I’ve worked in the compliance and risk field for almost 15 years. Every company I’ve worked for and with has had policies; all of them also had and made exceptions to their procedures and guidelines. The way the policies were written, stored and communicated tends to be similar across organizations. However, the way exceptions are managed is less consistent. Depending on the company’s size and maturity, exceptions might be granted during simple a hallway conversation; or in a more formal method, as a multi-level risk analysis and approval workflow using a technology.
Once the pieces of a management software are in place, your audit world can become everything you ever wanted it to be—challenges will be met and conquered. The right software will not only help your workflow, it can enhance your entire process to do things your way.
This is my “sometimes the best lessons to learn are the hard ones” offering. I wish I could say that everything I am I owe to the tireless work ethic I’ve fostered since day one on the job. I cannot. In fact, there were stretches in the early part of my career where the best adjective I can muster up to describe them is wayward. The real value of this lesson for me is in another I’ve learned:
It’s never too late.
As someone who has worked with auditors for over a decade implementing software to help streamline their audits, I can undoubtedly say that the auditor stereotypes are mostly untrue. First off, I’ve met several auditors that I would consider “glass half-full” people; the kind that would be more likely to say, “What would we do if Karen won the lottery and quit?!” rather than “What would we do if Karen got hit by a bus?!”
Let’s consider everything auditors do. Their best work might be getting organizations to simply follow the rules—when they get groups to comply with rules and regulations, I think that’s a super feat in and of itself. But there is far more to being an auditor than just following the rules, and that’s where the superhero thing comes into play.
I am what you might call a late bloomer. It took a while, but I finally feel like I’m coming into my own with this whole “being a professional” thing. I share this because in my early days as an internal auditor I didn’t really grasp the concept of why we were doing what we did, let alone how we were helping drive a risk-focused culture in our organization.
To some, the constant barrage of “why” questions from their kids is irritating, but to me it was my very favorite thing about having those youngsters in my house. The concept of “why” is rooted in learning. When you ask this question, you are seeking to gain knowledge, perspective, understanding—you simply want to figure it out.
Onspring recently conducted a survey, reaching out to audit professionals to find out about future trends in the internal audit field. Putting together tangible questions that deliver concrete results on current practices in internal audit and risks that may impact the field in the future was our target, and that was accomplished.
A lot of times when we start showing a client our out-of-the-box audit solution, we’ll be told, “Oh, that’s pretty close to what we already do.” We’ll have to tweak a couple of fields, but what Onspring starts with initially is usually all that a lot of clients will need. We take a lot of pride in the fact that we’ve added and shaped our audit solution to meet most of the needs presented to us by customers.
Much like my fishing trip, you should begin defining your requirements and planning early on, maybe even wade around in research materials for a few months before beginning the purchasing process itself. It is of paramount importance to ask yourself the tough questions that will help shape and define your scope—questions around your budget, specific needs, timeline and workflow requirements tend to work best.
One of the main aspects of the HIPAA law is that it forces healthcare practices and professionals to keep and secure PHI (protected health information) from data breaches and other possible complications and problems. This makes HIPAA and other regulations associated with it something that’s extremely important to the risk and compliance field, especially when dealing with highly sensitive health data.
I recently had lunch with an audit executive who told me her team needed a new audit software solution. However, she kept putting it off because she felt overwhelmed by the myriad of options and the process of finding one. Wading through solution websites, stretching out mentally to determine which functionalities are marketing fodder and which are real, knowing she’d have to sit through numerous demos; she said she felt exhausted before she’d even begun!