Leveraging Enterprise #PPM Systems to Survive the Compliance Audit
Posted by Dan De Grazia on Thu, Dec 01, 2011 @ 06:08 PM
Almost all organizations run IT projects that fall under a governance or audit framework or a regulatory imperative such as Sarbanes-Oxley (SOX), COBIT, OSHA and HIPAA. Recently, several of our clients and prospects have taken an interest in using a PPM system (in this case Instantis EnterpriseTrack) to ensure that their project management processes are in compliance and will pass regulatory and other types of audits. They can also use the system, of course, to manage the projects that bring processes or products into compliance.
Here are some key capabilities that PPM systems can bring to bear in efforts to manage compliance and audit requirements.
1. Secure Document Management. Companies that deploy a PPM system such as EnterpriseTrack are typically migrating from unsecured document directory structures to access-controlled, auditable document management. This single step satisfies a control that many audit types share, because it protects both "raw" data such as customer and financial information and the project files whose history and access must be demonstrable to an auditor. Note that the control is only as good as its configuration: the permissions and retention settings on the repository are themselves evidence the auditor will ask for.
2. Process Repeatability and Traceability. PPM systems ensure that projects are executed using repeatable, enforceable and traceable steps or roadmaps that are defined and stored centrally as controlled templates, rather than as Microsoft Project plans or Excel spreadsheets scattered in an unsecured fashion across desktops, laptops and server directories.
3. Financial Validation. EnterpriseTrack supports secure financial tracking, which matters most when the figures are materially significant in the SOX sense, with an option for both automatic snapshots (the auditors' favorite, since they cannot be timed or edited by the project owner) and manual snapshots to establish the validity of reported numbers. While many projects do not by themselves have material significance, taken as a whole an enterprise portfolio of projects can represent millions of dollars in cost savings (e.g. Lean Six Sigma, CapEx and IT infrastructure project portfolios).
4. Compliance "Program" Management. Audits of all types (OSHA, HIPAA, SOX, COBIT, etc.) are executed as large projects, usually made up of several smaller "projects" that represent sub-audits of an overall audit plan. Here, PPM systems let you use program management constructs, which in turn allow you to manage and report on a set of related, and potentially interdependent, projects. Using your secure enterprise PPM system to manage your internal audits sends a strong signal to your external auditors that you take the process seriously.
5. Audit Trails/Logs. Auditors want to know, for example, whether the tape backup audit is complete; how the security access badge control software is performing; and whether there are any findings from such processes so far (material or otherwise). All of this needs to be tracked, and the audit team needs to be able to identify easily which items are critical and what their status is (e.g. fixed, late, etc.). This is out-of-the-box functionality for PPM systems like EnterpriseTrack. The system also provides access control over project, program and process data that is very granular (which is important to auditors) and easily defined (which is important to user adoption). Granular access control is what makes the trail trustworthy: an audit log that every user can edit is not evidence.
6. Audit Reporting. Reporting is critical for managing the audit process and for summarizing and sharing key findings with stakeholders. For example, EnterpriseTrack can generate progress and "finding" alerts during the audit and share them by email and on dashboards and reports. Post-audit, the user can generate a presentation using our PowerPoint Storyboard reporting capability. This allows the auditor to present the audit process, the evidentiary documents and other audit-critical data using a secure, consistent and automated system, and it can be used to go beyond communicating findings to recommending best practices and process improvements.
7. PPM System and Data Center Operations Compliance. The system used to plan and execute the audit itself must be secure and auditable, whether it is deployed on customer premises or in the cloud. If the system of record is deployed in the cloud (e.g., the EnterpriseTrack SaaS option), this has implications for the security claims and procedures of both the project portfolio being audited and the audit projects themselves. The EnterpriseTrack cloud-based data center, for example, has been the subject of numerous audits and can provide the Statement on Auditing Standards No. 70 (SAS 70) documentation that large global enterprises and third-party audit teams require. Those results can be presented as evidence for the data center controls that the hosted system relies on. Two caveats a practitioner should keep in mind: SAS 70 was superseded by SSAE 16 (the SOC 1 report) for reporting periods ending on or after June 15, 2011, so ask which standard a current report follows; and a SAS 70 / SOC 1 report covers controls relevant to financial reporting and carries "complementary user entity controls", meaning the customer remains responsible for its own user provisioning, role assignment and access reviews within the application. Even so, this takes the bulk of the data center portion of the audit response off your internal IT staff compared to an on-premise deployment. Let's face it, the physical and electronic security of cloud hosting is still a concern, and a third-party audit report is the most direct way to answer it.
In general, PPM systems are underutilized for compliance and audit management. As awareness of their business value in this arena grows and success stories accumulate, we expect this to change. Companies that adopt the technology early get back to generating business results instead of documenting them, which is critical to keeping staffing lean while you try to expand your business.