In our last post we shared what we learned during conversations and presentations at various IT events. We were surprised that so many organizations still use manual methods on both SAP and other types of IT systems, though automation tools have been available for years.
These findings were recently confirmed by Protiviti, a global IT and audit consulting firm headquartered in California. Protiviti’s 2012 Sarbanes-Oxley Compliance Survey takes a systematic look at the many SOX compliance issues affecting companies and concludes that automation may be the “final frontier” for long-term savings in the cost of SOX-compliant processes and controls.
Of course, compliance and audits go hand in hand. Nobody enjoys audits but any large enterprise knows they’re necessary. Audits give you a handle on an IT system’s reliability of information and quality of internal controls, so audits are essential for good management.
To the IT team, however, audits can be burdens. They can take time and staff away from normal work, though it can be hard to show “real” returns on audit-support expenditures. For IT, an ideal audit is quickly completed, generates no exceptions and diverts few resources.
A clean audit does prove that your controls work and your documentation is complete, and both are important to any stakeholder. Reducing audit support costs is therefore the challenge.
The more automated your change process is, the more complete your documentation and the less time it will take to satisfy auditors. Automation makes you more audit-ready, and that lowers operating costs. Audit-ready documentation returns value that is very easy to show, using a baseline of your pre-automation audit support costs.
Protiviti’s survey makes a key point that, while SOX compliance can be burdensome to new filers, organizations in the long term usually conclude that the benefits outweigh the costs. Compliance sharpens internal controls, which increases process efficiencies.
Automation is a good way to lower costs and improve a company’s competitive position. The key is to automate your controls while keeping the process flexible. Aim not only for IT change process automation but for better risk management as well.
To evaluate candidate compliance tools, use automation and flexibility as key criteria. You’ll need a good basic understanding of how audits work and what data an audit team will need your team to have on hand. Look for a tool that will help your team deliver additional data quickly if the auditors need it, rather than go on expensive data hunts.
With the right tool, you’ll see better system governance and policy enforcement will benefit your IT team, not be a burden. The business side will see faster responses, making them more nimble when market conditions change. They’ll have more confidence in your team’s IT support.
These are all outcomes the business side will appreciate.