What is Your Confidence Level that Controls are in Place in automated (or manual) applications?


Page 2

Integration of BA, BPM, SDLC, PM

What are Accountants’ roles regarding establishing controls?

• Business Analysis (subject matter experts SMEs)

• Business Process Management

• System Development Life Cycle

• Project Management

Page 3

Who are the SMEs in developing financial control requirements?

Page 4

Necessary! Must understand & consciously integrate activities of

Financial Auditing / IT Auditing

Business Analysis (BA)

Business Process Management / Improvement (BPM / BPI)

System Development Life Cycle (SDLC)

Project Management (PM)

Page 5

[Diagram: BPM; BA, SDLC; PM; Strategic Goals; Accountant (SME); control specs]

Page 6

Project initiation, Requirements identification, Work definition, and Task assignment

Information Technology Project Management, Fifth Edition, Copyright 2007

Owner, User, SME Specification, Business Analysis, Business Process Management, Project Management

User specifications, Systems Analysis & Project Management

Project Management & Expert Knowledge

Project Management & Expert Knowledge

Project Management & Expert Knowledge

Page 7

Some background info / examples.

Double entry accounting. Pacioli, 1494.

The control? Debits and Credits must balance.

Processes must be defined & corrected prior to automating

Automated financial systems 1950s – 1960s

Problems

• Specifications – Not what users needed.

• Errors – Processes not understood. Bugs in the code.

• Controls – Missing or ignored.

Enron, HealthSouth, Sub-prime loans. (1986-87 loan approval expert system.)

Desire: Adequate, error-free system with necessary controls

Page 8

Warnings when acquiring Business (or any) IT Systems

Managers / IT auditors / Users specifying requirements must recognize when automated controls are not present.

Are

• business process improvement (BPI) best practices

• accounting best practices

• business analysis, system development life cycle (SDLC) best practices

• project management (PM) best practices

addressed during development of the system?

Are BEST PRACTICES followed during development?

If not, great likelihood controls not in place, user needs not covered.

Warning!

Page 9

Thoughts from

IT Auditors, Forensic Accountants,

Ivar Jacobson’s The Object Advantage

Whitten, Bentley, & Dittman authors of Systems Analysis & Design Methods

Kathy Schwalbe author of IT Project Management

PMI, A Guide to the Project Management Body of Knowledge

and my experiences.

Paul Crigler

UAB Department of Management, Information Systems, & Quantitative Methods

IS and MBA-IT instructor

Page 10

Losing control (and money) due to

• Finagling the facts

• Violating the rules

• Stealing

• Incorrect / Invalid reporting

• Processes or process steps that are NOT correct or are NOT followed or are NOT automated

Page 11

!!!

• We must be aware of and understand the integration of

– Business Process Management

– Financial Audit / IT Audit / Forensics

– Business Analysis methods

– Systems Development methods

– Project Management techniques

• and their best practices

Page 12

IT Audit within the Audit Process

(1st three steps applicable when developing or acquiring an information system)

Financial Statement Unaudited

Understand the Company

Identify Significant Processes

Understand Internal Controls

Evaluate Fraud Risk Factors disclosed by Internal Control

Develop Final Risk Assessment

Etc.

1. Complete review

2. Submit Financial Statement draft for review

3. Issue Financial Statements

Financial Statement Audited

Etc.

Page 13

How was automated control system developed?

The enterprise with its many processes guided by GAAP, ISACA, industry standards and best practices.

BPM, BPI best practices

BA, SDLC best practices

PM, PPM best practices

Page 14

How are controls originated?

• Who establishes the business rules?

• Who defines the processes?

• Who defines the controls?

• Who is responsible for controls?

Page 15

When Processes are Automated

Who defines the controls (and the processes)?

Accountants, Operation Managers, Process Engineers, etc. - using BPM, BA best practices

Who analyzes, designs, builds computer system?

Business and Systems Analysts, Designers, Programmers - using SDLC best practices

Who ensures project is executed on time, within budget, completely and with quality?

