Greasing the Audit Skids by Exposing Business ProcessesBy Michael Vizard | Posted 2006-04-06 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce REGISTER >
The name of the game is to get the auditors in and out as quickly as possible.
Auditors are a necessary evil in a new era of compliance marked by Sarbanes-Oxley, HIPAA and other regulations.
Given that new reality, the best course of action is not to bemoan the current state of affairs, but rather take steps to reduce the amount of time auditors need to determine whether your company is compliant. After all, your company is paying auditors by the hour to determine whether the company complies with regulations, so the sooner you get them out of everybody's hair, the better. Productivity also takes a hit because of the auditing process, as more and more people get pulled away from revenue-generating tasks to assist with the audit.
To get rid of auditors sooner, you need to think about making your business processes as digitally transparent as possible. For example, Broadcom CIO Ken Venner says his company has come through two SarbOx audits with flying colors, thanks to an investment the company made in a suite of Digital Guardian tools from Verdasys in Waltham, Mass.
Broadcom originally invested in the Verdasys tool set, which keeps track of what information is being sent where and prohibits certain data from being distributed without permission, as a way to help safeguard its intellectual property. This information could, for example, be inadvertently e-mailed by an employee to someone outside the company.
An unanticipated upside of that effort was that when Broadcom had to deal with auditors, the Verdasys system, coupled with custom workflow tools and BMC Software's Remedy I.T. management package, provided the auditors with a clear-cut path to follow across multiple business processes.
That path is created by deploying agent software on all files, tracked by a Verdasys server that can prevent documents from being downloaded to a USB device or even printed.
Similarly, Aspen Aerogels, a maker of synthetic gels for thermal and acoustic applications, turned to IBS America in Lexington, Mass., a provider of a document management framework for environments dealing with compliance issues.
According to Aspen Aerogels quality manager Ann Upton, the company uses the IBS software to keep track of customer interactions and supplier information. She said the vast majority of the company's employees are already trained on how to use the system, but for the most part the system is transparent to the employees because it does not require any major changes to their workflow to keep track of which documents were attached to a specific business process. In the event of an audit, this means that auditors would be able to quickly follow the flow of information across the company.
In both instances, an ounce of prevention is worth several pounds of cure because the information systems in place make it easier to follow who has access to what data, and when. Most auditors are not looking for immense amounts of detail. What they are looking for is clearly delineated processes that are then effectively monitored. When they can't follow those processes, they have to try to reconstruct them. Once that happens, they basically move in, complete with assigned office space that, in addition to billable hours, gets paid for by the chief financial officer.
Beyond getting auditors out the door faster, these systems usually provide greater visibility into the business. Having these systems can expose the fact that the company's biggest customer is actually its least profitable customer, or that one particular business unit is consuming 80% of the back-office services that the rest of the company pays for, making that unit a lot less profitable in reality than it is on paper.
Of course, you can always hope that this compliance rage will blow over once Congress figures out that the cost of being compliant is causing a drain on productivity, which recently dropped for the first time in many years. But it will take a few hundred thousand audits to quantify compliance's draining effect on productivity. And in any case, it may be too early to determine whether the tasks of complying may actually increase productivity down the road by forcing us to have greater visibility into our business processes.
In the meantime, minimizing the amount of time auditors spend with your company is never a bad strategy.