- What are the key components of SAP change management controls you would expect the auditor to review? Why?
- In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
- How have you seen change management work in your organization? What improvement recommendations do you have?
- In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
Parneet Toor says
1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
The key components of SAP change management controls are:
System Access: Check online and internal network connections to determine unauthorized access.
Change Control Management process: Check request forms and approvals.
SOD: Are duties segregated for creation and authorization?
Validation before implementation: Make sure that before pushing for release proper testing is done, and especially changes.
Khawlah Abdulaziz Alswailem says
Parneet,
Adding to your points; the auditor may also review the following:
Change request – Check the transparency and validity of change execution
Authorization change – Ensure every authorization-based change is reasonable, accurate and timely
Testing procedure – Whether the change has been tested before implementing in a live SAP system? If these testing procedures are appropriate?
Control monitoring – Monitoring the effectiveness of existing controls, the necessity of existing controls or for new controls
Michelangelo C. Collura says
Very good point about testing before going live. This is a big part of change management, and it helps to avoid disruption due to a bad build getting rolled out. Also, if requirements aren’t properly designed into the new product, this prevents an embarrassing disruption to the firm’s operations, and to your professional reputation.
Candace Nelson says
Additionally, auditors should review whether effective rollback procedures exist in the event problems are encountered when the change goes into effect so the system can be restored to its pre-implementation state!
Jing Jiang says
Good points, all of you. I totally agree that the testing is necessary. Adding to your point, the auditor can review the Transport Request to track the changes, because it is a carrier of the changes made in the development of SAP. If there is no documentation for the transport request, the auditor can recommend the documentation. Naming the transport request will also help to check the changes more easily.
Mengting Li says
I do believe that reviewing testing procedures and processes is definitely a good way to ensure that changes are satisfactorily tested before being approved. In addition, reviewing deployed changes relative to the change management process ensures all deployed changes comply with the change management process that was decided before.
Parneet Toor says
2. In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
Yes, I had used blueprints as documentation in my recent job to document business processes for review and analysis. Creating a blueprint for your business is a great way to clarify your project or business vision. Just like a building blueprint details every aspect of the finished product, a business blueprint describes exactly how you imagine your project will look once work is done.
Parneet Toor says
3. How have you seen change management work in your organization? What improvement recommendations do you have?
Unfortunately, my experience with change management had been limited at my recent job. However, I did experience filling out the change management request form for approvals from senior leadership.
My recommendation for improvement would be that companies should follow the change management process as and when needed. Oftentimes when projects are in crunch time such a process is bypassed. Most of the time an email (without filling out a detailed change management request form) is considered as proof of approval, which causes a lot of problems, especially when that specific change has a defect.
Michelangelo C. Collura says
Very good point about bypassing. If change management is implemented but only when times are good, then it isn’t very effective. It makes sense if you know human nature, but it’s the precise opposite of what should happen; when times are good, change management is a useful assist. When times are bad, projects are difficult/complex, time is short, etc, then strong change management is crucial to preventing cost/time overruns and general misery.
Parneet Toor says
I agree, Michelangelo, change management is crucial to prevent cost/time overruns. Oftentimes it happens that, due to project overcost, companies start getting rid of resources due to their negligence or ignorance to follow the process, and at the end the project team suffers.
Parneet Toor says
4. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
What are the biggest challenges in Auditing profession from their own experience?
How do they maintain relations with clients?
How do they resolve a conflict with clients or audit committee?
Khawlah Abdulaziz Alswailem says
What are the key components of SAP change management controls you would expect the auditor to review? Why?
Some of the key components that I would expect an auditor to review are as follows:
• Monitoring of changes: How are the changes to SAP system tracked and recorded? Likewise, how often are the change logs reviewed to make sure that unauthorized changes have been made?
• An approval process for changes: Who is responsible for reviewing and approving changes to the SAP system. This should include who approves the initial change to be made and who gives final approval for the change to be made into the SAP system after it has been tested.
• Testing prior to implementation: What is the process of testing changes prior to implementation of the SAP system? How are changes tested prior to implementation?
• Segregation of Duties: Are the duties segregated for those creating the changes, those reviewing the changes, and the end users?
• Policy and process for emergency changes: What are the differences in the policies and procedures for changes that would be classified as emergency changes?
Yijiang Li says
I agree with you, Khawlah. Testing prior to implementation for SAP is a key control measure. SAP is a complicated and integrated system, so any minor changes will affect the normal operation of the entire system. Therefore, a necessary testing procedure can assure those changes won’t affect other functions of the system and will play their desired role.
Khawlah Abdulaziz Alswailem says
In future weeks we may have the privilege of having real-world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
1. What are the biggest challenges you have faced as an auditor?
2. What suggestions do you have for entry-level IT auditors?
3. What software will be implemented in a real-world work position?
Mengting Li says
What are the key components of SAP change management controls you would expect the auditor to review? Why?
Based on my research and understanding, the key components of SAP change management controls I would expect the auditor to review are as follows:
1. Change management policies and procedures, because the auditor reviews formally documented change management processes and ensures the processes have been and are being followed for each change introduced into the system.
2. Change initiation and approval to ensure each change is initiated in a formal manner and effectively approved.
3. Testing and acceptance to ensure changes are satisfactorily tested before being approved for migration into Production.
Mengting Li says
In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
A process blueprint describes the business process, including detailed information about processes in the process, people performing the activity or understanding and milestones in performing the activity. Therefore, process blueprints are important in documentation because those details in blueprints can provide instructions for people to understand activities. A clear blueprint helps the organization with better positioning and developing. In addition, it is good for decision makers to make decisions based on the blueprint.
Yijiang Li says
Good explanation, Mengting. A blueprint can play a guidance role for an organization to perform their business activities better. Also, decision makers can make more reasonable and effective decisions through a clear plan and direction from the blueprint. A complete blueprint will be beneficial for a company to allocate their capital and resources efficiently.
Mengting Li says
In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
1. How to maintain relationships with clients?
2. What is the most difficult part of your auditing job?
3. What kind of skills must an auditor have?
Michelangelo C. Collura says
What are the key components of SAP change management controls you would expect the auditor to review? Why?
Within the Correction and Transport System, I’d expect auditors to check the change management framework itself. In the Transport Management System, I’d hope they would check the routes, to move changes between clients or instances, in order to ensure changes are being assigned appropriately. I would expect the auditor to review the Security/Authorization groups, to see who is able to go in and modify code. Also, who emergency users are and their activity logs, given their debug abilities and wide access. I would also check the documentation process for change requirements. It is always a concern that miscommunication can lead to tasks being delegated incorrectly or not at all. These are just a few possible concerns; I believe there are many more the auditor would review.
Michelangelo C. Collura says
In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
I think it provides a useful guiding light as a change is implemented, particularly in helping users/staff to understand what is happening and why and what will happen going forward. It helps to prevent anxiety and confusion, and it acts as a reference tool. This can be helpful if staff is shifted around due to the change, or if new people are taken on. The goal is to implement the change with minimal disruption to the firm’s operations, so this is a useful approach to it.
Michelangelo C. Collura says
In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
– Are you ever selling an idea to the firm’s leadership, such as enhanced SAP user controls or increased security on systems? I’m curious if you simply go in, perform the audit, and leave the results to them to use as they see fit.
– Are there any differences between federal and private sector when it comes to organizations responding to audits with improvement?
Jing Jiang says
1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
Change management is important for an organization to successfully adapt and react to the changes. In SAP, it usually relates to the changes to the configuration or the development of the SAP system. I would expect the auditor to review the SAP system landscape. A system landscape with three systems is standard, which includes a development system, a quality assurance system and a production system. The SAP system landscape can provide a layout of servers, so that helps to ensure the integration of the data. The auditor should also review the relevant settings for clients and any changes in the client setting. For example, the area “Changes and Transports for Client-Specific Objects” should be set to “No Changes Allowed” in a production system.
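The client-setting check described in the comment above, as an added example that is not part of the original thread: it reads a CSV export of the client table T000 and flags production clients that still permit changes. The field names and value codes follow the standard T000 layout as an assumption to confirm on the audited release; the sample rows are constructed, and the cross-client baseline goes beyond the single setting named in the comment.

```python
import csv
import io

# Constructed sample: CSV export of client table T000 (not data from the thread).
SAMPLE_T000 = """\
MANDT,MTEXT,CCCATEGORY,CCCORACTIV,CCNOCLIIND,CHANGEUSER,CHANGEDATE
000,SAP reference,S,2,3,DDIC,20230110
100,Production,P,2,3,BASIS01,20230402
200,Production EU,P,1,3,DEV_JDOE,20240115
300,Quality assurance,T,1,,BASIS01,20230402
400,Production US,P,2,1,BASIS02,20231120
"""

# Value texts as shown in client maintenance; codes are assumed from the
# standard T000 domain values and should be confirmed on the audited system.
CLIENT_SPECIFIC = {
    "": "Changes without automatic recording",
    "1": "Automatic recording of changes",
    "2": "No changes allowed",
    "3": "Changes without automatic recording, no transports allowed",
}
CROSS_CLIENT = {
    "": "Changes to repository and cross-client customizing allowed",
    "1": "No changes to cross-client customizing objects",
    "2": "No changes to repository objects",
    "3": "No changes to repository and cross-client customizing objects",
}

# Baseline for production clients: (field, expected code, value texts).
PROD_BASELINE = [
    ("CCCORACTIV", "2", CLIENT_SPECIFIC),  # the setting named in the comment
    ("CCNOCLIIND", "3", CROSS_CLIENT),     # assumption: companion setting added here
]


def audit_production_clients(csv_text):
    """Return one finding per production client setting that deviates
    from the baseline, with who last changed the client record and when."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only clients whose role is 'P' (production) are in scope.
        if (row.get("CCCATEGORY") or "").strip().upper() != "P":
            continue
        for field, expected, texts in PROD_BASELINE:
            actual = (row.get(field) or "").strip()
            if actual == expected:
                continue
            findings.append({
                "client": row["MANDT"],
                "field": field,
                "actual": texts.get(actual, f"unknown code {actual!r}"),
                "expected": texts[expected],
                "last_changed_by": row["CHANGEUSER"],
                "last_changed_on": row["CHANGEDATE"],
            })
    return findings


if __name__ == "__main__":
    for f in audit_production_clients(SAMPLE_T000):
        print(f"client {f['client']} {f['field']}: '{f['actual']}' "
              f"(expected '{f['expected']}'), last changed by "
              f"{f['last_changed_by']} on {f['last_changed_on']}")
```

The scope filter trusts the client role recorded in the table, so the client list should first be reconciled against the documented system landscape.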
Jing Jiang says
1. In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
I don’t have much technical work experience, but I think people will use blueprints as a guide to achieve the goal of the organization. The blueprints are important in the documentation since they are a foundation for SAP implementation or updating. The blueprints will provide detailed guidance which helps employees to capture the significant information, such as project scope, the strategy of the organization and proposed solution, desired project outcomes, implementation approach, etc., to achieve the success of SAP implementation so as to accomplish the enterprise’s goal more effectively.
Jing Jiang says
In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
-What is the most difficult part of the auditing work and how did you overcome it?
-If you were me, as a student, what skills (soft skills or technical skills) would you want to learn to better fit in the auditing work.
Candace Nelson says
4. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
I would be interested in asking the auditors to discuss their background, e.g. education, how they ended up in IT Audit, as well as what they do to stay current in light of the rapidly evolving technology field. I would also like to know what they find most challenging – and rewarding – about their chosen profession.
Candace Nelson says
3. How have you seen change management work in your organization? What improvement recommendations do you have?
At a former employer, they utilized a system to “manage” the change management function. It helped to ensure that the appropriate steps were taken and that proper approvals were granted along the way. IT performed quarterly self-assessments that Internal Audit reviewed and – to my recollection – we did not encounter any exceptions. Hence, I would not have recommended any improvements.
Yijiang Li says
Hi, Candace, I am really interested in this “system” you mention to deal with change management work. It looks like this system plays a guidance role to arrange all the changes to their appropriate locations. Moreover, IT self-assessments are actually a measure to assure that no exceptions happened. Therefore, they are working together to guarantee that change management work goes smoothly.
Kevin Berg says
2. In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
We use blueprint documents quite a bit. For networking, we use Visio to document all of our servers and computers (on-premise and off) and how they interact with each other. This allows us to know how our network runs from the internet demarcation point to the firewall to our DC’s etc. On top of that, the computers listed show us who uses them and what permissions they have for both our file server and our Microsoft NAV ERP. Having a baseline of what is going on security wise through a blueprint system allows for tighter security without being too secure. It also helps to look at our network and users and spoof a user to test security. For instance, a new employee is hired in marketing so I can look at a base user, bring them up in our diagrams and create the user and authorizations based off of the least privileged person, login as them and poke around. Once I am satisfied, I create the actual role based off of my testing.
Kevin Berg says
3. How have you seen change management work in your organization? What improvement recommendations do you have?
I have seen change management in my organization because I am the one who implemented it. When I first took over security, there were no password or internet policies. There was very limited access to the PRIVATE folder on our data server as well. For the ERP system, I reviewed permissions and scaled back to a least privileged permission and as users asked for access, I would then review the permission with their supervisor. Same with the PRIVATE folder. I removed all group permissions and now every private folder is user based permission. So if a user’s logon is not on the folder or file, they can’t see it. That way I can look at the folder security and know who can see what. Keep in mind this is a 70 person company.
Kevin Berg says
3. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
How am I supposed to review folder access and who accessed what if you have standard Windows server? I believe with Standard that folder auditing is not an option. How do I go about justifying a more expensive server version if there aren’t audit trails?
Xiaomin Dong says
What are the key components of SAP change management controls you would expect the auditor to review? Why?
1. Review of SAP changes
2. Approval of SAP changes
3. Deployment of SAP changes for testing
4. Testing of SAP changes
5. Approval of SAP changes for production
6. Deployment of SAP changes to Production
7. Deployment of Production Support changes to Project Streams
This is because, regardless of the size and scope of the team making SAP changes, the IT department is usually stretched doing numerous tasks. These tasks will vary dependent upon whether it is a green-field implementation of SAP or whether it is support work. Some tasks are done to differing extents and will also be determined by the resources and skills available.
Xiaomin Dong says
In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
Unfortunately, in my previous organization, I did not have any experience with blueprints as documentation. A blueprint process. A blueprint is used to guide its priorities, projects, budgets, staffing and strategies by determining which aspects are important enough to include and which are not. It is important in the documentation because it helps schedule projects and manage the implementation sequence, as well as defines business processes and organization structural changes. A business blueprint also is used by an organization to coordinate a cost-effective and organizationally effective rollout plan.
Qiyu Chen says
I totally agree with you, Xiaomin. Indeed, some companies do not have blueprints as documentation, but they are still very important in the business processes. Without a clear blueprint to help the organization with better positioning and developing, the decision maker may make mistakes at the strategic level. Moreover, the blueprint can effectively guide the organization in a bigger picture, so it’s helpful for the company.
Xiaomin Dong says
How have you seen change management work in your organization? What improvement recommendations do you have?
From my previous work experience, the organization had effective change management, especially in the online customer service system. I previously worked in the customer relationship department for a couple of months, and the customer service systems required weekly support, and all PCs would be updated at least once a month. The daily operation record would be posted, and the head of department would go through it and approve it.
The improvement recommendation I could offer is that the company should not only focus on the hardware support, but also the updating of the online customer service system itself, since some customers commented that the loading speed of the online customer service system was getting lower from 3 pm to 5 pm.
Xiaomin Dong says
In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
1. What technical skills do you think are very helpful for an entry-level IT auditor?
2. Would you mind sharing with us how you started your career as an auditor?
3. How could auditors deliver value to the company? Could you give us some examples?
4. Could you give us some recommendations on how to prepare yourself for being an IT auditor during school days?
Khawlah Abdulaziz Alswailem says
Great Questions, Xiaomin
These are other questions that we may also ask:
1. What are the biggest challenges you have faced as an auditor?
2. What suggestions do you have for entry-level IT auditors?
3. What software will be implemented in a real-world work position?
Qiyu Chen says
1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
Generally, I would expect the auditor to review the changes and updates of the SAP systems. First of all, the changes in the SAP system should be reviewed. The team that reviews SAP change management requests is typically the senior SAP stalwarts that include Architects or Team Leads. They do many tasks including supporting the original design and impact assessment of a given change. In addition, the approval of SAP changes should be made. Somebody needs to approve each change and this will sometimes include, if not be, the people performing the review above.
Furthermore, the deployment of SAP changes should be tested. More e-mails fly around requesting the physical import into the test system. It is usually the job of the SAP Basis Administration team to perform the actual deployment. And of course, this job cannot be passed to the development or applications teams.
Qiyu Chen says
In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
Process blueprints describe business processes, including details about the activities in the process, the people who perform or know about the activities and their roles, the milestones that activities are performed in, etc.
Process blueprints are important in documentation because it specifies details at the process, milestone or process diagram elements. For instance, an activity has a participant property that specifies who is performing this work, an outputs property to show the result of this activity. Process blueprint is a powerful guideline for processing, monitoring and analyzing.
Qiyu Chen says
In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
1. What are some tools and skills an auditor must have in order to become successful in his or her career?
2. What is the most challenging part for you as an auditor?
3. How long is the working timeline for a typical project? Does it vary among different industries?
4. What would you recommend and give as advice to graduate students in the ITACS program? How should we prepare ourselves before we start working in the audit profession?
5. How do you maintain a good relationship and develop trust with clients?
Lezlie Jiles says
2. In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
No, we don’t use blueprints. However, blueprints ensure a successful implementation of a process. If utilized and updated properly it will provide a greater control over how a project is carried out and completed.
Lezlie Jiles says
3. How have you seen change management work in your organization? What improvement recommendations do you have?
Unfortunately, I have not worked with change management in my current position. However, I have reviewed a few change management policies and my recommendation would be to make sure the policy is clear and concise. Meaning making sure the role and responsible parties are identified, as well as, how changes are processed and reviewed and approved. I know this may seem like common knowledge or expected, but believe it or not, policies can sometimes be very vague.
Lezlie Jiles says
4. In future weeks we may have the privilege of having real-world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
This question is interesting because I just had a conversation with a classmate about the auditor’s approach with the auditee. I would like to know:
1. How does an auditor approach an audit with an auditee who may not be so welcoming?
2. What was the worst audit experience they have experienced in their career?
3. What was your worst audit experience and how did you handle it?
4. What are some of the tools and techniques you use?
Lezlie Jiles says
1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
I would expect the key components of SAP change management controls an auditor to review would be the approval process, testing, the policies, and procedures, as well as the process of documenting the changes.
Yijiang Li says
2. In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
Blueprint is always important for an organization’s next few years’ development. With the blueprint as documentation, every department within this company can work efficiently to align with the company’s business goals and objective based on this guidance. Moreover, blueprint as documentation can provide shareholders and investors a clear plan and direction about the company’s future, so they can use this guidance to optimize their capital and resources to support the company’s development better.
Khawlah Abdulaziz Alswailem says
Yijiang,
As you mentioned, Process blueprints describe business processes, including details about the activities in the process, the people who perform or know about the activities and their roles, the milestones that activities are performed in, etc.
Process blueprints are important in documentation because it specifies details at the process, milestone or process diagram elements. For instance, an activity has a participant property that specifies who is performing this work, an outputs property to show the result of this activity. Process blueprint is a powerful guideline for processing, monitoring and analyzing.
Source: https://www.blueworkslive.com/scr/docs/bwl/topics/blueprint_process.html
Yijiang Li says
4. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
For internal audit work, how can you overcome the difficulties while some employees would not like to coordinate with you because their self-benefits will be affected by this audit?
For external audit work, how can you obtain enough auditing materials while your client is not willing to provide them or they cover some key materials intentionally?