An automated audit for IT resources

analysis
Jun 25, 2004
3 mins

Business process management connects the dots between regulatory compliance and IT

As we all know, government works in its own inimitable way. When it comes to compliance with regulations such as Sarbanes-Oxley, Uncle Sam doesn’t much care what processes you use, so long as you say what you do and do what you say — and prove it.

Therefore, you must have a process in place for approving financials and collecting records. Then you must demonstrate that you follow that process in a second, procedural audit above and beyond the usual financial audit.

In other words, “Prove to us that you are doing business in the way you say you do business.”

This is easy enough to do if you’re a business manager using ERP applications. You’ll know how old your inventory is, how many help-desk calls were processed, and — using higher-level metrics — how effective your support team is. On the other hand, despite the fact that IT is about 6 percent of total spending in manufacturing industries and as high as 10 percent in financial companies, a CIO will be hard-pressed to answer similar business questions about IT.

What’s on a particular server? Who or what group does it serve and at what cost? When a router goes down and a tech is dispatched to fix it, how long is it down and what does it cost to fix it?

The second audit — the one certifying that the processes that produced a company’s financials function properly — relies on information about that broken router. Unfortunately, CIOs don’t have the same kind of ERP tools at their disposal as business managers do.

What can bridge the gap between these two seemingly incommensurate practices? According to Chuck Ames, CEO of Oak Grove Systems, a spin-off of NASA’s Jet Propulsion Laboratory, BPM offers the solution. BPM systems create, execute, and monitor workflows and generate an audit trail. Although BPM wasn’t created with the latest crop of government regulations in mind, it appears to be the right tool for the job.

AOL first used Oak Grove’s BPM software package, Reactor, for broadband provisioning of its dial-up customers. The application models the process and then monitors its execution for compliance with the model.

For example, in switching a dial-up customer to broadband, an AOL account representative must change account records, adjust billing amounts and attributes, make a call to a service tech, and confirm the appointment.

Then the lightbulb went on at AOL. This same BPM tool could be used for Sarbanes-Oxley compliance, rather than buying a Sarbanes-Oxley application per se.

Going back to the example of the failed router, BPM checks to make sure that a tech was dispatched, that the router was fixed, and whether or not the tech filed the after-action review. Records of each of these steps in the process are exactly what that procedural audit requires to prove regulatory compliance.
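To make the router example concrete, here is an added illustration (not code from Oak Grove's Reactor, ITM Software, or AOL) of what "model the process, then monitor its execution against the model" amounts to. The process model is an ordered list of required steps, the audit trail is a list of timestamped events, and the checker reports, per incident, which steps are missing, which were recorded out of order, how long the router was down, and an estimated repair cost. The step names, the three incidents and the $85/hour tech rate are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Process model: the ordered steps every router-repair case must record.
# Step names are invented for this example.
ROUTER_REPAIR_MODEL = [
    "outage_detected",
    "tech_dispatched",
    "router_repaired",
    "after_action_review_filed",
]

# Assumed cost of a field tech's time; illustrates the "what does it cost
# to fix it" question and is not a figure from the column.
TECH_HOURLY_RATE_USD = 85.0


@dataclass(frozen=True)
class AuditEvent:
    """One audit-trail record: which step of which case, by whom, and when."""
    case_id: str
    step: str
    actor: str
    timestamp: datetime


@dataclass
class CaseReport:
    case_id: str
    compliant: bool
    missing_steps: List[str]
    out_of_order_steps: List[str]
    downtime: Optional[timedelta]
    repair_cost_usd: Optional[float]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed audit trail covering three router incidents.
AUDIT_TRAIL: List[AuditEvent] = [
    # INC-1001: every step present, in order.
    AuditEvent("INC-1001", "outage_detected", "monitor", _ts("2004-06-01T09:00")),
    AuditEvent("INC-1001", "tech_dispatched", "dispatcher", _ts("2004-06-01T09:10")),
    AuditEvent("INC-1001", "router_repaired", "tech-07", _ts("2004-06-01T10:40")),
    AuditEvent("INC-1001", "after_action_review_filed", "tech-07", _ts("2004-06-01T11:30")),
    # INC-1002: repaired, but the after-action review was never filed.
    AuditEvent("INC-1002", "outage_detected", "monitor", _ts("2004-06-02T13:00")),
    AuditEvent("INC-1002", "tech_dispatched", "dispatcher", _ts("2004-06-02T13:05")),
    AuditEvent("INC-1002", "router_repaired", "tech-03", _ts("2004-06-02T14:00")),
    # INC-1003: the repair was logged before the dispatch, so the record
    # does not match the model even though every step appears.
    AuditEvent("INC-1003", "outage_detected", "monitor", _ts("2004-06-03T08:00")),
    AuditEvent("INC-1003", "router_repaired", "tech-11", _ts("2004-06-03T08:30")),
    AuditEvent("INC-1003", "tech_dispatched", "dispatcher", _ts("2004-06-03T08:45")),
    AuditEvent("INC-1003", "after_action_review_filed", "tech-11", _ts("2004-06-03T09:00")),
]


def check_case(case_id: str, events: List[AuditEvent],
               model: List[str] = ROUTER_REPAIR_MODEL) -> CaseReport:
    """Compare one case's recorded steps against the process model."""
    case_events = sorted((e for e in events if e.case_id == case_id),
                         key=lambda e: e.timestamp)
    observed = [e.step for e in case_events]
    missing = [step for step in model if step not in observed]

    # A step is out of order if it was recorded after a step that the
    # model places later in the process.
    out_of_order: List[str] = []
    furthest = -1
    for step in observed:
        if step not in model:
            continue  # unknown steps are ignored, not counted as evidence
        pos = model.index(step)
        if pos < furthest:
            out_of_order.append(step)
        furthest = max(furthest, pos)

    when = {e.step: e.timestamp for e in case_events}
    downtime = cost = None
    if "outage_detected" in when and "router_repaired" in when:
        downtime = when["router_repaired"] - when["outage_detected"]
    if ("tech_dispatched" in when and "router_repaired" in when
            and when["tech_dispatched"] <= when["router_repaired"]):
        tech_hours = (when["router_repaired"] - when["tech_dispatched"]).total_seconds() / 3600
        cost = round(tech_hours * TECH_HOURLY_RATE_USD, 2)

    return CaseReport(case_id, not missing and not out_of_order,
                      missing, out_of_order, downtime, cost)


def audit(events: List[AuditEvent],
          model: List[str] = ROUTER_REPAIR_MODEL) -> Dict[str, CaseReport]:
    """Produce the per-case evidence a procedural audit would ask for."""
    return {cid: check_case(cid, events, model)
            for cid in sorted({e.case_id for e in events})}


if __name__ == "__main__":
    for r in audit(AUDIT_TRAIL).values():
        status = "OK" if r.compliant else "NON-COMPLIANT"
        print(f"{r.case_id}: {status} missing={r.missing_steps} "
              f"out_of_order={r.out_of_order_steps} downtime={r.downtime} "
              f"repair_cost=${r.repair_cost_usd}")
```

The point of the check is that the audit trail, not the tech's recollection, is the evidence: INC-1002 fails because a required record is absent, and INC-1003 fails even though every record exists, because their order contradicts the model. Either finding is what the procedural audit surfaces and what a real BPM engine would flag while the workflow is still executing.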

But we still haven’t connected all the dots. For that, you need a company such as ITM Software, which licenses Reactor from Oak Grove and uses it to create workflow models designed specifically for auditing IT. The result is that IT managers can use BPM to track the same kind of information that business managers get from ERP.

There, I’ve connected the dots between IT and Sarbanes-Oxley. Go forth and comply.