Pergamon PII. S0268~4012(97)00038-8
International Journal of Information Management, Vol. 18. No. 1, pp. 29-47, 1998 © 1998 Elsevier Science Ltd. All rights reserved Printed in Great Britain 0268-4012/98 S19.00 + 0.00
The Information Audit: An Integrated Strategic Approach
S BUCHANAN AND F GIBB
Fundamental to the development of an effective information strategy is the recognition of information as • key organisational resource. The role of the Information audit is to provide a method for identifying, evaluating, and managing information resources in order to fully exploit the strategic potential of information, in consideration of this strategic role the Information audit should provide strategic direction and guidelines for the management of an organisation's information resources. However, a review of existing methods concludes that none provide a comprehensive information auditing solution or completely fulfil this strategic role. Therefore a universal methodology is proposed. © 1998 Elsevier Science Ltd. Ail rights reserved
Steven Buchanan is an IT Management Consultant at SMS Consulting Group PTY Ltd, Level 18, West Tower, South-gate, 60 City Road, Southbanlc, VIC 3006, Australia. Email:sbuchanan@sms.-com.au
Forbes Gibb is with the Department of Information Science, Strathclyde Business School, University of Strathclyde, 26 Richmond Street, Glasgow, Gl IXH, UK
'The Hawley Committee, Information as an asset: the board agenda. KPMG, London, 1996.
2Joint Information Systems Committee, Guidelines for developing an information strategy. JISC, Bristol, 1995. 'information   management survey. Deloitte and Touche, London, 1996.
Introduction
The strategic exploitation and effective management of information and enabling technologies is increasingly recognised as critical to organisational success. The Hawley Committee 1 have highlighted the need to classify and value the information assets of an organisation while, within higher education, much attention is currently focused on information management following publication of the Joint Information Systems Committee (JISC) guidelines 2 for developing an information strategy. However, many fundamental problems persist. For example, Deloitte and Touche's latest biennial information management survey 3 reveals that information overload, organisational misunderstanding of the role of information management, inadequate locator tools, poor co-ordination of information with decision-making needs, and costs associated with paper handling, non-compliance and information loss are still significant features of the information terrain.
In response to these problems this paper discusses the strategic role of the information audit in helping to achieve the twin goals of effective information management and maximum exploitation of an organisation's information resources. We look at the requirements for an information strategy and describe a framework for the alignment of information strategy with business strategy; Next, the paper addresses the role of the information audit and reviews some popular approaches; We then propose a new integrative approach to the information audit; and finally summarise the conclusions of this study.
29
The information audit: S Buchanan and F Gibb
4Remenyi, D., Information Management Case Studies. Pitman, London, 1993.
5Marchand, D. and Horton, F.W., Info-Trends: Profiting from your Information Resources. John Wiley, New York, 1986.
"Earl, M.J. ed.. Information Management: The Organizational Dimension. OUP, Oxford, 1996.
The strategic requirement
Remenyi provides considerable evidence 4 that many organisations have underestimated the strategic importance of information and associated technologies and that this has resulted in poor planning and unfulfilled potential of IT. Remenyi argues that in several cases organisations have failed to realise the strategic benefits of IT because they have mistakenly regarded IT as merely a replacement for manual and administrative functions rather than as a strategic resource. This echoes the view of Marc-hand and Horton:
The firms that just survive in the information economy will be the ones that just use information resources and computer technologies only as cost-displacement and labor-saving tools. The firms that compete effectively and flourish in the information age will be the ones which use information technologies in strategic ways to manufacture new and better products, find new markets, and distribute products and services in creative ways. These will be the intelligent organizations of the future.5
Remenyi also highlights several management problems associated with IT initiatives:
• The culture gap between IT managers and business managers resulting in mistrust, poor working partnerships, and a lack of strategic alignment.
• A lack of procedures or a policy statement for the acquisition of IT and the creation of operational guidelines.
• A failure to measure the benefits delivered or derived from information systems.
• A failure to deliver cost effective systems and to identify, cost and allocate appropriate resources to deliver and maintain systems.
• A lack of integration between information systems resulting in substantial amounts of data duplication, unnecessary data entry and data processing.
• Failure to integrate IT investments with strategic business initiatives.
Further problems which may affect the successful implementation of IT/ IS include:
• A lack of transparency in decision-making.
• A lack of a clear project sponsor and owner.
• Inheritance of projects by sponsors with new agendas and priorities.
• A lack of user involvement in all aspects of the system life-cycle.
• A lack of core competencies.
• Power-mongers, who have no project specific responsibilities, attempting to influence project goals.
• Multiple reporting lines where the initiative serves multiple stakeholder groups.
• Ineffective change management.
Earl 6 argues that senior managers need to take responsibility for positioning the use of IT as an enabling force in shaping business plans and initiatives. This implies the need for senior management and other users to become more aware of the opportunities and associated competitive threats presented by IT. The requirement is for a clearly defined information management function that reflects the need to shift from an emphasis on technology management to one of matching information resources to business objectives. Thus, it is no longer sufficient to be technically competent to manage IT and information systems. A multi-disciplinary
The information audit: S Buchanan and F Gibb approach is required that combines both business and information management skills in order to effectively bridge the gap between IT and the organisation's strategic business objectives.