Project Managers, Project Portfolio Managers - using PM, PPM best practices

Page 16

Verifying

• What is the evidence automated controls are not in place?

• Will discrepancies indicate?

• Will tests?

– Debits vs. Credits?

– Raw material in vs. finished goods out?

– Through-put. Others?

• What indicates that BPM, BA, SDLC, PM best practices were followed?

Page 17

Which is Best?

Testing in?

Building in?

US automakers of 1970s?

Japanese automakers in 1970s?

Page 18

Build quality into automated control systems

The enterprise with its many processes guided by GAAP, ISACA, industry standards - best practices.

BA, SDLC best practices

PM, PPM best practices

BPM, BPI best practices

using

Page 19

Business Process Management

1st

Business Process Management

Business Process Improvement

(BPM, BPI)

Page 20

Some Major Processes

1. Cash receipts

2. Cash disbursements

3. Revenues and Accounts Receivables

4. Procurement / Accounts Payable

5. Payroll / Human Resources

6. Financial Statement Close Process

7. Information Technology

8. Other Processes Specific to the Business and its Industry

Page 21

Process Evaluation Criteria

Speed: Are the processes generating the specified outputs in a timely manner?

Reliability: Are the business processes consistent? Is up to date information available to the right people?

Integration: Do the business processes integrate all the necessary components seamlessly? Do the processes link all the required data feeds?

Flexibility: Are the processes capable of absorbing changes initiated by the environment?

Security: Are the processes equipped with the proper security features capable of protecting confidential client information? Is information authentic and reliable?

Page 22

Activities of business process improvement project

Envisioning

[Diagram: Strategy; Understanding the existing business; Customer Demands; Benchmarking; Envisioning; Reengineering Directive; Model of the Existing Business; Objective Specification (vision of future, the new company)]

Page 23

Business process improvement

Rebuilding

[Diagram: Objective Specification (vision of future, the new company); The Model – the redesigned process(es) for the New Business; Envisioning; Reversing the Existing Business; Engineering the New Business; Installing the New Business; Reengineering Directive; “as-is”; “to-be”; The reengineered Corporation (the documentation); Business Process Redevelopment]

Page 24

Business process improvement

Continuous Improvement

[Diagram: Envisioning; Reversing the Existing Business; Engineering the New Business; Installing the New Business; Reengineering Directive; “as-is”; “to-be”; The reengineered Corporation (the documentation); Business Process Reengineering project; Improvements; Radical Δ? (Radical change?); No; Yes?]

Page 25

Enterprise Applications

• Virtually all organizations require a core set of enterprise applications

– Financial mgmt, human resources, sales, etc.

– Frequently purchased (COTS – commercial off the shelf)

– Frequently need to have custom elements added

• Systems Integration: process of building unified information system out of diverse components: purchased software, custom-built software, hardware, and networking.

Warning!

COTS – squeezing size 10 foot into size 4 shoe

Warning!

Integration of components – a major source of concern

Page 26

Enterprise Applications

Page 27

Framework for improving and automating processes

See page 470

Goals: Improve Business Processes (controls), Business Knowledge & Communications to accommodate strategic business objectives

Implementation Activities

The Business Drivers

Players: Systems User, Accountants, Systems Owners, Project Managers, Systems Analysts, System Designers

The Technical Drivers

Warning!

Goals do not match strategic business objectives!

Warning!

Stakeholders not on board! Stakeholders do not take ownership!

Warning!

Processes are not in place or are not followed!

Page 28

BA, Control Specifications & SDLC

2nd

Business Analysis, Control Identification & Systems Development Life Cycle

Page 29

Business Analysis / Requirements

Systems Development Life Cycle

If BA / Financial Controls / etc. requirements are not properly addressed ….

Warning!

If SDLC best practices are not in place ….

