How to Make Auditors Happy (and You Happy Too)

Michael Solomon, CISSP PMP CISM

Uploaded 2014-12-23

© 2011 Tugboat Software. All rights reserved.

Session Agenda

• Overview
• All about auditing and what fun it is (or not)
• What auditing demands and the ideal solution
• Selecting the right tools
• Version Control vs. Software Configuration Management
• How SCM can make both you and your auditors happy
• Questions

All about auditing and what fun it is (or not)


Auditing is about managing risk

Auditing serves Enterprise Risk Management (ERM), which the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines as

“a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

- The Committee of Sponsoring Organizations of the Treadway Commission

Governance is a necessary step

Governance essentially provides monitoring of ERM
• Monitors both risk events and responses
• Risks are not always negative
• Governance includes responding to positive events

Strategic in nature

Requires that organizations show how activities support objectives

Auditing is a part of that step

Its purpose is to ensure the organization is “on track.”

Similar to GPS tracking:
1. Preplan a route to a destination.
2. During the trip, detect the current location.
3. Display the current location.
4. If the location is not on the selected route, update the route (“recalculating”).

Auditing benefits you

Compares performance to goals

Each organization adheres to different types of goals
• Policies
• Standards
• Regulations
• Best practices

Auditing helps organizations understand how well they meet goals

Auditors are just looking for evidence of what happened

Our perception of auditing

Poorly perceived
• Frustrating – points out deficiencies and failures
• Painful – uncomfortable to expose weaknesses
• Interruption – takes time away from producing a product

Skewed perception … to myths

1. Regulatory compliance is the key outcome
  • Compliance is only a small part of audit goals
  • Meeting organizational goals is the real target
2. Audit results are only pass/fail
  • Fine-grained results are more valuable
3. Auditing implies advanced technology
  • Sometimes the simple solutions work best
4. Risks are separate from opportunities
  • Important to identify both

The reality of auditing

Done well, auditing can be positive

Reduces overall risk
• Identifying problems early makes addressing them easier

Identifies opportunities
• Auditing results can help identify new productive directions
• Identifies variances from goals, both positive and negative

Crucial for continuous improvement
• Necessary to reduce negative variances

The benefits of auditing

Improves
• Product quality
• Product visibility
• Product control
• Customer confidence

Decreases
• Rework
• Confusion
• Project risk

What auditing demands and the ideal solution


What auditing demands

1. Audit Objective Identification
  • What are you trying to do?
  • In our context, manage the software development process
2. Control Selection
  • What tools will you use to reduce risk?
  • Software Configuration Management tools
3. Audit Procedures
  • What information will the auditors need?
4. Audit Evidence Evaluation
  • How will auditors verify that the controls meet the objectives?

The ideal solution

A proactive audit response … that avoids redundancy.

A proactive audit response

Understand your organization’s goals
• Policies
• Regulatory requirements
• Best practices

Be ready to provide evidence of performance
• You should already have project progress documentation
• This is the key! Just show how you met goals

Know how to show you are on track
• Project management helps here
• More than just being on schedule

… that avoids redundancy

Capture evidence in the process
• Fresher information
• Quicker and more accurate

Don’t revisit completed work
• It takes time to recall what was done in the past

Use tools that collect evidence automatically
• Avoid any user interaction when possible
• Evidence should be a by-product of the normal process
• Avoid adding new processes just to create evidence

Version Control vs. Software Configuration Management


Selecting the right tools

Does the final product meet its goals?
• Features
• Performance
• Cost

Did the process meet its goals?
• Risk
• Quality

Change management tools

Many version control tools; fewer SCM tools

Most common tools for OpenEdge development (ordered from most basic to most sophisticated):
• CVS – version control
• Subversion – version control
• Mercurial – distributed source code control
• Roundtable TSMS – software configuration management

Version control

Version control (also known as source code control) is a process of tracking changes to source code. In a centralized tool such as CVS or Subversion this is done by checking the objects to be worked on out of a central repository and back in when the work is completed; a distributed tool such as Mercurial records the same history in each developer’s local clone, which is then synchronized with a shared repository.

Version control is one aspect of software configuration management.

Software configuration management

Software Configuration Management (SCM) is the discipline of managing the entire lifecycle of a software project. It creates a structure, based on the principles of the manufacturing industry, that delivers repeatable, high-quality production of software applications.

Whereas version control is a check-in / check-out system, SCM is an assembly line for application development. As an assembly line, it can streamline and provide controls for (and evidence from) all stages in the development lifecycle, making it an ideal tool to satisfy auditors.

How SCM works

Defines the process

Applies controls

Manages changes
• Who?
• What?
• When?
• Why?
• Revert back

Audits results

… applied to every level

• Test environment
• Development environment
• Pre-production environment
• Custom environment
• Partner source code (when applicable)
• Deployment

What an SCM solution offers

SCM tools ease the process of evidence collection

The SCM process requires creating the evidence auditors need:
• Configuration identification information
• Version information for changes
• Change grouping to associate multiple changes with higher-level requests
• Build management and process flow evidence

SCM tracks answers to most questions auditors ask
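The slides argue that evidence should fall out of the normal process rather than being assembled by hand. The following added example (not from the slides and not Roundtable code) shows what that looks like with the most basic tool on the list: it parses a version-control log and answers the auditor's who / what / when / why per revision, groups revisions under the task that requested them, and flags the evidence gaps an auditor would otherwise have to chase. Assumptions not on the page: the log is in the XML shape that `svn log --xml -v` emits; commit messages reference a task as "TASK-<number>" (a hypothetical convention standing in for Roundtable task numbers); and RELEASE_MANAGERS together with the /production/ path are invented to illustrate the separation-of-roles check the case study mentions.

```python
"""Added example: turn a Subversion log into audit evidence automatically.

Not from the original slides. Assumes the `svn log --xml -v` format, a
hypothetical TASK-<n> convention in commit messages, and an invented
RELEASE_MANAGERS set / /production/ path for the separation-of-roles check.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

TASK_RE = re.compile(r"\bTASK-(\d+)\b")

# Hypothetical: only these accounts may change anything under /production/.
RELEASE_MANAGERS = {"carol"}

# Constructed sample log, shaped like `svn log --xml -v` output (not real data).
SAMPLE_LOG = """<log>
<logentry revision="101">
<author>alice</author>
<date>2011-03-01T09:12:00.000000Z</date>
<paths>
<path action="M" kind="file">/trunk/order/calc-tax.p</path>
<path action="A" kind="file">/trunk/order/tax-table.i</path>
</paths>
<msg>TASK-42 correct rounding of sales tax</msg>
</logentry>
<logentry revision="102">
<author>bob</author>
<date>2011-03-01T10:40:00.000000Z</date>
<paths>
<path action="M" kind="file">/trunk/order/calc-tax.p</path>
</paths>
<msg>TASK-42 unit test for rounding</msg>
</logentry>
<logentry revision="103">
<author>bob</author>
<date>2011-03-02T08:05:00.000000Z</date>
<paths>
<path action="M" kind="file">/trunk/util/log.p</path>
</paths>
<msg>quick fix</msg>
</logentry>
<logentry revision="104">
<author>alice</author>
<date>2011-03-03T16:30:00.000000Z</date>
<paths>
<path action="M" kind="file">/production/order/calc-tax.p</path>
</paths>
<msg>TASK-42 promote to production</msg>
</logentry>
</log>
"""


@dataclass
class Change:
    revision: int                      # what version
    author: str                        # who
    date: str                          # when
    paths: List[Tuple[str, str]]       # what: (action, path) pairs
    message: str                       # why (free text)
    task: Optional[str]                # why (structured): the requesting task


def parse_svn_log(xml_text: str) -> List[Change]:
    """Extract who / what / when / why for every revision in the log."""
    changes = []
    for entry in ET.fromstring(xml_text).findall("logentry"):
        msg = (entry.findtext("msg") or "").strip()
        m = TASK_RE.search(msg)
        changes.append(Change(
            revision=int(entry.get("revision")),
            author=entry.findtext("author") or "",
            date=entry.findtext("date") or "",
            paths=[(p.get("action"), p.text) for p in entry.findall("paths/path")],
            message=msg,
            task=f"TASK-{m.group(1)}" if m else None,
        ))
    return changes


def group_by_task(changes: List[Change]) -> dict:
    """Change grouping: associate individual revisions with the request behind them."""
    groups = defaultdict(list)
    for c in changes:
        groups[c.task or "(no task)"].append(c.revision)
    return dict(groups)


def find_evidence_gaps(changes: List[Change]) -> List[Tuple[int, str]]:
    """Flag revisions an auditor could not explain or accept from the record alone."""
    gaps = []
    for c in changes:
        if c.task is None:
            gaps.append((c.revision, "no task reference: 'why' is not on record"))
        touches_prod = any(path.startswith("/production/") for _, path in c.paths)
        if touches_prod and c.author not in RELEASE_MANAGERS:
            gaps.append((c.revision, f"{c.author} changed /production/ but is not a release manager"))
    return gaps


if __name__ == "__main__":
    changes = parse_svn_log(SAMPLE_LOG)
    for c in changes:
        print(f"r{c.revision} {c.date} {c.author:<6} {c.task or '-':<8} {c.message}")
    print("by task:", group_by_task(changes))
    for rev, why in find_evidence_gaps(changes):
        print(f"GAP r{rev}: {why}")
```

Run against a real repository with `svn log --xml -v` piped into `parse_svn_log`; the two gap checks are the kind of report the slides say an auditor should be able to pull on demand, and the point of the task-reference check is that a missing "why" is found the day of the commit, not months later during the audit.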

How an SCM solution can make both you and your auditors happy


Case study – One choice

Culligan chose Roundtable TSMS: a full-featured SCM solution (much more than just version control)

• Integrates evidence collection into ongoing processes – it manages the flow of all activities throughout the development lifecycle
• Provides many features, views, and reports for auditors, as well as for developers and managers

Case study – One choice (continued)

Culligan also got these benefits:
• OpenEdge integration
• Schema management
• Easily extensible – integrated bug tracking system with Roundtable
• Controlled promotion process: development, testing, production
• Tracks change responsibility and reason
• Robust security model to restrict activities

RTB Tasks

Roundtable tasks promote good workflow practices
• Tracking work done
• Check-in groups of objects
• Visibility to management
• Keep track of concurrent work
• Visibility of other, related work

Task Lifecycle

Tasks follow a structured lifecycle:
• Create task
• Checkout/create objects
• Modify objects
• Compile objects
• Check-in objects
• Complete task

RTB Object Checkout

RTB Development

RTB History View

SCM Records

• SCM Plan – high-level document that includes responsibilities, process, and configuration descriptions
• Schedule – list of scheduled SCM activities
• Change Request Plan – procedure for handling all change requests
• Change Configuration Board – operating procedures and minutes
• Audit results – how evidence supports, or is in contrast to, goals
• Ongoing communication – e-mails, reports, etc.

Case study – Results

Happy auditors
• On-demand reports of all changes
• Separation of roles

Happy managers
• Controlled schema
• Work-in-process visibility
• Bug tracking integration means it is easy to relate bugs to fixes
• Simpler code promotion process

Happy developers
• Easier to avoid conflicts with multiple programmers working
• Easy to get tons of information about objects

Summary

Happy auditors don’t have to create their own input

The process is more like a check-up than an attack

Prepare for an audit in every activity
• You will create better evidence
• You will create clear procedures

Select the tools that
• Support and enhance your process
• Create the evidence auditors want

Questions …

For more information about Roundtable TSMS, visit www.roundtable-tsms.com.