Remenyi proposes that what is required is a new paradigm for information management that applies basic business principles through a process of commercialisation:
To ensure commercialisation, and therefore value for money, in the mid-1990s, firms will have to manage their information resources in innovative ways which will tend to reshape the business, use information and data more fully and ultimately deliver real and measurable benefits. This means "inter alia" that better costing systems and better benefit measuring and managing systems are required, (emphasis added) 7
The change to viewing information as a resource recognises that IT does not, of its own, confer competitive advantage or other business benefits. This reflects growing awareness that emphasis must shift from the container to content and context; from means to meaning and management (see for instance, Massey,8 Best,9 Vickers,10 Marchand and Horton," Orna I2). Information must be recognised as a resource that needs to be managed and accounted for like any other resource. This management philosophy was first popularised by Burk and Horton as information resource management.13
Information resources are those resources which facilitate the acquisition, creation, storage, processing, or provision of information that generates the knowledge or other value required to achieve the goals and objectives of the organisation. Developing an effective information strategy requires determining what and where these information resources are. This is the primary role of the information audit and is addressed later in this paper. Firstly, however, it is important to define the scope of information strategy and its relationship to business strategy.
7 op. cit, Ref 4.
BMassey, J., Vital assets. Information
Age. June, 1995, 25-33.
'Best, D. ed., The Fourth Resource:
Information  and its Management.
Aslib, London, 1996.
"Vickers, P., Information management
Selling  a  concept.  In Information
Management from Strategies to Action.
ed. B. Cronin. Aslib, London, 1985.
"op. cit, Ref 5.
12Orna, E., Practical information Policies: How to Manage Information Flows in Organisations. Gower, Alder-shot, 1990.
"Burk, C.F. and Horton, F.W., Info-Map: A Complete Guide to Discovering Corporate Information Resources. Prentice-Hall, Englewood Cliffs, 1988.
A framework for information strategy
The alignment of information strategy with business strategy is a critical ingredient for the success of the parent organisation. The relationship between business and information strategies is shown in Figure 1. It should be emphasised that the distinctions made between the various components represent an ideal and that the size or attitude of an organisation to information technologies may blur boundaries, conflate roles, or simply ignore some of these building blocks.
Business strategy will typically involve four key components: mission, objectives, policy and constraints, and planning (see Figure 2). The mission provides a top-level, often highly generalised, statement of what the organisation wishes to be. It should be capable of being a touchstone which is immune to all but the most dramatic changes in the organisation's environment. The mission statement is often criticised as being overly simplistic, intentionally non-controversial, and worded in terms of motherhood and apple-pie. This is in part because it is intended to be placed in the public domain and must strike the right chord with the market. It will attempt to convey the values of the organisation and should be capable of persisting, even through times of rapidly changing market conditions.
The mission statement is developed through a series of objectives, only some of which may be placed in the public domain. The objectives will not necessarily have the same degree of permanence as the mission statement and will be reviewed regularly to ensure that they reflect the current
31
The information audit: S Buchanan and F Gibb
Consumed resources:
Materials, Money, Time
Depreciated resources:
Machines/Plant, Buildings
Non-consumed resources:
Information, Expertise, Labour
	Environment		
	Mission		
	Objectives	*	\
Policy and constraints			
Planning			•.Products'.
Processes
Information
Information Msnagement 5 Strategy f
IS Strategy
S it	■ Records "
j Stretegy	Strategy j
Services
Figure 1  Business and information strategies
market conditions and perceptions regarding the best way(s) to satisfy the enterprise's mission. The objectives will also have to be interpreted within the context of the enterprise's policy on, for instance, investment, procurement and recruitment, and constraints such as the availability of capital, the regulatory regime and technologies. Policy is likely to be articulated for both public and private consumption, whilst the constraints will be divided into those which are purely for private use and those which are not. Having established the objectives, and identified the relevant policy issues and constraints, the enterprise will then develop specific plans for the realisation of the agreed objectives.
The enterprise will then have to identify, design, implement and manage the key processes which will be used to achieve its strategy. Processes can be grouped under four main headings:14
• Core processes (servicing external customers);
• Support processes (servicing internal customers);
• Business network processes (crossing company boundaries);
• Management processes (establishing the strategic framework for the other processes).
These processes will take inputs, transform them, and create value-added outputs which will ultimately represent the products and services offered by the enterprise. The processes must therefore be underpinned by a series of strategies which are concerned with the effective management of the resources required by each process.
The adoption of a process, rather than a functional, view of the organisation has major implications for the information manager. Many organisations now accept that while it is important to recognise functions (such as personnel, sales, finance, etc.) they can create barriers to effec-Earl, M.J. and Khan, B., How new is   {j    information flow and encourage managers to adopt protectionist business process redesign? European ■        .        - *   ■     .  • •„
Management Journal, 1994,12<1>, 21.    stances. A process transcends this functional view as it
32
The information audit: S Buchanan and F G/'bb
Mission
• Strategie Intent
• Value
• Vision
Objectives
• Purpose and contribution
• Quality and criteria
• Position and destination
Policies A constraints
• Resources snd limits
• Glvens and context
• Policies and guidelines
Plans & Goals
• Projects and priorities
• Targets and goals
• Journeys
Figure 2 Mission, opportunities, policies and plans (adapted from Earl15)
• Has customers (external or internal);
• Crosses organisational boundaries (again external or internal);
• Has inputs and outputs from many parts of the organisation;
• Is highly information and technology dependent.