For definitions go to http://en.wikipedia.org/wiki/Business_analysis

Page 30

Typical SW Project

Information Technology Project Management

Page 31

Objectives for the Accountant (or manager) responsible for specifications

1. Understand business analysis and systems analysis and relate to scope definition, problem analysis, requirements analysis, logical design, decision analysis phases of SDLC.

2. Understand systems analysis approaches for solving business system problems.

3. Understand scope definition, problem analysis, requirements analysis, logical design, and decision analysis phases in terms of information system building blocks.

4. Understand scope definition, problem analysis, requirements analysis, logical design, and decision analysis phases in terms of purpose, participants, inputs, outputs, techniques, and steps.

Page 32

Accommodate Business Strategy

Systems Analysis and Design Processes

System Building Blocks from Systems Analysis perspective

Information System Building Blocks

Warning!

Goals do not match strategic business objectives!

Warning!

BA, IT Auditing, SDLC, and Project Management processes are not in place!

Warning!

People are not on board or being properly considered!

Page 33

What is Systems Analysis?

Systems analysis: problem-solving technique that decomposes a system into component pieces for studying how well parts work and interact to accomplish purpose. The What, Why & Who

Systems design: problem-solving technique that assembles system’s component pieces into complete system. The How

Information systems analysis: development phases in information systems development project -- primarily focus on business problem and requirements -- independent of technology used to implement solution

Page 34

Context of Systems Analysis

Identify alternate solutions

Project Charter

Warning!

An SDLC process is not in place.

Warning!

Repository not maintained, understood, and used.

Page 35

Requirements Discovery

used by systems analysts to identify system problems & solution requirements from user community

Accountants when the system’s focus is to provide controls

Page 36

Business Process Redesign

BPR: feature of systems analysis to achieve major business changes

Goal: dramatically improve fundamental business processes independent of information technology.

Warning!

BPR does not occur prior to new system design – resulting in automating bad processes.

Page 37

FAST Systems Analysis Phases

1. Scope Definition Phase – Why is project worth considering?

2. Problem Analysis Phase – Why is new system worth building?

3. Requirements Analysis Phase – What do users – Accountants – want from new system?

4. Logical Design Phase – What must new system do?

5. Decision Analysis Phase – What is best solution?

Scope: boundaries of project – area of a business that project may address

Page 38

Scope Definition Phase Terms

Steering body: committee of executive business and system managers that studies and prioritizes competing project proposals (steering committee)

Project charter: final deliverable for preliminary investigation phase; defines the project scope, plan, methodology, standards, etc.

Warning!

Steering committee not in place.

Warning!

Project Charter (contract) not adequate.

Page 39

Context of Problem Analysis Phase

USERS

Who are involved in this phase?

What is the purpose of this phase?

Page 40

Key Term of the Problem Analysis Phase

Context Diagram: pictorial model that shows how system interacts with world around it and specifies system inputs and outputs.

Our System

Page 41

Requirements Analysis Phase

Users

Project Mgrs.

Page 42

Context of Logical Design Phase of Systems Analysis

Users

Project Mgrs.

Page 43

Context of Decision Analysis Phase

Builders

Designers

Owners

Have requirements; now can determine how new system might be implemented to cover all requirements while dealing with technology constraints.

Page 44

Feasibility Matrix

Candidates are compared with each other and ranked.

Warning!

A stakeholder attempts to influence the decision by corrupting the data, modifying the weights “arbitrarily”, etc.

Page 45

Project Management

3rd

Managing the Project

Managing the Project Portfolio

Page 46

Need for Organizational Standards

Standards and guidelines help project managers be more effective.

Senior management can encourage:

– use of standard forms and software for project management.

– development and use of guidelines for writing project plans or providing status information.

– creation of a project management office (PMO).

Warning!

Expect problems if have no standing Technical Standards Committee.

Warning!

Expect problems if standards and guidelines 1) are not defined, 2) practitioners are not trained, 3) standards are not followed.

Page 47

What Is a Project?

Project: “a temporary endeavor undertaken to create a unique product, service, or result.”

(Operations are work done to sustain the business.)

A project ends when its objectives have been reached, or the project has been terminated.

