- What are the key components of SAP change management controls you would expect the auditor to review? Why?
- In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
- How have you seen change management work in your organization? What improvement recommendations do you have?
- In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
Tamekia P. says
1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
The key components of the SAP change management controls that the auditor should review are making sure that development, quality assurance and live (development) are segregated. This ensures that the changes made are not made directly into production but developed and tested first. This ensures that the impact as a result of the change has been evaluated in the QA environment. In addition, the auditor would review segregation of duties related to changes made to the system. The developer that configures the change should not be able to also launch the change into production. This prevents one individual from being able to complete a full change without any oversight.
Tamekia P. says
1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
Another necessary component of SAP change management is the review and approval of changes prior to go live. Changes need to be reviewed by necessary stakeholders to ensure that the change they are requesting has been configured appropriately by IT and produces the expected results.
Tamekia P. says
2. In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
I would consider a blueprint to be a description of the way that the process should work. These blueprints are important because they describe the way the system is designed to function. These are important documentation because they allow the auditor to quickly understand the system without doing extensive testing. This would also be useful material for those on-boarding within the organization.
Heiang Cheung says
Hi Tamekia,
It was a really good point that it is useful for on-boarding new staff because if there is a blueprint in place a new trainee can just look at the blueprint and follow through with the steps.
Tamekia P. says
3. How have you seen change management work in your organization? What improvement recommendations do you have?
Change management within my organization requires approval and testing of changes prior to go live in production. The only improvement that I could think of is ensuring that all impacts to all downstream systems should be considered. This may require consulting individuals in other groups prior to change being approved and processed.
Mengqiao Liu says
Tamekia,
Thank you for letting me know how change management works in your organization because I had no experience with change management when I was an intern in the company.
Tamekia P. says
4. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
What is the most common error you find during an audit?
What could process owners do that would make the audit more efficient / reduce fees? What is the most frequent test that you perform?
Scott Radaszkiewicz says
I like asking what could owners do to make the audit more efficient. Living through a few financial audits, I have had many growing pains! Knowing how to lessen that pain would be very helpful!
Nathan A. Van Cleave says
1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
Key SAP change management controls audit should review are segregation of duties and the various environments in which changes are executed.
For segregation of duties, there should be distinct roles to manage the change control process for the SAP system. They could include approver, developer, test/QA, promoter and implementer. Depending on the structure/size of the company, there could be highly segregated duties to ensure no one individual has the capability of affecting production changes without authority and approval.
For environments, there should be segregated environments for developing, testing, and production. Additionally, these environments should have aligned roles to help maintain the segregation of duties mentioned above.
In all situations there should be appropriate mitigating controls such as change control reviews.
Xiaozhou Yu says
Hi, Nathan
Thanks for sharing your thoughts, I agree that SOD is an essential component to be considered. I like the way you explained it which included distinct roles for change management. It is interesting that you mentioned the environment should be segregated as well for different processes, I think that’s a good idea for overlap tasks and save the cost.
Nathan A. Van Cleave says
2. In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
There are various types of “blueprints” in organizations, from network diagrams to swim lanes for business processes. In any situation, the visual representation of a process flow is valuable in assessing controls that should be implemented as well as identifying potential vulnerabilities. Additionally, such documents could be considered highly or critically sensitive information and the protection around them should be appropriate.
The example I can think of is a network security diagram. As it would likely spell out in detail the structure of the network and its components, it would basically be the “playbook” on how to penetrate or bypass the implemented controls.
Nathan A. Van Cleave says
3. How have you seen change management work in your organization? What improvement recommendations do you have?
I work in a highly regulated, global organization with very detailed and specific IT change management processes and controls. I can say with confidence that there are still rampant misuse cases that, if followed correctly, the key controls laid out in the standards and procedures would reduce the likelihood that there would be change control issues.
Very often in organizations, the balance between resourcing and appropriate levels of controls can be a challenge. If an IT organization is understaffed, there is a risk that appropriate levels of segregation of duties can be bypassed or ignored, and lead to issues such as unapproved or insufficiently developed or tested changes put into production. In all situations, mitigating controls such as change management reviews could at minimum detect root causes or issues.