Focusing on processes therefore forces the organisation to look at how information flows and how functions must co-operate in order to achieve customer satisfaction. The analysis of these flows falls within the information audit, which is discussed in the next section.
The role of the information audit
15Earl, M.J., Management Strategies for Information Technology. Prentice-Hall, London, 1989.
"Costello, J., The united way to better management. Computer Weekly, 14 March, 1991, pp. 22-23.
Information managers will need to call on a number of tools in order to define and implement an information strategy. One popular approach is the mapping of dynamic information processes and information flows. This approach links technical and social systems as it involves an analysis of the communications (processes and information) that take place between agents (people) in a social context (the organisation) using a variety of media and channels (technology). Information strategy is therefore concerned with managing the relationships between these components (see Figure 3).
Taken further, organisations can be viewed as a series of conversations.16 Managerial work consists of many short interactions (traditionally oral) in which managers create, meet, and initiate further commitments. The core of an organisation is a network of recurrent conversations based on initiating, monitoring and co-ordinating, and the lifeblood of an organisation is these information flows. One criterion for deciding on investment in information systems therefore should be the extent to which the system^plays a role in supporting these communi-
33
The information audit: S Buchanan and F Gibb
cative acts. The upsurge in interest in group-oriented systems can be understood within the context of this appreciation of the importance of effective information flow.
The information audit is a process for discovering, monitoring and evaluating an organisation's information flows and resources in order to implement, maintain, or improve the organisation's management of information. The information audit should not be considered as an option, but as a necessary step towards determining the value, function, and utility of information resources in order to fully exploit their strategic potential.
The exact boundaries of an information audit may be difficult to draw as it may subsume more specific audit processes or be subsumed itself by others; for example, the communications audit. A typology of audits is shown in Figure 4. The business audit is designed to assess the health of the organisation in terms of its current strategy, its target and potential markets, and the products and services it has available to meet those market demands. The communication audit is designed to evaluate the management style of the organisation and the methods for communicating to and with its workforce. It is concerned with the sociological and organisational aspects of information flow. The information audit then looks at the managerial aspects of information flow by evaluating the key processes, their interaction and the information resources needed to service them. The systems audit then evaluates the functionality, usability and effectiveness of specific applications, while the technology audit is principally concerned with asset management.
Traditionally, information audits have tended to be designed specifically for the individual organisation in which they are to be implemented and, consequently, their role has varied depending upon the particular circumstances and objectives of the organisation. Because of this, the role of the information audit has neither been clearly defined or universally agreed upon. For example, in its simplest form the purpose of the information audit is to:
• Identify an organisation's information resources.
• Identify an organisation's information requirements.
However, when used to its full potential the purpose of the information audit can also include:
• Identifying costs and benefits of information resources.
Figure 3  The co-ordinating role of information strategy
34
The information audit: S Buchanan and F Gibt
Technology Audit
Systems Audit
Information Audit
Communication Audit
Business Audit
Strategy, Markets, Products & Services
J Organisational Communication Information Resources £ Flows
Systems Functionality
Technology Base
Figure 4 A Typology of audits
• Identifying opportunities to use information resources for strategic competitive advantage.
• Integrating IT investments with strategic business initiatives.
• Identifying information flows and processes.
• Developing an integrated information policy.
• Creating awareness of the importance of IRM and defining the management role.
• Monitoring and evaluating conformance with information-related standards, legislation, and policy guidelines.
Ideally, an information audit should include all of the above to provide a truly comprehensive and integrated strategic approach. This approach would as its ultimate goal, produce an integrated information strategy encompassing and providing overall direction for each of the functions defined by Earl 17 and illustrated in Figure 5. Note that each strategy component is complemented by its own audit approach (IM strategy: information audit; IS strategy: IS Audit; IT strategy: IT audit).
An alternative view of the same model is given in Figure 6 which highlights some of the responsibilities which fall under each strategy.
To achieve this level of integration the information audit method should be similar in approach to Earl's multiple methodology for information system strategy formulation (see Figure 7).
Leg one of Earl's model matches IS investments with business needs by adopting an analytical top-down approach supported by a formal methodology and inputs from business teams. These business teams should involve representatives from relevant stakeholder groups and not be restricted to technical specialists. Leg two evaluates current information systems by conducting bottom-up surveys and internal audits to identify
35
The information audit: S Buchanan and F Gibb
"ibid, "ibid.
^Barker, R. L, Information audits: designing a methodology with reference to the R & D division of a pharmaceutical company. Department of Information Studies, Occasional Publications Series No. 8. University of Sheffield, Sheffield. 2,Robertson, G., The information audit: a broader perspective. Managing Information, 1994,1(41, 34-36. "Haynes, 0., Business process re-engineering and information audits. Managing Information, 1995, 2(6), 30-32.
"Underwood, P.G., Checking the net: a soft-systems approach to information auditing. South African Journal of Library and Information Science, 1994, 62(2), 59-64.
"Ellis, D., Barker, R., Potter, S. and Pridgeon, C, Information audits, communication audits, and information mapping: a review and survey. International Journal of Information Management, 1993,13(2), 134-151. 2SGillman, P., Information audits, and what they tell about services. TIP Applications, 1996,9(8), 6-10. "Gibson, P., Information audits: can you afford not to? Library Manager, 17 April, 1996, pp. 12-13. "Bertolocci, K., The information audit: An important management tool. Managing Information, 1996, 3(6), 34-35.
