For those working in large public organizations, I'm curious about how you approach audit situations. Specifically, what steps do you take when auditors request tickets for work that wasn't documented in project management tools like Jira or ADO? It feels like they are putting a lot of pressure on us right now.
9 Answers
For us, we use pull requests as our primary change management system. If there's no pull request, then any changes made could be lost when the next system run occurs.
Many companies enforce a strict policy of 'no ticket, no work,' emphasizing the importance of being able to trace each change back to a request.
When auditors point out mistakes in your process, it's essential to improve on those deficiencies. Use the feedback to get ahead of the next audit. Plus, demonstrating improvements could even lead to a raise!
The audit's requirements can vary. Can you create tickets on your own? Additionally, look for any messages or emails requesting the work; those can be validated by auditors. If it's non-negotiable for changes to have tickets, your organization might need to address some training gaps.
I’m not trying to sound harsh, but why are you completing tasks without tickets? Even a placeholder ticket that references external systems would help.
Aside from tickets, is there any other documentation you can present, like Slack messages or emails to validate the work? That can often substitute for actual tickets. Having a pull request linked to your work is even better to show formal approval.
When the auditor asks for tickets that don’t exist, just be honest and say "we don’t have a ticket for that." They might suggest not to let it happen again, which is pretty standard.
That approach usually circles back every year with a new auditor coming in. Just stick with it!
Or, if you do track things differently, explain that. For instance, if you document changes in a git repository, showing commit history and logs can be acceptable for auditors.
Every pull request should ideally fit into an automated change management cycle for consistency.
That works for straightforward processes, but it's not feasible for everything.
It's crucial to handle the situation by acknowledging the issue. Present evidence of any procedural changes you've implemented to ensure this doesn't recur. Creating a plan with clear milestones can help make your operations more auditable moving forward.
Absolutely, establishing ticketing for these kinds of tasks is super helpful for compliance.
/thread. If I were in charge, I'd be seriously reevaluating my oversight on this. Sometimes the management team isn't aware of the compliance issues.

I was with you until that last part – it felt a bit like a comedic wrap-up.