Italyatchristmas 101214094614-phpapp01-101218223454-phpapp01 (1)
technologyauditbymagdyelmessiry-130410144619-phpapp01
Transcript of technologyauditbymagdyelmessiry-130410144619-phpapp01
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
1/126
Technology Audit
1 Dr Magdy El Messiry
TechnologyAudit
Training CoursePART IBy
Dr. MAGDY ELMESSIRY
KNOWLEDGE TRANSFER CENTER
ALEXANDRIA UNIVERSITY
2011
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
2/126
Technology Audit
2 Dr Magdy El Messiry
Technology Audits Will Help IdentifyPotential Issues That May Become SeriousProblems for Your Business If Left UnattendedWhile each organization should insurean effective continuous auditing forincrease the generated income
Dr. M.El Messiry
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
3/126
Technology Audit
3 Dr Magdy El Messiry
"A trip of a thousand miles begins with a single step"
PREFACE
The main objectives of this booklet are to give the reader a survey of the different elements ofthe Technology Auditing (TA), hence the TA is the only way for the organization to improvetheir situation on the market. Technology audits will help identify potential issues that maybecome serious problems for your business if left unattended. Technology auditing will berecognized as the reliable and trusted source for the best application of relevant technology in theindustry. The continuous technology auditing will lead to the following;
Establishing proven methodologies for technology assessments
Establishing proven methodologies for quality control
Establishing a network of reliable and brief information sources Establishing a periodic review and assessment of technology news and information
Establishing a standard technology assessment model
Establishing a secured database of reports and assessments
Establishing and maintain business models for measuring return on investment and totalcost of ownership
To enhance the effectiveness of organization by providing the tools will be achieved throughinformation concerning the latest technology and innovation relevant to the particularindustrial fields that is the specific mission and goals of the organization.
The role of the Universities in implementing the Technology Auditing in the differentorganizations can be accomplished through the specialists in the technology and other areas of aglobally competitive economy. Their function will be the assistance in:
Promoting competitiveness and job creation.
Enhancing the quality of life.
Developing human resources.
Working towards environmental sustainability.
Promoting an information society.
Producing more knowledge-embedded products and services.
Developing innovation technologies that lead to increasing the number of patents.
The objective of this course is to give the specialists in the technology transfercenters at the universities and the industrial organizations the basic concepts on
TECHNOLOGY AUDITING and to help them in building TA departments.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
4/126
Technology Audit
4 Dr Magdy El Messiry
TABLE OF CONTENTS
PREFACE
CHAPTER ONE
TECHNOLOGY AUDTING
1.1 Introduction
1.2 Technology Audit Composition
CHAPTER TWO
INTERNAL AUDIT, EXTERNAL AUDIT, AND CONTINUOUS AUDITING
1. InternalAudit
1.1 Mission of the Internal Audit Function
1.2 Internal Audit Practice in Organization
1.3 Steps for Building the Internal Audit Team
1.4. Suggestion for Successful Internal Audit
1.5 Code of Ethics for Audit Staff
1.6 International Standards for the Professional Practice of Internal
Auditing (Standards)
2. External Audit
2.1 Implementation Procedure
2.2. Continuous Auditing
2.3.Key Steps to Implementing Continuous Auditing
2.3.1. Additional Considerations
2.3.2. Organizational Infrastructure
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
5/126
Technology Audit
5 Dr Magdy El Messiry
2.3.3. Impact on Personnel
CHAPTER 3
THE AUDITORS PERFORMANCE IN TECHNOLOGY AUDIT
3.1. Introduction
3.2. Role of Auditor
Phase One: Pre-Audit
Phase Two: On-Site Visit
3.3. Road Map for the External Audit Team Audit Leader
3.4. Notes to the Auditor
3.4. Control objectives
CHAPTER 4
SWOT ANALYSIS
4.1 Introduction
4.2. The Need for SWOT Analysis
4.3. Limitations of SWOT Analysis
4.4. SWOT Analysis Framework
CHAPTER 5
PRACTICAL EXAMPLES OF SWOT ANALYSIS
5.1. Health centers
5.2. University SWOT Analysis
5.3. Retail Industry SWOT Analysis
4.4. Web Business SWOT Analysis
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
6/126
Technology Audit
6 Dr Magdy El Messiry
CHAPTER 6
GLOSSARY
APPENDIX I
SWOT Analysis Template
APPENDIX II
Audit Checklist
APPENDIX III
Audit Checklist ISO/IEC 19770-1
APPENDIX IV
Template to use when writing an audit report
APPENDIX V
Information Technology Audit Report
REFERENCES
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
7/126
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
8/126
Technology Audit
8 Dr Magdy El Messiry
As shown in Figure (1), an organization can perform an audit in order to:
Generate income (or more income) for the technology driven organizations (e.g.