"Dimond, G., The evaluation of information systems: A protocol for assembling information auditing packages. International Journal of Information Management, 1996,16(5), 353-368.
continued on page 37
system gaps that need to be filled. As discussed above there are a number of audits that may be undertaken and typically these will be undertaken by relevant specialists. Leg three identifies opportunities afforded by IT which may yield competitive advantage or create new strategic options by a creative approach that encourages entrepreneurial managers to generate innovative solutions.
The information strategy should encompass each of these legs with the second leg expanded to become the identification and evaluation of information resources (which would include information systems). As a basic framework, the information audit should begin by identifying the business goals and activities, before identifying the related information resources, and then exploring innovative IT solutions as part of the final information strategy development stage. The end result will allow the organisation to identify where it wants to be, what it currently delivers, and what it must provide to bridge the gap between demand and capability (see Figure 8).
Existing information audit methods
A problem with existing information audit methodologies is that although there has been much recent debate on the subject (Barker,20 Robertson,21 Haynes,22 Underwood,23 Ellis et al.,24 Gillman,25 Gibson,26 Bertolluci,27 Dimond28) very few of the methods proposed or discussed go beyond basic frameworks which require further development. As yet, there is no single accepted methodology that is supported by statute, standard, or professional association. Although several methods exist (Riley,29 Henderson,30 Gillman,31 Quinn,32 Worlock,33 Reynolds,34 Barker,35 Best36) many are characterised by a very definite purpose and scope which makes their universal adoption difficult. For this reason the most commonly adopted methodologies are those provided by Burk and Horton,37 and by Orna.38 Each of these methods is briefly reviewed below.
What?
Applications
IS Strategy
• SBU/Process bated
• Demand oriented
• Organisation focused
How?
Delivery
IT Strategy
• Activity/function baaed
• Supply oriented
• Technology focused
Who? Why? Management
IM Strategy
• Organisation based
• Relationship baaed
• Management focused
Figure 5 Interlinking information strategy components (adapted from Earl18)
The information audit: S Buchanan and F Gibb
Meaning:
• Processes
• Information
• Logical security
• User tools
• Information Interchange
• Application standards
Means:
• Architecture
• Infrastructure
• Technical standards
• Physical security
• Maintenance
• Procurement
Information Systems Strategy
Information Management Strategy
Information Technology Strategy
Management:
• Legal issues
• Training
• Best practise
• Health & safety
• Ownership
• Accountability
Figure 6  Information strategy agendas
Corporate Plans ft Goals I
Top down
Current Systems
Bottom up
Analytical
Planning Methodologies ft Frameworks
Organisation«! teams
IT
Opportunities
Inside out
Evaluative
Surveys ft Audita
Users ft Specialists
Creative
Intelligence gathering
Mavericks ft Entrepreneurs
Information Strategy Portfolio
Figure 7 A multiple approach to information strategy development (adapted from Earl19)
continued from page 36 29Riley, R.H., The information audit. Bulletin of the American Society for Information Science. 1976,2(5), 24-25. "Henderson, H.L., Cost effective information provision and the role for the information audit. Information Management, 1980,1(4), 7-9. 3lGillman, P.L., An analytical approach to information management. The Electronic Library, 1985, 3(1), 56-60. S2Quinn, A.V., The information audit: a new tool for the information manager. Information Manager, 1979, 1(4), 18-19.
33Worlock, D.R., Implementing the information audit. Aslib Proceedings, 1987, 39, 255-260.
"Reynolds, P.D., Management information audit. Accountants Magazine, 1980,84(884), 66-69. 35op. cit, Ref 20.
continued on page 38
Horton's infomap
InfoMap, developed by Burk and Horton,39 provides a step by. step process to discover, map, and evaluate information resources. The methodology is highly structured and provides a framework for carrying out a comprehensive inventory of an organisation's information resources. There are four main stages:
• Survey: the organisation's existing information resource base is defined by carrying out a preliminary inventory of all information resource entities (IREs) via interviews with staff involved in using, handling, supplying, and managing information.
• Cost/Value: a multi-disciplinary approach drawing from accounting, business, and economics is adopted to measure the cost and assess the value/benefits of each IRE in order to relate cost and value in the form of ratios to provide an overview of costs and value across the organisation.
• Analysis: three information resource mapping techniques are used to relate the identified IREs to the structure, functions, and management of the organisation. Through this process the particular functions and
37
The information audit: S Buchanan and F Gibb
Demand
Business Strategy
IM
Strategy
What's Missing?
IS
Strategy
it
Strategy
Supply
Business Processes
Ownership, end-user support, resource management, training, contractor management, legal Isaues, etc.
Applications, information processes and stsndards
Technologies, technical ■tandards and infrastructure
Figure 8
potential
Bridging the gap between business needs and technological
continued from page 37 MBest, D., Information mapping: A technique to assist the introduction of information technology in organisations. In Information management From strategies to action, ed. B. Cronin. Aslib, London, 1985, p. 79. 37op. cit, Ref 13. 38op. cit, Ref 12. ^op. cit, Ref 13. *°op. cit, Ref 23.
configurations of IREs can be identified and related to the organisational structure in order to identify corporate resources.