Nathan A. Van Cleave says
4. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
If the auditors have worked in different firms, fields, risk areas: compare and contrast the difference in audit approaches and lenses they need to successfully identify gaps and control failures.
A walk-through of sampling approaches and a general look at their thought process to fieldwork testing.
Pascal Allison says
1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
All components of SAP change management controls are important to be reviewed by the auditor. Two components that the auditor might want to spend some time reviewing will be segregation of duties (no one person begins and ends a process). The segregation of duties could range from development, approval, up to implementation; and the environment for the change should be parallel with the role of making the change.
2. In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
Blueprint in my company is used for reference for verification or clarification how the process should function. Thus, the audit will have an understandability of the process/system and can use the blueprint to ensure the process/system is created and operating as it should. Because the blueprint tells how the process/system works, it should be treated with high security/control priority to avoid any unauthorized change. The should always be the blueprint.
3. How have you seen change management work in your organization? What improvement recommendations do you have?
In my opinion, change management in my organization is implemented based on interest. Depending on how management thinks about the process/system, change management will be implemented to the fullest. The input of those using the system should always be considered. Sometimes users are not aware of changes until they are implemented. My recommendation will be segregation of duties for change management, approval and testing process, and dissemination of changes to all stakeholders before development and implementation.
4. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
Looking at the audit processes, standards, regulations for companies and auditors, if you could improve the audit process and relationship between the auditor and auditee, what would you change for the betterment of audit if given the opportunity?
Mengqiao Liu says
1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
In today’s distributed environments, change control management plays a crucial role in business success. With standardized processes, methods and tools it ensures throughout for a high transparency and a continuous quality of the change processes during the entire application lifecycle. SAP Change Control Management coordinates how changes are introduced to a software landscape so that the changes do not conflict with each other and ensures that they are executed without disrupting the on-going business. This results in improved quality of the software landscape, higher availability of IT solutions, and lower total cost of ownership. Also important, change control management ensures that the changes performed remain transparent and traceable.
Reference: https://corealm.com/sap-alm-processes/sap-change-control-management/
Mengqiao Liu says
2. In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
There is no blueprint as documentation in my company. The company can use process blueprints to document business processes for review and analysis. In many organizations, technology and business processes are separate conversations. But when it’s done properly, the blueprinting process brings them together to address the solution in light of the organization’s technology and business needs.
Mengqiao Liu says
3. How have you seen change management work in your organization? What improvement recommendations do you have?
While change happens at the individual level, it is often impossible for a project team to manage change on a person-by-person basis. Organizational or initiative change management provides us with the steps and actions to take at the project level to support the hundreds or thousands of individuals who are impacted by a project. Organizational change management involves first identifying the groups and people who will need to change as the result of the project, and in what ways they will need to change.
Mengqiao Liu says
4. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
How will the internal controls help them while they are auditing a company and how long will they investigate the internal controls?
Mahugnon B. Sohou says
Excellent question. I always wanted to know a little more about the relationship between IT auditors and internal auditors, and how that dynamic works. I have had an instance in the past when I did not have any experience in auditing, I thought the internal auditors were part of my team of auditors as well.
Mahugnon B. Sohou says
1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
The key components of the SAP change management controls that an auditor should review are the segregation of duty and environment in which changes are being made. To make sure that one person cannot begin and end a process or make changes without proper oversight there should be distinct separated roles to manage the change control process. There should be a role to approve changes prior to going live, a role to develop, a role for quality assurance, and a role to implement changes into production. They should all be distinct roles. No one person should be playing two roles simultaneously. Each environment (development, testing and production) should also be segregated. Additionally each of these environments should have the appropriate roles in order to maintain the segregation of duties.
Mahugnon B. Sohou says
2. In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
A blueprint is a detailed description of a process from beginning to end. There are various types from network diagrams to swim lanes. It is very important in documentation because it describes the way a system is designed to function and helps auditors quickly understand a system and the visual representation can help identify vulnerabilities. Some of them could be highly sensitive and need to be appropriately secured. A network security diagram is one perfect example of that, as it shows the structure of the network and in the wrong hands it could help someone outside the company to identify and exploit vulnerabilities in the security system.
