We've always done audits manually - why change now?

Change is not easy – and the process of managing change is even harder. Add to that the scrutiny of an IT audit, and it becomes easy to lose track of why all of this is necessary, and eventually get stuck in that head down, power through mode. Look away for a second and you’ll find that this has become your new “norm.” 

It’s time to break the cycle, and embrace change, no matter how difficult it might seem at first. That critical first step starts with understanding the mechanics of an audit, and how it will enable you see to improve the change management audit process and the overall outcome for your business.

If it ain’t broke, don’t fix it?

Going with a tried and tested manual approach to IT audit may seem like the easy option, but does it force your organization to spend more time preparing for an audit than it does for the actual audit to be completed?  Are these activities part of your norm?

- Manually documenting changes to your ERP system

- Tracking approvals, rejections and code version changes

- Compiling spreadsheets, emails or files from disparate systems

Audits can really shake things up because they can force you to implement more changes.  I’ve often heard IT managers complain that they need to put a new process in place just to make the auditor happy.  Really?

Don’t hate the player, hate the game.

Remember, auditors only audit what your organization’s audit committee tells them to. The audit committee is determined by the board of directors.  The number and qualifications for the audit committee are defined by the board of directors in the audit committee charter.  Basically, the auditor is there at the audit committee’s behest, and is responsible for calling out deficiencies based on what the committee has asked them to review.

Do what you say, say what you mean. 

The whole point of auditing your change controls is to ensure that your organization is doing what it says, and says what it means – so that you are in compliance with standards set by the business and external regulatory bodies.

Although nobody likes to have their weaknesses called out, it is the best opportunity to strengthen your business against vulnerabilities.  If a process causes repeated deficiencies, these are considered material deficiencies.  The consequences of ignoring those can be far greater and far more expensive than a failed audit.

Automation is the word that you heard.  

So the question is what can you do to get into the audit groove? How do you make audits faster and easier while ensuring that your ERP change management process is serving your business in the most effective way possible?

Have a look at the second part of our e-book, “Avoid the Common Pitfalls of ERP Change Management,” and gain insight into how you can successfully streamline and pass your next change management audit.  Plus, be sure to get your copy of our COBIT checklist that will help you align your control objectives with change management processes to achieve audit success. 

Anonymous