• Synthesis: by careful selection of a set of resource criteria (nature, cost, and value of each IRE) the organisation's information resources are identified along with their strengths and weaknesses relative to the objectives of the organisation.
InfoMap is arguably the most comprehensive method available for identifying and defining an organisation's information resources. For the organisation there are a number of benefits:
• It helps to identify all formal information resources (e.g. is comprehensive rather than selective).
• It provides a measurement of the cost and value of IREs.
• It draws attention to problems and opportunities relating to current information management practices and policies.
• It creates and stimulates awareness of the importance of IRM.
However there are also a number of potential problems:
• The main purpose is discovery and awareness of information resources, not how to manage information.
• The process is time consuming and can incur considerable expense.
• Measures of cost and value are, in most instances, rough approximations.
• Attention is focused on information resources and does not include an organisational analysis.
• It provides a snapshot analysis of the organisation that will require periodic updating.
One the limitations of InfoMap identified by other commentators is the neglect of the issue of organisational context. Burk and Horton do point out the importance of context at various stages but do not provide any method or technique for its analysis. Underwood 40 argues that because  InfoMap is dependent on  users  identifying information
38
The information audit: S Buchanan and F Gibb resources, more emphasis is placed on the discovery process than on the use of such information. This can then make analysis of the results difficult because of a lack of detailed knowledge regarding the context of information use within part(s) of the organisation.
Underwood also points out that InfoMap is dependent on there being a reasonably stable and coherent set of views about the range and value of information resources within the organisation. He argues this world view is typically found in organisations that have reached a point of evolutionary stability (or maturity) and therefore have comparatively little lo gain from an information audit. However, the organisations with the most to gain from an information audit may be those experiencing instability but which ironically could be hampered by their own organisational immaturity. Underwood provides an example of this problem from a recent case study.41
The organisation being audited was three years old, had a highly divi-sionalised structure, and was going through a period of rapid growth and change. At the time of investigation the organisation was considering a central information service or resource centre to support the various divisions. The first step was to establish an information map of the organisation. The chosen methodology was InfoMap. However it was extremely difficult to establish a shared organisational view of information resources and to persuade divisions that resources available to them could also be of value elsewhere in the organisation. In the end, the results of the audit provided no common view and ultimately relied more on the judgement of the consultants.
Underwood's experience should not be considered as a serious criticism of InfoMap, but more as an example of some of the problems that can disrupt the audit process. The purpose of InfoMap is to carry out an inventory of information resources and therefore the problem lies more with the organisation than the particular method. However Underwood's experience does highlight the need in some cases for a more extensive audit process that includes more of an organisational analysis. One such method is provided by Orna's flow based approach.42
Orna's information flow analysis
In contrast to the bottom up approach of InfoMap, Orna's top down approach places more emphasis on the importance of organisational analysis. While InfoMap focuses on static IREs, Orna's method focuses on dynamic information flows. Also, while the end product of InfoMap is a series of maps (or tables) to provide an inventory of information resources, the end product of Orna's approach is a corporate information policy.
There are four main stages to Orna's method:
• Initial investigation: a top-down analysis of the organisation's objectives, structure, and culture with the knowledge gathered forming the basis of the information audit.
• Information audit: adopts several steps from InfoMap but goes on to identify information flows, human resources, and the distribution of IT in relation to information flow.
• Balance sheet: the findings of the information audit are related to the organisation's objectives to identify positive and negative relationships.
39
The information audit: S Buchanan and F Gibb
• Policy development: the development of a corporate information policy to provide strategic direction and management guidelines for the organisation's future use of information.
Orna's method has three main advantages over other methods of information auditing:
• A top-down organisational analysis is carried out.
• Dynamic information flows are identified.
• The end product is a corporate information policy.
However, a potential challenge with Orna's method is that it lacks the practical tools and techniques required to carry out several of the steps. For example, during the initial investigation (stage one) a crucial step is an in-depth investigation of the organisation's objectives, structure, and culture. However to carry out the initial investigation requires a number of important research skills (e.g. interview technique, qualitative data analysis, and organisational analysis tools to identify the organisation's mission, environment, structure, and culture) that can be easily underestimated in terms of their potential complexity and need for a structured, methodical approach. Further, it is highly probable that the information audit will be managed or carried out by an information professional or senior member of staff with an information background who consequently may lack one or more of these required skills. This has been highlighted by Best:43
..the skills needed, spanning as they do business, information and technology areas, are rare and not yet part of training programmes for managers in MBA and other Business School courses.
The solution of course is to have a multi-disciplinary management team and this is recommended by Oma. However, there will still remain a need to identify suitable tools and techniques to carry out several of the steps involved in the audit process. Nickerson 44 has highlighted this problem and suggests that tools and techniques are simply outside the scope of Orna's methodology. However, whether this is true or not, it does highlight a potential barrier to success that cannot be ignored.
It is apparent from this review that no single method can provide a complete information audit solution and that none fully fulfil the strategic role of the information audit. The distinguishing feature that each method has in common is that they all have a very definite purpose and scope, which inevitably acts as a trade-off with universal applicability. Perhaps the most useful and applicable method is provided by Oma but this ultimately depends on the objectives of the information audit. Therefore it is essential that the purpose and scope of the information audit are clearly defined, for only then can an appropriate methodology be selected or developed.
