- What are the key components of SAP change management controls you would expect the auditor to review? Why?
- In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
- How have you seen change management work in your organization? What improvement recommendations do you have?
- In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
Penghui Ai says
1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
• Transporting changes into production access is restricted to authorized personnel via SAP Security.
• All changes entering the production environment are adequately supported by:
o Change approvals by appropriate personnel.
o Documentation of change (e.g. SAP Solution Manager).
o Test results.
• Review transport paths and related procedures to ensure appropriate change controls are designed and used to modify them.
2. In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
I did not see the blueprints as documentation during my last internship, so I assume they do not have one. The Business Blueprint is a detailed description of your business processes and system requirements, and we can print it out. This function documents the business processes in the company that you want to implement in the system. In a Business Blueprint for Projects, you create a project structure in which relevant business scenarios, business processes, and process steps are organized in a hierarchical structure. You can also create project documentation and assign it to individual scenarios, processes or process steps. You then assign transactions to each process step, to specify how your business processes should run in your SAP systems.
3. How have you seen change management work in your organization? What improvement recommendations do you have?
I did not touch the change management section in my last internship, but I have some common recommendations on change management:
• Active review. Manage program code details.
• Access to run programs restricted via SAP Security/Authorizations.
• Further secure programs via assignment to authorization groups.
• Basis Admins have no Display access to ABAP code (prevents backdoor access).
• Debug authority restricted to effectively monitored ‘emergency users.’
4. In future weeks we may have the privilege of having real-world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
What do you think is the biggest challenge for a student first starting his/her career in IT Auditing?
What could be an ideal candidate for IT Auditor?
Imran Jordan Kharabsheh says
Hello,
As I was reading through your response to the first question, I was quite interested in how you structured your answers. I also appreciate how you noted your concerns clearly and concisely, and also included the three criteria needed for change to be implemented. While your work experience has not involved you seeing blueprints of business processes, I would like to inform you that there are quite a few companies that do use blueprints and that they are extremely helpful for resting departments. I also found that your recommendations for change management were very interesting and unique, since I haven’t seen anyone mention debugging yet.
Haitao Huang says
Hi Penghui,
Good points. Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities. The only way to maintain security in the face of change is to systematically manage change. Change management and patch management techniques ensure that the systems are kept up-to-date with required changes. The techniques vary depending on the resource and are described in the following sections.
Imran Jordan Kharabsheh says
1. Before looking into a few of the change management controls that I might be most concerned with as an Auditor, it should be noted that there are 2 key parts to SAP change management and each has its own unique risks. The first section of the change management process I will look at is the Transport Process, where I am most curious about the change approval process for the production environment. For any change to enter the production environment, it needs to have the approval of relevant personnel, documentation of the changes that will need to be made to accommodate it, as well as supporting test results for the change in question. My concern here is that shortcuts could be taken at any of those 3 points of verification, which creates a risk that threatens productivity. The second section of the change management process to look at is program development, where I believe attention should be paid to SAP security, authorization and authorization groups. The reason behind these concerns is that without authorization controls, users in the SAP system can attempt to directly run programs which they shouldn’t be able to access.
2. During my time working in internal audit at an investment bank, there was an occasion where I was handed a blueprint for the processes that asset management had to be familiar with and use to perform regular business activities. I was tasked with testing their familiarity with the steps keyed out in the blueprint, and the results weren’t quite what I was expecting at the time. After interviewing and testing a good portion of the employees in the asset management department, I had somehow earned the spiteful eye of the head of asset management. This was because most of the employees who I had tested were not familiar with standard procedure at all, and were instead using shortcuts they had learned from friends and superiors in the department. I brought this promptly to the attention of my superior, who de-escalated the situation between the audit and asset management departments and included my findings in the audit report. Not following procedures on the blueprints can pose a huge risk to a firm, primarily because you are skipping measures that are in place to protect company assets and remove employee liability.
3. Change management at the investment bank I worked at almost entirely revolved around the board-approved recommendations of both the internal and external auditors the company hired. I believe this was for good reason, because the recommendations we made were all inclusive and focused primarily on what was necessary for the firm to remain secure and running efficiently, from hardware and software changes to restructuring departments. While there isn’t anything in particular I would change about the way the company treats change management, I felt that only getting c-level and board approval prior to enacting change might be a little too shortsighted. To remedy this, I believe the insight and opinion of the department involved in the change should also be heard.
4. The first question I would like to ask is about the approach and process each auditing professional takes when tasked with performing the auditing functions on a specified department, as I’ve noticed that most auditors who I’ve worked with have somewhat unique approaches. Another question I would enjoy hearing an answer to is how they determine a company’s appetite for risk, in order to recommend proper risk management solutions. Finally, I would like to hear about a few examples of some of the emerging risks that professional auditors are struggling to find solutions for in today’s organizations.
Penghui Ai says
Hi Jordan, you shared very good examples related to your job experience, which is very helpful for understanding the questions. If you were the auditor of the company I interned at, I would be one of the employees not familiar with the blueprint. There is no doubt that employees’ awareness of the company’s blueprint is necessary.
Deepa Kuppuswamy says
What are the key components of SAP change management controls you would expect the auditor to review? Why?
1] To manage activities performed during a change management process, SAP Solution Manager delivers a default tool called SAP ChaRM that allows us to track change requests and transport requests in the change management system across the entire business solution. Following are the key components of SAP Change Management Controls:
Step 1: Change request and authorization — Every change requires a formal authorization before it can be implemented. Usually in most cases it would be authorized by process owner or the change requester itself.
Step 2: Change Approval — Every change that is being implemented in production should be approved by someone. It can be the approval from Change Advisory Board (CAB) or Change Review Board (CRB). They help in advising change management guidelines with respect to assessment, change types and priority.
Step 3: Development of change in DEV environment — Once the change is approved by the CAB, it is developed in a separate DEV layer and then transported into the TEST environment for testing the change.
Step 4: Deployment of change for Testing — User Acceptance Testing (UAT) should be performed for every change to ascertain that the change is developed as per the initial request.
Step 5: Approval for migrating the change into production – Before migrating any change into production the change should be approved by authorized individuals.
Step 6: Deployment of Change into Production – After obtaining the approval, the change should be implemented into production and we need to ascertain that SOD is in place in all the stages.
Step 7: Post Implementation Review – After implementing the change in production, a post implementation review is performed to make sure that the change is deployed and working as per the request. Otherwise, the rollback plan is implemented to revert the change.
Deepa Kuppuswamy says
2. In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
I have experience from a Big 4 accounting firm, but I have not had an opportunity to look at the blueprint documentation of that firm. I am sure that all companies have process blueprint documentation in order for the business to keep running during situations like disasters. A process blueprint is like the first place where IT and business processes meet, so it is very important to provide necessary direction for organizations looking to overhaul or enhance their existing IT environments. Oftentimes I see that in most clients’ environments they try to bypass blueprinting to expedite the process or to reduce cost. Although overriding the blueprint can initially speed up the process, it causes delays and added costs later, so it is very important to follow blueprint documentation, which would help to provide a roadmap for building and implementing the solution.
Deepa Kuppuswamy says
3. How have you seen change management work in your organization? What improvement recommendations do you have?
As an external auditor, I had an opportunity to review and test the change management process for various clients. As I had worked on multiple clients, I have seen clients using different methods and CM tools to deploy changes. One major criticality that I noticed in many clients is in terms of identifying ‘Emergency Changes’: when they identify a change as an emergency change there are a few key critical priorities and criteria to consider before implementing it, and this was not properly documented or retained in many client environments, due to which we had to note a deficiency in many cases. I would recommend that clients maintain business justification and appropriate documentation for every change, and it is also important to maintain UAT testing results for normal changes, which were also missing in many cases.
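As an added example (not code from any poster, from SAP Solution Manager or from ChaRM), the seven gates listed above together with the segregation-of-duties, emergency-change justification and UAT-evidence points can be expressed as an audit check over change records; the record layout, field names and sample data are constructed assumptions:

```python
# Added example, not from the discussion: audit SAP change records against the
# seven gates listed above plus the emergency-change and UAT evidence points.
# Record layout, field names and the sample data are constructed assumptions.
from dataclasses import dataclass, field

# Gate names follow the seven steps in the post; each maps to the user who signed it off.
GATES = ("request_authorized", "cab_approved", "developed_in_dev", "uat_passed",
         "prod_approved", "deployed_to_prod", "post_impl_review")

@dataclass
class ChangeRecord:
    change_id: str
    emergency: bool
    signoffs: dict = field(default_factory=dict)  # gate name -> user id who signed it off
    developer: str = ""
    transporter: str = ""            # who imported the transport into production
    business_justification: str = ""
    uat_evidence: str = ""           # reference to the retained UAT results
    rollback_plan: str = ""

def audit_change(rec: ChangeRecord) -> list:
    """Return a list of deficiency strings; an empty list means the record passes."""
    findings = []
    for gate in GATES:
        if not rec.signoffs.get(gate):
            findings.append(f"{rec.change_id}: no evidence for gate '{gate}'")
    # Segregation of duties (step 6): the developer must neither approve nor
    # transport their own change into production.
    if rec.developer and rec.developer == rec.transporter:
        findings.append(f"{rec.change_id}: developer transported own change (SoD)")
    if rec.developer and rec.signoffs.get("prod_approved") == rec.developer:
        findings.append(f"{rec.change_id}: developer approved own production move (SoD)")
    # Emergency changes need retained business justification; normal changes need UAT results.
    if rec.emergency and not rec.business_justification:
        findings.append(f"{rec.change_id}: emergency change lacks business justification")
    if not rec.emergency and not rec.uat_evidence:
        findings.append(f"{rec.change_id}: UAT results not retained")
    if not rec.rollback_plan:
        findings.append(f"{rec.change_id}: no rollback plan for post-implementation review")
    return findings

def audit_all(records) -> dict:
    """Map each change id to its findings, keeping only records with deficiencies."""
    return {r.change_id: f for r in records if (f := audit_change(r))}

# Constructed sample records: one clean normal change, one deficient emergency change.
SAMPLE = [
    ChangeRecord("CR-1001", False,
                 dict(zip(GATES, ["owner1", "cab", "dev1", "tester1", "mgr1", "basis1", "mgr1"])),
                 developer="dev1", transporter="basis1",
                 uat_evidence="UAT-1001.pdf", rollback_plan="RB-1001"),
    ChangeRecord("CR-2002", True,
                 {"request_authorized": "dev2", "prod_approved": "dev2", "deployed_to_prod": "dev2"},
                 developer="dev2", transporter="dev2"),
]

if __name__ == "__main__":
    for cid, fs in audit_all(SAMPLE).items():
        print(cid, *fs, sep="\n  ")
```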
Deepa Kuppuswamy says
4. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
Below listed are my questions:
1. How difficult is it to present audit findings on the table during the reporting process? Please give us some hints and advice to present findings better and more convincingly.
2. Which are the difficult phases that we need to focus on more during a real-time audit with clients?
3. What would be the difficult factors when auditing blockchain and supply chain, and how are we going to audit Artificial Intelligence?
Rouying Tang says
Hello Kuppuswamy, thank you for sharing. I am also curious about the second question you asked.
Rouying Tang says
1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
The auditor needs to review who has access to transport changes into production, and whether the relevant regulations are followed by the personnel. They also need to figure out whether those changes are adequately supported by change approvals by appropriate personnel, documentation, and test results. The relevant transport paths and related procedures should be focused on as well.
Yuan Liu says
I think auditors should focus on the Quality Gate Management. It provides a phase-based overview of the status of your software change projects. The project phases end in quality gates. By releasing a quality gate, the import lock is removed and an import into subsequent systems is possible. As long as a project is in the initial status, no changes and transports can be created.
Rouying Tang says
2. In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
When I was a manager at a student organization in China, I did use a blueprint as a tool to show the draft of the processes and the corresponding representatives, but eventually I would use words to describe it in reports. Blueprints are a good way to show the logical relationship clearly and straightforwardly.
Rouying Tang says
3. How have you seen change management work in your organization? What improvement recommendations do you have?
I have no experience related to change management. But I would recommend following a predefined change management process to conduct any changes, to avoid risk and unexpected errors. Any unexpected changes must be prohibited. Continuous monitoring of the change management process is needed.
4. In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
Do you like the job of auditors? If yes, which part of the auditing job do you like the most? If no, what made you become an auditor?
Haitao Huang says
1. The change management process has three basic components:
Request Control:
The request control process provides an organized framework within which users can request modifications, managers can conduct cost/benefit analysis, and developers can prioritize tasks.
Change Control:
The change control process is used by developers to re-create the situation encountered by the user and analyze the appropriate changes to remedy the situation. It also provides an organized framework within which multiple developers can create and test a solution prior to rolling it out into a production environment.
Release Control:
Once the changes are finalized, they must be approved for release through the release control procedure. An essential step of the release control process is to double-check and ensure that any code inserted as a programming aid during the change process (such as debugging code and/or backdoors) is removed before releasing the new software to production. Release control should also include acceptance testing to ensure that any alterations to end-user work tasks are understood and functional.
2. NO.
3. The goal of change management is to ensure that any change does not lead to reduced or compromised security. Change management is also responsible for making it possible to roll back any change to a previous secured state. Change management can be implemented on any system despite the level of security. Ultimately, change management improves the security of an environment by protecting implemented security from unintentional, tangential, or affected reductions in security. Although an important goal of change management is to prevent unwanted reductions in security, its primary purpose is to make all changes subject to detailed documentation and auditing and thus able to be reviewed and scrutinized by management.
4. What are the biggest challenges and opportunities for IT auditors?
Yuan Liu says
1. Change Request Management (SAP ChaRM) allows you to process your projects universally in SAP Solution Manager: from change management and project planning, through resource management and cost control, to the physical transport of the changes from the development environment into the production environment.
Change Diagnostics supports customers in identifying, controlling, maintaining and verifying the versions of configurations of the system landscape components to provide a heterogeneous system landscape.
Configuration Validation offers the capability to compare and validate current values of configuration items of many systems against a defined target or standard configuration. It allows performing an interactive cross-system configuration audit as well as configuration reporting for a large number of compared systems. Validation of the configuration items is based on the E2E Diagnostics Infrastructure.
2. Visualizing the plans is the initial component. Viewing an architect’s perspective of the project, a detailed elevation, or simply flipping through the drawings begins the print reading process. Absorbing the image of the project in its entirety provides a sense of completeness.
Interpreting the information follows visualization. Interpretation requires more time delving into the drawings. Each building is different and every architect and engineer draws and details each project differently. Interpretation begins by flipping through the entire set, sheet by sheet, and noting the information pertinent to your scope of work.
3. I worked at a pear juice company before as a project manager. Because the company is built near the pear farm, the company has a remarkable price advantage compared with us. Because of the low-price competitive advantage, the company tried to sell the product to the American market for higher profit compared with the Chinese market. However, there is a high-level food checking standard in the American market in the FDA checking. The original product could not pass the FDA checking in some components, so the company had to upgrade factory equipment and re-train employees for the new production process. At the same time, a new accounting system was introduced to fit the new production process. For example, there are different vendors, so it was necessary to create more accounts for the procedure process and the new order-to-cash process. I used change management to pass the FDA checking. At the beginning, I set a goal and did research to find a solution for how to pass the FDA checking. After that, I upgraded the factory instructions, re-trained employees and hired different employees. The main idea of this project is that I worked with my team to find the solution.
4. What is the most popular topic in the auditing area?
Peiran Liu says
1. In my opinion, the key component of SAP change management controls that I would expect the auditor to review is Quality Control Management. The reason why I think so is that the quality control for the change is the most crucial part of the whole control. If the Quality Control goes wrong, changes won’t reach the expectations.
2. When I was the monitor of my class, I didn’t use any blueprints as documentation, as I didn’t have any blueprints to use. But after some failures in holding some activities, I found that planning it first makes it so much easier. The reason why process blueprints are important is that they can make the whole work easier.
3. I wasn’t involved in change management, but I have some ideas for improvement recommendations, such as making the change effective, making sure of the right timing and making sure the change can behave as expected.
4. Is there lots of pressure from senior manager? How to make full use of your knowledge in the company?