How to manage auditability (and other nonfunctional, non-technical requirements).

This guest post is by Dave Gordon
Missing requirements are one of the main reasons IT projects slip into “troubled” status. This is often because subject matter experts fail to consider all functional requirements at the start of the design stage. Sometimes, technical requirements are “discovered” during the execution phase, when the team builds the system that will meet the functional requirements. While there are many sources and advocates for technical and functional requirements, there may also be requirements that are not functional or technical. These requirements could be overlooked by the project manager and may not be supported by the advocates. In many cases, the project manager must advocate for these requirements.
Consider the following attributes of a modern transaction processing system, whether located on a server in the corporate data center or delivered as Software-as-a-Service in the Cloud. Each of these requirements may be an option for your next information technology project.
Auditability refers to the ability of an auditor to trace transactions through a system, from originator to approver to final disposition. Part of auditability comes from system documentation. Part of it comes from visibility of integrity-related modifications to system and data records. Auditors should be able to see logs and determine who did what, and when. Auditors can be internal or external to an organization. Once you have identified the auditors, work with them to ensure that the system meets their needs. They will want to verify and document that it does.
System security is the control of access to system resources. This includes both programs and stored data. It helps to protect the integrity, authenticity, and confidentiality of data and operating processes. Security is achieved through a combination of software and internal controls, in accordance with relevant standards and policies. Your organization may have a Chief Information Security Officer who is responsible for setting security standards. You can work with them to identify the appropriate security controls and how to implement them. Keep the auditors informed.
Records Management
Most transactions are only kept for a specified purpose and have a short retention period. A records management policy should specify when a record is considered obsolete and must be deleted. A court order may require preservation of records in the event of litigation. Discuss the policies with your Chief Administrative Officer or Corporate Counsel to determine the retention periods and establish procedures for requesting, authorizing, and documenting destruction of obsolete records. You must have procedures in place to document the chain and control access.
If your project is to replace a legacy system, part of it may include planning for the retirement of the old system. This could include:
Purging obsolete records
Archiving records that are not yet obsolete and not moving to the new system
Notifying all interested parties
Ordering the removal and disposition of servers

Collaborate with the data custodians, the data center manager, and the subject matter experts to identify and conduct stakeholder analyses. As you know, retirement overlaps with Auditability, Security, and Records Management. Make sure it’s part of these conversations.
Final Thoughts
These aren’t the most glamorous parts of an IT project. However, if you don’t meet these requirements, it can delay your project or make it impossible to complete.