- Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
- How is independence maintained when working for the company as an internal auditor?
- When is the cost of implementing a compliance control higher then the benefit obtained? What should an organization do to ensure efficiency and profitability?
Week 11: Change Management, Development Wrap-up
Continuing great job on the discussions. Keep up the good work. You raised most of the important points but let me summarize my view.
Q1: What key components of ERP change management controls should auditors review? You provided some good background and details of the systems change management process. From my experience the key components to focus on are: 1) defined policies and procedures (and proof they are followed) 2) Solid documentation of requirements (what the change should be) 3) testing and more testing and 4) strong approval / governance process.
Q2: Does your company use blueprints as documentation? Why important? From the few responses it’s a mixed bag about organizations use of blueprints. My experience is that the blueprints are very useful in implementing successful, complex processes. They are excellent communication tools and help define for people new to the process or changing it later how it’s supposed to work. It takes discipline and work to keep the blueprints up to date but in the long run are very useful as ERP systems and processes outlast those originally developing them.
Q3: How have your seen change mgmt work? How would you improve? Only a few comments but they highlight some keys of good change management: clear communication about the ‘Why’ of change, Methods that those affected by the change can get their questions answered and employee involvement.
Q4: What questions would you like to ask auditors? Some very good questions. We’ll include some of them in coming weeks discussion.
Change management is one of the necessary evils of good systems management. Doing it well requires lots of discipline, hard sometimes tedious work but in the end ERP systems won’t survive well without it.
Week 11: Change Mgmt Breakout Questions
Below is the consolidation of the breakout session responses from yesterday’s class. Some excellent comments and useful ideas.
Change Management practices may seem bureaucratic and time summing. How do you manage the trade-off of added work vs. needed controls?
- Compliance requirements for highly regulated industries (i.e. Health, Finance and Insurance)
- By following change management practices it will help ensure the Quality of the product or service is better or at the same standard as it was previously.
- Software automated testing prior to integration
- A well-designed schedule – e.g. everyone knows what’s going to happen for preparation
- Electronic approval process – e.g. IT help desk; approval by email
- Update the documentation in order to assign approval align with the new work (changes are review)
- Define option and response document and clear and concise roles in align with new work
- The date of when the change management practices are going to occur. what is affected
- An emergency change process is in place
- Changes are submitted for approval
- Categorize everything
- Quantify controls
- Identify the risks that not checked.
- Clients justify very easily
- Prioritize controls
- Put automated systems in place to that automated controls can be helpful
- Training for employees
- Perform change out of business hours if required so that it does not pile up and miss SLA
- Prioritize changes based on risks mitigated, criticality of issue & solutions.
- Perform Changes outside of Business Hours so that work is not affected and neither are large # of users impacted.
- Streamline the change management process so that there is minimal disruption to services and hence fewer service requests to attend to as well, also changes should be reviewed thoroughly to ensure the change is successful.
What are the ramifications of managing change management in the scenario where the changes (e.g. development, etc.) are outsourced?
- Cultural differences in the Company and the vendor organization
- Security issues w.r.t Change performers having high privileged access to the system and messing it up.
- Whether there is sufficient expertise in the outsourcing vendor implementing the changes
- Cultural difference will affect process
- Time zones can be different and hence SLA breach is possible
- Security and privacy issues during change management
- Schedule change control-the project schedule has been affected somehow and events in the project are being delayed.
- Cost change control-the scope contents have not change, but the price for the items in the scope have increased or decreased.
- Giving up control of the change management process
- Adjusting to the new team and learning what each individual are skilled in.
- Communication back and forth could be a challenge if there is a difference in time zone.
- Granting access to the members who are outsourced to the programs used within the company, could take some time and are there security in place to mitigate risk.
- Production of quality, control
- Customer satisfaction of the service
- Compliance standard align with our business objective
- Application able to run on their system
- Confidentiality of our sensitive data can be affected
- Understanding of the required change (The ‘why’ is not consistently communicated by upper management to all team members)
- makes monitoring adherence more difficult if things aren’t done in the same standard or by the same protocols that the main organization is enforcing or following
- They may lack the understanding of the “business” it’s goals and vision of the organization as well as local employees
- Design and functionality are out of control
- Increase need of quality assurance
- Data management issues
- System uniformity
Exam 2: Case
As discussed several of the questions on Exam 2 relate to this real-world like small business case. You are encouraged to pre-read, print, etc. this case prior to the Exam.
Week 11 Questions
- What are the key components of SAP change management controls you would expect the auditor to review? Why?
- In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
- How have you seen change management work in your organization? What improvement recommendations do you have?
