Mar. 27, 2012-Integration of BPM, BA, SDLC & PM

What is Your Confidence Level that Controls are in Place in automated (or manual) applications?
Integration of BA, BPM, SDLC, PM
What are Accountants’ roles regarding establishing controls?
• Business Analysis (subject matter experts, SMEs)
• Business Process Management
• System Development Life Cycle
• Project Management
Who are the SMEs in developing financial control requirements?
Necessary!
Must understand & consciously integrate activities of
Financial Auditing / IT Auditing
Business Analysis (BA)
Business Process Management / Improvement (BPM / BPI)
System Development Life Cycle (SDLC)
Project Management (PM)
[Diagram labels: Accountant (SME); Strategic Goals; control specs; BPM; BA, SDLC; PM]
Owner, User, SME Specification,
Business Analysis
Business Process Management
Project Management
Project initiation, Requirements identification, Work definition, and Task assignment
User specifications, Systems Analysis & Project Management
Project Management & Expert Knowledge
Information Technology Project Management, Fifth Edition, Copyright 2007
Some background info / examples.
Double entry accounting. Pacioli, 1494.
The control? Debits and Credits must balance.
Processes must be defined & corrected prior to automating
Automated financial systems 1950s – 1960s
Problems
Specifications – Not what users needed.
Errors – Processes not understood. Bugs in the code.
Controls – Missing or ignored.
Enron, HealthSouth, Sub-prime loans.
(1986-87 loan approval expert system.)
Desire: Adequate, error-free system with necessary controls
Warnings when acquiring Business (or any) IT Systems
Warning!
Managers / IT auditors / Users specifying requirements must recognize when automated controls are not present.
Warning!
Are
• business process improvement (BPI) best practices
• accounting best practices
• business analysis, system development life cycle (SDLC) best practices
• project management (PM) best practices
addressed during development of the system?
Warning!
Are BEST PRACTICES followed during development?
If not, great likelihood controls not in place, user needs not covered.
Thoughts from
IT Auditors, Forensic Accountants,
Ivar Jacobson’s The Object Advantage
Whitten, Bentley, & Dittman authors of Systems Analysis & Design Methods
Kathy Schwalbe author of IT Project Management
PMI, A Guide to the Project Management Body of Knowledge
and my experiences.
Paul Crigler
UAB Department of Management, Information Systems, & Quantitative Methods
IS and MBA-IT instructor
Losing control (and money) due to
• Finagling the facts
• Violating the rules
• Stealing
• Incorrect / Invalid reporting
• Processes or process steps that are NOT correct or are NOT followed or are NOT automated !!!
• We must be aware of and understand the integration of
  • Business Process Management
  • Financial Audit / IT Audit / Forensics
  • Business Analysis methods
  • Systems Development methods
  • Project Management techniques
• and their best practices
IT Audit within the Audit Process
(1st three steps applicable when developing or acquiring an information system)
[Diagram labels: Financial Statement Unaudited; Understand the Company; Identify Significant Processes; Understand Internal Controls; Evaluate Fraud Risk Factors disclosed by Internal Control; Develop Final Risk Assessment; Etc.; 1. Complete review; 2. Submit Financial Statement draft for review; 3. Issue Financial Statements; Financial Statement Audited]
How was automated control system developed?
[Diagram: The enterprise with its many processes guided by GAAP, ISACA, industry standards and best practices. Surrounding labels: BPM, BPI best practices; BA, SDLC best practices; PM, PPM best practices.]
How are controls originated?
• Who establishes the business rules?
• Who defines the processes?
• Who defines the controls?
• Who are responsible for controls?
When Processes are Automated
Who defines the controls (and the processes)?
Accountants, Operation Managers, Process
Engineers, etc. - using BPM, BA best practices
Who analyzes, designs, builds computer system?
Business and Systems Analysts, Designers,
Programmers - using SDLC best practices
Who ensures project is executed on time, within budget, completely and with quality?
