Thanks to legislation like Sarbanes-Oxley, the terms "audit" and "headache" have become synonymous for many organizations.
Most companies are forced to track disparate, function-specific software with email and spreadsheets to create an audit trail that verifies compliance with an established process. Just describing it sounds like a convoluted mess to me. I can only imagine the hassle associated with trying to keep email strings and different software logs updated—no wonder compliance audits are so expensive.
At the risk of sounding a little self-serving, we just went through an audit for SAS70 compliance. I bring this up in the context of our conversation on governance and auditing because I think it’s relevant and not necessarily because we happen to use our own software to create our audit trail. I’d like to describe one part of our process, and how a centralized project data repository helped streamline the SAS70 audit for our company.
For the sake of argument, let’s talk about software bugs and how they are addressed. I think it’s safe to say that regardless of the software application, it’s difficult to test for every conceivable scenario before software is released to the public. It seems software vendors can’t get away from at least the occasional "bug." Here’s the process in a nutshell; feel free to call me out if I miss anything:
- A bug is identified either internally or by a customer
- It is reported (directly to Quality Assurance (QA) if internal, or probably a customer service representative if reported by a customer, who then reports it to QA)
- QA attempts to duplicate the bug, and if successful, reports the needed fix to the development team and acknowledges the issue to the person who submitted it
- The development team fixes the bug and forwards the fix to the IT department to push live
- The IT department then pushes the fix to the live servers
Typically, and this is an over-simplified example, most customer service call centers work with customer-service-specific software to manage incoming calls, or with no software at all. The CS representative will make note of the issue and probably forward an email to QA or might possibly make an entry into their company’s issue management software.
An email string begins back and forth from CS to QA to Dev to the submitter and finally to IT.
Imagine the difficulty of verifying emails (which never get lost, right?) and coordinating different software logs into a spreadsheet or other database. I bet auditors love this type of system because the clock is ticking and I can hear every second going, ka-ching, ka-ching, ka-ching…
On the other hand, because we manage this entire process within our project management software (which keeps all project data in a centralized location) the audit trail from start to finish is completely verifiable. With a few simple keystrokes, our CIO was able to answer every question the auditor asked, at a level of detail that helped us sail through the audit.
"When did QA get notified of the bug or feature request?" asked the auditor.
"At 10:00 am MST on August 14th," answered the CIO.
"When was it tested, and who did the test?" was the next question.
"Sara was able to duplicate the problem at 11:15 am on August 14th and at 11:30 am it was submitted to the development team," was the answer.
…and so on throughout the process until IT pushed the fix live. No emails to get lost. No spreadsheet to create. Our CIO beamed as he walked me through the audit process.
Regardless of the type of project-based work you do, if you need to verify an audit trail for compliance reasons, it just makes sense that your project management software keeps all of the project data together in one place and automatically logs every action initiated or completed in the process.

Governance auditing doesn’t have to be a headache, unless your approach is to prepare for the audit the week before the auditors arrive. Centralizing project data into project software is smart at a number of levels, but it saves countless hours and a lot of expense in terms of verifying compliance and auditing.
How did you get through your last audit? Was your project management software able to help streamline the process?