- In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
Exam 2: Take November 13
The second exam of the semester will be conducted by Blackboard at the beginning of class next week (Monday November 13).
Some specifics:
- Questions mainly focus on course content (on-line and from class) from Weeks 7 – 10. Note topics listed on any ‘Overview’ or ‘Review’ slides.
- Some questions from prior material (see Review slides from Week 7) may also be included on the exam.
- Maximum amount of time to complete the exam is 60 minutes
- Exam is approximately 25 questions (variety of formats i.e. Fill in blank, multiple choice
- Some of the questions relate to a real-world like small business case (to be published Thursday). You are invited to pre-read, print, etc. prior to the exam.
Week 10: Data, SOD/SAT Review Wrap-up
Continuing great job on the discussions. Keep up the good work. You raised most of the important points but let me summarize my view.
Q1: How to assure master data integration works well for all? This is hard with ERP systems because master data is used so extensively across so many transactions, processes, etc. Company needs to have a good plan, lots of well defined processes and controls. It’s important that there is a broad understanding of master data and appreciation for good data. This comes only with good training and strong management focus.
Q2: Who should play the key role in defining and assuring quality of master data? All processes who use the data, not just the main users need a say in what the master data is (definitions, processes, etc.). Because of the high degree of integration across business processes in ERP systems those in charge of master data need integration/ broad perspectives. Accounting / finance is one critical voice but in my experience not the best to be in charge. A strong financial focus can be just as bad as another groups focus (e.g. sales, supply chain, etc.)
My experience is there needs to be a defined master data coordinator (data steward is term many of you used – great term). Great, cooperative master data coordinators and new Master Data Management (MDM) software are becoming a must for strong ERP system users.
Q3: What is riskier: inaccurate data or excessively repetitive data? Both are bad. You all gave some great examples. I agree that inaccurate data causing problems is more common than repetitive, but be aware of both.
Q4: Which transaction is most ‘Sensitive’? Many, many transactions are sensitive – no correct answer. The rule of thumb I used is that any transaction that creates master data or creates or can lead to creation of a financial transaction is sensitive. Note that many systems and configuration transactions are sensitive and need to be locked down in production.
A good ERP systems runs on good master data.
This coming week we will look change management and development aspects of ERP systems.
Extra Credit Assignment
Background
Context is Global Bike Inc. (GBI) that we’ve used in all other course assignments.
You are an auditor in GBI’s internal auditing team. As a result of your work at GBI you’ve uncovered a significant risk in one of GBI’s business processes. You’ve made this risk known to your manager who requested that you investigate what potential changes / controls should be put in place to address the risk.
Assignment
You have the opportunity to address the audit committee of the board to discuss the risk you’ve uncovered in your work and recommended changes / controls. Unfortunately, the agenda is packed and you only have 5 minutes to make your presentation.
Deliverables
- Brief (1 slide?) Powerpoint slide(s)
- Brief script of what you plan to say to the audit committee
Grade
Treat like a ½ credit Assignment Exercise. Full credit can yield extra 4 points in final grade (e.g. raise a grade of 90 to an 94)
Grading Rubric
- Substantive content related to class content 2
- Concise, clear message appropriate for audience 1
- Convincing argument, message 1
Due Send deliverables to professor by Tuesday December 12. Wednesday December 13.
Exam 2: Coming up November 11 – 13
A reminder that the second exam of the semester will be conducted by Blackboard and must be completed between Friday November 11 and Sunday November 13 (midnight).
Some specifics:
- Questions mainly focus on course content (on-line and from class) from Weeks 7 – 10. Note topics listed on any ‘Overview’ or ‘Review’ slides.
- Some questions from prior material (see Review slides from Week 7) may also be included on the exam.
- Test will be conducted via Blackboard – you must complete between Friday November 11 and Sunday November 13 (midnight).
- Maximum amount of time to complete the exam is 40 minutes
- Exam will be approximately 25 questions (variety of formats i.e. Fill in blank, multiple choice)
- Some of the questions relate to a real-world like small business case. I’ll publish case which you can pre-read, print, etc. Tuesday prior to the exam.
Week 10 Questions
- Master data in an ERP system is highly integrated with various processes and effects many parts of the organization. How does an organization assure this integration works well for all?
- Which department or person should play the key role in defining master data and assuring it’s quality?
- Which is more of a risk to a company: inaccurate data or excessive repetitive data? Explain
- Which transaction do you believe is the most ‘Sensitive’ and therefore should have extra focus in an SAT (Sensitive Access to Transaction) audit? Explain