Prepared by Jerod Brennen For ISACA – Central Ohio Chapter Meeting 12/9/2010.
Phoenix ISACA Chapter Meeting
Project Implementation -Successes & Failures
October 28th, 2010
“I cannot imagine any condition which could cause this ship to flounder. I cannot conceive of any vital disaster happening to this vessel.” E.J. Smith, Captain of the Titanic
© 2010 Protiviti Inc. An Equal Opportunity Employer. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.
Straight From the Headlines
Hershey’s – In November 1999, Hershey's reported a 19% drop in third quarter net earnings, and placed part of the blame on 'computer problems'. The chocolate maker was having issues with its new order-taking and distribution system, a $112 million combination of ERP, CRM, and SCM software. – InfoWorld and CFO Magazine
Cleveland State University – Ohio's attorney general filed a lawsuit in 2004 against an ERP provider seeking $510 million in damages stemming from an allegedly faulty installation of the company's ERP and student administration applications at Cleveland State University. – Computerworld
Levi Strauss – Problems with a massive global ERP rollout have helped send Levi Strauss' 2008 Q2 results through the floor. The jeans giant reported a 98% drop in net income to $1 million and squarely blamed "substantial costs" associated with its new ERP system. – The Register
Goodyear – In November 2003, Goodyear Tire & Rubber Co. restated earnings by $84.7 million for periods going back as far as 1998, due to the implementation of an ERP system in 1999 and errors in inter-company billing systems. – CFO.com
The Hits Keep on Coming…
Invacare – Medical care company Invacare lost $30 million as a result of a bungled ERP implementation in Q4 2005. When the implementation went live, there were problems with the order-to-cash process, despite it having been tested prior to the system going live. – Invacare News Release and ComputerworldUK
Hewlett-Packard – In August 2004, HP announced that its revenues for Q3, from its Enterprise Servers and Storage (ESS) segment had gone down by 5% to $3.4 billion, as compared to the same quarter the previous year. The company attributed this revenue shortfall mainly to the problems faced in migrating to a centralized ERP system at one of its North American divisions. The total financial impact of the failure including backlogs and lost revenue was pegged at $160 million, more than five times the cost of implementing the ERP project. – Center for Management Research (ICMR) Case Study
Overstock.com – In October 2008, Overstock.com says it "failed to hook up some of the accounting wiring" and will revise more than five years of results because of problems in implementing an ERP program. The revisions to its 2003–2007 results probably will reduce revenue by $12.9 million and increase cumulative net loss by $10.3 million. – CFO.com
IT Project Outcomes
[Chart: percentage of IT projects that Succeeded, were Challenged, or Failed, for 2004, 2006 and 2009, on a 0% to 100% scale]
The Standish Group International, Inc., 2009
45% cost overrun
63% time overrun
67% of required functionality delivered
How Projects Fail
(The Standish Group International, Inc., 2009)
Key Risk Factors
• Business critical applications
• Unproven or unfamiliar technology
• Complex project dependencies
• Strict time or budget constraints
• Lack of appropriate performance and status metrics
• Unclear or misaligned project objectives
• Lack of management support
• Lack of user involvement
• Project team skills or availability issues
• Ineffective project communications
• Immature project management process
• Ineffective project risk management process
Throughout the Project Life Cycle …
When is the Right Time to Manage Risks?
[Chart: Cost to Prevent/Mitigate/Remediate plotted against Time over the total project life cycle (Concept, Development, Implementation, Production), with the opportunity to reduce risk and the area of highest risk impact marked]
Assess or Consult? - Considerations
• General Internal Audit philosophy
• State of PMO and project risk management function
• Compliance role within business/IT
• Organization's implementation history/experience
• Internal Audit resources/skills
• Involvement of 3rd parties (system integrator)
• Significance of project/system
• Internal Controls ownership/focus within business/IT
What is our focus?
• Project Management Risk
– Time
– Money
– Requirements
• Project Lifecycle Controls
• Future Internal Controls
– Application/Configurable
– Privileged Access and SOD
– Interface
– IT General Controls
– Reports
• Compliance
Project Risk Management
[Diagram: the PMI® project risk management framework, layered as follows]
• Project Management (Project Office): Scope, Time, Cost, Quality, Human Resource, Communication, Risk, Procurement
• Project Lifecycle: Planning & Initiation, Requirements, Analysis, Design, Development, Testing, Implementation & Rollout, Post Implementation
• Project Support: Program Office, Integration with Common Business Functions
• Project Environment / Business Environment: Process Alignment, Portfolio Management, Strategic Alignment, Corporate Culture, Stakeholders
Project Management - Focus
• Requirements definition
• Governance
• Risk/Issue tracking and resolution
• Management of customizations
• Communication
• Ownership - RACI
• Change enablement
Project Lifecycle - Focus
• CRP/UAT Development and Execution
– Scope (Functions, Role, Data)
– Test Development
– Criteria
– Involvement
– Requirements
• Data Conversion and Migration
– Strategy
– Ownership
– Resources
– Phases
– Testing
Future Internal Controls
• Application/Configurable
– Available Options and Selection of Controls
– Elimination of unnecessary manual controls
– Addition of new manual controls
– Incorporation into requirements/design
– Pre/post-implementation testing
• SOD/Access
– Foundational SOD policies in business terms
– Report Access
– Scalable role-based functional and technical design (Who is doing it?)
– User involvement & regional/business-unit variations
– Testing, mitigating and remediating
– Approval for deviations or “violations”
– Go forward management/maintenance
Future Internal Controls
• Interfaces & Reports
– Adequate definition of requirements (scope)
– Testing
– Monitoring controls (interfaces)
• IT General Controls
– User Administration
– IT SOD
– Change Management & Data Governance
• User controlled configurations
• Master Data
– GRC Tools
Overview of Oracle GRC Controls Suite
[Diagram: components of the GRC Controls suite and the function each performs]
• AACG – Access Validation / Continuous Monitoring
– SoD: Ensures no conflicts of interest for a given user or role
– Identifies user access events for validation and audit history
• PCG – Form Restriction: Enforces form level restrictions - modifies security, navigation, field and data properties
• PCG – Preventive Validation: Enforces & validates allowable values
• CCG – Configuration Change: Provides audit history of changes to critical application data
• TCG – Transaction Validation / Transaction Monitor
– Validates transaction against business policy rules
– Enforces & identifies transactions for validation and audit history
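The SoD/Access bullets earlier (foundational SoD policies in business terms, scalable role-based design, testing, and approval for deviations) and the AACG "no conflicts of interest for a given user or role" function in this slide both describe a rule-set evaluation. The Python below is an added example, not code from the presentation or from the Oracle GRC suite. It shows how an SoD rule set written in business terms can be evaluated first against the role design (so a responsibility that conflicts with itself is caught before anyone is provisioned) and then against user assignments (where clean roles combine into a conflict), with approved deviations reported as mitigated against a named control rather than silently dropped. Every rule, role, user and deviation is constructed sample data.

```python
"""Segregation-of-duties (SoD) rule-set evaluation over role design and user assignments.

Added example, not code from the presentation or from the Oracle GRC suite.
Every rule, role, user and approved deviation below is constructed sample data.
"""
from dataclasses import dataclass

# SoD policy in business terms: pairs of functions that one person must not hold together.
SOD_RULES = {
    "P2P-01": ("Maintain Vendor Master", "Approve Vendor Payment"),
    "P2P-02": ("Enter Purchase Order", "Approve Purchase Order"),
    "GL-01": ("Post Journal Entry", "Approve Journal Entry"),
    "SEC-01": ("Maintain User Access", "Post Journal Entry"),  # IT SoD: security admin vs. finance
}

# Role (responsibility) design: which business functions each role grants.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"Maintain Vendor Master", "Enter Purchase Order"},
    "AP_MANAGER": {"Approve Vendor Payment", "Approve Purchase Order"},
    "GL_ACCOUNTANT": {"Post Journal Entry"},
    "GL_CONTROLLER": {"Post Journal Entry", "Approve Journal Entry"},  # conflict built into one role
    "SECURITY_ADMIN": {"Maintain User Access"},
}

# User provisioning: which roles each user holds.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},  # clean roles, conflicting combination
    "carol": {"GL_CONTROLLER"},  # inherits the intra-role conflict
    "dave": {"SECURITY_ADMIN", "GL_ACCOUNTANT"},
}

# Approved deviations: (subject, rule id) -> the mitigating control that was signed off.
APPROVED_DEVIATIONS = {
    ("carol", "GL-01"): "Monthly CFO review of journals posted and approved by the same user",
}


@dataclass(frozen=True)
class Finding:
    subject: str       # user or role being assessed
    rule_id: str
    functions: tuple   # the two conflicting business functions
    via_roles: tuple   # roles granting each of the two functions, in the same order
    status: str        # "violation" or "mitigated"
    mitigation: str = ""


def functions_granted(roles):
    """Map each business function to the sorted list of roles (from `roles`) that grant it."""
    granted = {}
    for role in sorted(roles):
        for function in ROLE_FUNCTIONS.get(role, ()):
            granted.setdefault(function, []).append(role)
    return granted


def evaluate(subject, roles, deviations=APPROVED_DEVIATIONS):
    """Run every SoD rule against one subject's effective functions.

    A hit becomes a Finding; if an approved deviation exists for (subject, rule)
    it is reported as "mitigated" rather than dropped, so the exception stays auditable.
    """
    granted = functions_granted(roles)
    findings = []
    for rule_id, (first, second) in sorted(SOD_RULES.items()):
        if first in granted and second in granted:
            mitigation = deviations.get((subject, rule_id), "")
            findings.append(Finding(
                subject=subject,
                rule_id=rule_id,
                functions=(first, second),
                via_roles=(tuple(granted[first]), tuple(granted[second])),
                status="mitigated" if mitigation else "violation",
                mitigation=mitigation,
            ))
    return findings


def assess_role_design():
    """Intra-role check: a single responsibility that conflicts with itself is a design defect."""
    return {role: evaluate(role, {role}) for role in ROLE_FUNCTIONS}


def assess_users():
    """Cross-role check: conflicts that only appear once a user holds several roles."""
    return {user: evaluate(user, roles) for user, roles in USER_ROLES.items()}


def summarize(results):
    """Count findings by status across a results dict from either assess_* function."""
    counts = {"violation": 0, "mitigated": 0}
    for findings in results.values():
        for finding in findings:
            counts[finding.status] += 1
    return counts


if __name__ == "__main__":
    for label, results in (("Role design", assess_role_design()), ("User access", assess_users())):
        print(f"{label}: {summarize(results)}")
        for findings in results.values():
            for f in findings:
                print(f"  {f.status:9} {f.subject:15} {f.rule_id:7} {f.functions[0]} + {f.functions[1]} via {f.via_roles}")
```

Running the block reports one design-level violation (GL_CONTROLLER carries both sides of GL-01) and, at user level, two violations for bob, one for dave, and carol's GL-01 hit as mitigated. The `via_roles` field is what makes remediation actionable: it names which role to remove or split, and the role-level pass is the check to run before the responsibilities are built rather than after go-live.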
Additional Considerations
• Statutory/Regulatory Compliance
• Selection
• Information Security
• Data Privacy
• Cloud Computing/Outsourcing
• Disaster Recovery
Strategic Teaming Model
[Diagram: responsibilities of the Business Sponsor & Business Owners, Internal Audit, the System Integrator and Protiviti in an ERP implementation]
Project Sponsor, Business Owners and Project Management
• Provide required design and implementation resources
• Provide project and system ownership
• Manage Program Office
• Provide business strategies, processes, & requirements
Internal Audit
• Establish compliance / risk management program
• Define control and compliance requirements
• Validate controls framework
• Ensure that new process and systems fulfill compliance requirements
• Understand, map and document process controls
• Understand and validate security, segregation of duties (SoD), and/or critical access
• Audit implementation risks
• Compare against defined audit requirements
• Attest to design and operational effectiveness of controls
System Integrator & Impl. Team
• Provide project management and accountable for scope, functionality, budget, schedule, etc.
• Responsible for delivery – system design, configuration, development, testing, and cutover
• Provide expertise in system and related technologies
• Configure security and control recommendations based on functionality
• Integrate controls framework
Protiviti
• Enable / facilitate 'control-focused' dialogue between implementation stakeholders and other compliance parties
• Provide risk / control best practices and supporting tools
• Facilitate control-focused discussion across all phases of implementation, from gathering of compliance / risk management requirements to testing / validation of controls (e.g., security and SoD)
• Assist to optimize application controls
• Assist to enable sound security design and configuration
• Leverage knowledge and experience from projects
• Implement GRC solution to monitor and maintain environment
• Knowledge transfer to further enhance client capabilities
Implementation Risks and Methodology
[Matrix: control-focused activities by Project Phase / System Development Life Cycle (SDLC) stage (Definition, Elaboration, Build, Transition, Production) for the ERP Implementation Team, System Integrator, Internal Audit and External Auditor; the activities in the matrix are listed below]
• Independent Review of Project Scope & Plan
• Deliver BPO Business Concepts Training
• Design SDLC controls and identify all required SI documentation
• Update SI design documentation with proposed risks & controls
• Design IT Application Controls (ITAC) relevant to RCM
• Ongoing independent review of key design elements
• Identify policy and procedure gaps for the future state processes
• Review data conversion strategy
• Define SoD Policies
• Define SoD Rule Set
• Start design of Responsibilities
• Develop / update Finance Policies that integrate with new system
• Develop data conversion and interface validation procedures
• Start Oracle GRC implementation
• Complete GRC implementation
• Complete SoD design, considering client-specific resource constraints
• Design change and access management controls
• Test SoD using automated tool
• Perform application controls testing
• Complete business process RCMs
• Develop key report validation procedures
• Perform first automated assessment of SoD
• Review whether access to sensitive functions is adequately restricted
• Review the new Finance Policies as the system is configured
• Perform & document data conversion, interface & key report validation procedures
• Participate in go live preparedness risk assessment
• Finalize security administration procedures
• Compile SDLC testing results for external audit review
• Perform post go-live SoD test
• Validate effectiveness of Access & Change Management IT controls
• Perform walkthrough of updated compliance documentation in Production
• Perform testing of ITACs in Production
• Perform testing of Key Reports in Production
Multi-phase Activities: Project Risk Management & Guidance