Whatever unpleasant images an IT audit may bring to mind for you, as an IT professional you’re diligent enough to start preparing for your own audit somehow. You’re also smart enough to do things the easy way whenever you have a chance.
I don’t think the two belong in the same sentence, let alone in your preparation for an IT audit.
If doing things the easy way amounts to doing them the way you always have – sticking with your outdated compliance process, manually documenting changes to your ERP system, tracking your efforts with spreadsheets and skipping steps to document your compliance – then you’re not really doing things the easy way, even if you think you are.
The way to really make ERP change management easy is to automate it.
First, you need to understand the machinery behind the IT audit.
Part 2 of our e-book called “Avoid the Common Pitfalls of ERP Change Management” includes plenty of arguments in favor of automating your ERP change management process. Most of them revolve around a few ugly truths about IT audits:
1. It’s not the auditors’ fault.
Some IT managers stick with manual techniques for ERP change management out of a perfectly natural fear of change. (Seems ironic that you wouldn’t want to change the way you change things, but it happens.)
Other managers don’t understand the machinery behind an IT audit. Once I had a peer IT manager say to me, “I’m not going to put new processes in place just because the auditors make me do it. I’ll show them.”
“But it’s not the auditors’ fault,” I told him. “They’re only auditing what the audit committee tells them to audit, and that committee is made up of our peers, a few execs and even some people from our board of directors.”
“Oh,” he said. “But I still don’t have to like it.”
“Of course not,” I said, “but keep your perspective.”
2. The audit committee decides what to audit.
It’s not like an income tax audit, where you can get in trouble with the government; in fact, if you follow the recommendations that come out of the audit, they may even help you stay out of trouble with the government.
Whatever deficiencies you may have, know that the board of directors and the audit committee will see your performance. Auditors don’t make you do anything; they audit based on what you as an organization say you do and on what the committee has asked them to review.
3. The audit committee sees your dirty laundry.
As an IT manager, when you get an audit report that reveals deficiencies, you have to provide an explanation to management of what you’re going to do to remediate those deficiencies. Your dirty laundry goes up to the audit committee, including the board of directors and senior management on the committee.
Repeated deficiencies are considered material deficiencies. In those cases, it’s no longer a question of whether things will fall apart, but when; the audit has already established a lack of control there.
Thus, a sword of Damocles looms over your head. What are you going to say differently this year to convince the audit committee that you have a handle on your deficiencies?
Call me crazy, but let’s try something different.
“But we’ve always prepared for IT audits manually,” you say.
And I ask, “Why on earth would you do that?” Obviously, if you keep doing things the same way, you’re going to get the same results.
Automated ERP change management won’t magically correct all your deficiencies or take down that sword hanging over your head. However, it will provide you with a comprehensive trail – the who, what, why, when, where and how of change – to reduce the time and resources required to prepare for an IT audit.
Have a look at Part 2 of our e-book, “Avoid the Common Pitfalls of ERP Change Management.” It includes more insight into IT audits and a checklist for defining the control objectives you want your change management processes to achieve.
And if you missed Part 1 of the e-book, check it now for advice on how to apply a secure, automated change management process.