Mahugnon B. Sohou says
3. How have you seen change management work in your organization? What improvement recommendations do you have?
Change management within an organization is a process that always requires proper approval and testing prior to going live in the production environment, and this is pretty much how it worked in most organizations I have been in. What I would improve would probably be a way to make all stakeholders aware of the changes before development and implementation.
Pascal Allison says
Great point here Mahugnon. All stakeholders being aware of a change before development and implementation is very critical. If all stakeholders are not aware of a change, issues could affect the interest of a stakeholder, department, etc. which could lead to restructuring and delay implementation depending on the level of that stakeholder. This could be costly financially.
Mahugnon B. Sohou says
4. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
What is the most common kind of fraud that you find when auditing various companies?
How do you deal with the change regulations? How do you manage to stay up to date?
Mahugnon B. Sohou says
I meant the changes in regulations*
Robert Conard says
1. Controls auditors review in reference to SAP change management are those that exist in the environment around a specific business process (access, module) and segregation of duties. This allows a plan to be developed before change management goals are finalized. In the event the auditor is not thorough in his review, certain vulnerabilities may go live that are not initially noticeable.
Robert Conard says
2. A blueprint can refer to any process or design that outlines the holistic series of steps and departments involved in a function of a business. Flowcharts, swim lanes, IT design, department hierarchy. Blue print documents are integral and exist in every company to gain uniformity so that all aspects of the business operate with the same knowledge. Being aware of self and others’ roles around you is absolutely necessary in a company. Additionally, for business processes to be done correctly, they must follow a series of events that may capture some of the more likely possibilities. Those diagrams can be used for training purposes and reference whether that process is day-to-day or an abnormality.
Robert Conard says
3. I underwent a change management program while implementing a CRM database into our business. Our business process would take place online now and not just our server, so certain aspects of security were integral to reference so that everyone knew the importance of adherence. Since I was part of the team assembling the project, it is difficult to give myself any improvements. We integrated 2FA and specific licenses to employees to enable segregation of duties and efficient workflow.
Robert Conard says
4. Usually I’d like to hear a bit about them before coming up with a question. I always like to know which part of an auditing process they find the most interesting. What scale of project is it in reference to. Are they participating in every aspect of the project or are there compartmentalized efforts (depends on size of project). If they are recent graduates, how was their recruiting process and what do they like about their firm.
Mahugnon B. Sohou says
Hi Rob
You are right. It is always a good thing to start by getting to know them first and know what they do daily at work before you can come up with questions regarding their jobs. Additionally that is an interesting question you have there, regarding which part of an auditing process they find the most interesting.
Heiang Cheung says
1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
I would expect auditors to review segregation of duties and the policies and procedures in place for change management. For segregation of duties they would have to make sure the people that are making the changes are not approving their own changes and implementing them in production. They would also need to review the procedures to see how the company implements change management and see the different roles involved.
Heiang Cheung says
2. In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
Process blueprints are important in documentation because they give a visual on what the actual process is and how it works. A blueprint is also helpful for training new employees on how to do the process because if it’s a good blueprint then they should be able to follow it step by step. There are multiple blueprints for different processes at my company because sometimes people change the processes as they are working, and it might be wrong, so you have to go back and look back at the blueprint especially if the person who created the process is not there anymore.
Heiang Cheung says
4. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
What are the most common controls that companies fail at?
What is the most difficult thing as an IT auditor?
What skill should an IT auditor have to be productive?
Mahugnon B. Sohou says
I did not think of asking that last question but it’s a really good one (what skills should an IT auditor have to be productive) that always comes up. Your first question sounds a little similar to mine, where I was asking what are the most common frauds or failure found with most companies?
Heiang Cheung says
3. How have you seen change management work in your organization? What improvement recommendations do you have?
I work at a relatively small organization so changes are actually approved by the CTO because we rely on a good amount of consultants to implement the changes needed. The only improvement I would make is to not rely on consultants too much.
Akiyah says
What are the key components of SAP change management controls you would expect the auditor to review? Why?
I believe the key components of SAP change management controls that auditors should focus on are that change requests are properly documented, separation of duties, which would include an approval process, and that change management controls are sound, in other words, lots of testing prior to implementing the change in a production environment.
Akiyah says
In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
In our company we use documentation software to document the business process as well as the functional and technical specifications. That document is available to anyone on the project team. It is also used when explaining the process to upper management, legal, and internal audit. We do have “blueprints” that we try to follow when developing a new project that help to ensure that we adhere to the proper guidelines/standards.