Project Managers, Project Portfolio Managers - using PM, PPM best practices
Verifying
• What is the evidence automated controls are not in place?
• Will discrepancies indicate?
• Will tests?
– Debits vs. Credits?
– Raw material in vs. finished goods out?
– Through-put. Others?
• What indicates that BPM, BA, SDLC, PM best practices were followed?
Which is Best?
Testing in?
Building in?
US automakers of 1970s?
Japanese automakers in 1970s?
Build quality into automated control systems using
[Diagram: The enterprise with its many processes guided by GAAP, ISACA, industry standards and best practices. Surrounding labels: BPM, BPI best practices; BA, SDLC best practices; PM, PPM best practices.]
Business Process Management
1st
___________
Business Process Management
Business Process Improvement
(BPM, BPI)
Some Major Processes
1. Cash receipts
2. Cash disbursements
3. Revenues and Accounts Receivables
4. Procurement / Accounts Payable
5. Payroll / Human Resources
6. Financial Statement Close Process
7. Information Technology
8. Other Processes Specific to the Business and its Industry
Process Evaluation Criteria
Criteria: Speed, Reliability, Integration, Flexibility, Security
• Are the processes generating the specified outputs in a timely manner?
• Are the business processes consistent?
• Is up to date information available to the right people?
• Do the business processes integrate all the necessary components seamlessly?
• Do the processes link all the required data feeds?
• Are the processes capable of absorbing changes initiated by the environment?
• Are the processes equipped with the proper security features capable of protecting confidential client information?
• Is information authentic and reliable?
Activities of business process improvement project: Envisioning
[Diagram labels: Envisioning; Reengineering Directive; Strategy; Customer Demands; Understanding the existing business; Model of the Existing Business; Benchmarking; Objective Specification (vision of future, the new company)]
Business process improvement
Rebuilding
Business Process Redevelopment
[Diagram labels: Reengineering Directive; Envisioning; Reversing the Existing Business; “as-is”; Engineering the New Business; “to-be”; Objective Specification (vision of future, the new company); Installing the New Business; The reengineered Corporation (the documentation); The Model – the redesigned process(es) for the New Business]
Business process improvement
Continuous Improvement
Business Process Reengineering project
[Diagram labels: Reengineering Directive; Envisioning; Reversing the Existing Business; “as-is”; Engineering the New Business; “to-be”; Radical Δ? (Radical change?) No / Yes; Installing the New Business; The reengineered Corporation (the documentation); Improvements]
Enterprise Applications
• Virtually all organizations require a core set of enterprise applications
– Financial mgmt, human resources, sales, etc.
– Frequently purchased (COTS – commercial off the shelf)
– Frequently need to have custom elements added
• Systems Integration: process of building unified information system out of diverse components: purchased software, custom-built software, hardware, and networking.
Warning! Integration of components – a major source of concern
Warning! COTS – squeezing size 10 foot into size 4 shoe
Enterprise Applications
Framework for improving and automating processes
See page 470
Goals: Improve Business Processes (controls), Business Knowledge & Communications to accommodate strategic business objectives
Players
Systems User
Accountants
Systems Owners
Project Managers
Systems Analysts
System Designers
The Business Drivers
Warning! Processes are not in place or are not followed!
Warning! Stakeholders not on board! Stakeholders do not take ownership!
Warning! Goals do not match strategic business objectives!
The Technical Drivers
Implementation
Activities
BA, Control Specifications & SDLC
2nd
_____________
Business Analysis, Control Identification
&
Systems Development Life Cycle
Business Analysis / Requirements
Systems Development Life Cycle
If BA / Financial Controls / etc. requirements are
not properly addressed ….
If SDLC best practices are not in place ….
Warning!
