Are You Audit Ready?


Authors: Ki James and John Boyer


When you first read the title of this article, you probably shuddered and immediately thought of your financial audit. Those may be scary, but what about compliance audits?


Are you prepared for a review of your organization’s adherence to contract and regulatory requirements?


A compliance audit reviews your internal controls, security policies, user access controls, and risk management. The chances are high that you have some kind of policies in place, but a compliance audit related to (for instance) the Health Insurance Portability and Accountability Act (HIPAA) will validate that your organization has consistently enforced policies and controls, not just that they’re on the books.


The exact nature of a compliance audit depends on its type, but it often consists of demonstrating that access to records is secure, and that data in your analytics and reporting environment is restricted to necessary personnel.


The Problem


Providing good and valid proof of adherence can be a huge pain. For demonstrative purposes, let’s focus on one specific example. 


Every production environment ought to have a digital paper trail. It should start with ideation, continue down through testing and bug fixing, find its way past resolution, and end at the approval of the final, completed product.


That last step – the final approval – is a favorite of auditors to pick on. They might ask, “can you show me how you confirm that all reports in the production environment have adhered to your documented process?” 


You’d then have to provide a list of every migrated report.


Why this is important


Providing auditors with the necessary and sufficient information can be daunting, particularly when it’s a manual process – even more so if you haven’t planned for the occasion.


It is important not only to establish and follow your policies, but also to keep mechanisms in place to validate and prove adherence to your own standards.


Minimally, you need to be prepared to provide an auditable record of who accessed what, what changes were made to the environment, all reports people made, who made the reports, and how every asset in the production environment passed through developer and QA hands appropriately. 


The Strategies


Being “ready” for an audit can take multiple forms, some of which are higher effort and more likely to keep you out of trouble than others. Here’s a ranking of some (but not all) of them, from worst to best.


Chaos and Mayhem

Everything Everywhere All At Once

Image Credit: https://www.reddit.com/r/MovieDetails/comments/vflvzk/in_everything_everywhere_all_at_once_2022_at/


It’s possible that you, dear unfortunate reader, have come through this article to the realization that you are woefully unprepared to prove, to the satisfaction of an auditor, that you don’t commit dire HIPAA violations.


If this is the case, it may be too late depending on how long your haphazard status quo has reigned. You may find yourself in the unfortunate position of scrambling to find any scraps of information you can.


This is a tried and true method that’s been proven throughout the annals of time to have disastrous results. 


If you plan to take your chances and shoot for this strategy, simply do not. Your future self will thank you. 


Blood, Sweat, and Tears


Traditionally, businesses have kept meticulous records of everything that happens through grit and labor. In some folder in their system, there are handwritten (or hand typed) spreadsheets and documents detailing everything that an auditor might need to know.


If you’re trying to dig yourself out of the Chaos and Mayhem strategy, this may be your best bet for getting started. Rather than waiting to scramble and find all the key information under the terrible gaze of an auditor, digging up everything you have and compiling it into an at least semi-acceptable record can be done manually while you still have time.


Whether this strategy is your day-to-day norm or the way you plan on breaking out of bad habits, we recommend the following plan, which you should start as soon as you possibly can.


Version Control Software


Having holistic version control across all parts of your business, not just the repos where it comes prepackaged, makes this entire process essentially handle itself. As users make changes to anything, it automatically and silently records who is making the change, at what time, what procedures were followed, the whole nine yards.


When the auditors come knocking on your door and want to know what happened, you can just refer to your internal version history. You won’t need to scramble to find proof, you won’t need to waste hours in a spreadsheet recording information – the software does the job for you. You can just focus where it matters most. 


Version control software has some other big benefits too; namely, the ability to roll back to previous versions. This can be a huge quality of life feature, particularly for programs that otherwise didn’t have this functionality.


Having the ability to comprehensively and accurately roll back to precise versions also gives you a security blanket against things like ransomware, where wiping your machines might be a necessity to start running the business again. Rather than losing all your records or even the project itself, you can simply consult the version control, pick the most recent option, and bada boom, you’re back in business. That safety net only holds if the version store itself is kept separate from the machines being wiped, so it cannot be encrypted along with them.
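As an added illustration (not the authors’ code, nor any particular product’s), here is a minimal tamper-evident lifecycle log of the kind described above, together with the check behind the auditor’s “show me every migrated report” question: each production asset must have passed developer, QA and approval stages, and the developer must not have signed off their own QA. Asset names, actors and dates are constructed.

```python
import hashlib, json

REQUIRED_STAGES = ("developed", "qa_passed", "approved", "migrated")

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_event(log, actor, asset, stage, ts):
    """Record who did what to which asset and when, chained to the previous entry."""
    prev = log[-1]["hash"] if log else "0" * 64
    ev = {"actor": actor, "asset": asset, "stage": stage, "ts": ts, "prev": prev}
    ev["hash"] = _digest(ev)  # covers prev, so a later edit or deletion breaks the chain
    log.append(ev)

def verify_chain(log):  # True only if every entry still hashes and links to its predecessor
    prev = "0" * 64
    for ev in log:
        body = {k: v for k, v in ev.items() if k != "hash"}
        if ev["prev"] != prev or _digest(body) != ev["hash"]:
            return False
        prev = ev["hash"]
    return True

def audit_report(log):
    """Per asset that reached production: missing stages and developer-signed-off QA."""
    findings = {}
    for asset in sorted({ev["asset"] for ev in log}):
        events = [e for e in log if e["asset"] == asset]
        stages = {e["stage"] for e in events}
        if "migrated" not in stages:
            continue  # never reached production, so outside the auditor's question
        missing = [s for s in REQUIRED_STAGES if s not in stages]
        devs = {e["actor"] for e in events if e["stage"] == "developed"}
        sod_violation = any(e["actor"] in devs for e in events if e["stage"] == "qa_passed")
        findings[asset] = {"missing": missing, "sod_violation": sod_violation}
    return findings

SAMPLE = [("alice", "claims_summary", "developed", "2024-03-01"),  # constructed sample data
          ("bob", "claims_summary", "qa_passed", "2024-03-03"),
          ("carol", "claims_summary", "approved", "2024-03-04"),
          ("ops", "claims_summary", "migrated", "2024-03-05"),
          ("alice", "phi_extract", "developed", "2024-03-02"),
          ("alice", "phi_extract", "qa_passed", "2024-03-02"),  # developer tested own work
          ("ops", "phi_extract", "migrated", "2024-03-06")]  # no approval recorded

def build_log(rows=SAMPLE):
    log = []
    for row in rows:
        append_event(log, *row)
    return log
```

Running `audit_report(build_log())` lists every migrated asset with its gaps, and `verify_chain` fails if any entry is altered or removed after the fact, which is what makes the record usable as proof rather than just a spreadsheet.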


Conclusion


Audits don’t have to be terrifying specters looming over your business, waiting to crush whatever momentum you have. If you take proper precautions and acquire good version control software, then the stress of an audit and the slog of record keeping can both disappear, like tears in rain. 


As the BI space evolves, organizations must take into account the bottom line of amassing analytics assets.
The more assets you have, the greater the cost to your business. There are the hard costs of keeping redundant assets, i.e., cloud or server capacity. Accumulating multiple versions of the same visualization not only takes up space, but BI vendors are moving to capacity pricing. Companies now pay more if they have more dashboards, apps, and reports. Earlier, we spoke about dependencies. Keeping redundant assets increases the number of dependencies and therefore the complexity. This comes with a price tag.
The implications of asset failures differ, and the business’s repercussions can be minimal or drastic.
Different industries have distinct regulatory requirements to meet. The impact may be minimal if a report for an end-of-year close that the sales or marketing department uses has a mislabeled column. On the other hand, if a healthcare or financial report does not meet the needs of a HIPAA or SOX compliance report, the company and its C-level suite may face severe penalties and reputational damage. Another example is a report that is shared externally. During an update of the report specs, the row-level security was incorrectly applied, which caused people to have access to personal information.
The complexity of assets influences their likelihood of encountering issues.
The last thing a business wants is for a report or app to fail at a crucial moment. If you know the report is complex and has a lot of dependencies, then the probability of failure caused by IT changes is high. That means a change request should be taken into account. Dependency graphs become important. If it is a straightforward sales report that lists notes by salesperson and account, any changes made do not have the same impact on the report, even if it fails. BI operations should treat these reports differently during change.
Not all reports and dashboards fail the same; some reports may lag, definitions might change, or data accuracy and relevance could wane. Understanding these variations aids in better risk anticipation.

Marketing uses several reports for its campaigns – standard analytic assets often delivered through marketing tools. Finance has very complex reports converted from Excel to BI tools while incorporating different consolidation rules. The marketing reports have a different failure mode than the financial reports. They, therefore, need to be managed differently.

It’s time for the company’s monthly business review. The marketing department proceeds to report on leads acquired per salesperson. Unfortunately, half the team has left the organization, and the data fails to load accurately. While this is an inconvenience for the marketing group, it isn’t detrimental to the business. However, a failure in financial reporting for a human resource consulting firm with thousands of contractors, containing critical and complex calculations about sickness, fees, hours, etc., has major implications and needs to be managed differently.

Acknowledging that assets transition through distinct phases allows for effective management decisions at each stage. As new visualizations are released, the information leads to broad use and adoption.
Think back to the start of the pandemic. COVID dashboards were quickly put together and released to the business, showing pertinent information: how the virus spreads, the demographics affected, risks to the business, etc. At the time, it was relevant and served its purpose. As we moved past the pandemic, COVID-specific information became obsolete, and its reporting was integrated into regular HR reporting.
Reports and dashboards are crafted to deliver valuable insights for stakeholders. Over time, though, the worth of assets changes.
When a company opens its first store in a certain area, there are many elements it needs to understand – other stores in the area, traffic patterns, pricing of products, what products to sell, etc. Once the store is operational for some time, specifics are not as important, and it can adopt the standard reporting. The tailor-made analytic assets become irrelevant and no longer add value to the store manager.