Step 5: Turning the Tables on the Dreaded Audit
Welcome to step 5 of my blog series meant to give IT practitioners techniques to navigate the journey to better service management. In a previous blog, I wrote about several topics that touched on the need to perform regular policy checks for attributes as well as the relationships to other configuration items. I will build on this previous information, hopefully providing you with additional ways to drive higher within the organization value chain.
The Dreaded Audit
For most, audit may as well be a four-letter word! IT teams dread the day, typically annually, when the internal auditors begin scheduling meetings to review the previous year’s controls and exceptions. For these internal auditors, this is a critical step prior to the external auditors paying an annual visit.
A hive of activity ensues to cover the bases and make sure all are prepared. Unfortunately, often times the biggest concern is being able to report and extract the data that will be needed to pass the audit. This is a common pain point for many organizations I spend time with.
For example, many organizations have switched out tools mid year, changed (and hopefully improved) operational processes, along with a myriad of restructuring. And, of course, the first issue to be raised in many situations – just who is the person now responsible for completing the audit and being that IT resource?
Changing the Game
It’s time to play these internal audit specialists at their own game and show how IT can elevate its position! And, at the same time demonstrate how IT controls roll up into something much bigger such as SOX, HIPPA, DISA and so on. Sound good?
Now what about (and don’t tell them this) making the auditors complete the audit! There are several resources available to help complete audits against industry or regulatory standards. Add these to your own internal audit controls and you have a pretty significant amount of data points to test against and demonstrate controls. This is where IT can take advantage of its tools and automation to get ahead of the game. ServiceNow customers I speak with have been using the IT Governance, Risk & Compliance (GRC) application for many years to do just this.
Utilizing a single platform enables IT organizations to stay ahead of the game and proactively maneuver the audit by utilizing the following:
- IT GRC – the overall audit and governance control framework
- Change Management – oversees the operation process
- Data Certification – manages and controls data quality
- Discovery (systems and services) – automates the population of key data, systems and services
- Reporting & Analytics – allows complete visibility from a single source of truth
- Workflow Engine – drives process and corrective/proactive task assignment (CAPA)
At this point, you are probably thinking that the ability to demonstrate the total path of change is a complex activity, which typically requires multiple systems of record and many resources hunting down the right information and bringing it together. But as organizations integrate the applications and features mentioned above, it’s actually very possible to put together an end-to-end process.
By embedding audit controls and attestation processes as part of Change Management, the IT organization can not only position itself to deliver on the continued expectation of change and rapid results, but also demonstrate control and confidence in what they do on a daily basis. Some might argue it allows IT to do more, but that’s for another day….
Up next in Step 6: How to hit the bulls-eye continually and consistently!