For definitions go to http://en.wikipedia.org/wiki/Business_analysis
Typical SW Project
Information Technology
Project Management
Objectives for the Accountant (or manager) responsible for specifications
1. Understand business analysis and systems analysis and relate to scope definition, problem analysis, requirements analysis, logical design, decision analysis phases of SDLC.
2. Understand systems analysis approaches for solving business system problems.
3. Understand scope definition, problem analysis, requirements analysis, logical design, and decision analysis phases in terms of information system building blocks.
4. Understand scope definition, problem analysis, requirements analysis, logical design, and decision analysis phases in terms of purpose, participants, inputs, outputs, techniques, and steps.
Information System Building Blocks
Accommodate Business Strategy
Systems Analysis and Design Processes
Warning! Goals do not match strategic business objectives!
Warning! People are not on board or being properly considered!
Warning! BA, IT Auditing, SDLC, and Project Management processes are not in place!
System Building Blocks from Systems Analysis perspective
What is Systems Analysis ?
Systems analysis: problem-solving technique that decomposes a system into component pieces for studying how well parts work and interact to accomplish purpose. The What, Why & Who
Systems design: problem-solving technique that assembles system’s component pieces into complete system. The How
Information systems analysis: development phases in information systems development project -- primarily focus on business problem and requirements -- independent of technology used to implement solution
Context of Systems Analysis
[Diagram labels: Project Charter; Identify alternate solutions]
Warning! Repository not maintained, understood, and used.
Warning! A SDLC process is not in place.
Requirements Discovery
used by systems analysts to identify system problems & solution requirements from user community
Accountants when the system’s focus is to provide controls
Business Process Redesign
BPR: feature of systems analysis to achieve major business changes
goal: dramatically improve fundamental business processes independent of information technology.
Warning! BPR does not occur prior to new system design – resulting in automating bad processes.
FAST Systems Analysis Phases
Scope: boundaries of project – area of a business that project may address
1. Scope Definition Phase
– Why is project worth considering?
2. Problem Analysis Phase
– Why is new system worth building?
3. Requirements Analysis Phase
– What do users – Accountants - want from new system?
4. Logical Design Phase
– What must new system do?
5. Decision Analysis Phase
– What is best solution?
Scope Definition Phase Terms
Steering body (steering committee): committee of executive business and system managers that studies and prioritizes competing project proposals
Warning! Project Charter (contract) not adequate.
Project charter: final deliverable for preliminary investigation phase; defines the project scope, plan, methodology, standards, etc.
Warning! Steering committee not in place.
Context of Problem Analysis Phase
What is the purpose of this phase?
USERS
Who are involved in this phase?
Key Term of the Problem Analysis Phase
Context Diagram: pictorial model that shows how system interacts with world around it and specifies system inputs and outputs.
[Diagram label: Our System]
Requirements Analysis Phase
[Diagram participants: Project Mgrs., Users]
Context of Logical Design Phase of Systems Analysis
[Diagram participants: Project Mgrs., Users, Builders, Designers, Owners]
Have requirements; now can determine how new system might be implemented to cover all requirements while dealing with technology constraints.
Context of Decision Analysis Phase
Feasibility Matrix
Candidates are compared with each other and ranked.
Warning! A stakeholder attempts to influence the decision by corrupting the data, modifying the weights “arbitrarily”, etc.
Project Management
3rd
_____________
Managing the Project
Managing the Project Portfolio
Need for Organizational Standards
Standards and guidelines help project managers be more effective.
Senior management can encourage:
– use of standard forms and software for project management.
– development and use of guidelines for writing project plans or providing status information.
– creation of a project management office (PMO).
Warning! Expect problems if have no standing Technical Standards Committee.
Warning! Expect problems if standards and guidelines
1) are not defined,
2) practitioners are not trained,
3) standards are not followed.
What Is a Project?
Project: “a temporary endeavor undertaken to create a unique product, service, or result.”
(Operations are work done to sustain the business.)
A project ends when its objectives have been
reached, or the project has been terminated.
