IT Audit - The Institute Of Internal Auditors  


Vol. 10, December 10, 2007

To Vista or Not to Vista?

Switching to Windows Vista is a decision that needs to be made carefully. Looking at the risks associated with Microsoft's latest operating system can help organizations make a decision that fits their strategic IT goals.

Joe Dysart
Freelance Writer

Nearly a year after the release of Windows Vista — the latest generation of Windows operating systems — most organizations worldwide are still cautiously evaluating the product, fearing the upgrade could represent a headache. "I gave Vista a chance — I just can't use it as my primary OS [operating system] anymore," says Chris Pirillo, a high-profile technology blogger in the United States whose rants about Vista are all too common. "The shipping version of this OS is late beta, at best."

Jeffery Web, CIO at the Southwest Virginia Higher Education Center, could not disagree more. "I'd say that we'll experience a 10- to 15-percent boost in user productivity from a combination of better security, faster search, and the more attractive interface," says Web, who began migrating to Vista in February 2007.

As part of their work, internal auditors need to stay ahead of the curve by learning about the latest IT products and trends that can enhance an organization's strategic goals and objectives. Because operating systems are an invaluable part of a company's IT infrastructure, it is essential for auditors to understand the risks and advantages posed by moving to a new operating system, such as Vista. Doing this will help auditors provide recommendations that can add value to company services, while staying in line with current and future IT goals and objectives.


Part of the reason the IT industry is split over Vista is that, depending on the hardware and software a company uses, an upgrade can be either an easy process or a slow, complicated one. Vista works exceedingly well with many Microsoft legacy products, including pre-Vista versions of Excel, Word, PowerPoint, and FrontPage, according to the company. But with other software, a Vista upgrade might be a risky venture. Pirillo, for example, found that after installing the initial version of Vista, his scanner, fax software, and desktop search software did not work with the new operating system. In addition, he noticed that Vista significantly slowed down his PC, a common complaint against the new operating system.

Consequently, it is no wonder that the September 2007 figures from market research group Net Applications show Vista's market penetration at 7.38 percent. Indeed, the backlash against Vista has grown so intense that PC vendor Dell has gone back to selling select desktops and notebooks with Windows XP or XP Pro installed, according to Lionel Menchaca, Dell's digital media manager. Still, even with the lukewarm reception, many companies still grapple with a nagging concern: Should we continue to hold out against Vista, or is staying with XP too risky?

To help IT managers get a handle on whether Vista is right for their company, internal auditors can recommend that they use some of the online tools offered by Microsoft and other vendors. These tools enable users to determine how existing hardware and software will perform once an upgrade to Vista takes place. Depending on the number of employees, auditors can recommend that IT departments use the Windows Vista Upgrade Advisor, which analyzes a PC's hardware and determines whether the machine has enough power to run the new operating system. Furthermore, IT administrators can use Microsoft's Application Compatibility Toolkit 5.0, which pinpoints which applications will work on Vista and which will not. Another option, the Windows Vista Hardware Assessment 2.1, analyzes Vista compatibility for computers and hardware operating on a network. Finally, for a more independent analysis of software that works or doesn't work on Vista, auditors can recommend that IT managers use IeXbeta, a Web site maintained by a virtual community of Vista watchers and application experts from around the world.

"This compatibility issue should figure prominently in your audit, because depending on your applications, it can be a real show stopper," says Randy Franklin Smith, chief executive officer of Ultimate Windows, an organization that provides security information on the different Microsoft operating systems, IT auditing, and compliance. "We have some clients for whom all of their applications have Vista upgrades available and other clients who can't look at Vista anytime soon because of compatibility."

In terms of hardware, Smith advises organizations to research thoroughly. According to Smith, companies that are thinking about switching to Vista might need to consider buying new systems for two reasons: performance and driver-related issues. "[Hard] drive speed seems to be much more of a performance issue for Vista than XP," he explains. "The drivers, especially for notebooks, just aren't there or are of very bad quality." Another major risk factor to consider is the training needed for staff to get up to speed with Vista. For instance, "the names and locations of tools and dialogs were changed [in Vista], which created more support calls than would seem necessary," says Smith.

