What is
Your
Confidence Level that
Controls are in Place
in automated
(or manual)
applications?


Integration of BA, BPM, SDLC, PM
What are Accountants’ roles
regarding establishing controls?
• Business Analysis (subject matter experts 
SMEs)
• Business Process Management
• System Development Life Cycle
• Project Management


Who are the SMEs
in developing
financial control
requirement?


Necessary!
Must understand & consciously integrate activities of
Financial Auditing / IT Auditing
Business Analysis (BA)
Business Process Management / Improvement (BPM / BPI)
System Development Life Cycle (SDLC)

Project Management (PM)


Accountant
(SME)

Strategic
Goals

control
specs

BPM

BA,
SDLC

PM


Owner, User, SME Specification,
Business Analysis
Business Process Management
Project Management

Project initiation, Requirements identification,
Work definition, and Task assignment

User specifications, Systems Analysis & Project Management


Project Management & Expert Knowledge

Project Management & Expert Knowledge

Project Management & Expert Knowledge

Information Technology Project Management, Fifth Edition, Copyright
2007

6


Some background info / examples.

Double entry accounting. Paccioli, 1494.
The control? Debits and Credits must balance.
Processes must be defined & corrected prior to automating
Automated financial systems 1950s – 1960s
Problems
Specifications – Not what users needed.
Errors – Processes not understood. Bugs in the code.
Controls – Missing or ignored.
Enron, HealthSouth, Sub-prime loans.
(1986-87 loan approval expert system.)
Desire  Adequate, error free system with necessary controls


Warnings when acquiring Business
(or any) IT Systems


Warning!

Managers / IT auditors / Users specifying requirements must
recognize when automated controls are not present.
Are
business process improvement (BPI) best practices
Warning!
accounting best practices
business analysis, system development life cycle (SDLC) best
practices
project management (PM) best practices
addressed during development of the system?
Are BEST PRACTICES followed during development?
If not, great likelihood controls not in place, user needs not
covered.

Warning!


Thoughts
from
IT Auditors, Forensic Accountants,
Ivar Jacobson’s The Object Advantage
Whitten, Bentley, & Dittman authors of Systems Analysis & Design Methods
Kathy Schwalbe author of IT Project Management
PMI, A Guide to the Project Management Body of Knowledge

and my experiences.

Paul Crigler

UAB Department of Management, Information Systems, & Quantitative Methods
IS and MBA-IT instructor


Losing control (and money)
due to
•
•
•
•
•

Finagling the facts
Violating the rules
Stealing
Incorrect / Invalid reporting
Processes or process steps that are NOT
correct or are NOT followed or are NOT
automated


!!!
• We must be aware of and understand the integration
of
•
•
•
•
•


Business Process Management
Financial Audit / IT Audit / Forensics
Business Analysis methods
Systems Development methods
Project Management techniques

• and their best practices


Financial Statement
Unaudited

IT Audit
within the Audit Process
(1st three steps applicable when
developing or acquiring an
information system)

Etc.

Understand
the Company

Evaluate Fraud Risk
Factors disclosed by
Internal Control
1. Complete review
2. Submit Financial Statement
draft for review


Identify
Significant Processes

Develop Final Risk Assessment

Financial Statement
Audited
Etc.

Understand Internal
Controls

3. Issue Financial Statements


How was automated control
system developed?
BPM, BPI
The enterprise with
best
its many processes
practices
BA,

guided by GAAP, ISACA,
SDLC
industry
standards and
PM, PPM
best

best
bestpractices.

practices

practices


How are controls originated?
• Who establishes the business rules?
• Who defines the processes?
• Who defines the controls?
• Who are responsible for controls?


When Processes are Automated
Who defines the controls (and the processes)?
Accountants, Operation Managers, Process
Engineers, etc. - using BPM, BA best practices
Who analyzes, designs, builds computer system?
Business and Systems Analysts, Designers,
Programmers - using SDLC best practices
Who insures project is executed on time, within
budget, completely and with quality?
Project Managers, Project Portfolio Managers
-using PM, PPM best practices


Verifying
• What is the evidence automated controls are

not in place?
• Will discrepancies indicate?
• Will tests?
– Debits vs. Credits?
– Raw material in vs. finished goods out?
– Through-put. Others?

• What indicates that BPM, BA,
SDLC, PM best practices were
followed?


Which is Best?

Testing in?
Building in?
US automakers of 1970s?
Japanese automakers in 1970s?


Build quality into automated
control systems
using
BPM, BPI
The
enterprise with
best
BA,
its many processes
practices

SDLC
guided by GAAP, ISACA,
best
PM, PPM
industry
standards practices
best
bestpractices.
practices


Business Process Management
1st
___________
Business Process Management
Business Process Improvement
(BPM, BPI)


Some Major Processes
1.
2.
3.
4.
5.
6.
7.
8.

Cash receipts

Cash disbursements
Revenues and Accounts Receivables
Procurement / Accounts Payable
Payroll / Human Resources
Financial Statement Close Process
Information Technology
Other Processes Specific to the Business
and its Industry


Process Evaluation Criteria
Speed
Reliability
Integration
Flexibility
Security

Are the processes generating the specified
outputs in a timely manner?
Are the business processes consistent?
Is up to date information available to the
right people?
Do the business processes integrate all the
necessary components seamlessly?
Do the processes link all the required data
feeds?
Are the processes capable of absorbing
changes initiated by the environment?
Are the processes equipped with the proper
security features capable of protecting

confidential client information?
Is information authentic and reliable?


Activities of business process improvement project
Envisioning

Model of the Existing Business
Envisioning
Reengineering
Directive

Strategy

Customer
Demands

Understanding the
existing business

Bench–
marking

Objective
Specification
(vision of future,
the new company)


Business process improvement

Rebuilding
Business Process Redevelopment

Reversing the
Existing Business
Reengineering
Directive

Envisioning

“as-is”

Engineering the
New Business
“to-be”

Objective
Specification
(vision of future,
the new company)

Installing the
New Business

The reengineered
Corporation (the
documentation)

The Model –
the redesigned

process(es) for
the New Business


Business process improvement
Continuous Improvement
Business Process Reengineering project
Reversing the
Existing Business
Reengineering
Directive

“as-is”

Envisioning

Engineering the
New Business
“to-be”

No
Yes
Radical Δ ?
(Radical change?)

?

Installing the
New Business


The reengineered
Corporation (the
documentation)

Improvements


Enterprise Applications
• Virtually all organizations require a core set
Warning!
of enterprise applications
– Financial mgmt, human resources, sales, etc.
purchased (COTS – commercial off the

Integration of
– Frequently
components
– a major
source
shelf)
of concern

– Frequently need to have custom elements added

• Systems Integration  process of
building
Warning!
unified information system out of diverse
COTS –
components

 purchased software, custom-built
hardware, and networking.

squeezing size
software,
10 foot into size
4 shoe