Projects can be large or small and take a short or
long time to complete.
Project
1. Has unique purpose
2. Is temporary
3. Is developed using progressive elaboration
4. Requires resources, often from various areas
5. Should have a primary customer or sponsor
• project sponsor provides direction and funding for project
6. Involves uncertainty
Warning! C level management and sponsors don’t understand projects.
Warning! Risk Management Plans not in place
Warning! Domain experts / SMEs / Accountants providing control specs are not engaged
Warning! Management doesn’t support the project
Project Management Framework
Warning! Project does not support strategic plans.
What may prevent enterprise success?
Project Management Perspective necessary to appreciate ROI
[Diagram labels: Development; Operations with Support; $ Benefits; $ Costs; Feasibility; Analysis; Design; Build; Test; Ship; Traditional Focus; All that happens after “project” ends]
Warning! BA & SDLC must utilize best analysis, design, and support processes
Warning! IT Controls must be in place to minimize risk so maximum $ will be made.
Warning! Requirements must be correct so maximum utilization will be achieved by users.
Focus must continue beyond implementation to reap benefits.
Project and
Program Managers
Project managers work with project sponsors, project
teams, and other people involved in projects to meet
project goals.
Program: “A group of related projects managed in a
coordinated way to obtain benefits and control not
available from managing them individually.”*
Program managers oversee programs and often act as
bosses for project managers.
Project Manager
Project Manager: experienced professional responsible for planning, monitoring, and controlling projects with respect to schedule, budget, deliverables, customer satisfaction, technical standards, and system quality.
Warning! Without experienced PM may not include users’ (Accountants’, Managements’, etc.) concerns in system.
Project Management Certification
• PMI provides certification as a Project Management Professional (PMP).
• A PMP has documented project experience, agreed to follow code of ethics, and passed exam.
Warning! Don’t have experienced, certified PMs managing IT Control projects.
Different players, different agendas
Warning! Must identify all stakeholders & understand their agendas!
Project Stakeholders
• Stakeholders are the people involved in or affected by project activities.
• Stakeholders include:
1. Project sponsor (person generally with $$$ and clout)
2. Project manager
3. Accountants, Project team
4. Support staff
5. Customers
6. Accountants, Users
7. Suppliers
8. Opponents to the project: can stop or kill a project
Warning! Stakeholders are not adequately identified and engaged.
War story about Office Paper Recycle Project stakeholders
Another war story about HR Admin system stakeholders
Importance of Top Management Commitment
top management commitment: key factor for project success.
Warning! Management not committed to project
Top management must help project managers
– Secure adequate resources.
– Get approval for unique project needs in timely manner.
– Receive cooperation from people throughout organization.
– Learn how to be better leaders.
Need for Organizational Commitment to IT
Warning! CIO not at high level in company
Warning! IT issues not standing agenda item for Board of Directors
• If the organization has a negative attitude toward IT, difficult for IT project to succeed
• Chief Information Officer (CIO) at a high level in organization helps IT projects
• Assigning non-IT people to IT projects: more commitment
Warning! Few non-IT people on the project
Level of Activity and Overlap of Project Process Groups Over Time
Must understand Iterative Elaboration nature of systems projects.
Warning! Project team does not address all groups in integrated fashion.
Nine Project Management Knowledge Areas
• Knowledge areas describe the key competencies that project managers must develop.
– Four core knowledge areas lead to specific project objectives (scope, time, cost, and quality).
– Four facilitating knowledge areas are the means through which the project objectives are achieved (human resources, communication, risk, and procurement management).
– One knowledge area (project integration management) affects and is affected by all of the other knowledge areas.
Warning! Project plan and execution do not address all knowledge areas.
Warning! Project integration management not understood & followed.
PM Capability Maturity Model (CMM)
Lack of Maturity of enabling processes such as Auditing (financial & IT), Control identification, BPM, BA, SDLC, PM will be detrimental, increase risks, and reduce competitive ability.