technology based enterprises, research centers, institutes) from their available technology. Improve the productivity of the technological factors. Improve business competitiveness and public administration's performance. Assess your current capabilities before making expensive changes. Learn how to optimize the use of current technology. Learn about your technology options. Get an independent assessment that can help convince your organizational partners of
changes needed.
An audit is merely a checkup. As we gather more and more techno -devicesaround us, we recognize the need to ensure that they are all accounted for, are
working properly, and are being employed for proper purposes, purposes thatadvance the cause for our organizations. Consequently, a technology audit exists atits very core as an activity that focuses our full attention upon improvement,sustainable improvement and continuous innovation. Organizational survey andtechnology audit will help in understanding the level of attention paid totechnology in the organization and facilitate the involvement of employees fromdifferent departments of the organization in the technology management process.The organizational survey and technology audit provides an instrument forauditing the organizations technological capabilities and its awareness of
technology as means of improving competition. The organizational survey andtechnology audit are used to assess whether the organizations management has theappropriate level of understanding of technology and technology management, andwhether the required climate to use technology is in place.
Formulation of technology strategy addresses the issue of how to recognize thecritical technological needs and identifies the basic dimensions of a technologystrategy. It consists of three steps: technology assessment, technology selection,and definition of the portfolio of technological projects, and strategic priorities andactions
3. The technology audit is equally applicable to manufacturing and service
firms. The firms should wish to create new products, incorporate new processes,
diversify their activities and be with growth potential. They should have capacityto survive and innovate and competence for international cooperation. Technologyauditing should consider as means of ensuring business continuity in amanufacturing organization.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
9/126
Technology Audit
9 Dr Magdy El Messiry
Figure (1) Objectives of Audit Cycle
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
10/126
Technology Audit
10 Dr Magdy El Messiry
1.2 Technology Audit Composition
The implementation of the technology auditing starts with the answering to;
What is the relationship between technology, business strategy andinnovation in ensuring continuity of the organization?
What does a technology audit consist of and what tools are available to helpconduct the technology audit?
What is the process flow of a technology audit?
The main steps of a technology audit process are4:
Step 1: Company Decision for Technology Audit
The starting point of the technology audit process is the desire or wish of a firm to
carry out a technology audit.
Step 2: Initial phase
The initial phase is important to ensure that the audit proceeds smoothly and
effectively. It includes discussion at the management level to explain and agreeupon the purpose of the audit, to design the questionnaire and the framework forthe report to suit the organization and to select those to be interviewed. Initialinformation about the organization (published and unpublished reports) is gatheredat this stage. Analysis of questionnaires should be done prior to the interviews andmight be done at an earlier stage, so that selection of those to be interviewed is
partly based on questionnaires.
