How to Overcome Resistance to Audits
Many CIOs and their IT organisations shy away from audits because they think they'll be scapegoated if the audit reveals problems or lack of ROI. That's why Michael Barilla, vice president for business information services of Greif, a $US1.6 billion manufacturer of industrial and paper packaging, frequently reminds himself and his IT staff that systems implementations and software deployments are not IT projects, but business projects. So if a project fails, he says, "it's going to fail as a team", and everyone - not just IT - will be accountable.
Gartner's Gomolski concurs. If an audit exposes a shortcoming, she says, that problem shouldn't only reflect on IT, especially if the project was jointly sponsored by the business, IT and finance. "Exposing problems can be a double-edged sword," says Gomolski. "But it's better to be proactive. If you haven't achieved the value you thought you would, figure out what you can do to change that."
Another common concern about PIAs shared by CIOs, IT employees and even businesspeople is that they suck up too much time and require too much toil. But companies that perform PIAs say they shouldn't - and don't - take a lot of time to execute. Honeywell Aerospace aims to spend no more than seven to 10 days conducting an audit, and Sun Life Financial tries to complete PIAs within two weeks.
Furthermore, CIOs who conduct PIAs say the time and resources audits use get recouped on subsequent project implementations. Resistance to audits also often stems from a desire to be rid of a project once the deployment is complete and to move on to the next challenge. The trick is to make it easy for workers to conduct and provide feedback for PIAs. For example, when Sun Life Financial's IT project office needs to solicit feedback on a system from business users, it asks them to fill out an electronic survey, on their own time, that takes no more than 20 minutes to complete. The response rate for those surveys is usually better than 50 per cent and is sometimes close to 100 per cent, says Ed Esposito, director of the project office.
Because Honeywell Aerospace's IT organisation for its Aviation Aftermarket Services unit also has trouble re-engaging business users in a project during an audit, the IT organisation leverages its staffers who have completed training in Six Sigma, a process improvement methodology. Those with Six Sigma training, who are experts in business processes, provide the IT department with the feedback it needs to determine whether a system has streamlined workflows.
Engage the Right People
Who should perform PIAs is a matter of great debate. The most common groups of workers include one or more of the following:
- Members of the project implementation team from IT
- Members of the project implementation team from both IT and the business
- Representatives from a company's internal audit department
At Sun Life Financial, IT's project office leads the PIA process on its own IT and non-IT projects. But it does so in conjunction with the finance department and the company's internal audit department. IT projects are audited from the beginning and on an ongoing basis, rather than at the end of an implementation, which ensures that IT follows sound project methodologies, meets user requirements, stays on budget and implements proper security controls.
Sun Life Financial's approach comes closest to being the best, according to PIA experts. Don Christian, a partner with PricewaterhouseCoopers (PwC), says the PIA team should consist of a businessperson and an IT person who were involved with the implementation, and that it should be led by someone independent, such as an internal auditor who was not part of the project team. Christian says it's better to have a group of people from different functions participate, rather than just an IT team or just internal audit, because they all provide valuable input. The advantage of having members of the IT project team involved is that they're intimately familiar with the benefits, deliverables and requirements of the project. And because they know the project so well, it is easier for them to fully evaluate a project. Having a businessperson on the audit team is important because she can more easily determine if an external factor rather than a systems failure is causing a system to not generate expected value. And an independent auditor is important because he's not afraid to ask tough questions and will prevent the members of the project team who are involved in the audit from softening any findings.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.