michael werneburg

service audits are risky business


A technology service provider that undertakes a SOC-2 audit runs a curious risk: the company that emerges might be a different company, one that chooses new clients and serves them in new ways.

To recap: service organizations that provide technology services to regulated industries are increasingly being asked to demonstrate competence in enterprise risk management. These firms are frequently required to pass a service audit—obtaining, for instance, a SOC-2 audit report. To do so, they might consider an initiative to improve internal processes.

There are hidden strategic risks inherent in such an initiative.

Risks in an initiative to improve operations

The diagram below depicts a route that a technology provider in a regulated industry might pursue to obtain such a service audit report. At the outset, the company weighs the benefits of undergoing an audit, learns what the "audit goals" are (typically from an auditor) and finds a source such as COBIT 5 to guide an initiative to overhaul its processes. In the diagram there are, of course, considerable complexities hidden within the "initiative to overhaul operations", but the overall scheme is simple. This is an operations-minded endeavor that focuses on a set of improvements to internal processes.

default flow for audit process improvement initiative
Roughly speaking, the benefits realized from the process are:

Within this seemingly straightforward process there is hidden complexity that contains a number of operational and strategic risks. Using the risk mapping methodology proposed by Andrew MacLennan in Strategy Execution, I have redrawn the flow diagram as follows, with two types of risk shown: failures to achieve the intended results (shown with arrows pointing “in”); and unintended and undesirable outcomes (arrows pointing “out”).

risk-annotated flow for audit process improvement initiative

Clearly, there are a number of inter-related hazards in this kind of initiative. In my work, I have witnessed the realization of a number of these, such as underestimating the scope of the work and the impact to operations. I’ve also seen a risk-centric enterprise revision of processes result in delays to client request turnaround, and build resentment among management and staff for the overhead and "paperwork". These were largely temporary effects experienced in the transition period.

Impacts upon strategy are longer-lasting and are considerably more difficult to detect.

Strategic risks

Altering the value chain. On the surface, what’s happening is a change in a number of individual processes. The mentality is that the company has to adapt as its processes will thereafter be measured in an audit. Someone leading such an initiative isn’t likely thinking about how the company serves its client, and its “value chain”.

A good working definition of value chain is the sequence of activities the company performs to design, produce, sell, deliver and support its products. These activities: create value for customers; involve significant costs; and, in the words of Andrew Spanyi in Operational Leadership, “Almost always require collaboration across two or more departments”.

To anyone who’s been through a service audit, such a description will sound familiar; the process changes done “for audit” – for instance, in overhauling a software delivery life-cycle or managed application service – amount to changing the value chain.

Trade-offs. In refining its activities, a company working toward an audit adds procedural overhead and complexity, and adopts a certain mind-set in its work. I’ve witnessed this change in culture take deep root, to the point that the personnel simply won’t consider doing things that aren’t the “audit way”. This institutionalized mentality isn’t just dogma taking root; it’s good when your company is able to commit itself to a certain level of consistent quality.

Despite the maddening way that so many externally-imposed controls are worded (and measured), a service audit contains an implicit commitment to consistent delivery to clients.

This form of commitment involves a trade-off, however, and that is in the commitment to a certain type of client—likely a class of client regulated into requiring a high level of risk-management capability from their vendors. Because it’s hard to deliver your service at two levels of care, a service organization that embarks on a service audit should acknowledge the possibility that its new, risk-minded way of doing things will exclude clients that don’t value all of that care (with its inherent overhead and expense).

In summary

A company that makes decisions to select its clients differently and starts serving its clients differently becomes, in effect, a different company. It’s chosen a different value proposition and a new market position.

While these impacts are ultimately positive, it is clear to me that the risks of underestimating the impact to a company’s strategic options must be recognized. These outcomes are too important to recognize after the fact; they must be planned for.

a strategic approach to the value chain

This is a description of a strategic approach to an initiative to improve operations in advance of a service audit.