[Diagram labels: Low risk; High risk; Very competitive; Not competitive]
Warning! Low CMM rating: a big red flag!
Warning! Low CMM rating: higher costs, lower quality, more time
Project Success Factors
1. Executive support
2. Accountant & User involvement
3. Experienced project manager
4. Clear business objectives
5. Minimized scope
6. Standard software infrastructure
7. Firm basic requirements
8. Formal methodology
9. Reliable estimates
10. Other criteria, such as small milestones, proper planning, competent staff, buy-in and ownership, and clear communications
Warning! Without these success factors internal controls and necessary features may not be included.
Suggested Skills for Project Managers
• Project managers need a wide variety of skills.
• They should
– Be comfortable with change.
– Understand the organizations they work in and with.
– Lead teams to accomplish project goals.
Warning! Project manager does not understand the business, are not leaders.
Project Manager Skills
1. Communication skills: Listens, persuades.
2. Organizational skills: Plans, sets goals, analyzes.
3. Team-building skills: Shows empathy, motivates,
promotes esprit de corps.
4. Leadership skills: Sets examples, provides vision (big
picture), delegates, positive, energetic.
5. Coping skills: Flexible, creative, patient, persistent.
6. Technology skills: Experience, project knowledge.
Sample Gantt Chart
Work Breakdown Structure showing all tasks of project
Warning! All tasks not completely identified.
Ethics in Project Management
1. Ethics - important part of all professions.
2. Project managers often face ethical dilemmas.
3. In order to earn PMP certification, applicants must
agree to the PMP code of professional conduct.
4. Several questions on the PMP certification exam are
related to professional responsibility, including ethics.
Warning! Have concerns that project is executed ethically.
Project Management Office (PMO)
• responsible for developing, coordinating, promoting, and supporting project management function throughout organization.
• Possible goals include:
1. Collect, organize, and integrate project data for entire organization.
2. Develop and maintain templates for project documents.
3. Develop or coordinate training in various project management topics.
4. Develop and provide a formal career path for project managers.
5. Provide project management consulting services.
6. Provide a structure to house project managers while they are acting in those roles or are between projects.
Warning! PMO not in place or is not effective.
How was the computer based control system developed?
by following and using
[Diagram: The enterprise with its many processes guided by GAAP, ISACA, industry standards and best practices. Surrounding labels: BPM, BPI best practices; BA & SDLC best practices; PM, PPM best practices.]
If not followed
- Warning!
Ask yourself –
Would we want professionals trained in Project Management
to manage a major compliance implementation?
[Diagram labels: Existing internal controls (if any); Develop an understanding of existing internal controls; Existing internal controls (if any) as we understand; Create internal controls that accommodate SOX; SOX “compliant” internal controls; Continuous compliance improvement]
To have adequate IT systems and controls
Managers, Financial Auditors, Users & IT Auditor should insist on
Business Process Best Practices
Business Analysis Best Practices
System Development Life Cycle Best Practices
Project Management Best Practices
Managers, Financial Auditors, users on project teams,
and IT auditor must ensure that controls were built-in
by being on the look-out for
To increase the quality of systems
require the certification of those
• specifying the controls: CISA, CISM, CGEIT, CRISC, CPA
• capturing the specifications: CBAP
• designing the systems: various technology specific certifications (MS, Oracle, IBM, etc.)
• managing the project: PMP
Financial Auditors, Users, & IT auditors specifying requirements
should be on the look-out for warnings so IT systems and
controls will be implemented following Best Practices.
[Diagram labels: The Enterprise; business processes; BPM, BPI best practices; BA & SDLC best practices; PM, PPM best practices; GAAP, etc.; ISACA, etc. industry standards]
Thank you!
Questions?
These slides are available.
To receive a copy send an email to
pcrigler@uab.edu
with subject line “ISACA presentation”