Of course, forgoing an upgrade also has its risks, mostly rooted in security. Microsoft has invested heavily to enhance Vista's security features, and even its toughest critics admit the claim is partially true. "The single biggest motivator for moving to Vista is BitLocker — Windows' first native full-drive encryption feature," comments Smith. "It really works, and it's the only new security feature in Vista I'm excited about and the only reason I recommend migrating." Rob Enderle, principal analyst with the Enderle Group, an organization that consults clients on the latest IT trends and events, agrees: "This is likely the strongest benefit to the new platform, in that a wide cross-section of existing viruses will not run on it." He also likes Vista's user-authorization safeguards.

In terms of their work, internal auditors can use these risks as a baseline when determining whether Vista should be part of their operating system arsenal, as Steve Mar, an IT audit consultant with Resources Global, a multinational professional services firm, explains: "Some internal auditors may decide to follow the chief information officer (CIO) or IT department when deciding whether to migrate their current operating system to Vista. However, the auditor might discover that existing audit applications do not run well on Vista or are not compatible with the new operating system, which could create challenges when delivering high-quality audit projects. Hence, it is especially important for auditors to consider what would happen if the CIO decides, or not, to deploy Vista and the impact this decision could have on the auditor's software toolset."


If upgrading to Vista or continuing to use the existing operating system is not an option, the CIO or head of IT might recommend that the organization switch to Linux, an open source operating system that is voluntarily maintained by IT experts around the world and which often does not suffer the kind of problems Windows does with each upgrade.

"It's a huge bargain," says Kevin McDonald, assistant director of application hosting at Vanderbilt University. "We felt we had everything to gain and very little to lose."

Because Linux is owned by no one and can be easily improved upon by everyone, IT managers and internal auditors alike might find the idea of using a Linux operating system a good one. In fact, as Caroline Kazmierski, a corporate communications specialist for Linux service maintenance company Red Hat, explains, the advantages of Linux are more than just changing the code. "You can see the code, change it, and learn from it. Bugs are more quickly found and fixed. And when customers don't like how one vendor is serving them, they can choose another without overhauling their infrastructure."

Still, getting from here to there can be painful. Migrating to a completely new operating system means proprietary software will need to be rewritten, off-the-shelf software will often have to be replaced, and staff will need to be retrained. As a result, many companies decide to keep using their current operating system, even after doing a full cost-benefit analysis. However, for those organizations that make the jump to Linux, the rewards can be substantial.

Vanderbilt's McDonald is one of the IT administrators who decided to take this jump. Historically an HP-UX and HP3000 shop, Vanderbilt's MIS department relied heavily on Unix and Oracle for its computing environment. Beginning in 2002, however, it became evident that their HP-UX systems were reaching the "end-of-life" in terms of maintenance and performance. The university's needs for data storage alone were increasing by approximately 1,000 percent each year and the HP mainframe environment wasn't keeping pace, according to McDonald. In weighing the options, it was important that any new solution be compatible with the Oracle environment, which had become a core competency of the MIS team.

As a result, Vanderbilt asked HP for pricing on two potential solutions to replace their current infrastructure: a newer HP-UX solution and an equivalent 32-bit platform. The comparison turned out to be staggering — the proposal for an Intel and Linux solution came in at more than 60 percent less. These days, the institution's finance and human resource applications, as well as a number of other applications, all run on Linux. "Looking back, it was a pretty simple task for our experienced Unix administrators," McDonald says.

"Keep an open mind," adds Richard Ray, a systems analyst at Wake Forest University, who also made the switch to Linux. "The perception that open source is not supported, not ready for mission-critical applications is not accurate. The community model is much better. Open source has so many eyes looking at it that it is pretty solid. It just grows and evolves over time."