For the purposes of developing an information strategy, a comprehensive top-down integrated strategic approach is required. This should incorporate the appropriate tools and techniques to guide and support what is essentially a complex and multi-disciplinary approach that requires a broad range of business and research skills. Two aspects should be highlighted in this context:
*3op cit Ref 9
"Nickerson, G„ Book review. Practical (1) There is a need for a more comprehensive top-down integrated stra-information polices: how to manage tegic approach to information auditing which enables the develop-information flows in organisations. { of an jnforrnation strategy.
Database, 1991,14(6), 86.
40
The information audit: S Buchanan and F Gibb (2) The success of this approach is critically dependent on the identification of appropriate management tools and techniques to make it work.
An integrated strategic approach to information auditing
In consideration of the limited choice of information audit methodologies it was decided that a universal model should be developed that might be of use to other organisations. The methodology is therefore presented in its entirety, identifying each and every prerequisite for the development of an effective information strategy. Organisations may find that they already possess the knowledge to satisfy some of these steps. For example, they may already have a mission statement with clearly identified objectives; if this is the case they will be able to skip the relevant steps. There are five main stages to the methodology:
• Promote
• Identify
• Analyse
• Account
• Synthesise
The information audit is led by the information auditor (a senior information professional — internal or external) in association with a working group. The working grolpshould be a representative team of senior members of the organisation selected for their information-related backgrounds.
Promote
The purpose of this stage is to promote support and co-operation for the information audit. There are three steps, the first two of which are completed by the working group while the final step is completed by the auditor:
(1) Promote the benefits of the information audit. Ideally the organisation should hold a conference or series of seminars which explains the role of the information audit and why the organisation needs one. The purpose of this step is twofold:
• To promote support and co-operation by increasing awareness ■ and understanding of the strategic importance of information
management and highlighting the benefits to be gained from the information audit.
• To reduce suspicion and hostility among staff members.
Foster co-operation throughout the organisation. This is achieved by circulating a passport letter 45 signed by the chief executive that succinctly reiterates the issues addressed by the previous step and informs staff of the procedures to be followed during the information audit. The passport letter acts both as a medium of introduction for the auditor, and as a symbol of approval from the top executive. Carry out a preliminary survey of the organisation. The purpose of this step is to allow the auditor to make preliminary assessments of the level of awareness and value of information throughout the orga-
(2)
<BHamilton,  S.,   A   Communication ty\ Audit Handbook: Helping Organisations Communicate. Pitman, London, 1987.
41
The information audit: S Buchanan and F Gibb
nisation by a simple informal walk-around.46 This is a vital step as it will determine the level that the information audit should be set at, e.g. depth of explanation required, level of support, and suitability of methods.
Once this stage has been completed there will exist, at the very least, greater understanding of the importance and purpose of the information audit and, hopefully, greater co-operation and support for the information audit process. The auditor will also have a valuable preliminary picture of the organisation on which to base further investigation in the next stage.
Identify
This stage begins with a top-down strategic analysis of the organisation which builds up a rich picture of the organisation's mission, environment, structure, and culture. Towards the latter part of this the organisation's information resources and information flows are identified (as part of the overall objective of identifying the strategic relationship between the organisation's mission and the identified information resources).
There are six steps. The first four are carried out in a workshop by the working group. The final two are completed by the auditor. Although the information resource identification step is the last one, in reality the information resource inventory is gradually built up during each of the preceding steps. The purpose of the final step is to finalise the inventory and to complete a more detailed survey of the information resources. The identify stages are as follows:
(1) Identify and define the organisation's mission. A thorough understanding of the organisation's mission is essential in order to assign appropriate values and priorities to information resources, and to provide integrated strategic direction for the information audit process and resulting information strategy. There are three main steps:
• Abell's business definition framework 47 is used to define the business the organisation is in and whether or not future activities should remain extensions of the original business or become more diversified in unrelated areas.
• Synnott's interpretation of Portfolio analysis 48 is used to identify objectives and to assess how the balance of activities and resources that make up the organisation's business contribute to its strategic potential.
• For each objective the critical success factors (CSF), key tasks/ activities, and related information resources are identified in a manner similar to Pellow and Wilson's CSF approach.49
The frameworks recommended above and below have been selected on the basis of their widespread use in business analysis. There are, however, many other frameworks which could be substituted depending on the specific remit of the information audit and the preferences of the auditor. For summaries of frameworks see, for instance.50,51
(2) Identify and define the organisation's environment. The environment refers to the political, economic, social, and technological influences (PEST) that affect the organisation. It is important to understand the environment in order to fully understand informa-
42
"ibid.
*7Abell, D.F., Defining the business: the starting point of strategic planning. Prentice Hall, Englewood Cliffs, NJ, 1980.
"Synott, W.R., The information weapon: winning customers and markets with technology. John Wiley and Sons, New York, 1987. ''Pellow, A. and Wilson, T.D., The management information requirements of heads of university departments: a critical success factors approach. Journal of Information Science,, 1993,19(6), 425-437. Mop. cit, Ref 14.
51Gjbb, F. and Yepng, S.K., Business analysis frameworks. Strathclyde University, Glasgow, 1997. (MBA Lecture Notes).
The information audit: S Buchanan and F Gibb tion needs, and to ensure that information solutions fit the specific business environment. There are two main steps:
• PEST analysis 52 is used to identify environmental influences.
• Porter's model of competitive forces 53 is used to identify the organisation's competitive position, the competitive forces affecting this position, and the role information plays in influencing these forces.
