Inadequate documentation can lead to audit violations.
Don’t let it jeopardize your next security audit.
Nobody likes creating or maintaining documentation. It’s extremely tedious work and can take a long time to do it properly.
But missing, incomplete or out-of-date documentation of your security processes could lead to problems during your next security audit.
Good documentation removes operational ambiguity
Poorly documented processes can result in operational mistakes and oversights that lead to audit violations. For example:
- Consultants configure the system and then roll off the project after go live, resulting in business resources not understanding the processes, such as who is supposed to do what and when.
- Not involving the right people when creating documentation can leave gaps, especially when it comes to compliancy – for example, missing approvals.
- Data integrity issues. When procedures are not fully documented with step by step instructions, it can result in orphaned records. During audit time, this can significantly increase the amount of back and forth related to sample selection.
And don’t forget that your auditors may audit your process documentation itself! They will expect to see that it adequately and accurately sets out your procedures and review processes.
Good documentation also provides training material that can help new employees to adopt your processes quickly, and it can even yield marketing benefits, as this article by managementstudyguide.com points out.
How to create good documentation
Where should you start and what do you need to consider?
Use this list to help you start from scratch or review your existing documentation to see if it measures up:
- Understand the purpose and strengths of different document types
When creating documentation, consider the format that is most appropriate. Different documentation types can be used, such as: process flows, process guides, procedures and matrices, which will assist with differing requirements or different types of learners. Using different types can also reduce the complexity of your document, making it less wordy.
- Use examples
Examples allow users to quickly grasp the concepts within your document. Using one example through an entire end-to end-process makes it less confusing for users and helps re-enforce the process.
- Know your audience
Your documentation should be written so that users with only basic computer skills can read and learn. Having step by step instructions and screen shots goes a long way.
- It’s not only about the happy path!
Anticipate problems the user may run into, let them know about workarounds, recovery strategies or vendor contacts in cases where outside help may be needed.
- Consider compliancy from the outset
It’s important to ensure that a process or procedure is documented correctly – but you must also be able to provide evidence that it enforces execution per compliance requirements.
Make sure that your documentation includes important tasks such as: ticket numbers, references to approval documents or systems, and a specific section indicating how often the process or procedure itself should be reviewed / approved. Incorporating this information will reduce errors during execution and dramatically decrease your risk of audit violations.
- Always test your documentation
Wherever possible, ask someone who is not familiar with the procedure to use your documentation to step through the process and provide feedback.
- Be prepared for your security audit
Auditors often request a copy of your documentation showing how a procedure or review is executed. It’s important to store your documentation in a central location, track any updates in an appendix and version the document properly.
Make sure that inadequate documentation doesn’t become the weakest link in your security chain!
If you need tools to make security, audit and compliance easier, why not take a look at our solutions for JD Edwards EnterpriseOne, World and Oracle E-Business Suite or get in touch with our services team.