Projects can be large or small and take a short or long time to complete.

Page 48

Project

1. Has unique purpose

2. Is temporary

3. Is developed using progressive elaboration

4. Requires resources, often from various areas

5. Should have a primary customer or sponsor

• project sponsor provides direction and funding for project

6. Involves uncertainty

Warning!

C level management and sponsors don’t understand projects.

Warning!

Management doesn’t support the project

Warning!

Risk Management Plans not in place

Warning!

Domain experts / SMEs / Accountants providing control specs are not engaged

Page 49

Project Management Framework

Warning!

Project does not support strategic plans.

Page 50

Project Management Perspective necessary to appreciate ROI

$ Benefits

$ Costs

Traditional Focus

Feasibility

Analysis

Design, Build, Test, Ship

Focus must continue beyond implementation to reap benefits.

Development Operations with Support

All that happens after “project” ends

Warning!

BA & SDLC must utilize best analysis, design, and support processes

Warning!

IT Controls must be in place to minimize risk so maximum $ will be made.

Warning!

Requirements must be correct so maximum utilization will be achieved by users.

Page 51

Project and Program Managers

Project managers work with project sponsors, project teams, and other people involved in projects to meet project goals.

Program: “A group of related projects managed in a coordinated way to obtain benefits and control not available from managing them individually.”*

Program managers oversee programs and often act as bosses for project managers.

Page 52

Project Manager

Project Manager: experienced professional responsible for planning, monitoring, and controlling projects with respect to schedule, budget, deliverables, customer satisfaction, technical standards, and system quality.

Warning!

Without experienced PM may not include users’ (Accountants’, Management’s, etc.) concerns in system.

Page 53

Project Management Certification

• PMI provides certification as a Project Management Professional (PMP).

• A PMP has documented project experience, agreed to follow code of ethics, and passed exam.

Warning!

Don’t have experienced, certified PMs managing IT Control projects.

Page 54

Different players, different agendas

Warning!

Must identify all stakeholders & understand their agendas!

Page 55

Project Stakeholders

• Stakeholders are the people involved in or affected by project activities.

• Stakeholders include:

1. Project sponsor (person generally with $$$ and clout)

2. Project manager

3. Accountants, Project team

4. Support staff

5. Customers

6. Accountants, Users

7. Suppliers

8. Opponents to the project can stop or kill a project

Warning!

Stakeholders are not adequately identified and engaged.

War story about Office Paper Recycle Project stakeholders

Another war story about HR Admin system stakeholders

Page 56

Importance of Top Management Commitment

Top management commitment: key factor for project success.

Top management must help project managers

– Secure adequate resources.

– Get approval for unique project needs in timely manner.

– Receive cooperation from people throughout organization.

– Learn how to be better leaders.

Warning!

Management not committed to project

Page 57

Need for Organizational Commitment to IT

• If the organization has a negative attitude toward IT – difficult for IT project to succeed

• Chief Information Officer (CIO) at a high level in organization helps IT projects

• Assigning non-IT people to IT projects – more commitment

Warning!

CIO not at high level in company

Warning!

Few non-IT people on the project

Warning!

IT issues not standing agenda item for Board of Directors

Page 58

Level of Activity and Overlap of Project Process Groups Over Time

Warning!

Project team does not address all groups in integrated fashion.

Must understand Iterative Elaboration nature of systems projects.

Page 59

Nine Project Management Knowledge Areas

• Knowledge areas describe the key competencies that project managers must develop.

– Four core knowledge areas lead to specific project objectives (scope, time, cost, and quality).

– Four facilitating knowledge areas are the means through which the project objectives are achieved (human resources, communication, risk, and procurement management).

– One knowledge area (project integration management) affects and is affected by all of the other knowledge areas.

Warning!

Project plan and execution do not address all knowledge areas.

Warning!

Project integration management not understood & followed.

Page 60

PM Capability Maturity Model (CMM)

Low risk

High risk

Not competitive

Very competitive

Warning!

