, procedures and

processes need to occur when the information is needed

CONCLUS IONS There exists a strong communication and education infrastructure within the organization. This infrastructure is being utilized to convey the purpose of the ITAM Program. The existing infrastructure should be leveraged further to capitalize on just in time communication and education. It should also be leveraged to increase employee awareness and buy-‐in in hopes of reducing the need for policy enforcement. Also consider quarterly news digest that discusses hot topics in the ITAM Program and recognizes departments and individuals who provide exceptional support and cooperation to the operations of the ITAM Program.


Compliance Management KPA

Score: 2

DEF IN I T ION The Compliance Management area is the focal point for risk avoidance and audit response. As part of this process area, the organization prepares a response to compliance events, performs periodic internal asset discoveries, and ultimately settles non-‐compliance matters.

SCOPE The scope of the Compliance Management KPA is to conduct all compliance activities involving the ITAM Program. This not only includes answering external audits but also includes audits of ITAM processes and service organizations such as disposal vendors and cloud service providers.

STRENGTHS • There exists a Compliance Management KPA owner and the process is periodically

reviewed

• Defensible compliance terms and conditions are included in contracts, but not always for software

• Policies are reviewed for support of compliance

• Audit response team is trained

• Information from the discovery process is available to the audit response team

• Hardware asset are locked down to prevent installation of rogue software assets


WEAKNESSES • Not all software is known to be compliant according to the terms and conditions of the

licensing agreement nor is there a direct relationship between the software asset and the licensing agreement

• Open source and "free" software is not managed for compliance

• Software is not secured against unauthorized use

• Music, movie and font intellectual property is not managed

• Smart devices are not managed for compliance

• Physical inventory results are not represented in the ITAM repository in a reasonable amount of time following the physical audit

• Software contracts do not contain language to support the organization's audit requirements

• There needs to be a feedback mechanism for employees to report non-‐compliance events

• Software is not audited on a regular basis

• Compliance processes need to be documented

CONCLUS IONS The Compliance Management KPA is a major challenge in many organizations. Improving performance in the Acquisition Management KPA and Asset Identification KPA can actually strengthen this KPA. This is one KPA that is strongly dependent on the data generated in other KPAs. This KPA will need to drive improvements in the other KPAs (other departments) by clearly defining the mission of this KPA and getting executive management to approve the mission. This KPA's mission should align with the ITAM Program's overall mission statement.


Disposal Management KPA

Score: 3

DEF IN I T ION The Disposal Process Area defines process and procedures for properly removing assets from your environment. A mature disposal process will allow your enterprise to avoid costly storage of unused assets, mitigate risk associated with disposal, reallocation of software, security of information maintained before the disposal process, while increasing return on investment.

SCOPE The scope of the Disposal Management KPA starts when it is determined that asset has reached its end of life. This includes both software and hardware assets. Other functions that appear in the KPA include:

Disposal requirements Disposal security

Software harvesting Data backup

Recording of the asset's disposition

STRENGTHS • There exists a Disposal Management KPA owner and the process is periodically reviewed

• Due diligence is performed on Disposal vendors

• Disposal regulations are well understood

• Lost or stolen assets during the disposal process are identified

• Final disposition of assets is recorded


WEAKNESSES • No formal disposal process for software assets

• Software harvesting is not performed during the disposal process

• Inability to track assets after they are transferred to the disposal vendor

• No reconciliation between assets shipped to the disposal vendor versus assets received by the disposal vendor

• Assets are not secured prior to the disposal process

• Disposal policies are not well understood

• Disposal budget is inaccurate

CONCLUS IONS While the disposal process is strong for hardware assets, it is imperative that software assets be disposed of properly and software licenses are harvested from hardware assets that are being disposed. Many larg organizations have a zero cost disposal directive and the size of Acme Widget should make this possible. It is also imperative that the disposal processes ensure the security of the organization's data so working in tandem with IT Security may be mutually beneficial.


Documentation Management KPA

Score: 4

DEF IN I T ION The Documentation Management Process Area encompasses management capability for all IT asset related documents throughout most of their life cycle, from request, through acquisition and onward.

