72% of risk executives say that implementing digital transformation initiatives is critical to growth. However, many companies are trapped in a web of siloed solutions, legacy tools, budget constraints, and internal politics.
When I used to work in SOX compliance at a large public company, we used a legacy tool. Common pain points like endless follow up, disparate records, and constant status updates prompted us to entertain alternatives to our current solution. However, once we saw a demo, I realized we had no idea what came next. What were the necessary steps to purchase software for an organization? How long would it take? What did the process involve?
Many audit, risk, and compliance folks don’t have software-buying experience. Sometimes asking for an investment in the right software only solidifies our industry’s unfair reputation as a cost center. That’s why it’s critical to take a methodical approach to win over decision-makers in your organization to implement the right technology solutions.
To succeed, you must connect with the right stakeholders and convince your organization to release a budget for your cause. I’ve identified 5 steps to consider to position yourself for success at your organization to get what you need. Let’s get started!
Step 1: Identify specific pain points you’re solving for when trying to decide on a preferred vendor.
When purchasing software, a primary challenge is navigating passionate stakeholders with lots of conflicting opinions. Avoid conflict from the start by establishing a baseline: what specific pain point will technology help solve for? More often than not, this will be a list of problems rather than just one. These problems you identify will need to have implications for your business. For example – “I want to be more efficient” isn’t necessarily a compelling pain point on its own. “Our team is spending too much time on manual follow up with stakeholders. If we spent less time on that, we could do more audits and thus reduce the risk our business faces” – attaching pain points to business implications is more likely to make you successful. If you don’t have an immediate problem that presents business consequences, your business case won’t be successful.
For example, what if your organization is incurring material weaknesses? It may be due to control owners being unaware of their controls, which means your organization is exposed to risk. This is a high-stakes problem that can be addressed with the right people, processes, and technology. Most organizations have multiple issues that the right solution could holistically address.
Step 2: Decide which internal stakeholders should be involved in a software purchase decision.
This stage is all about knowing your organization: identify the relevant individuals that will use, pay for, or sign off on software contracts.
Here are some individuals that will most likely be involved:
- The team executing on the use case: This is the team we identified in the previous step – the ones coping with pain points, and using the solution you decide on. Some examples are the internal audit team, the enterprise risk team, and so forth.
- Team leader: This person may have the final say. Some examples are chief audit executive, chief risk officer, or the VP of internal audit.
- Procurement: If you have a procurement department, you should let them know you’re looking to purchase software. They’ll have to be involved at one point or another so the earlier they know, the better.
- Legal: The Legal department will most likely be reviewing the agreement. This can take anywhere from one to three weeks – depending on their backlog.
- IT/Information Security: This team will most likely be sending out a questionnaire.
- CFO: This individual will most likely give the nod for final budget approval or spend approval, so it’s better to involve them early to let them know you’re evaluating solutions.
Step 3: Outline your process from start to finish.
Ambiguity is where change management goes to die. Establish the steps involved in your decision making process from the beginning. If you have a roadmap, you are less likely to encounter significant delays as time goes on. Here are some common steps:
- Establish your use case, requirements, and timeline internally. We did some of this in Step 1, but knowing when you want to be live with a solution is also a key point.
- Meet with and outline your use case to vendors.
- Go through demos from your list of preferred vendors.
- Talk to references to assess their experience with vendors.
- Do hands-on product testing.
- Ask for a proof-of-concept.
Pro Tip: Some organizations develop scorecards before talking to vendors. These scorecards are used to rank potential vendors based on how they align to the organization’s criteria and solve for their key pain points. Make sure that these key points are well thought-out and will help the team achieve specific objectives. Aim for outcome-based criteria and not check-the-box features.
Step 4: Make a technical recommendation to the person that holds the budget.
Once you’ve completed the evaluation process and have identified your preferred vendor/solution, take this recommendation to your leader that holds the budget. Tools like a business case, ROI calculator, or an executive-level demo are incredibly effective to prove value to the C-Suite. It’s also helpful if the CFO – or whoever the budget holder is in your organization – benefits directly from this implementation in some way.
Step 5: Focus on procurement, IT, and legal.
In Step 2, you identified all the relevant contacts for this process. Once you get the green light from your organization’s executives, start reaching out to them. Most organizations will want Legal to review the contract, Information Security to conduct an assessment or questionnaire, and Procurement to discuss the commercial aspect. Allot plenty of time for this process – these steps could take between two weeks and three months, depending on your team’s backlog. At this point, your job mimics the role of a project manager. Keep in touch with each team and ask for updates, objections, and questions. Consider holding a weekly recurring meeting with project leads and the vendor to stay on track and proactively address any issues. This will prevent a sudden slow-down in the process.
Persuading Decision-Makers In Your Organization
Positioning yourself as an internal champion for audit, risk, and compliance at your organization is a laborious – and rewarding – process. When armed with a proactive plan, you are less likely to be denied. If you’re adequately prepared, you are more likely to get your software choice implemented successfully.
Peter Hammer, CPA, is a Manager of Solutions Advisory Services at AuditBoard. An experienced consultant and Protiviti alumnus, Pete has worked to manage SOX programs and oversee internal audit and IT audit projects at some of the Philadelphia area’s largest organizations. Connect with Pete on LinkedIn.