- What are the key components of SAP change management controls you would expect the auditor to review? Why?
- In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
- How have you seen change management work in your organization? What improvement recommendations do you have?
- In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
Comments
Sean Patrick Walsh says
3. How have you seen change management work in your organization? What improvement recommendations do you have?
Change management was always put out in a policy directive first. From there training was coordinated to capture all personnel so they were made formally aware of the change(s) being implemented. After the training time period was over there normally would be some re-training for certain areas or personnel who were closer to the changes and might be having a difficult time adapting to or carrying out the changes.
I’ve seen a lot of change over my military career. The simplest thing that I think would improve change management would be conveying the reasoning behind the change(s). Many times changes were put in place, and training was conducted to highlight the changes themselves, but very little was ever explained as to the why of the changes. I think a lot of the push back to change comes from a place of not fully understanding why changes are made, or the importance of the changes being made. Also, empowering people to be a part of change management can go a long way too. When people feel a part of the decisions regarding the changes being made they feel valued, and feeling valued helps lay a smooth transition for change, or at least smoother than without valued employees.
Victoria A. Johnson says
Nice post Sean! I agree that being involved in change management decisions will definitely make employees feel more involved and a part of something. Change requires employees to do their job differently so open communication and involvement is definitely crucial in helping the transition of change for employees.
Wenlin Zhou says
Great example, the employee training is important after the changing management. Explaining why those processes change is good for employees to fully understand. People can feel a part of the decisions in terms of the changes being made, so they feel valued. Explaining detailed changes for different specific positions is good for employee understanding and for mastering the changes.
Joshua Tarlow says
Couldn’t agree more about employee involvement in this process. I’ve found that people always respond better when they have more information. Important for everyone to understand what is happening and why so that it does not seem superfluous. Reasons behind some decisions may not be obvious, but could be valid and employees would not know without an explanation. Can help to prevent unnecessary friction and tension. People also feel better when they perceive they are part of the process and are considered when decisions are made.
Jaspreet K. Badesha says
Hi Sean,
This is a very very good post. I particularly like the fact that you stated ‘Many times changes were put in place, and training was conducted to highlight the changes themselves, but very little was ever explained as to the why of the changes’. This happens in many organizations and causes a big gap in the process and acceptance of the changes. This also occurs in my organization where we are told that changes need to be made but they are not discussed or explained to the point where everyone implementing the change or having to deal with the change understands. We also have a hard time documenting ‘change requests’ as they happen in hallway conversations and are not always recorded or do not have a ‘business owner’ who is requesting it. This can cause a lot of frustration for employees and management when the concepts of these changes are not understood or implemented accurately because of lack of information.
Priya Prasad Pataskar says
Great post Sean. Jaspreet, I particularly liked the point regarding documentation of change. I could not agree more with this statement. Documentation is something that is missed as there is a lot of pressure for implementation. Generally while change is taking place the pressure of SLA breach is much more and people tend to give less importance to documentation.
The solution to this problem could be implementing strict controls in change management tool. Change tickets must be tracked and with every status change control must ensure client to document the change. Change must also be approved and the approval must be captured in the documentation.
Paul M. Dooley says
I definitely think most of us are on the same page here. Involving the employee is a critical function to ensuring change management processes are being followed, but more importantly, why they are to be followed so they have an understanding of the critical nature of the requests. It’s very easy for employees to get bogged down in their day to day activities and view any additional workload as an inconvenience and understand the true impact and why in fact it is being rolled out. Also, for the importance of training to get employees awareness up to speed, I would go as far as to do its best to make it an interactive training to ensure people are paying attention and not just checking a box stating that it’s been done.
Sean Patrick Walsh says
4. Next week we have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
I would like to know how does an auditor build trust with those closest to the process areas where fraud can take place. Is it wise for an auditor to question employees directly with hypothetical questions of how and where would they commit fraud if possible? Also, how does an auditor go about recommending changes to controls in a way that increases the buy-in for the recommendations? Is it recommended when errors are discovered that auditors help employees correct them before the audit is complete? How do you go about documenting errors in audits without harming relationships with the employees you audit so future audits aren’t affected by lack of assistance from those employees?
Brou Marie Joelle Alexandra Adje says
4. Next week we have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
Are there typical questions (the right questions), auditors always ask clients?
What are the biggest challenges in this profession?
What is their relationship with their audit committee? How often do they meet?
How do they maintain relationships with clients?
What advice can they give us as students out of college starting their career in audit?
Wenlin Zhou says
What are the key components of SAP change management controls you would expect the auditor to review? Why?
1. Review of SAP changes: The team that reviews SAP change management requests is typically the senior SAP stalwarts that include Architects or Team Leads. They do many tasks including supporting the original design and impact assessment of a given change. Equally though, they are often involved in the technical or functional review of the change once complete.
2. Approval of SAP changes: Clearly, somebody needs to approve each change and this will sometimes include, if not be, the people performing the review above. We estimate every change made in a SAP system involves up to 20 people and 40 individual e-mails – clogging up inboxes and eating away at valuable time. The typical SAP change process involves e-mails flying around requesting approval to migrate changes to the test systems. All highly manual, heavily reliant upon people, de-centralised and very, very time consuming.
3. Deployment of SAP changes for testing: More e-mails fly around requesting the physical import into the test system. It is usually the job of the SAP Basis Administration team to perform the actual deployment. And of course, this job cannot be passed to the development or applications teams.
4. Testing of SAP changes: Once SAP changes have been deployed, the testing team is either last to find out about it or communication is carried out manually. Not only that, but testers barely have any control over the changes being deployed which can often invalidate their current rounds of testing.
5. Approval of SAP changes for production: This is the same as the previous approval point with a number of various scenarios including whether a pre-production system may exist, requiring an additional round of testing. And, there might be a whole host of different tasks done to decide whether to grant approval. Other, concurrent projects may be waiting on these changes and dependencies must be understood. Sequencing is therefore critical and a more in-depth investigation might be needed before approval is given. Also, at this point, understanding the risk level of a given change is crucial.
6. Deployment of SAP changes to Production: This is the same set of tasks performed during deployment to the testing systems. Just much more critical to the business – the deployment into mission critical SAP systems must be managed much more carefully than deployment into earlier test systems.
7. Deployment of Production Support changes to Project Streams
http://www.basistechnologies.com/7-steps-to-automation-SAP-change-control-processes-and-release-management-tools
Abhay V Kshirsagar says
Just to add more about security evaluation. There should be an evaluation to determine who is authorized to do what. For example, as develop changes, approve testing of changes and authorize a particular change into production or even have employees having access to systems to make changes.
And of course, all this should be compared with the predefined change policy of the organization.
Wenlin Zhou says
Thanks Abhay, I add some points for security.
Secure Collaboration
Secure Process and People Collaboration: Maintain security of processes and collaboration using the security capabilities of automated business processes and document exchanges
Identity and Access Management
User and Authorization Management: Manage IT users, authorizations, and authentication
Administration Concept: Securely administer all aspects of solution operations
Infrastructure Security
Network, System, Database, and Workstation Security: Establish and maintain the security of all infrastructure components
Software Lifecycle Security
Secure Application Lifecycle: Securely develop and maintain the code base of standard and custom business applications
Secure Configuration: Establish and maintain a secure configuration of standard and custom business applications
Secure Support: Resolve software incidents securely
Monitoring and review tools
Security-related information should be monitored and reviewed as close to real-time as possible using intrusion detection systems. Configuration and authorization settings should also be verified on a periodic basis, for example, using the SAP Security Optimization Service.
Said Ouedraogo says
Next week we have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
What is the expected timeline for an audit?
Can the auditors assist with the implementation of their recommendations?
What are typical fraud questions?
How do the auditors gain an understanding of the industry or a specific business?
What tasks or assistance is the auditor prohibited from completing that would impair their independence?
Wenlin Zhou says
In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
A blueprint is a set of page templates with added functionality to help you create, manage and organise content in Confluence more easily.
Blueprints and Design Documents: As with all facility projects, design documents that are completed by the architect represent a great deal of general and specific information that is communicated to the contractor. At various times during design, the administrator and the rest of the design team review these design documents to make sure everything is going as planned. These documents are called blueprints. They can be a drawing of a particular part of the project or can be integrated and overlap with other sections of the blueprints. Blueprints become more individualized as the size of the project increases. Larger projects also require more pages and detailed sections that depict all the elements of the facility. Design documents cover all areas of a project, including the demolition or preparation, site, structural, mechanical, electrical, landscape, and other design documents.
http://www.humankinetics.com/excerpts/excerpts/understanding-of-blueprints-design-documents-a-must-for-recreational-facility-managers
Wenlin Zhou says
Next week we have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
What is the working timeline for an auditor?
What is the relationship between the IT auditing and cybersecurity?
What technological skills should be obtained for an IT auditor?
What are typical questions in your auditing process?
Victoria A. Johnson says
Next week we have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
1. What is the biggest challenge that the company or audit department has gone through?
2. What is your advice for a graduate student with very little experience in auditing when it comes to finding a job in the auditing field?
3. What is the most difficult part of auditing for you?
Magaly Perez says
I believe the key components of SAP change management controls that an auditor should review are as follows:
• Change Management Process documentation such as Policies and Procedures
• Change management processes such as:
  o Change request application
  o Development policies
  o Testing and acceptance
  o Deployment process
  o Change management compliance
  o Emergency change management plan
  o Authorization to production
• Security assessment
  o Segregation of Duties: who is authorized to do what: develop, change, approve testing of changes, authorize a change into production, classify changes, etc.
Overall, I believe if an auditor can follow these key components they will be able to effectively audit SAP change management controls.
Paul Linkchorst says
3. How have you seen change management work in your organization? What improvement recommendations do you have?
Unfortunately, my experiences with change management have been limited. I have not had any experience with the change management process with the organizations that I have worked with. However, I have experienced the audit of an organization for its IT general controls, which consisted of change management as part of the scope of the audit. For this audit the company’s change management process was quite simple, they were not responsible for the changes. The organization used a series of applications which included financial management, business management, workforce management, and business intelligence as part of their financial and operational functions. This organization completely relied on changes made from the developers of the applications that they use and made no changes to the code themselves.
From an audit standpoint, it was still important to test this control. Therefore, we requested that the organization provide a confirmation from the application developers that the company did not have access to the source code of the program. Likewise, it was verified that policies and procedures were in place to identify when new changes were available, if approvals were made for changes, if testing in the test environment was performed prior to implementation, and if changes were monitored by appropriate personnel. Since the developers were from outside the company, segregation of duties was mitigated easily. However, since it was developers outside the organization, proper authentication controls and access controls were a much higher priority. While I was only a part of the walkthrough portion of this audit and am unaware of if any findings were made, I think that the change management process the organization had in place properly mitigated the risks identified.
Paul Linkchorst says
1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
Change management is the process of making sure changes to a system are properly managed to reduce the risks of actions such as unauthorized access to business processes, unintended side effects to changes in code, inability to respond to emergency changes and much more. Since change management is essentially making sure that the changes in the program (code) don’t fall to those risks, it is extremely important to make sure the policies and procedures are appropriately mitigating the risks. Since change management applies to any application/program, it therefore applies to SAP as well.
Therefore, some of the key components that I would expect an auditor to review are as follows:
• Monitoring of changes: How are the changes to SAP system tracked and recorded? Likewise, how often are the change logs reviewed to make sure that unauthorized changes have been made?
• Approval process for changes: Who is responsible for reviewing and approving changes to the SAP system? This should include who approves the initial change to be made and who gives final approval for the change to be made into the SAP system after it has been tested.
• Testing prior to implementation: What is the process of testing changes prior to implementation into the SAP system? How are changes tested prior to implementation?
• Segregation of Duties: Are the duties segregated for those creating the changes, those reviewing the changes, and the end users?
• Policy and process for emergency changes: What are the differences in the policies and procedures for changes that would be classified as emergency changes?
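The review points in the comment above (approval before production, testing prior to implementation, segregation of duties, separate handling of emergency changes) can be checked mechanically against a change log. The following Python is an added example and not part of the original comment; the record fields, finding names, sample log and the 24-hour emergency approval window are assumptions constructed for illustration, not SAP objects or any organization's policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed policy value: an emergency change may be approved after the
# production import, but only within this window.
EMERGENCY_APPROVAL_WINDOW = timedelta(hours=24)


@dataclass
class ChangeRecord:
    """One change as it might be exported from a ticketing tool (hypothetical schema)."""
    change_id: str
    developer: str
    reviewer: Optional[str]
    tested_at: Optional[datetime]
    prod_approver: Optional[str]
    prod_approved_at: Optional[datetime]
    prod_imported_by: str
    prod_imported_at: datetime
    emergency: bool = False


def audit_change(rec: ChangeRecord) -> List[str]:
    """Return the control exceptions found for a single change."""
    findings: List[str] = []

    # Segregation of duties: the developer must not review, approve or
    # deploy their own change.
    if rec.reviewer is None:
        findings.append("NO_REVIEWER")
    elif rec.reviewer == rec.developer:
        findings.append("SOD_SELF_REVIEW")
    if rec.prod_approver == rec.developer:
        findings.append("SOD_SELF_APPROVAL")
    if rec.prod_imported_by == rec.developer:
        findings.append("SOD_DEVELOPER_IMPORT")

    # Testing prior to implementation (emergency changes may be tested afterwards).
    if rec.tested_at is None:
        findings.append("NO_TEST_EVIDENCE")
    elif rec.tested_at > rec.prod_imported_at and not rec.emergency:
        findings.append("TESTED_AFTER_IMPORT")

    # Approval must be recorded, and must precede the import unless the
    # change is an emergency approved within the allowed window.
    if rec.prod_approver is None or rec.prod_approved_at is None:
        findings.append("NO_PROD_APPROVAL")
    elif rec.prod_approved_at > rec.prod_imported_at:
        delay = rec.prod_approved_at - rec.prod_imported_at
        if not rec.emergency:
            findings.append("APPROVED_AFTER_IMPORT")
        elif delay > EMERGENCY_APPROVAL_WINDOW:
            findings.append("EMERGENCY_APPROVAL_LATE")

    return findings


def audit_log(records: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Map change_id -> findings, listing only changes with exceptions."""
    report: Dict[str, List[str]] = {}
    for rec in records:
        findings = audit_change(rec)
        if findings:
            report[rec.change_id] = findings
    return report


def ts(text: str) -> datetime:
    return datetime.fromisoformat(text)


# Constructed sample log (not real data).
SAMPLE_LOG = [
    # Clean change: reviewed, tested and approved before import by Basis.
    ChangeRecord("CHG-001", "dev_a", "lead_b", ts("2024-03-01T10:00"),
                 "mgr_c", ts("2024-03-02T09:00"), "basis_d", ts("2024-03-02T15:00")),
    # One person developed, reviewed, approved and deployed the change.
    ChangeRecord("CHG-002", "dev_a", "dev_a", ts("2024-03-03T10:00"),
                 "dev_a", ts("2024-03-03T11:00"), "dev_a", ts("2024-03-03T12:00")),
    # Normal change with no test evidence, approved after it went live.
    ChangeRecord("CHG-003", "dev_e", "lead_b", None,
                 "mgr_c", ts("2024-03-05T16:00"), "basis_d", ts("2024-03-05T09:00")),
    # Emergency change approved three hours after import: within the window.
    ChangeRecord("CHG-004", "dev_e", "lead_b", ts("2024-03-06T08:00"),
                 "mgr_c", ts("2024-03-06T05:00"), "basis_d", ts("2024-03-06T02:00"),
                 emergency=True),
    # Emergency change approved more than two days after import.
    ChangeRecord("CHG-005", "dev_a", "lead_b", ts("2024-03-08T08:00"),
                 "mgr_c", ts("2024-03-10T09:00"), "basis_d", ts("2024-03-07T23:00"),
                 emergency=True),
]

if __name__ == "__main__":
    for change_id, findings in audit_log(SAMPLE_LOG).items():
        print(change_id, ", ".join(findings))
```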
Ming Hu says
Nice point Paul. I failed to take segregation of duties into consideration, but it is a very important portion. Obviously, one who requests a change must not be the one who responds to that change. Besides, considering employee turnover, their roles and responsibilities, accordingly, should be redefined following the principle of segregation of duties.
Paul M. Dooley says
I will second his point. As much as we’ve discussed the importance of segregation of duties in all of our classes I still failed to take this into account. Great answer Paul.
Ming Hu says
In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
Process blueprints describe business processes, including details about the activities in the process, the people who perform or know about the activities and their roles, the milestones that activities are performed in, etc.
Process blueprints are important in documentation because it specifies details at the process, milestone or process diagram elements. For instance, an activity has a participant property that specifies who is performing this work, an outputs property to show the result of this activity. Process blueprint is a powerful guideline for processing, monitoring and analyzing.
Source: https://www.blueworkslive.com/scr/docs/bwl/topics/blueprint_process.html
Paul Linkchorst says
4. Next week we have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
The only question that I have is what are some of the more specialized skills that an auditor can acquire?
Magaly Perez says
4. Next week we have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
1. Developing trust with your clients can be challenging, how do you go about initiating the audit in a manner in which the clients develop trust?
2. What would you say is the most rewarding part of being on the job?
3. How do you continue to grow within the audit profession?
Abhay V Kshirsagar says
Next week we have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
What challenges do you face while gathering information from different stakeholders?
What tools and important skills are essential for us to learn as an auditor?
As someone with no work experience, how should I go about job hunting? Meaning, how do I transition from a Business Technology Analyst profile to that of an IT Auditor?
In the context of communication, can you recommend as to what we should develop from this ITACS program for our job?
Abhay V Kshirsagar says
How have you seen change management work in your organization? What improvement recommendations do you have?
Most of the change management ventures fail because of the human variable in it. Either people don’t want to change, or the management hasn’t done their job of communicating the goals and their vision of where they want to take the company. So, what ends up happening is that everyone is at a different place, which creates confusion and chaos in the organization as they are sending very different signals and messages.
Many CEOs try to engage other people with things that excite and inspire them personally. For instance, if I am the CEO and my vision is to be number 1, but if you ask my sales team and they were fine with it but it wasn’t really something that got them engaged, so that’s an issue. So the CEO essentially has to ensure that his/her WHAT is consistent everywhere, but the WHY resonates with different people in the organization. E.g.: How this journey that they all are going to take is to grow all of them as a team. Hence, it is important for the management to engage their employees and connect with them on “WHY” it matters.
Deepali Kochhar says
4. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
I would like to ask following questions to the auditors:
What is the relationship between internal audit and the audit committee?
What is the difference in the approach of an internal and an external auditor?
Are the activities of internal audit coordinated with the external auditors?
To whom does internal audit report administratively?
How is the effectiveness of the internal audit function assessed?
Vu Do says
3. How have you seen change management work in your organization? What improvement recommendations do you have?
While working at Highmark BlueCross BlueShield, my management team changed 2 months before I left and it was that reason I left. I was working as an Associate Application Developer and my old management team was located at my job site in Delaware. My whole entire organization changed when the main jobsite in Harrisburg decided to combine everything into two different groups. My new boss was located in Harrisburg and the change she brought to the group in DE was not effective in my opinion. Instead of getting to know the new members and see what their strengths are, she had expectations and wanted us to just know how to do it. That caused a lot of struggle since I was fairly new and was just learning the process of my old team and being brought onto the new team with high expectations was difficult. I did not know who to turn to for questions since my manager was not a programmer. I had no guidance and was not located on site so I felt as though my new manager did not care and that was the issue I had. I would recommend getting to know the new members and learning what they are good at so they can decide what project to assign them. Also if there is something they don’t know, then it would be good to learn that and assign them to a mentor to teach them.
Wen Ting Lu says
Hi, Vu
Thanks for sharing your experience! I am sorry to hear that the change management isn’t working out for you.
I cannot agree with you more that the culture and people in an organization are very important. It is challenging to work with someone you have no idea who he or she is. Especially when you are still new to the organization, you want to have someone who you can talk to when you are facing difficulties. In my personal opinion, I believe for a new employee, it is best for them to work with someone who was in his or her position before. I think the new employee will benefit the most and learn very fast by observing how the experienced staff accomplish their assignment. According to Fores’ article, “The best managers earn respect by being every bit as prompt with their own employees as they are.” It is essential for management to show that they care about their employees, and they try their best to work and grow together with every single one of the employees in the organization. Obviously, in your situation, this new manager didn’t consider too much about her employees, and she just wants to get things done and expected you all should know how to do it. I think she should first introduce herself, and instead of demanding you guys to work under her preference, I think she should walk you guys through and give all of you an opportunity to meet and introduce each other.
Wen Ting Lu says
Lack of communication is clearly a major issue in Vu’s situation. It can create uncertainty that leads to stress and conflict. In addition, lack of communication can lead to confusion and conflict between team members and the ultimate failure to achieve objectives.
Joshua Tarlow says
Change usually involves some level of uncertainty which is unavoidable. Which is why communication is key in these situations. Without effective communication a myriad of problems can occur and cause other issues.
Paul M. Dooley says
Vu Do, in my prior experiences I also have been “thrown to the wolves” so to speak with very little direction on how to accomplish specific things that were critical to completing the job at hand. To second Josh’s point, communication and documentation are critical for the obvious reasons of employee turnover etc, but also just to have a resource to guide them through the normal tasks of the day to day job.
Fred Zajac says
What are the key components of SAP change management controls you would expect the auditor to review? Why?
The key components of SAP change management controls are:
The Technical Aspect – The size of the hardware required to perform the functions required for the business to function. The auditor would look at things like the RAM installed, Processor Speed, and other requirements outlined by SAP.
SAP Solution Manager Configuration, Master Correction Note & Change Request Management Master Note – Determine if the solutions manager is properly installed and configured
System Access – Check internet and internal network connections to determine unauthorized access
Change Control Management Process – Check Transport requests
SAP Connect – Monitor text transitions and set controls for text retrieval and information extraction.
https://support.sap.com/dam/library/SAP%20Support%20Portal/support-programs-services/methodologies/support-standards/e2e-standard-for-change-control-management.pdf
Fred Zajac says
In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
We used a number of different flow charts, from conflict resolution in HR to the sales cycle in our marketing department. The process blueprints are important documentation to know how to work through each process, and understand each sub-process. Some blueprints will also include steps on how to handle the sub-processes. This is more of a roadmap to the goal of a process.
Fred Zajac says
My previous company decided to change the CRM system because the ticketing function was “better” and the solution was cheaper. I don’t have an opinion on the ticketing function and didn’t deal with company expenses, but from a business development standpoint, the new CRM system was horrible. It didn’t integrate with our Microsoft Outlook calendar, the GUI wasn’t user friendly, couldn’t track proposal through the sales cycle, and several more complaints from the sales and marketing team. The biggest improvement I would recommend is getting each department involved in the process before moving forward. Sometimes policies and changes are made without your input. This isn’t a good business process. The change management process should include the input of all users.
Fred Zajac says
In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
What are the three tools you couldn’t live without?
Software programs, Documentation material, etc.
If you had a magic wand, what would you change about your job?
If you had a crystal ball, what would the industry look like in the future?
Vu Do says
2. In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
Yes, blueprints are very important with documentation since it gives detailed instructions of what happened and what changes were put in to get to the end results. Management or whoever looks at the document will know exactly what steps were taken for the changes. You can also be given a blueprint to work off of for a project. A detailed blueprint will give details as to how the work has to be done and what programs or area must be used.
Process blueprints are important in documentation since it gives detailed instructions of the construction of the program or work that was done or needs to be done. People reading or looking at it will see what steps the person creating it did and see how they want it done if they are the one giving the blueprint. It is a list of details on the project and steps to get it done.
Vu Do says
4. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
• What is it like in the day of an Auditor?
• What are the common issues you face on a day to day basis?
• What is a typical or common job assigned to an Auditor?
• Is travel common for the job?
• What kind of programs do you use to do your job every day?
Joshua Tarlow says
1. How have you seen change management work in your organization? What improvement recommendations do you have?
I saw a lot of management changes when I was in the military, although they were called change of commands. The Army rotates soldiers every few years to a new unit, which also includes senior enlisted and officers/commanders. At times it felt that every few months another company in my unit would get a new commander. Unfortunately this turnover continued into deployment and actually got worse. Every single company in my brigade changed commanders at some point during the year. From my knowledge it was done to allow more officers to receive command experience for their careers and promotions. However, it was incredibly disruptive to operations and morale. I remember my team having to stop working for days to inspect inventory and other administration issues with the new commander. I guess my recommendations would be to try and minimize these rotations during deployment as opposed to actively scheduling them. If possible, should be either before or after the deployment cycle unless absolutely necessary.
Wen Ting Lu says
4. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
1. What are some tools and skills an auditor must have in order to become successful in his or her career?
2. What is the most challenging part for you as an auditor?
3. How long is the working timeline for a typical project? Does it vary among different industries?
4. What advice would you recommend and give to graduate students in the ITACS program? How should we prepare ourselves before we start working in the audit profession?
5. How do you maintain a good relationship and develop trust with clients?
Yu Ming Keung says
1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
SAP change management is to help organizations determine what they need when they are managing change today, such as current challenges and opportunities, and how they integrate change management and training. Risks and business impacts are identified and communicated to the appropriate level of the organization.
I would expect the IT auditor to review the following:
1. Change of segregation of duties
2. Change of policies
3. Review of SAP changes
4. Approval of SAP changes
5. Testing of SAP changes
6. Deployment of SAP changes to production
7. Approval of SAP changes for production.
Yu Ming Keung says
In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
1. Timeline of an audit
2. How do you present the finding of your audit? What opinions do you usually give?
3. What kinds of controls is an organization most likely to miss?
Yu Ming Keung says
In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
Unfortunately, in my previous organization, I did not have any experience with blueprints as documentation. A blueprint process. A blueprint is used to guide its priorities, projects, budgets, staffing and strategies by determining which aspects are important enough to include and which are not. It is important in the documentation because it helps schedule projects and manage the implementation sequence, as well as define business processes and organization structural changes. A business blueprint also is used by an organization to coordinate a cost-effective and organizationally effective rollout plan.
Fangzhou Hou says
I totally agree with you, Yu-Ming. Indeed, some companies do not have blueprints as documentation, but they are still very important in the business processes. Without a clear blueprint to help the organization better position and develop itself, the decision maker may make mistakes at the strategic level. Moreover, the blueprint can effectively guide the organization in a bigger picture, so it’s helpful for the company.
Wenlin Zhou says
I agree with you. I also want to add a point. A business process blueprint is important to an ERP implementation. In fact, it is a key deliverable of our extensive business process management services we provide to our ERP clients. However, it is only one component of a more comprehensive business process management methodology, which is one of the key reasons why most ERP consultants and system integrators have historically failed in their attempts to implement ERP software.
Ming Hu says
What are the key components of SAP change management controls you would expect the auditor to review? Why?
Change request – Check the transparency and validity over change execution
Authorization change – Ensure every authorization-based change is reasonable, accurate and timely
Testing procedure – Whether the change has been tested before implementing in a live SAP system? If these testing procedures are appropriate?
Control monitoring – Monitoring the effectiveness of existing controls, the necessity of existing controls or for new controls
Emergency change – If there’s a correct organizational and technical procedure defined for cases where a change has to be executed urgently
Compliance issues – Check whether existing change management controls are in compliance with predefined regulations and policies
Wen Ting Lu says
2. In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
A blueprint document records the process to be implemented and the technical details of the implementation.
An IT blueprint is a planning tool or document that an information technology organization creates in order to guide its priorities, projects, budgets, staffing and other IT strategy-related initiatives.
The process of blueprints is important in the documentation because it helps the CIO to make decisions on which specific technologies are to be used, and the employees or third-party contractors charged with managing them.
Source:
http://searchcio.techtarget.com/definition/IT-blueprint
Wen Ting Lu says
I am not sure if this is a “blueprint”. In the accounting firm I am working at now, we have a “cheat sheet” that we refer to when clients come to us to open up a business. According to the information the client provided, we follow the diagram to determine whether it is beneficial for the client to register as an LLC or a C-corporation. After we have made the determination, we follow the diagram to ask clients to provide additional information if needed to help them register their business.
Annamarie Filippone says
In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
1. What was the most challenging audit you ever worked on? What made it so difficult?
2. How do you teach yourself about the business line/group that you’re auditing? What resources do you use?
3. What do you believe are a few key skills/traits that successful auditors should have?
Ming Hu says
In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
1. What technical skills do you think are very helpful for an entry-level IT auditor?
2. Would you mind sharing with us how you started your career as an auditor?
3. How could auditors deliver value to the company? Could you give us some examples?
4. Could you give us some recommendations on how to prepare yourself for being an IT auditor during school days?
Ming Hu says
In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
Process blueprints describe business processes, including details about the activities in the process, the people who perform or know about the activities and their roles, the milestones that activities are performed in, etc.
Process blueprints are important in documentation because they specify details at the process, milestone or process diagram elements. For instance, an activity has a participant property that specifies who is performing this work, and an outputs property to show the result of this activity. A process blueprint is a powerful guideline for processing, monitoring and analyzing.
Source: https://www.blueworkslive.com/scr/docs/bwl/topics/blueprint_process.html
Joshua Tarlow says
In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
What is the most difficult part of auditing for you?
Have you ever completed any server virtualization audits?
What is the most challenging problem for the IT audit field in the future?
How is technology changing, and how will it change, the field of auditing?
Abhay V Kshirsagar says
In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
A blueprint offers organizations the best chance of successfully achieving their goals. Blueprinting is an effective tool and it helps organizations understand what the process will look like, and it also offers an approximation of the timeline.
During a business critical application implementation, business blueprinting is the project phase when an organization conveys the business requirements and defines the realization of business processes and organizational structure.
For example, when building critical application rollouts in ERP packages, building proper structure can be time consuming. SAP enables its customers to create blueprints for implementation, to support an organization’s core processes as well as the non-SAP processes. The process-related reference content is also available to be reused for these particular activities.
Abhay V Kshirsagar says
What are the key components of SAP change management controls you would expect the auditor to review? Why?
There are a number of key components included in the IT change management audit for the SAP.
The change management policies and procedures should formally document the change management process, and there should be a review as to whether the processes are being followed for each change that has been introduced in the system.
There should be a review of security around the development and deployment of SAP changes to make sure that only personnel who are authorized have made changes as stated by the policy.
Auditors should also ensure that there is a clear link between the technical change (SAP transport and object change) and the detailed change request. The goal is to ensure that the changes that were made to the SAP systems match with the changes that were documented.
To cover all the aspects of the change management audit, there should be an evaluation of change management processes, development, build, test and deploy process.
Source: https://blogs.sap.com/2012/07/06/simplifying-the-sap-it-change-management-audit/
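The link between each transport and its change request, and the who-did-what checks described in the comment above, can be tested mechanically once both record sets are exported. The following is an added example, not part of the comment or of the cited SAP blog post; the record fields, finding names, IDs and user names are all constructed for illustration, and treating a late approval on an emergency change as a separate finding is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ChangeRequest:
    cr_id: str
    approver: str
    tested_at: Optional[datetime]    # test sign-off; None if never tested
    approved_at: Optional[datetime]  # approval for production; None if missing
    emergency: bool = False


@dataclass(frozen=True)
class Transport:
    transport_id: str
    cr_id: Optional[str]             # change request cited on the transport
    developer: str                   # owner of the transport
    importer: str                    # who imported it into production
    imported_at: datetime


def audit_transport(t: Transport, requests: Dict[str, ChangeRequest]) -> List[str]:
    """Return the audit findings for one production import."""
    findings = []
    # Segregation of duties: the developer must not deploy their own change.
    if t.developer == t.importer:
        findings.append("SOD_DEVELOPER_IMPORTED")
    # Traceability: every technical change needs a documented request.
    cr = requests.get(t.cr_id) if t.cr_id else None
    if cr is None:
        findings.append("NO_CHANGE_REQUEST")
        return findings
    if t.developer == cr.approver:
        findings.append("SOD_DEVELOPER_APPROVED")
    # Testing must be signed off before the production import.
    if cr.tested_at is None or cr.tested_at > t.imported_at:
        findings.append("IMPORTED_UNTESTED")
    # Approval must precede the import; emergency changes approved
    # afterwards are reported separately so they can be reviewed.
    if cr.approved_at is None:
        findings.append("NOT_APPROVED")
    elif cr.approved_at > t.imported_at:
        findings.append("EMERGENCY_APPROVED_AFTER_IMPORT" if cr.emergency
                        else "IMPORTED_BEFORE_APPROVAL")
    return findings


def audit(transports: List[Transport],
          requests: Dict[str, ChangeRequest]) -> Dict[str, List[str]]:
    """Map transport id -> findings, omitting transports with none."""
    report = {}
    for t in transports:
        found = audit_transport(t, requests)
        if found:
            report[t.transport_id] = found
    return report


# Constructed sample data (not taken from any real system).
REQUESTS = {cr.cr_id: cr for cr in [
    ChangeRequest("CR-1001", "mlee", datetime(2024, 3, 1, 10), datetime(2024, 3, 2, 9)),
    ChangeRequest("CR-1002", "jdoe", None, datetime(2024, 3, 3, 9)),
    ChangeRequest("CR-1003", "mlee", datetime(2024, 3, 4, 8), datetime(2024, 3, 5, 9),
                  emergency=True),
]}
TRANSPORTS = [
    Transport("DEVK900101", "CR-1001", "jdoe", "basis1", datetime(2024, 3, 2, 18)),
    Transport("DEVK900102", "CR-1002", "jdoe", "basis1", datetime(2024, 3, 3, 18)),
    Transport("DEVK900103", None, "asmith", "asmith", datetime(2024, 3, 3, 19)),
    Transport("DEVK900104", "CR-1003", "asmith", "basis1", datetime(2024, 3, 4, 12)),
    Transport("DEVK900105", "CR-9999", "jdoe", "basis1", datetime(2024, 3, 6, 12)),
]

if __name__ == "__main__":
    for tid, found in audit(TRANSPORTS, REQUESTS).items():
        print(tid, ", ".join(found))
```

A transport that appears in the report with no explanation on file is the kind of exception an auditor would follow up with the change owner.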
Fangzhou Hou says
1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
Generally, I would expect the auditor to review the changes and updates of the SAP systems. First of all, the changes in the SAP system should be reviewed. The team that reviews SAP change management requests is typically the senior SAP stalwarts that include Architects or Team Leads. They do many tasks including supporting the original design and impact assessment of a given change. In addition, the approval of SAP changes should be made. Somebody needs to approve each change and this will sometimes include, if not be, the people performing the review above.
Furthermore, the deployment of SAP changes should be tested. More e-mails fly around requesting the physical import into the test system. It is usually the job of the SAP Basis Administration team to perform the actual deployment. And of course, this job cannot be passed to the development or applications teams.
Source: http://www.basistechnologies.com/7-steps-to-automation-SAP-change-control-processes-and-release-management-tools
Fangzhou Hou says
2. How have you seen change management work in your organization? What improvement recommendations do you have?
From my previous work experience, the organization had effective change management, especially in the online customer service system. I previously worked in the customer relationship department for a couple of months, and the customer service systems required weekly support, and all PCs would be updated at least once a month. The daily operation record would be posted, and the head of department would go through it and approve it.
The improvement recommendation I could offer is that the company should focus not only on the hardware support, but also on the updating of the online customer service system itself, since some customers commented that the loading speed of the online customer service system was getting lower from 3 pm to 5 pm.
Fangzhou Hou says
4. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
– What’s the biggest challenge for entry-level IT auditors?
– What are the common issues that auditors may have in the real business?
– What suggestions do you have for entry-level IT auditors?
– What are the technical challenges IT auditors may have during their daily work?
Jaspreet K. Badesha says
1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
The key components of SAP change management controls I would expect the auditor to review are the following:
• Change management policies and procedures
  o These are formally documented processes and ensure that the processes are being followed for all changes made in the system.
• Change initiation and approval
  o Review the change request and approval process to ensure each change is requested and approved in a formal manner following processes.
• Development policies
  o Review policies that deal with governing modification or development of code to ensure that development is initiated in a separate system outside of production or UAT.
• Test and Acceptance
  o Review testing procedures and processes to ensure that all changes are satisfactorily tested before being approved and moved to production.
• Deployment
  o Review all approval procedures and policies for changes going into production to ensure only authorized changes are deployed.
• Change management process compliance
  o Review deployed changes relative to change management process to ensure all deployed changes comply with predetermined change management process.
• Emergency Change management
  o Review processes around what is categorized as an emergency change management deploy and ensure all processes and situations are managed and written properly.
• Security
  o Review security around the development and deployment of software changes to ensure only authorized personnel are making changes as per predetermined policy.
Another main factor that needs to be considered is that practices do not differ from the clearly written policies and processes. Also that there is a clear link between the technical changes and the change request that is documented.
https://blogs.sap.com/2012/07/06/simplifying-the-sap-it-change-management-audit/
Jaspreet K. Badesha says
2. In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
Yes, in my company we use project request blueprints in which we have an outline of information required to start a project. This helps us understand the scope and business reason for the project and all functional requirements. We also have a list of procedures you must follow which includes adding this project request blueprint and changes into a tool called Confluence. This way we can track all projects and changes that are made and the status of the project in one place and have an easy way to reference it in the future. If we did not have this process we would not clearly understand, as a business, what the overall functionality and goal was for the particular project. We would also not be able to share knowledge of what happened and why it happened and what changes were made or requested. This would make referring back to it impossible in the future.
Jaspreet K. Badesha says
3. How have you seen change management work in your organization? What improvement recommendations do you have?
The one issue that we have with our change management process in our organization is that it happens in ‘hallway’ conversations and isn’t done through proper channels. Or the fact that the project team is the last to find out therefore making it hard to follow process. Also everything is always a ‘fire’ so it needs to get done right away and we can cut corners and not follow process. There needs to be more following of proper procedures and timely responses.
Jaspreet K. Badesha says
4. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
1. What questions are the safest questions to ask when starting out as an Auditor?
2. How do you build a relationship with members of the project you are working on to get vital information without coming off too aggressive?
3. What are some helpful sites or organizations to help you stay on top of current topics?
4. How do you stay current?
Seunghyun (Daniel) Min says
Q2. In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
I recently started working for my church as a Technology Support. In my job, we have a Network connection blueprint on the wall as documentation. I think the blueprint was really important, especially for a new hire like me. It was so helpful for me to understand how the networks are connected to each other in the church. After several months at the job, I still use the documentation for my reference all the time.
Binu Anna Eapen says
I agree, Daniel. Even in bigger organizations a blueprint is necessary for most processes. For example, a blueprint of the network topology of an organization will give the picture for an administrator/auditor or anyone working on the site to fully understand and take necessary action based on the need. In case the employee or the network admin leaves the organization or is not available, it might become difficult to trace the network, like which port is connected to what port, without a blueprint.
Seunghyun (Daniel) Min says
Q1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
1. Review of SAP changes: Has it been completed to appropriate standards and quality? Is there a potential performance issue involved or inadvertent introduction of a security breach? Is there a dependency upon another, unrelated change? How dangerous is the change from either a technical or business perspective? Has appropriate design and unit-test documentation been included?
2. Approval of SAP changes: Why don’t you change to a system that provides contextual information that helps you consciously approve changes and automates the approval workflow? Life would be so much simpler.
3. Development of SAP changes for testing: More e-mails fly around requesting the physical import into the test system. It is usually the job of the SAP Basis Administration team to perform the actual deployment.
4. Testing of SAP changes: Once SAP changes have been deployed, the testing team is either last to find out about it or communication is carried out manually. Not only that, but testers barely have any control over the changes being deployed which can often invalidate their current rounds of testing.
5. Approval of SAP changes for production: it is possible to automate this entire approval process and workflow change approvals to the relevant people including collecting an audit of approvals gained for compliance purposes.
6. Development of SAP changes of production: This is the same set of tasks performed during deployment to the testing systems. Just much more critical to the business – the deployment into mission critical SAP systems must be managed much more carefully than deployment into earlier test systems.
7. Development of production support changes to project streams: A much better option is to implement a change control tool that automatically does this for you. Performing an automated merge is vital to streamlining and simplifying your SAP change control processes.
Source: http://www.basistechnologies.com/7-steps-to-automation-SAP-change-control-processes-and-release-management-tools
Seunghyun (Daniel) Min says
Q4. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
What would be necessary skills for ITACS students to learn/obtain before starting their careers as IT Auditors?
What would be good/down sides of IT Auditing as a career?
What are the recommendations for students who want to become IT Auditors?
What are the biggest struggles when you conduct your tasks as an IT Auditor?
What compliances/regulations should our government amend to make IT Auditors’ work more effective and efficient?
Binu Anna Eapen says
1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
Ans: An auditor will have to review the system’s request and incident management processes, which provide input to the change management systems. The number of times an incident occurred, frequency, root cause of the issue, troubleshooting steps, errors or faults discovered, number of people affected: all this will help the auditor understand why the change was proposed and if it is meeting the expectation for which the change control was in place. Other than checking the change management process document and evaluating the processes like change request application, development, test process, change acceptance and authorization to production, an auditor must also evaluate who is authorized to do what, like develop changes, approve testing of changes, authorize change to production and make changes in the running environment.
Binu Anna Eapen says
4. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
1. What are the biggest challenges you have faced as an auditor?
2. What is the best way to confront a party or management who you think will not reciprocate well to suggestions made?
Jianhui Chen says
What are the key components of SAP change management controls you would expect the auditor to review? Why?
1. Review of SAP changes
2. Approval of SAP changes
3. Deployment of SAP changes for testing
4. Testing of SAP changes
5. Approval of SAP changes for production
6. Deployment of SAP changes to Production
7. Deployment of Production Support changes to Project Streams
Because, regardless of the size and scope of the team making SAP changes, the IT department is usually stretched doing numerous tasks. These tasks will vary dependent upon whether it is a green-field implementation of SAP or whether it is support work. Some tasks are done to differing extents and will also be determined by the resources and skills available.
Source: http://www.basistechnologies.com/7-steps-to-automation-SAP-change-control-processes-and-release-management-tools
Jianhui Chen says
Q4. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
1. What are the biggest challenges you have faced as an auditor?
2. What suggestions do you have for entry-level IT auditors?
3. What software will be implemented in a real-world work position?
Paul M. Dooley says
How have you seen change management work in your organization? What improvement recommendations do you have?
In my prior role at Verizon, change management was always addressed via a memo and then an online flash training that you click through and get a certificate that it was in fact completed. The most important thing that I would recommend to improve the impact of the change management is to have live training and stress the importance of the change management process and why it’s occurring. The employees need to understand what exactly the impact is and the associated risks of not following the procedures. Sales staff, like myself, get so burdened with other responsibilities and chasing the monthly quota that when additional training is set it’s very easy to blow it off or just get the box checked by clicking through rather than really learning the information.
Paul M. Dooley says
In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
The most important question that I would have is a general open ended question as far as what tools or resources they rely on the most to complete their jobs. Also, any best practices on frequently encountered risks they may identify. Lastly, what suggestions they would have for conveying a difficult message when identifying risks to the project owner. People get very attached to their work and pointing out holes in their system can be a sensitive discussion.
Paul M. Dooley says
What are the key components of SAP change management controls you would expect the auditor to review? Why?
The key components of SAP change management controls to be reviewed by an auditor would be as follows:
Change Management Policies and Procedures
Change Initiation and Approval
Development Policies
Testing and Acceptance
Deployment
Change Management Process Compliance
Emergency Change management
Security
Since each change can impact the availability of a production system, it’s critical that a clear process and audit is done of the entire change management life-cycle. The scope would need to include review of change management documentation, policies and procedures, evaluation of the change management processes including change request application, development, build, test and deploy process, and finally security evaluation around who is authorized to make changes and who is granting approvals.
https://blogs.sap.com/2012/07/06/simplifying-the-sap-it-change-management-audit/
Paul M. Dooley says
In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
Verizon did in fact use blueprints as documentation to walk people through the various tasks needed to accomplish specific business processes within the organization. This was critical in walking someone through the best practices as far as order and sub processes to complete a function.
Victoria A. Johnson says
What are the key components of SAP change management controls you would expect the auditor to review? Why?
The key components of SAP change management controls to be reviewed by an auditor would be the following:
• Change management policies and procedures
• Change management approval
• Development of policies
• Deployment
• Testing
• Acceptance
• Security
These components of change management are important for an auditor because auditors don’t always have time to review every facet of an organization so they need to develop audit plans based on risk assessment. Change management is a critical part of that because it allows auditors to gather preliminary information needed to measure business risks within IT.