Auditing
It Ain't Over... Until You Do the Post-Implementation Audit
Furthermore, CIOs who conduct PIAs say the time and resources audits use get recouped on subsequent project implementations. Resistance to audits also often stems from a desire to be rid of a project once the deployment is complete and to move on to the next challenge. The trick is to make it easy for workers to conduct and provide feedback for PIAs. For example, when Sun Life Financial's IT project office needs to solicit feedback on a system from business users, it asks them to fill out an electronic survey, on their own time, that takes no more than 20 minutes to complete. The response rate for those surveys is usually better than 50 percent and is sometimes close to100 percent, says Ed Esposito, director of the project office.
Because Honeywell Aerospace's IT organization for its Aviation Aftermarket Services unit also has trouble reengaging business users in a project during an audit, the IT organization leverages its staffers who have completed training in Six Sigma, a process improvement methodology. Those with Six Sigma training, who are experts in business processes, provide the IT department with the feedback it needs to determine whether a system has streamlined workflows.
Engage the Right People
Who should perform PIAs is a matter of great debate. The most common groups of workers include one or more of the following.
At Sun Life Financial, IT's project office leads the PIA process on its own IT and non-IT projects. But it does so in conjunction with the finance department and the company's internal audit department. IT projects are audited from the beginning and on an ongoing basis, rather than at the end of an implementation, which ensures that IT follows sound project methodologies, meets user requirements, stays on budget and implements proper security controls.
Sun Life Financial's approach comes closest to being the best, according to PIA experts. Don Christian, a partner with PricewaterhouseCoopers, says the PIA team should consist of a businessperson and an IT person who were involved with the implementation, and that it should be led by someone independent, such as an internal auditor, who was not part of the project team. Christian says it's better to have a group of people from different functions participate, rather than just an IT team or just internal audit because they all provide valuable input. The advantage of having members of the IT project team involved is that they're intimately familiar with the benefits, deliverables and requirements of the project. And because they know the project so well, it is easier for them to fully evaluate a project. Having a businessperson on the audit team is important because she can more easily determine if an external factor rather than a systems failure is causing a system to not generate expected value. And an independent auditor is important because he's not afraid to ask tough questions and will prevent the members of the project team who are involved in the audit from softening any findings.