(3) Identify and define the organisation's structure. The organisation's structure will determine the flow of information and either facilitate or hinder the development of an information strategy depending on the compatibility between the strategy and the structure. There are three steps:
• The basic organisational structure is identified (this can be either a traditional functional model or a process model as recommended by Hammer and Champy.54
• Mintzberg's method 55 is used to determine the structure/strategy fit of the organisation.
• Preliminary information flow requirements are identified similar to Orna's flow based approach.56
(4) Identify and describe the organisational culture. The organisation's culture will influence the value the organisation puts on information, the way information flows, and how information is used. Therefore it is important to ensure that the organisation's culture is reflected in the development of the information strategy. There are two steps:
• Stakeholder analysis (as illustrated by Grundy 57) is used to identify and track key stakeholder influences on the information strategy-
• Lewin's method of force field analysis is used to diagnose and evaluate the enabling and restraining forces that affect the information strategy.
(5) Identify information flows. According to Orna the organisation's information flows:
give an insight into what information is generated in the organisation, who generates it, who uses it, and how they use it. It shows who has the authoritative information on given subjects, who can be expected to know what, and who cannot be expected to know. It also reveals gaps in information provision, and shows missing links in chains of information. 59
This step identifies the general information flows based on the findings of the previous steps and superimposes them on the organisational (or process) model.
(6) Identify the organisation's information resources. A preliminary inventory of the organisation's information resources will have been built-up during the preceding steps. The purpose of this step is to finalise the inventory and to then interview information users (by the auditor) in order to build-up a more detailed picture of each information resource relative to the activities it supports. There are two steps:
• A database is built to store detailed information on each information resource (resources may be categorised based on Burk and Horton's classification 60).
• The working group nominates participants to be interviewed who are provided with the list of key tasks and related information resources and asked to discuss the value (on a scale of 1 to 5),
"Johnson, G. and Scholes, K., Exploring Corporate Strategy: text and cases, 3rd edn. Prentice Hall, Engle-wood Cliffs, NJ, 1993. "Porter, M.E., Competitive Strategy: Techniques for Analysing Industries and Competitors. Free Press, New York, 1980.
"Hammer, M. and Champy, J., Re-engineering the Corporation: a Manifesto for Business Revolution. Nicholas Brealey Publishing, London, 1994. 65Mintzberg, H.( The structuring of organisations. In The strategy Process: Concepts, Contexts, and Cases, eds. J.B. Quinn, H. Mintzberg and R.M. James. Prentice Hall, New York, 1988, p. 278.
teop. cit Ref 12.
"Grundy, T., Implementing Strategic Change: a Practical Guide for Business. Kogan Page, London, 1993. 58Lewin, K., Frontiers in group dynamics: concepts, method, and reality in social science; social equilibria and social change. Human Relations, 1947, 1(1). 69op. cit, Ref 12.
'•'Burk, C.F. and Horton, F.W., op. cit.
43
Tne information audit: S Buchanan and F Gibb
function, and utility (including any problems/possible improvements) for each information resource relative to the task supported.
Once the identify stage has been completed the organisation will have a comprehensive database of its information resources each of which is clearly linked to the organisation's mission, related goals, objectives, and activities. The rich picture produced by this stage will also illustrate the strategic fit between the organisation's mission (including alignment of business and information strategy), environment, structure and culture, and will highlight problematic situations and future objectives as a basis for detailed analysis in the next stage.
Analyse
The purpose of this stage is to analyse and evaluate the organisation's information resources and to formulate action plans to improve problematic situations and achieve objectives identified during the identify stage. There are four steps to the analyse stage. The first three are completed by the auditor in consultation with appropriate members of staff. The workshop resumes for the fourth step. The steps are as follows:
(1) Evaluate the information resources. Information resources are evaluated according to their strategic importance, utility, and associated problems in order to identify appropriate management strategies for each information resource. They are evaluated as follows:
• Strategic importance is evaluated firstly by assessing each resource in relation to the task(s) it supports and the strategic relationship between the tasks, CSFs, and objectives supported, and secondly according to the arithmetic mean of the value assigned for each information resource relative to the task supported.
• Utility identifies what each information resource should, could, and is being used for, thus identifying whether or not users are properly exploiting the full potential of the resource. Utility is evaluated firstly, by defining the information resource's utility independently of what it is being used for by the organisation, and secondly, to then use this definition to determine whether or not the information resource is being properly utilised and to identify the potential strategic value of the resource. Once these two steps have been completed McFarlan and McKen-ney's Strategic IT/IS grid 61 can be used to position information resources according to their existing strategic importance (mean value) and planned importance (future utility) to help identify appropriate strategies for each information resource.
• Problems are evaluated according to the nature of the problem. For instance, is the problem one of awareness, availability, accessibility, or appropriateness? Potential solutions can then be identified with the decision as to whether or not to implement them based on balancing the strategic importance and utility of the resource against the severity of the problem and the steps required to implement the solution (explored further during the action plan stage below).
(2) Produce the detailed information flow diagram. The purpose of this step is to develop detailed information flow diagrams to illustrate
•"McFarlan, F.W., Information technology changes the way you compete. Harvard Business Review, May-June, 1984.
The information audit: S Buchanan andFGibb who is using what, where and why. This is achieved by superimposing the identified information resources onto the general information flow diagrams produced earlier.
