What is Your Confidence Level that Controls are in Place in automated (or manual) applications? Integration of BA, BPM, SDLC, PM What are Accountants’ roles regarding establishing controls? • Business Analysis (subject matter experts  SMEs) • Business Process Management • System Development Life Cycle • Project Management Who are the SMEs in developing financial control requirement? Necessary! Must understand & consciously integrate activities of Financial Auditing / IT Auditing Business Analysis (BA) Business Process Management / Improvement (BPM / BPI) System Development Life Cycle (SDLC) Project Management (PM) Accountant (SME) Strategic Goals control specs BPM BA, SDLC PM Owner, User, SME Specification, Business Analysis Business Process Management Project Management Project initiation, Requirements identification, Work definition, and Task assignment User specifications, Systems Analysis & Project Management Project Management & Expert Knowledge Project Management & Expert Knowledge Project Management & Expert Knowledge Information Technology Project Management, Fifth Edition, Copyright 2007 Some background info / examples Double entry accounting Paccioli, 1494 The control? Debits and Credits must balance Processes must be defined & corrected prior to automating Automated financial systems 1950s – 1960s Problems Specifications – Not what users needed Errors – Processes not understood Bugs in the code Controls – Missing or ignored Enron, HealthSouth, Sub-prime loans (1986-87 loan approval expert system.) Desire  Adequate, error free system with necessary controls Warnings when acquiring Business (or any) IT Systems Warning! Managers / IT auditors / Users specifying requirements must recognize when automated controls are not present Are business process improvement (BPI) best practices Warning! accounting best practices business analysis, system development life cycle (SDLC) best practices project management (PM) best practices addressed during development of the system? Are BEST PRACTICES followed during development? If not, great likelihood controls not in place, user needs not covered Warning! Thoughts from IT Auditors, Forensic Accountants, Ivar Jacobson’s The Object Advantage Whitten, Bentley, & Dittman authors of Systems Analysis & Design Methods Kathy Schwalbe author of IT Project Management PMI, A Guide to the Project Management Body of Knowledge and my experiences Paul Crigler UAB Department of Management, Information Systems, & Quantitative Methods IS and MBA-IT instructor Losing control (and money) due to • • • • • Finagling the facts Violating the rules Stealing Incorrect / Invalid reporting Processes or process steps that are NOT correct or are NOT followed or are NOT automated Must understand Level of Activity and Overlap of Project Iterative Elaboration Process Over Time nature ofGroups systems projects Warning! Project team does not address all groups in integrated fashion 58 Nine Project Management Knowledge Areas Warning! • Knowledge areas describe the keyplan competencies that Project and execution project managers must develop not address all knowledge areas – Four core knowledge areas lead to specific project objectives (scope, time, cost, and quality ) – Four Warning! facilitating knowledge areas are the means through which the project objectives are achieved (human resources, Project integration communication, risk, and procurement management ) management not understood & followed – One knowledge area (project integ ration management) affects and is affected by all of the other knowledge areas 59 PM Capability Maturity Model (CMM) Lack of Maturity of Warning! enabling Low risk processes such as Low CMM(financial rating Auditing & IT), Control identification,  a big red flag! BPM, BA, SDLC, PM will be detrimental, increase High riskreduce risks, and competitive ability Very competitive Warning! Not competitive Low CMM rating higher costs lower quality more time Project Success Factors Executive support Firm basic Accountant & User requirements involvement Formal methodology Experienced project Reliable estimates manager 10 Other criteria, such Clear business Warning!as small milestones, objectives proper planning, Minimized scopeWithout these success competent staff, buyfactors in and ownership, and internal controls and Standard software necessary features infrastructure may not be included.clear communications 61 Suggested Skills for Project Managers • Project managers need a wide variety of skills Warning! • They should Project manager – Be comfortable with change does not understand the business, not leaders – Understand the organizations theyarework in and with – Lead teams to accomplish project goals 62 Project Manager Skills Communication skills: Listens, persuades Organizational skills: Plans, sets goals, analyzes Team-building skills: Shows empathy, motivates, promotes esprit de corps Leadership skills: Sets examples, provides vision (big picture), delegates, positive, energetic Coping skills: Flexible, creative, patient, persistent Technology skills: Experience, project knowledge 63 Sample Gantt Chart Work Breakdown Structure showing all tasks of project Warning! All tasks not completely identified 64 Ethics in Project Management Ethics - important part of all professions Project managers often face ethical dilemmas In order to earn PMP certification, applicants must agree to the PMP code of professional conduct Several questions on the PMP certification exam are related to professional responsibility, including ethics Warning! 65 Have concerns that project is executed ethically Project Management Office (PMO) • responsible for developing, coordinating, promoting, and supporting project management function throughout organization • Possible goals include: Collect, organize, and integrate project data for entire Warning! organization Develop and maintain templates for project documents PMO not in Develop or coordinate training in various project management place or is topics not effective Develop and provide a formal career path for project managers Provide project management consulting services Provide a structure to house project managers while they are acting in those roles or are between projects 66 How was the computer based control system developed? by following and using BPM, BPI The enterprise with best its many processes practices BA guided by GAAP, ISACA, & SDLC industry standards and PM, PPM best best bestpractices practices practices If not followed - Warning! Ask yourself – Would we want professionals trained in Project Management to manage a major compliance implementation? Existing internal controls (if any) Develop an understanding of existing internal controls Existing internal controls (if any) as we understand SOX “compliant” internal controls Continuous compliance improvement Create internal controls that accommodate SOX To have adequate IT systems and controls Managers, Financial Auditors, Users & IT Auditor should insist on Business Process Best Practices Business Analysis Best Practices System Development Life Cycle Best Practices Project Management Best Practices Managers, Financial Auditors, users on project teams, and IT auditor must insure that controls were built-in by being on the look-out for To increase the quality of systems require the certification of those • specifying the controls  CISA, CISM, CGEIT, CRISC, CPA • capturing the specifications  CBAP • designing the systems  various technology specific certifications (MS, Oracle, IBM, etc.) • managing the project  PMP Financial Auditors, Users, & IT auditors specifying requirements should be on the look-out for warnings so IT systems and controls will be implemented following Best Practices The Enterprise BPM, BPI business best processespractices GAAP, BA etc & SDLC best practices PM, PPM best practices ISACA, etc industry standards Thank you! Questions? These slides are available To receive a copy send an email to pcrigler@uab.edu with subject line “ISACA presentation”