SCOPE The proper way to view the Documentation Management KPA is as a service. The KPA is responsible for managing all documents associated with IT assets including version control, access control and enforcing document standards.

STRENGTHS • There exists a Document Management KPA owner and the process is periodically

reviewed

• Financial, contractual and human resource documents are accessible

• Procurement has access to appropriate documentation

• Hardware assets are linked to their respective documents

• A document standard exists

• Documents are stored electronically, backed-‐up, archived, secured, comply with retention requirements, accessible by role, assigned a unique identifier and properly disposed

• Most documents are accessible by Help Desk, IMAC and the technicians

• Most ITAM documents are formally reviewed


• Warranties are tied to their respective IT assets

WEAKNESSES • Documents are not summarized based on needs of a particular role

• Documents do not adhere to the organization's document standards

• Software contracts (licensing agreements) are not categorized by the license type

• Proof of purchase, service contracts and software contracts are not linked to the appropriate software asset

• Historical vendor data and research is not available to the ITAM team

• Events such as renewals do not trigger automated notifications

• Version control is not applied where applicable

• ITAM project management documentation is not maintained

• Help desk records are not linked to the corresponding software asset

• Documentation processes are not documented

CONCLUS IONS The infrastructure for Document Management exists (which is why the KPA's score is so high); however, ITAM needs to leverage the system further to make the documents more usable by the individuals who need the IT asset's information. This means designing documents with the roles in mind. For example, design documents for Help Desk personnel whereby Help Desk will only see the information pertinent to their role and responsibilities.


Financial Management KPA

Score: 2

DEF IN I T ION The Financial Management KPA is the process of managing IT Asset Financial information and data within an organization. IT Asset Financial Management maintains cost controls, financial data, and budgeting information for the IT Asset Management Program, as well as reconciliation processes and financial audit information. The Financial IT Asset Management group should be involved with any financial transactions for the IT Asset Management Program.

SCOPE The scope of this Financial Management KPA is all financial processes surrounding IT assets. This includes ROI and TCO calculations, invoice reconciliation and analyzing the financial conditions found in contracts. This KPA is also critical for managing and creating service costing models and chargebacks.

STRENGTHS • There exists a Financial Management KPA owner and the process is periodically

reviewed

• Invoice reconciliation of financial values is performed

• Lease payments are verified

• ITAM budget is accurate

• IT asset types are aligned with chart of accounts

• Returned and disposed IT assets are accurately reflected in the financial system

• Financial model is reviewed by ITAM

• Maintenance payments are reviewed

• Financial processes are documented


WEAKNESSES • IT financials are not available or easily accessible by the appropriate personnel

• TCO of assets is not estimated, monitored and finalized

• ROI of assets is not estimated, monitored and finalized

• Low percentage of the IT budget is spent on strategic investments, however, this may be the nature of the business

CONCLUS IONS The overall financial processes are in place to support the ITAM Program. ROI and TCO will need further support in order to understand the true benefits and costs associated with IT assets. IAITAM strongly recommends that the ITAM Program support a service costing model whereby departments are accurately charged for their use of IT assets. The recommendation is made regardless of whether or not this model is actually implemented. IAITAM recognizes the decision to implement a service costing model is a business decision made by the executive team. However, the ability to clearly understand the costs associated with IT assets is a core competency and responsibility of the ITAM Program.


Legislation Management KPA

Score: 3

DEF IN I T ION The purpose of the Legislation Management Process Area is to help you learn to stay current on legislation that will impact an organization in terms of non-‐compliance threats and risks, thus allowing an organization to proactively adapt, prepare, and respond to all compliance requirements.

SCOPE The scope of the Legislation Management KPA involves the monitoring of all government regulations that impact the organization and can be supported by the ITAM Program. Regulations that need monitored and managed include disposal, copyright, Sarbanes-‐Oxley, HIPAA, international trade and privacy.

STRENGTHS • Legislation processes are reviewed and updated

WEAKNESSES • There is no owner of the Legislation processes

• Legislation processes are not documented

• Legislation affecting the ITAM Program is not reviewed

• Legislation requirements behind the organization's policies is not communicated

• Legislation requirements are not backed by policy. This may not be an issue if the legislation requirements are communicated to the organization's employees


CONCLUS IONS Legislation is an area that needs to be monitored and the complexity of laws that face international organizations requires further attention and monitoring by the ITAM group with great assistance from the organization's legal department.