Step 3: Interview and report phase
The company is being interviewed with a questionnaire, normally with
participation of the General Manager, aiming at:
Collecting general company data Shaping company technology profile Performing SWOT Analysis Identifying technological areas for further analysis.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
11/126
Technology Audit
11 Dr Magdy El Messiry
Technology Audit Tool consists of two parts, the questionnaires and the reports.The results derived from the questionnaires generate the reports that can be easilyaccessed by the General Manager of the company, but for a more accurate and less
biased diagnosis, an external specialized consultant is proposed.
Step 4: Technology Audit Report Framework
The final report of the technology audit should include:
Subjects analyzed Methodology used Problem areas identified
Solutions proposed for the problems Steps to be taken for implementing the solutions (action plan)
The expected results from a carefully conducted technology audit mainly concern4:
Complete and comprehensive analysis and evaluation of the requirements ofthe organization for its sustainable growth
Thoroughly objective SWOT Analysis
Opportunity spotting for new products / new services / new technologies / newmarkets
Networking with technology suppliers, technological sources, other companies
Possible assessment of technology portfolio, intellectual property rights
There are five tasks within the audit process area:
1. Develop and implement a risk-based international audit standards (IS) auditstrategy for the organization in compliance with international audit standards,
guidelines and best practices.
2. Plan specific audits to ensure that IT and business systems are protected andcontrolled.
3. Conduct audits in accordance with IS audit standards, guidelines and best practices
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
12/126
Technology Audit
12 Dr Magdy El Messiry
to meet planned audit objectives.
4. Communicate emerging issues, potential risks and audit results to key stakeholders.
5. Advise on the implementation of risk management and control practices within theorganization while maintaining independence.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
13/126
Technology Audit
13 Dr Magdy El Messiry
CHAPTER TWO
INTERNAL AUDIT, EXTERNAL AUDIT, AND CONTINUOUS AUDITING
The auditing process can be divided into three categories; Internal Audit, ExternalAudit, and Continuous Audit that might integrate for the fulfillment of the
organization objectives as illustrated in Figure (2).
2.1. Internal Audit
Internal auditing, as defined by the Institute of Internal Auditors (IIA), is anindependent, objective assurance and consulting activity designed to add value andimprove an organization's operations. It helps an organization accomplish itsobjectives by bringing a systematic, disciplined approach to evaluate and improvethe effectiveness of risk management, control, and governance processes.
2.1.1 Mission of the Internal Audit Function
The mission of the internal audit function is to provide organization management
with systematic assurance, analyses, appraisals, recommendations, advice andinformation with a view to assisting it, and other stakeholders, in the effectivedischarge of their responsibilities and the achievement of organizations mission
and goals5. The role of the internal audit function includes providing reasonable
assurance on the effectiveness, efficiency and economy of the processes in variousareas of operations within the organization, as well as compliance withorganization financial and staff rules and regulations, general assembly decisions,applicable accounting standards and existing best practice.
2.1.2 Internal Audit Practice in Organization
Each organization should establish Internal Audit. Its original mandate included
both internal audit and evaluation functions. The Internal Audit Department alsoinformally acted as a focal point for investigation and inspection. The organizationInternal Audit Charter follows Standards for the Professional Practice of InternalAuditing issued by the Institute of Internal Auditors
5(IIA) in assignments
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
14/126
Technology Audit
14 Dr Magdy El Messiry
performing audit.Audits are conducted in accordance with a detailed annual auditplan that is developed based on an annual risk-based assessment of internal auditneeds for the whole of organization.
Figure (2) Types of Auditing Models
Figure (3) Steps of Performing Internal Audit
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
15/126
Technology Audit
15 Dr Magdy El Messiry
Risk-based annual audit plans are subject to regular revision, at least annually, inorder to be aligned with the strategic objectives of the organization. Audit needsare estimated based on a thorough review of organizations business and other
systems and processes which make up the audit environment for the InternalOrganization Audit Department. The audit needs assessment is reviewed annuallyat the same time as the detailed annual audit plan is set out.
