That wasn’t the only move that was questionable…
I didn’t have anything to do with the GRC project; I was there performing an audit. But I saw many auditors scream and slither as if they were slugs bathed in salt.
It was painful to watch. I suffered too.
The app, which was not created with audit workpapers in mind, was hard to master and use. So the audit group spent a lot of money to customize the app so that it “works” for workpapers.
I’m sure some systems that do GRC do workpapers just fine, but I haven’t seen one yet. I haven’t seen all the major GRC packages, but the ones I have used make auditors wish they were still working with paper (if you missed the pun, you better back up).
Management said they picked this package because they expect the GRC features to be used across the organization eventually. (In the meantime, let’s torture as many auditors as we can.)
I am so weary of audit departments not eating their own dog food. In other words, auditors insist everyone else follow good project management practices, ensure proper controls are implemented, and keep processes efficient and timely, and yet they fail to follow those same requirements for their own projects. And they never write up audit issues about their own failures!
Here are a few of the doggy treats this audit department refused to swallow:
- Determining what the project requirements are before selecting a product.
One auditor told me that early in the project, she asked whether the selected application could search for words and phrases across all audits, workpapers, attachments, issues, and other data. Audit management told her it was “too early in the process for determining requirements, after all, we’re still in the contract negotiation stage.”
Since when do you negotiate prices before determining whether the system will do the tasks for which it is purchased?
(In all fairness, while the app wasn’t purchased primarily for doing workpapers, that is one of its most frequent and time-consuming uses.)
- Doing a security review of the product, vendor, and hosting environment prior to purchasing the product.
The security review was performed while the product was being installed and configured (in other words, after some money was already committed). Halfway through the process the configuration was halted due to security findings. After the vendor resolved the issue, configuration resumed, but most of the vendor’s key people had moved on to different projects, which severely delayed the final configuration. As a result, the audit department had to reschedule some of their audits, as did the internal IT people helping with the project. Several months were wasted.
- Ensuring that all appropriate key personnel were involved in the project.
No RITA (real IT auditor) was invited to join the audit team that worked on the implementation. As a result, several items that a RITA would have identified right away were not noted until later, which made the fixes more costly. Go figure.
- Ensuring that data was protected in transit.
Since this is a cloud solution, various types of data are transmitted between the company’s audit group and the cloud solution during different processes. No one checked whether all the data transmissions were encrypted (where’s RITA when ya need her?). Whether they turned out to be encrypted or not, the point is that they did NOT check.
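The check the post says nobody performed can be done from evidence the company already holds: its own egress-proxy logs. The following is an added example, not code from the post or from any GRC vendor; the log format, the client addresses and the vendor domain `grc-vendor.example` are all constructed for illustration. It parses a handful of proxy lines and lists every transfer to the vendor’s hosts that went over plain HTTP rather than HTTPS or a CONNECT tunnel, then summarizes encrypted versus cleartext vendor flows so the answer to “did we check?” is a number rather than a shrug.

```python
"""Flag cleartext transfers to a cloud GRC vendor in egress-proxy logs (added example)."""
import re
from urllib.parse import urlsplit

# Constructed sample proxy lines; assumed format: "<timestamp> <client> <method> <target> <status>".
SAMPLE_LOG = """\
2024-01-01T09:00:01Z 10.20.1.15 CONNECT grc-vendor.example:443 200
2024-01-01T09:00:05Z 10.20.1.15 GET http://grc-vendor.example/api/attachments/upload 200
2024-01-01T09:01:10Z 10.20.1.22 CONNECT grc-vendor.example:443 200
2024-01-01T09:02:33Z 10.20.1.22 GET http://cdn.grc-vendor.example/widgets.js 200
2024-01-01T09:03:00Z 10.20.1.31 CONNECT sso.corp.example:443 200
2024-01-01T09:04:12Z 10.20.1.31 GET http://grc-vendor.example:8080/export/report.csv 200
2024-01-01T09:05:00Z 10.20.1.15 POST https://grc-vendor.example/api/workpapers 201
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Return (client, method, host, path, encrypted) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    method, target = m["method"], m["target"]
    if method == "CONNECT":
        # CONNECT opens an opaque tunnel (normally TLS); the proxy only sees host:port.
        # Treated as encrypted here; a stricter policy would confirm with TLS inspection.
        host = target.rsplit(":", 1)[0]
        return (m["client"], method, host, "", True)
    parts = urlsplit(target)
    return (m["client"], method, parts.hostname or "", parts.path, parts.scheme == "https")


def _is_vendor_host(host, vendor_suffix):
    return host == vendor_suffix or host.endswith("." + vendor_suffix)


def find_cleartext_flows(log_text, vendor_suffix):
    """List (client, method, host, path) for plain-HTTP requests to hosts under vendor_suffix."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, method, host, path, encrypted = rec
        if not encrypted and _is_vendor_host(host, vendor_suffix):
            findings.append((client, method, host, path))
    return findings


def coverage_summary(log_text, vendor_suffix):
    """Count encrypted versus cleartext vendor flows so the result of the check is explicit."""
    counts = {"encrypted": 0, "cleartext": 0}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, _, host, _, encrypted = rec
        if _is_vendor_host(host, vendor_suffix):
            counts["encrypted" if encrypted else "cleartext"] += 1
    return counts


if __name__ == "__main__":
    for finding in find_cleartext_flows(SAMPLE_LOG, "grc-vendor.example"):
        print("CLEARTEXT:", *finding)
    print(coverage_summary(SAMPLE_LOG, "grc-vendor.example"))
```

On the constructed sample this reports three cleartext transfers (an attachment upload, a script fetched from the vendor’s CDN, and a CSV export on a non-standard port), which is exactly the kind of workpaper evidence a RITA would have asked for before sign-off. Replace `SAMPLE_LOG` with real proxy output and the vendor suffix with the actual hosting domain to run it against your own environment.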
- Selecting a product that makes 1 thing better for some staff, but 10 things worse for most of the staff.
Like too many GRC products, this one isn’t workpaper friendly. One auditor told me that creating workpapers in this product is like drinking Earl Grey tea in a biker bar: you are likely to get hurt, even before you enjoy one sip of tea. Instead of being able to type in your narrative and embed attachments, you type all your data in separate little boxes which scroll poorly and provide no spell check. Then, at a different level of the program, you add attachments.
So what is this app good at? Reporting! Since you have to enter items like audit year, audit name, control objective number, control objective name, workpaper number, workpaper name, test steps, etc., in separate boxes, the app is great at creating boxy reports which management loves.
So make things easy for management to report at the end of an audit, the end of a month, the end of a quarter, and the end of the year, but make the poor auditor struggle with those stupid boxes EVERY DAY.
Evidently, many of the auditors on the implementation team felt this was not the right package, but they were too afraid to question audit management.
These are the same auditors who call company management to task on occasion. I guess the difference is that when you challenge company management, you have audit management watching your back. When you challenge audit management, who will watch your back? No one, so you watch your own back, I guess…
This reminds me of another post I wrote a while back, entitled Who Audits the Auditors?
What dog food does your audit team (or a “friend’s”) need to eat?
What system do you use to create workpapers, and how do you like it?