A key take-‐away for the ITAM group is content for educating the organization's employees on legislation requirements and each individual's responsibility to the organization.


Policy Management KPA

Score: 5

DEF IN I T ION Having appropriate and correct policies defined is a critical success factor for any IT Asset Management program. Policies need to be clearly defined, understandable and enforced. As a best practice, IAITAM has identified more than thirty policy areas that relate directly to IT asset management and must be defined for any organization. Once defined, the policies must be accessible and presented in a way that employees can readily understand exactly what is required of them, and why it is beneficial for the organization.

SCOPE The proper way to view the Policy Management KPA is as a service. The KPA is responsible for the creation and management of all policies associated with IT assets. Note Human Resources and Legal may perform the functions of this KPA.

STRENGTHS • There exists a Policy Management KPA owner and the process is periodically reviewed

• All IT assets are governed under ITAM policies

• New or modified policies are under change control management and are communicated

• Policies are developed by a cross-‐functional team

• Policies are clearly defined, accessible and are easy to understand

• Policies are reviewed every six months

• A feedback mechanism exists for policies

WEAKNESSES • Well defined metrics are not used to measure the effectiveness of policies


• Policies are not enforced

• Employee records do not indicate which policies were presented to the employee

• New asset types do not trigger a policy review

• New hires are not trained on ITAM policies

• Policy processes are not documented

• There appears to be a disconnect between executive support of policies and the lack of enforcement of the policies

CONCLUS IONS A solid foundation for policy creation and management is in place -‐ thus the high score for this KPA. The ITAM specific policies however need to be measured for their effectiveness. Existing policies must be enforced. The change of the organization's culture can start with new hire orientation. Sadly, policy enforcement is one of the key challenges in many organizations. At some point the ITAM Program may need to concede this fact and depend more on procedures and communication and education so that individuals may police themselves.


Program Management KPA

Score: 4

DEF IN I T ION The Program Management process area encompasses providing centralized procedures, cost saving strategies, accountability for compliance, tools and tracking for all ITAM related efforts. This also includes the complete lifecycle of assets, which follows a “birth-‐to-‐death” analogy of lifecycle management. Installs, Moves, Adds, Changes (IMAC) is also part of the process, and represents the underpinnings of a successful software compliance program, leasing program, and the capability of strategic business planning that is supported by an accurate inventory

SCOPE The scope of the Program Management KPA is the entire ITAM Program. This KPA is responsible for managing all other KPAs which in practice will involve activities in other departments.

STRENGTHS • There exists a Program Management KPA owner and the process is periodically

reviewed

• Strong executive support of the ITAM Program

• Hardware asset moves are tracked

• Hard and soft dollar savings by the ITAM Program are reported

• ITAM participates in mergers and acquisitions

• IT budget planning uses ITAM data

• Software and hardware incidents are accessible

• Hardware asset location status is known (i.e. deployed, in-‐stock, received)

• ITAM initiatives have a budget

• Other functional areas cooperate with the ITAM team more often than not


• ITAM roles are assigned and understood by the employee

• Software and hardware assets meet the needs of the end user

• The majority of software and hardware assets are deployed and in use

• An educated staff and tools for the most part are sufficient for the ITAM Program at this time

• The ITAM Program is aligned with the organization's goals and objectives

• The ITAM Program goals and successes are frequently communicated

• The ITAM Program has visibility within the organization and is supported by the organization

WEAKNESSES • Software asset location status is unknown (i.e. deployed, in-‐stock, received)

• Not all software titles are being managed to the degree required

• Too few ITAM process are automated

• Too few ITAM initiatives are considered strategic

• End user satisfaction with the ITAM Program's services is not measured

• Maintenance contracts associated with disposed assets are not terminated

• Warranty and maintenance information is not available to the Help Desk

ROOM FOR IMPROVEMENT The following actions occur the majority of the time but not enough to qualify as a strength and therefore can be improved upon:

• IT asset moves need to be performed by authorized staff and the move accurately recorded

• Increase the IT asset's ROI through re-‐use

• Complete documentation of the ITAM processes


CONCLUS IONS While all KPAs are equal in importance, in many ways this KPA is the face of the ITAM Program. The ITAM Program's challenge is to coordinate all of the activities between all KPAs, which means coordinating departments and individuals who do not directly report to IT Asset Management. Another way of describing this is "all of the responsibility but none of the authority". However, this does not make the IT Asset Management discipline unique to organizations. Project management in matrix organizations faces this challenge, as does Product management. These disciplines have been successful under these conditions because they are older professions and organizations have come to embrace their methodologies. This means the ITAM Program must continue to educate the entire organization on the ITAM Program.


Project Management KPA

Score: 1

DEF IN I T ION A project can be described as an organized and managed set of activities that when properly executed, results in the achievement of a unique and well defined product. Such a work product is often referred to as a deliverable. Resources are mobilized and deployed to perform the activities in a controlled fashion. A project is classified as having a definitive start, and a calculated end. Therefore, a project differs from recurring operational activities that may be performed many times repeatedly in a typical corporate environment. In essence, a project can be characterized by the following:

• A Project produces unique results or deliverables which are accomplished through an organized and managed sequence of activities performed by qualified personnel according to a finite schedule, with a defined start and end date

• The Project Management process area defines those characteristics of a project team that are essential to successfully conducting the initiatives that are needed to meet the goals of the ITAM Program

SCOPE The proper way to view the Project Management KPA is as a service. The KPA is responsible for managing all ITAM projects using a project management methodology. Note, the Project Management Office (PMO) may perform the functions of this KPA.

STRENGTHS • There exists a Project Management KPA owner and the process is periodically reviewed

• The strategic purpose of the project is defined, presented and accepted by the organization

• ITAM projects are supported by the executives and are monitored


WEAKNESSES • The ITAM team has limited project management knowledge

• ITAM projects do not utilize the organization's project management program

• Projects are not reviewed for ITAM requirements

• ITAM projects are poorly defined and staffed

• Project management processes are not defined

CONCLUS IONS Project management is essential to the success of ITAM related projects. IAITAM recommends the ITAM team utilize the organization's Project Management Office (PMO) whenever possible, however, it is also recommended that a project manager be part of the ITAM team only if the primary ITAM roles are fulfilled. Project management is a time consuming job when done correctly and if the ITAM group is spending the majority of time managing projects then they are not managing the ITAM Program. It is also important to point out that many ITAM projects involve changes to human behavior. This will threaten the successful completion of the ITAM projects and therefore must be monitored very closely. Finally, accurate project planning can demonstrate to executive management the resources required to successfully manage the ITAM Program.


Vendor Management KPA

Score: 4

DEF IN I T ION The Vendor Management process area will focus on the steps required to develop a successful vendor management program. The objective of a Vendor Management program should be to implement a “Fair and Consistent” enterprise wide strategy to develop and manage vendor relationships that enable our corporate strategy.

SCOPE The scope of the Vendor Management KPA is to manage all IT vendors designated as important enough to warrant assigning a resource. This resource manages the relationship between the vendor and the organization for the purpose of obtaining the most value from the vendor's IT assets or services.

STRENGTHS • There exists a Vendor Management KPA owner and the process is periodically reviewed

• Vendor communications monitored and recorded and contact information maintained

• Disputes are managed through the organization's process

WEAKNESSES • Too few vendors are formally managed and follow a score card process

• Vendors are not educated on vendor policies including the organization's communication policy

• Building a "win-‐win" relationship is not a goal of the organization

• The vendor management policy is not documented

• Vendor management does not provide input into IT strategic planning


CONCLUS IONS Vendor Management is the opportunity to maximize the value of an organization's IT assets. The ITAM Program needs to establish a scorecard system whereby the feedback from the organization's employees can be collected for the purpose of evaluating the vendor's performance. Vendor communication policies need to be communicated to both employees of the organization as well as the vendors. This will ensure the organization's control of the negotiations process and how much influence a vendor will have on the organization's strategic IT initiatives.