For annual audit planning purposes in line with the new set of strategic goals setfor the Organization, the Internal Organization Audit Department strategy and
annual plans are re-aligned regularly to ensure:
Due emphasis is put on the operational efficiency and effectiveness aspect
in the detailed work plans to the extent possible. Main organization business processes are reviewed to identify strengths and
good practices, as well as gaps and deficiencies. Value adding
recommendations are made to assist management in addressing these issues.
Audit support is provided to key management and governance initiatives
recognizing that the responsibility for such initiatives rests with the
management in the case of a strong indication of any fraudulent activity
found during an audit.
Sufficient audit work is performed to gather factual evidence and the
supporting documentation is handed over to the Investigation Section for
further examination if need be.
2.1.3 Steps for Building the Internal Audit Team
Figure (3) represents the steps for building the Internal Audit Team.
1- Group FormationLocal audit team leaders are chosen. They may appoint an individual to serve as
overall coordinator, as well. The key here is to get the best leadership in placeand functioning quickly.2-Audit teamsAudit teams are formed and necessary documents needed to support the audit
are gathered (Technology plan, facilities plan, personnel reports, etc.).
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
16/126
Technology Audit
16 Dr Magdy El Messiry
3- MeetingsMeetings are held at each organization department to explain this process toemployees. The purpose is to ensure that all employees know what to expect as
their auditors begin gathering data from a large number of locations to explainthe process, to seek community support and patience, and to forecast somefindings. This serves to get the community on board.4- Teams WorkDepartment-by-Department teams are working within the organization. At the
same time, another team works on the organization as a whole.5- Individual Team ReportsReports are written, and then combined into an organization wide document.
6- Team Leader Report
Team leadershares the internal audit report with the organization board.7- Report ApprovalOrganization board approves the internal technology audit final report.8- Report PublicationTeam leader authorizes the report publication.
2.1.4. Suggestion for Successful Internal Audit
In order to insure the success of the internal audit processes the following
recommendations6 should be considered by the organization manager forimplementing the Internal Audit;
Recommendation 1:
Invite the Director General to submit Internal Audit Charter to the organizationgeneral assembly. The charter could then cover the activities of the EvaluationSection and could give a general description of the tasks of the department and amore detailed description of the tasks of each Section (Director, Internal Audit,Investigation, and Evaluation & Inspection). After this recommendation has beenaccepted,Internal Organization Audit Department supports this recommendation asit will help clarify the distinct roles of the three main functions, i.e. internal audit,investigation and evaluation and promote the role of oversight in organization. Arevision of the Internal Audit Charter will be proposed for review by the Programand Budget Committee which will create an Internal Audit.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
17/126
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
18/126
Technology Audit
18 Dr Magdy El Messiry
Recommendation 7:
Invite Internal Organization Audit Department to review its strategy on planningfor audits involving medium to low risks in order to concentrate more on
engagements involving higher risks.
Recommendation 8:
The Internal Audit Section should:a. clarify the work program by linking it with the risk analysis,
b. ensure that the work program includes the priorities and the resource allocationfor each subject to be audited,c. ensure that the work program allows a connection to be made between theworking papers and the recommendations,
d. ensure that comments concerning the involvement and assignment of externalexperts are highlighted in the audit plan, ande. ensures that the signature of the Director of Internal Organization AuditDepartment and the date of approval are systematically placed on the audit
program before the audit begins.
Recommendation 9:
Invite Internal Organization Audit Department:
a. to improve the formalization of working documentation so that a third partyaudit professional is always able to compare the objectives of the engagement, the
content of the examinations carried out, the results, the auditors opinion and therecommendations. The standardization and organization of working papers couldgo some way to achieving this,
b. to integrate into the Internal Audit Manual regulations relating to auditdocuments, information to be archived and the period for which files must be kept;rules on access by third parties to working papers should also be included,c. to create audit notes that include a summary of the work carried out and allowconnections to be made between the work program, interviews, analyzeddocuments and the notes and recommendations contained in the report,
d. to establish a system for reviewing working papers and dating and signing them,and
e. to provide for the establishment of standards relating to documentation in theaudit manual.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
19/126
Technology Audit
19 Dr Magdy El Messiry
Recommendation 10:
In order to increase the visibility of the internal audit function within organization,
invite the Director of Internal Organization Audit Department to increase hiscontact with the Organization General manger.