(3) Produce the preliminary report. The purpose of this step is to provide a summary account of the information audit process, findings, recommendations and general areas of concern to support and focus the formulation of action plans in the next step.
(4) Formulate action plans. The purpose of this step is to identify and define the action plan(s) required to improve problematic situations and realise objectives that have been identified by the information audit. Checkland and Schole's soft systems methodology 62 provides a practical step-by-step method to deal with complex, unstructured, or poorly defined problematic situations. This step should produce a set of recommendations for action to improve such situation(s).
Once this stage has been completed the organisation will have identified the strategic importance and utility of each of its information resources and the appropriate management strategies. The organisation will also have a set of recommendations for action to improve problematic situations. The next stage in the information audit is to cost the information resources in order to assign accurate costs to information resources and associated management strategies and action plans.
-Ma .
wCheckland, P, and Scholos, J., Soft Systems Methodology in Action. John Wiley and Sons Ltd, Chichester, 1990.
MBadenoch, D., Reid, C, Burton, P., Gibb, F. and Oppenheim, C, The value of information. In The Value, and Impact of Information, eds. M. Feeney and M. Grieves. Bowker-Saur, East Grinstead, 1994, pp. 9-78. Mop. cit, Ref 12.
^Burk, C.F. and Horton, F.W., ibid. ^Reid, C, Is information worth it? London: British Library, 1994. (Information Policy Briefings 6). 87Turney, P.B.B., Activity Based Costing: The Performance Breakthrough. Kogan Page, London, 1996. "Lateral Technologies and Solutions. Grovewood Business Centre, Strath-clyde Business Park, Bellshill, ML4 3NQ, 01698-740340. MGlazier, R., Measuring the value of information. IBM Systems Journal, 1993,32(1).
Account
The purpose of this stage is to cost the organisation's information resources in order to be able to assign accurate costs to information resources and associated services, to compare costs to value and other benefits, and to be able to perform cost analysis and cost modelling as part of the development and evaluation of an information strategy.
The costing and valuing of information resources is recognised as being a problematic area.63 Orna64 and Burk and Horton 65 emphasise the need to liaise with the organisation's accountants to ensure that there is consistency and comparability within the exercise. However, accounting standards have not been fully developed in this area and few organisations have attempted to include information resources as assets in their books.66 Given the potential complexity of the exercise this stage is not represented by a rigid methodology. Instead, three approaches are highlighted which have been shown to be both innovative and of general applicability.
• Activity based costing (ABC): ABC 67 identifies the costs for information resources by measuring the causal relationship between activity cost and information resource use. ABC provides a more detailed and in-depth approach to costing than other methodologies.
• Output based specification (OBS): OBS 68 is a quality performance measurement system that also provides, where required, a mechanism to link payment to quality performance by identifying the minimum quality standards and quality indicators for each information resource (rather than the costs). ABC and OBS can be usefully combined to provide a more rigorous analysis of inputs and outputs to a process.
• Glazier's model: Glazier's model 69 is a novel approach to the
45
The information audit: S Buchanan and F Gibb
measurement of information assets in order to identify opportunities to improve revenue streams, reduce production costs, and focus on customer demand (as the most tangible evidence of delivered value).
Once this stage has been completed the organisation will have identified the costs, or cost indicators, for each information resource, depending upon the choice of costing method(s). The approach adopted will depend on the particular circumstances of the organisation and the purpose and scope of the costing exercise. Each approach provides an innovative and pragmatic solution to costing information resources
Synthesise
The purpose of this stage is to report on the complete information audit process and to synthesise the findings/recommendations in order to provide integrated strategic direction for the organisation's future management of information. There are two steps to this stage. The first step is completed by the auditor with the second completed by the working group. The steps are:
(1) The information audit report. The purpose of this step is to provide a detailed and complete account of the information audit process, findings, and recommendations for analysis, review, and reference purposes.
(2) The information strategy. The purpose of this step is to provide integrated strategic direction and management guidelines for the organisation's future management of information in relation to the organisation's mission and objectives.
Conclusions
The methodology described above is based on an analysis of existing approaches and practical experience derived from the development of an information strategy within the university sector. The potential benefits of the methodology are:
• It provides a complete (in contrast to previous methods) step-by-step pragmatic solution to information auditing.
• It provides a management tool-kit that can be tailored to individual requirements.
• The relationship between the organisation's business strategy and information strategy is identified and evaluated.
• It utilises a new approach to costing information resources.
• It provides the organisation with an information resource database inventory.
• It provides integrated strategic direction and management guidelines for the organisation's future management of information.
However, there are also a number of potential barriers to successful implementation. For instance:
• The scale of the exercise and associated resource requirements may make it impractical for organisations.
• Synthesis between stages may not always be clear and unambiguous due to the multi-disciplinary nature of the exercise.
46
The information audit: S Buchanan and F Gibb
• There can be practical difficulties in modelling relationships between objectives, CSFs, tasks, and information resources, most notably because of complex many-to-many relationships.
• Although process modelling is identified as a recommended management tool the methodology could be criticised for being predominantly task-oriented and functional in nature.
As discussed above, the methodology is intended to be wide-ranging and of general applicability but it is recognised that organisations may need to make compromises, may wish to use a sub-set of the steps, or may need to enhance or tailor it to their specific requirements.
47