What is Your Confidence Level that Controls are in Place in automated (or manual) applications?
Integration of BA, BPM, SDLC, PM
What are Accountants’ roles regarding establishing controls?
• Business Analysis (subject matter experts, SMEs)
• Business Process Management
• System Development Life Cycle
• Project Management
Who are the SMEs in developing financial control requirements?
Necessary!
Must understand & consciously integrate activities of
Financial Auditing / IT Auditing
Business Analysis (BA)
Business Process Management / Improvement (BPM / BPI)
System Development Life Cycle (SDLC)
Project Management (PM)
[Diagram labels: Accountant (SME); Strategic Goals; control specs; BPM; BA, SDLC; PM]
Owner, User, SME Specification,
Business Analysis
Business Process Management
Project Management
Project initiation, Requirements identification, Work definition, and Task assignment
User specifications, Systems Analysis & Project Management
Project Management & Expert Knowledge
Information Technology Project Management, Fifth Edition, Copyright 2007
Some background info / examples.
Double-entry accounting. Pacioli, 1494.
The control? Debits and Credits must balance.
Processes must be defined & corrected prior to automating
Automated financial systems 1950s – 1960s
Problems
Specifications – Not what users needed.
Errors – Processes not understood. Bugs in the code.
Controls – Missing or ignored.
Enron, HealthSouth, Sub-prime loans.
(1986-87 loan approval expert system.)
Desire: an adequate, error-free system with the necessary controls
Warnings when acquiring Business (or any) IT Systems
Warning! Managers / IT auditors / Users specifying requirements must recognize when automated controls are not present.
Warning! Are
• business process improvement (BPI) best practices
• accounting best practices
• business analysis, system development life cycle (SDLC) best practices
• project management (PM) best practices
addressed during development of the system?
Warning! Are BEST PRACTICES followed during development? If not, great likelihood controls not in place, user needs not covered.
Thoughts from IT Auditors, Forensic Accountants,
Ivar Jacobson’s The Object Advantage
Whitten, Bentley, & Dittman authors of Systems Analysis & Design Methods
Kathy Schwalbe author of IT Project Management
PMI, A Guide to the Project Management Body of Knowledge
and my experiences.
Paul Crigler
UAB Department of Management, Information Systems, & Quantitative Methods
IS and MBA-IT instructor
Losing control (and money) due to
• Finagling the facts
• Violating the rules
• Stealing
• Incorrect / Invalid reporting
• Processes or process steps that are NOT correct or are NOT followed or are NOT automated !!!
• We must be aware of and understand the integration of
  • Business Process Management
  • Financial Audit / IT Audit / Forensics
  • Business Analysis methods
  • Systems Development methods
  • Project Management techniques
• and their best practices
IT Audit within the Audit Process
(1st three steps applicable when developing or acquiring an information system)
[Flowchart labels: Financial Statement (Unaudited); Understand the Company; Evaluate Fraud Risk Factors disclosed by Internal Control; Identify Significant Processes; Develop Final Risk Assessment; Understand Internal Controls; Etc.; 1. Complete review; 2. Submit Financial Statement draft for review; 3. Issue Financial Statements; Financial Statement (Audited)]
How was automated control system developed?
• BPM, BPI best practices
• BA, SDLC best practices
• PM, PPM best practices
The enterprise with its many processes guided by GAAP, ISACA, industry standards and best practices.
How are controls originated?
• Who establishes the business rules?
• Who defines the processes?
• Who defines the controls?
• Who is responsible for controls?
When Processes are Automated
Who defines the controls (and the processes)?
Accountants, Operation Managers, Process Engineers, etc. - using BPM, BA best practices
Who analyzes, designs, builds computer system?
Business and Systems Analysts, Designers, Programmers - using SDLC best practices
Who ensures project is executed on time, within budget, completely and with quality?
Project Managers, Project Portfolio Managers - using PM, PPM best practices
Verifying
• What is the evidence automated controls are
not in place?
• Will discrepancies indicate?
• Will tests?
– Debits vs. Credits?
– Raw material in vs. finished goods out?
– Through-put. Others?
• What indicates that BPM, BA, SDLC, PM best practices were followed?
Which is Best?
Testing in?
Building in?
US automakers of 1970s?
Japanese automakers in 1970s?
Build quality into automated control systems using
• BPM, BPI best practices
• BA, SDLC best practices
• PM, PPM best practices
The enterprise with its many processes guided by GAAP, ISACA, industry standards, best practices.
Business Process Management
1st
Business Process Management
Business Process Improvement
(BPM, BPI)
Some Major Processes
1. Cash receipts
2. Cash disbursements
3. Revenues and Accounts Receivables
4. Procurement / Accounts Payable
5. Payroll / Human Resources
6. Financial Statement Close Process
7. Information Technology
8. Other Processes Specific to the Business and its Industry
Process Evaluation Criteria
Speed
Reliability
Integration
Flexibility
Security
Are the processes generating the specified outputs in a timely manner?
Are the business processes consistent?
Is up to date information available to the right people?
Do the business processes integrate all the necessary components seamlessly?
Do the processes link all the required data feeds?
Are the processes capable of absorbing changes initiated by the environment?
Are the processes equipped with the proper security features capable of protecting confidential client information?
Is information authentic and reliable?
Activities of business process improvement project
[Diagram: Business process improvement. Labels: Envisioning; Model of the Existing Business; Reengineering Directive; Strategy; Customer Demands; Understanding the existing business; Benchmarking; Objective Specification (vision of future, the new company)]
Rebuilding
Business Process Redevelopment
[Diagram: Business process improvement. Labels: Reversing the Existing Business; Reengineering Directive; Envisioning; “as-is”; Engineering the New Business; “to-be”; Objective Specification (vision of future, the new company); Installing the New Business; The reengineered Corporation (the documentation); The Model – the redesigned process(es) for the New Business]
Continuous Improvement
Business Process Reengineering project
[Diagram labels: Reversing the Existing Business; Reengineering Directive; “as-is”; Envisioning; Engineering the New Business; “to-be”; decision: Radical Δ? (Radical change?) with No / Yes branches; Installing the New Business; The reengineered Corporation (the documentation); Improvements]
Enterprise Applications
• Virtually all organizations require a core set of enterprise applications
  – Financial mgmt, human resources, sales, etc.
  – Frequently purchased (COTS – commercial off the shelf)
  – Frequently need to have custom elements added
• Systems Integration – process of building unified information system out of diverse components: purchased software, custom-built software, hardware, and networking.
Warning! Integration of components – a major source of concern
Warning! COTS – squeezing size 10 foot into size 4 shoe