Akiyah says
How have you seen change management work in your organization? What improvement recommendations do you have?
I have seen change management work in my organization. I believe their change management process is effective. Development is done in one environment, prior to moving to another environment for testing, once that testing has been completed a change management request is submitted which goes to multiple individuals in upper management as well as an approving manager. You have to provide process documentation as well as the test plan, and back-out steps. The change management request then goes to production control for approval. From there it will move down the line to each department that has to complete a step in the process.
The one recommendation that I would give is to ensure that all parties that would be affected by the change are aware of the upcoming change and are properly trained (when possible) prior to the change being released in production.
Akiyah says
In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
=> Can you describe a “typical” day in the life of an IT auditor?
=> What skills do you believe an IT auditor needs to have to be successful?
=> Can you describe your most difficult audit? Specifically what made it so difficult?
Scott Radaszkiewicz says
Akiyah, that’s a great question: What is a typical day like for an IT auditor. I would imagine it’s filled with hours and hours of tracking down information. Some of which could be exciting!
Xiaozhou Yu says
1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
The first component I would like to review is the segregation of duties. It is an essential part of change management to prevent potential fraud, and improve the process efficiency. As there are shared and duplicated files in different modules of SAP, it is important to set up clear SOD.
Another one I would like to consider is data migration. Migration is an important step in change, the accuracy and completeness of data determine the effectiveness of SAP system.
Nathan A. Van Cleave says
Hana,
Great point about data integrity during migration. Very critical to ensure the completeness and accuracy of data within SAP (or any system).
Xiaozhou Yu says
2. In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
Blueprint outlines the organization’s future goals and documents the specific steps that are needed to accomplish these goals.
Blueprint is the key reference when executing business change and transformation, and help with the major decisions. It also helps with determining which aspects are important enough to include and which are not.
Derrick A. Gyamfi says
Hana,
Great point regarding blueprints outlining the organization’s goals and serving as a documented guide to help specific that are needed to accomplish these goals. I didn’t think of this as I answered this question initially – however, in retrospect blue print allows the organization to streamline all of its business processes contributing to the overall organization goals and objectives.
Xiaozhou Yu says
3. How have you seen change management work in your organization? What improvement recommendations do you have?
I didn’t see any change management in my organization, since it is a small startup, but I still think we should follow change management process to have more effective change and reduce the risk of unexpected errors.
The process includes: request for change, impact analysis, approve, implement change and review.
With such process we will be clear about what to change and how to change, as well as the effectiveness of change.
Heiang Cheung says
Yeah, I agree with you even though it’s a startup it should still follow some type of change management because I feel like with startup they could be more at risk of something going wrong.
Xiaozhou Yu says
4. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
What are some auditing challenges?
Is the auditing request from your client detailed or general?
What kind of deliverable do you typically have?
Scott Radaszkiewicz says
Question 1: What are the key components of SAP change management controls you would expect the auditor to review? Why?
Thinking of SAP change management, I think the key components I would expect an auditor to review are simple. First, the approval of any SAP changes should be checked. Knowing who approved the changes and for what reason is vital to ensure the continuity of the system. Next, testing of those changes in a controlled/test environment. Ensuring that these new changes don’t have any other undesired effect. And finally, there should be some auditing of who deploys the changes. This way, anything that is changed can be traced back through the process from want/need, to testing, to deployment.
Scott Radaszkiewicz says
Question 3: How have you seen change management work in your organization? What improvement recommendations do you have?
In my current organization, change management is not a documented process. Too often it is done at the whim of a need, and not carefully thought out. Unfortunately, this is not good. A solid process and procedures should be in place for any change that happens in an organization. In my organization, chain of command has been the biggest issue. Many times, those responsible for areas are left out of conversations and discussions, and issues could have been avoided if all the right people were involved from the beginning.
Scott Radaszkiewicz says
Question 4: In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
One question I would really like to ask the auditors is: What is the biggest hurdle you face in an IT audit? I’m sure an IT audit can be a daunting task filled with some major challenges. Curious on what they might think is the biggest.
