Change Management in the Sarbanes Crosshairs
Today, all that is, well, changing. Sarbanes Oxley (SOX) section 404 requires any processes that could effect the company's bottom line be auditable. For IT managers, this means ad-hoc or informal change management procedures are no longer good enough. And what this means is who did what, to what systems, where and when needs to be tracked and documented.
To meet these challenges and relieve the pressure of audits, IT departments are being encouraged to implement enterprise-wide change management policies, said Kurt Milne, BMC Software's senior manager of Strategic Marketing.
"The audit community is shifting from auditing the results or outcome of the process to actually auditing the process as a more reliable approach" to SOX compliance, he said. "And that is not a shift everyone has gotten."
Instead of one department or division handling things one way and another division handling things another, CIOs are best advised to implement one, end-to-end (and often automated) change management system so that auditors need only review one set of policies when deciding if you are in compliance (or if they need to dig deeper into your documentation to see what's going on).
But this is (as anyone who has ever tried to get a large group of people to do anything the same way knows) not so easy.
Only recently have software vendors begun to roll out modules that fill in the gaps between your ticketing system, provisioning software, application management and testing software, and any other systems that touch your business-critical software stack.
Ticketing systems, for example, often fall short of following up on whether or not a ticket was retired, who did the work, and what changes were made, said Chris Pick, vice president of Corporate Strategy at Net IQ, an IT service management vendor.
"What (change management solutions) have failed to do and what Sarbanes has picked up on ... ," said Pick, "that when changes to a production environment happen, that they are approved, authorized, and audited. And the current change management solutions around the trouble ticketing, around the service desk, just fall short of that."
For many companies that have already instituted best practices in this area, the effect of SOX may not be all that troubling. But, usually, that is the minority. For most CIOs and IT department mangers, SOX is causing a scramble just to keep up, as Pink Elephant's Spalding recently found out on a consulting trip to a client.
When Spalding asked to see their change management policies and procedures they asked him if he wanted to see the real ones or the ones they had prepared for their auditors.
"They had created a change management process in response to the auditors about to walk in the door so that they would get all the signatures ...," said Spalding. "Because the audit was going to happen in a few weeks, they didn't have time to completely adjust their existing change management process so what they did is they wrapped it in a 'SOX Okay' envelope with signatures and controls."
This, according to Spalding, was simply a short-term fix so that the IT department could get through a year-one audit they were not prepared for; not a dodge to avoid compliance.
Unfortunately, many IT managers find themselves faced with a similar challenge because auditors are often calling for the same level of documentation for a minor change as a major one.
All the news is not bleak, however. For many companies, homogenizing policies and procedures across the enterprise is a Holy Grail often just out of reach. But now that "what was best-practice is now the law," as BMC's Milne puts it, IT has the muscle to force needed changes across divisional boundaries and individual fiefdoms.
So, what was once best-practice, should, over the next few years, become the norm and, in the end, should net some real benefits for organizations big and small.
"The leaders are already doing this and they've demonstrated superior cost performance," Milne said. "And the rest of use are going to have to do it whether we want to or not. And we're going to find out that after we take the medicine we're going to feel better."