Green IT audit: What it is and how to prepare

What is a green IT audit?

A green IT audit uses standards to evaluate the environmental impact of an organization's enterprise technology. This type of audit assesses tech's energy use, carbon footprint, water usage, e-waste, infrastructure sustainability and other factors that affect the planet.

More stringent than a green IT assessment, a green IT audit uses standards, regulations and other guidance to validate that the IT department complies with relevant benchmarks. For example, green IT audits can help organizations stay current with and prepare for national and global regulations like the Inflation Reduction Act of 2022, the EU's Corporate Sustainability Reporting Directive of 2023 and the SEC's impending climate-related disclosures rule.

CIOs and IT leaders might consider including specific ESG metrics developed by independent standards organizations like the Global Reporting Initiative. For example, measuring the Scope 1 emissions of existing IT assets is an important environmental consideration. IT teams might also wish to include other factors in the green IT audits. These aspects could include social metrics, such as human rights support and governance metrics, such as internal IT controls.

Audit methodology

While there are many ways to organize and conduct an audit, the key activities are identifying the relevant controls, gathering evidence through interviews and researching various data sources. From there, auditors will analyze the evidence versus the controls and prepare a report with findings and recommendations. For example, ISACA provides considerable guidance on the IT audit process. The organization also offers a governance framework called COBIT. 

After determining the appropriate audit framework, IT leaders should consider including relevant environmental attributes to refine the control framework.

Relevant audit controls

IT leaders can use the environmental metrics below and suggested audit controls to understand their impacts.

Getting ready for the green IT audit

IT teams should follow several steps before the audit starts, listed below in a recommended sequence:

• Determine the need for a green IT audit.
• Secure initial senior management approval for the audit.
• Determine if the audit will be conducted internally, by the IT department, the company's internal audit department or by a third-party audit firm.
• Develop an audit plan specifying the audit's scope and objectives, including the selected controls.
• Secure the audit's formal approval, including funding.
• Determine if audit software is to be used and -- if approved -- secure and install the system on company servers.
• Notify key stakeholders, investors and other employees of the audit.
• Establish a regular briefing schedule for senior management.
• Develop tools to gather information, such as surveys and in-person or remote interviews on green IT activities.
• Develop a document checklist in collaboration with the auditor or audit team.
• Determine the metrics for auditing green IT compliance; these can include company policy, laws and good practice.
• Ensure the auditors are knowledgeable about sustainability and ESG issues, and their applicability in the enterprise.
• Establish a work area for the audit team, such as a conference room. This step is important when working with an external audit firm. Conference rooms provide effective work areas to conduct interviews.
• Gather and deliver all relevant audit documentation to the audit team.
• Identify candidates for audit interviews and secure their availability.
• Organize a schedule of interviews for the auditors.
• Have copies of internal evidence supporting green IT compliance; these can include reports, emails and meeting minutes.
• Schedule a preaudit meeting with the audit team.
• Schedule a briefing of all interview candidates to ensure they understand their roles and responsibilities during the audit.

How to use the results from the audit

Once the process ends, the auditor delivers a report with recommendations. Thoroughly reviewing the results is crucial to getting meaningful insights. Stakeholders should be a part of the process to decide on the next steps for implementing the auditor's recommendations.

The structure of the audit and the selected controls can help the company further understand the IT team's environmental performance.

For example, the report's results might identify activities that generate quick wins for the IT department, such as having users power down computers at night, reducing use of email and turning off cameras during Zoom meetings. Other recommendations might take more time and result in extensive changes to the organization's sustainability initiatives. These suggestions might include finding ways to reduce data center energy use as well as greener approaches to software engineering and networking.

CIOs and IT leaders should consider performing annual green IT audits to gather data that can enhance the organization's long-term sustainability strategy. Periodic assessments can supplement green IT audits and evaluate the effectiveness of new and existing sustainability-focused policies and procedures.

Paul Kirvan is an independent consultant, IT auditor, technical writer, editor and educator. He has more than 25 years of experience in business continuity, disaster recovery, security, enterprise risk management, telecom and IT auditing.