Nauman Shah says
1 - System changes should be authorized, tested and approved. So the auditor should look for authorization of change and testing documentation prior to implementation to production. The auditor should also review segregation in roles and environments. In other words, changes should be developed by programmers in the test environment and migrated to production by a system admin.
Nauman Shah says
2 - At my company, we do use blueprints to document process workflows, such as new user access process, change management process and Network flow diagrams. These process blueprints are important because they demonstrate the process visually and are easier to understand, especially for visual learners. Process can be followed from a to z in proper sequence.
Nauman Shah says
3 - I work in a highly regulated, global organization, so we have highly standardized procedures for everything including change management, therefore, I do not usually have any recommendations from a control design stand point, but in some instances, I do come across “exceptions” which are caused by not following the standard procedure for a given process. The recommendation in that case is to re-train the responsible staff to make sure they follow the SOPs.
Nauman Shah says
4 – If they are Internal Auditors, I would like to ask them what type of audits do they work on and in their opinion how much value do they think they are adding to the company’s overall mission.
Derrick A. Gyamfi says
Change management controls play a crucial role in today’s distributed environments. With standardized processes, methods and tools, it ensures a high level of transparency and continuous quality in the change processes throughout the entire application life cycle. Change Control Management coordinates all changes in a software landscape, to ensure that they do not conflict with each other. It also ensures that changes are made without disrupting the ongoing business.
With that said, among the SAP change management controls, I would expect the auditor to review the change request management component. This list to determine the level consideration that is given to authorization, testing, and production implementation approval of application changes.
Derrick A. Gyamfi says
In my company, we use a three area focus approach as blueprint for documentation. This means – with regard to changes to an application was the change:
1. Authorized – Was the change authorized or approved by the appropriate individuals?
2. Tested – If authorized, has the change been tested? Where is the evidence of testing?
3. Approved for Implementation – After testing, who assessed the results and approved the change for implementation?
Process blueprints are important in documentation because they establish consistency across the organization and can be reproduced/reperformed.
Derrick A. Gyamfi says
I have personally not seen change management work in my organization but in auditing other companies and their change management against my company’s established blue print below, some improvement recommendations I have include:
– Establish a change management process blue print
– Identify the right “agents” to authorize, test and implement changes
– Communicate changes on all levels
– Test and iron out all issues prior to implementation
– Document! Document! Document!
1. Authorized – Was the change authorized or approved by the appropriate individuals?
2. Tested – If authorized, has the change been tested? Where is the evidence of testing?
3. Approved for Implementation – After testing, who assessed the results and approved the change for implementation?
Derrick A. Gyamfi says
What was the most unexpected thing about pursuing a career in auditing that you now appreciate?
What are some key things you know now in your career that you wish you knew early on?
With your background and expertise, if you did not pursue a career in audit – what would you have pursued?
What do exit opportunities look like in the field?
James T. Foggie says
1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
I believe the approval process of change management is very important and needs to be a focus of any SAP audit. If changes to the system are not properly reviewed and approved by business owners and management, risks and vulnerabilities may occur. For example, all controls associated with change can be bypassed if employees know there are gaps in the approval process. Also, tight approval controls lead to improved availability of resources.
James T. Foggie says
2. In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
Our Hardware Site and Support (HSS) team utilizes blueprints all of the time. HSS is a facilities management team who is responsible for all equipment (building and IT) that comes into the building. It is very important from an asset management and change management perspective that the HSS team maintain and utilize blueprints to ensure accuracy during change activities.
James T. Foggie says
3. How have you seen change management work in your organization? What improvement recommendations do you have?
Our change management process within IT is a closed-loop process. Record entry kicks off the change process via an established workflow. The change tool pulls data from centralized data repositories to ensure consistency in information, for example application names; team names; hardware allocations etc. Throughout the workflow, records are evaluated for valid data entry and required input. The status of the change record changes throughout the various stages of the workflow. Only after all required approvals will the change become available for implementation.
James T. Foggie says
4. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
(1) Are you an ‘internal’ or ‘external’ auditor? Did you prefer ‘internal auditing’ over ‘external auditing’? or vice versa?
(2) What is the most challenging part of your job? In a ‘good’ way; and ‘bad’ way?
(3) Are there numerous opportunities to move within the IT audit career field? For example, cybersecurity governance vs auditing?