Why We Don’t Accept Verbal Orders

From time to time, someone may ask IT to “just take care of something real quick” — over the phone, in the hallway, or via an informal conversation.

While we understand the intent, we don’t act on verbal IT orders. This isn’t about trust or bureaucracy — it’s about accuracy, security, and accountability.

This post explains why written requests are required and how this policy protects everyone involved.

What we mean by “verbal orders”

A verbal order is any request that:

  • Is made only by phone or in person

  • Has no written record

  • Isn’t submitted through an approved channel (ticket, email, portal, etc.)

Examples include:

  • “Can you just add this user real quick?”

  • “Go ahead and remove access — I’ll send it later.”

  • “I approved that change earlier, you can move forward.”

Even when well-intentioned, these requests create risk.

Why verbal orders are a problem

1. No reliable record

Without a written request:

  • Details can be misunderstood

  • Scope can be unclear

  • There’s no confirmation of what was approved

  • There’s no audit trail

In IT, small misunderstandings can have big consequences.

2. Security and authorization risk

Many IT actions affect:

  • User access

  • Sensitive data

  • System configurations

  • Costs and licensing

Without written authorization, IT cannot reliably confirm:

  • Who requested the change

  • Whether they were authorized

  • What level of approval was required

3. Accountability and protection

Written requests protect:

  • The organization

  • The requester

  • IT staff

If questions arise later, a written record clearly shows:

  • What was requested

  • Who approved it

  • When it was completed

This prevents disputes and confusion.

Verbal urgency doesn’t remove the requirement

Even during urgent situations:

  • A short written confirmation is required

  • A quick ticket or email is sufficient

  • “Please proceed” in writing is enough

Speed and documentation are not mutually exclusive.

How to submit requests properly

We ask that all IT requests be submitted through one of the following:

  • The support ticket system

  • An approved email address

  • The client portal (if applicable)

This ensures:

  • Requests are tracked

  • Approvals are verified

  • Work is completed accurately

  • Nothing falls through the cracks

How this aligns with best practices

Requiring written authorization aligns with:

  • HIPAA (access control and auditability)

  • CMMC / NIST (change control and accountability)

  • PCI-DSS (traceability of system changes)

  • General governance and security best practices

This policy isn’t unique — it’s standard in mature IT environments.

Our recommendation

For everyone’s protection, we require:

  • Written requests

  • Clear approval

  • Documented changes

This helps us deliver fast, accurate service without compromising security or accountability.

If you ever need help submitting a request or aren’t sure who should approve something, let us know — we’re happy to assist.

Al Davis