If making the switch to Linux is in the works, internal auditors need to warn senior managers of the risks posed by the use of open source operating systems. "Moving from Windows to Linux can be likened to the choice between business application environments: Which is more appropriate for the organization's needs, a large-scale integrated environment such as SAP or PeopleSoft, a.k.a. the Windows side, or a best-of-breed mix and match approach, a.k.a. the Linux side?" comments Nelson Gibbs, senior manager with Deloitte & Touche LLP's Audit and Enterprise Risk Services division.

According to Gibbs, senior managers also need to keep in mind different operational support and development concerns that depend heavily on the version of Linux being deployed. Options range from fully supported enterprise-level environments from vendors such as IBM and Red Hat to deployments based entirely on code modified and compiled by the IT department without external support available. "With Vista, companies transfer most of the risks and costs associated with operating system software development and maintenance to Microsoft. However, with Linux, companies may be absorbing most of those risks and costs," he explains.


The largest legal battle concerning Linux to date is the US $5 billion SCO v. IBM trade secrets case, in which SCO Group alleged IBM contributed SCO property to the Linux kernel. During the course of the case, SCO notified Fortune 1000 and Global 500 companies of their possible liability if they continued to use Linux without paying licensing fees to SCO, and then proceeded to file lawsuits against Novell, DaimlerChrysler, and AutoZone. However, in August 2007, a judge ruled in favor of IBM, finding that Novell, not SCO, owns the copyrights to Unix. SCO then filed for Chapter 11 bankruptcy a month later.

In addition, senior managers need to consider the current legal landscape with respect to Linux. As Gibbs describes, "there are still licensing, intellectual property, and other legal matters before several courts that have yet to be decided, which may impact an organization's decision to switch over to Linux, although most of the broad cases to date have been decided in favor of the Linux community."

Furthermore, there are strategic risks to consider, especially alignment with organizational goals and core competencies. "The switch to Linux might necessitate a change in the organization's staffing model, IT department skill sets, and an increased capital commitment to the IT budget, especially if the decision is made to become self-supporting," Gibbs continues. "The organization also might need to establish and develop new relationships with a different set of software vendors if pursuing an externally supported Linux environment."


Internal auditors need to consider Vista implementation from two perspectives: as part of the organization's overall risk assessment plan and as part of their audit universe (i.e., the auditor's toolkit), explains Mar. For instance, what risks could the use of Vista introduce to the organization that did not previously exist? Will the audit department deploy Vista as an operating system to perform audit projects? And if so, how will future audit projects be impacted by this change? Answers to these questions, Mar points out, will depend on the IT department's or CIO's strategic direction.

"For the internal auditor, the decision to deploy Vista will probably depend on the CIO or IT department's strategy," says Mar. "Because the CIO may decide to deploy, postpone, or not use Vista, the internal auditor should consider the risks and impact of each option." Additionally, the auditor should contact the organization's software vendor and inquire about the vendor's future plans to become Vista compatible. According to Mar, if the auditor uses in-house supported tools, the CIO or IT department should be asked about the organization's level of support and compatibility. Other questions auditors should ask when deciding whether to deploy Vista include:

  • Is the auditor in a position to advise the IT department or CIO on deploying Vista?
  • Should the auditor assess the risks of switching over to Vista and determine if it should be part of the audit universe?
  • What has been the organization's risk history when a new operating system is deployed?
  • What might be the impact to the organization if Vista is deployed?
  • What should the auditor do if Vista is deployed and it negatively impacts the audit software portfolio?
  • How can the auditor become comfortable about Vista prior to its deployment?
  • Will deploying Vista impact how the auditor works with external parties or external auditors?


As the move to Vista continues around the world, internal auditors need to recommend that senior managers carefully study their situation and weigh all their options. Only then can a decision be made that best meets the organization's current and future IT needs without causing major disruptions in work productivity. As Mar concludes, "Whether the organization will switch over to Vista or use a different operating system such as Linux, the roll-out approach should be the same and be as seamless a process as possible."

Joe Dysart is a journalist with 20 years' experience. Dysart's articles have appeared in more than 40 publications, including The New York Times and The Financial Times of London. Currently, he's a technology columnist for five vertical market industry publications, and a contributing IT editor as well.