Low CMM rating – a big red flag!

Warning!

Low CMM rating: higher costs, lower quality, more time

Lack of Maturity of enabling processes such as Auditing (financial & IT), Control identification, BPM, BA, SDLC, PM will be detrimental, increase risks, and reduce competitive ability.

Page 61

Project Success Factors

1. Executive support

2. Accountant & User involvement

3. Experienced project manager

4. Clear business objectives

5. Minimized scope

6. Standard software infrastructure

7. Firm basic requirements

8. Formal methodology

9. Reliable estimates

10. Other criteria, such as small milestones, proper planning, competent staff, buy-in and ownership, and clear communications

Warning!

Without these success factors - internal controls and necessary features may not be included.

Page 62

Suggested Skills for Project Managers

• Project managers need a wide variety of skills.

• They should

– Be comfortable with change.

– Understand the organizations they work in and with.

– Lead teams to accomplish project goals.

Warning!

Project managers do not understand the business, are not leaders.

Page 63

Project Manager Skills

1. Communication skills: Listens, persuades.

2. Organizational skills: Plans, sets goals, analyzes.

3. Team-building skills: Shows empathy, motivates, promotes esprit de corps.

4. Leadership skills: Sets examples, provides vision (big picture), delegates, positive, energetic.

5. Coping skills: Flexible, creative, patient, persistent.

6. Technology skills: Experience, project knowledge.

Page 64

Sample Gantt Chart

Work Breakdown Structure showing all tasks of project

Warning!

All tasks not completely identified.

Page 65

Ethics in Project Management

1. Ethics - important part of all professions.

2. Project managers often face ethical dilemmas.

3. In order to earn PMP certification, applicants must agree to the PMP code of professional conduct.

4. Several questions on the PMP certification exam are related to professional responsibility, including ethics.

Warning!

Have concerns that project is executed ethically.

Page 66

Project Management Office (PMO)

• responsible for developing, coordinating, promoting, and supporting project management function throughout organization.

• Possible goals include:

1. Collect, organize, and integrate project data for entire organization.

2. Develop and maintain templates for project documents.

3. Develop or coordinate training in various project management topics.

4. Develop and provide a formal career path for project managers.

5. Provide project management consulting services.

6. Provide a structure to house project managers while they are acting in those roles or are between projects.

Warning!

PMO not in place or is not effective.

Page 67

How was the computer based control system developed?

The enterprise with its many processes guided by GAAP, ISACA, industry standards and best practices.

BPM, BPI best practices

BA & SDLC best practices

PM, PPM best practices

If not followed - Warning!

by following and using

Page 68

Ask yourself – Would we want professionals trained in Project Management to manage a major compliance implementation?

Develop an understanding of existing internal controls

Existing internal controls (if any)

Existing internal controls (if any) as we understand

Create internal controls that accommodate SOX

Continuous compliance improvement

SOX “compliant” internal controls

Page 69

To have adequate IT systems and controls

Managers, Financial Auditors, users on project teams, and IT auditor must ensure that controls were built-in

Managers, Financial Auditors, Users & IT Auditor should insist on

Business Process Best Practices

Business Analysis Best Practices

System Development Life Cycle Best Practices

Project Management Best Practices

by being on the look-out for

Page 70

To increase the quality of systems, require the certification of those

• specifying the controls: CISA, CISM, CGEIT, CRISC, CPA

• capturing the specifications: CBAP

• designing the systems: various technology specific certifications (MS, Oracle, IBM, etc.)

• managing the project: PMP

Page 71

business processes

GAAP, etc.

industry standards

ISACA, etc.

The Enterprise

Financial Auditors, Users, & IT auditors specifying requirements should be on the look-out for warnings so IT systems and controls will be implemented following Best Practices.

BPM, BPI best practices

BA & SDLC best practices

PM, PPM best practices

Page 72

Thank you!

These slides are available.

To receive a copy send an email to

[email protected]

with subject line “ISACA presentation”

Questions?