2.1.5 Code of Ethics for Audit Staff
The internal audit staff is expected to follow the internal audit function in conducting
audits as set out in the Audit Charter8.
The Internal Auditor enjoys operational independence in the conduct of
his/her duties. He/she has the authority to initiate, carry out and report on
any action, which he/she considers necessary to fulfill his/her mandate.
The Internal Auditor shall be independent of the programs, operations and
activities he/she audits to ensure the impartiality and credibility of the audit
work undertaken.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
20/126
Technology Audit
20 Dr Magdy El Messiry
Internal audit work shall be carried out in a professional, unbiased and
impartial manner.
The conclusions of the audits shall be shared with the managers concerned,
who shall be given the opportunity to respond.
Any situation of conflict of interest shall be avoided.
The Internal Auditor shall have unrestricted, direct and prompt access to all
organization records, officials or personnel holding any organization
contractual status and to all the premises of the Organization.
The Internal Auditor shall respect the confidential nature of information and
shall use such information with discretion and only in so far as it is relevant
to reach an audit opinion.
2.1.6 International Standards for the Professional Practice of Internal Auditing
(Standards)
The Institute of Internal Audit published the professional practice that includes
Introduction to the Standards, Attribute Standards, and Performance Standards*.
Internal auditing is conducted in diverse legal and cultural environments; withinorganizations that vary in purpose, size, complexity, and structure; and by personswithin or outside the organization. While differences may affect the practice ofinternal auditing in each environment, conformance with the IIAs InternationalStandards for the Professional Practice of Internal Auditing (Standards) is essentialin meeting the responsibilities of internal auditors and the internal audit activity.
The purpose of the Standards is to:
1. Define basic principles that represent the practice of internal auditing.2. Provide a framework for performing and promoting a broad range of value-
added internal auditing.3. Establish the basis for the evaluation of internal audit performance.4. Foster improved organizational processes and operations.
The Standardsare principles-focused, mandatory requirements consisting of:
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
21/126
Technology Audit
21 Dr Magdy El Messiry
Statements of basic requirements for the professional practice of internalauditing and for evaluating the effectiveness of performance, which areinternationally applicable at organizational and individual levels.
Interpretations, which clarify terms or concepts within the Statements.
The structure of the Standardsis divided between Attribute and PerformanceStandards. Attribute Standards address the attributes of organizations andindividuals performing internal auditing. The Performance Standards describe thenature of internal auditing and provide quality criteria against which the
performance of these services can be measured. The Attribute and PerformanceStandards are also provided to apply to all internal audits.
Implementation Standards are also provided to expand upon the Attribute and
Performance standards, by providing the requirements applicable to assurance orconsulting activities. Assurance services involve the internal auditors objective
assessment of evidence to provide an independent opinion or conclusionsregarding an entity, operation, function, process, system, or other subject matter.The nature and scope of the assurance engagement are determined by the internalauditor. There are generally three parties involved in assurance services:
1. the person or group directly involved with the entity, operation, function,process, system, or other subject matterthe process owner,
2. the person or group making the assessmentthe internal auditor,
3. the person or group using the assessment the user.
Consulting services are advisory in nature, and are generally performed at thespecific request of an engagement client. The nature and scope of the consultingengagement are subject to agreement with the engagement client. Consultingservices generally involve two parties:
1. the person or group offering the advice the internal auditor,
2. the person or group seeking and receiving the advicethe engagement client.
When performing consulting services the internal auditor should maintainobjectivity and not assume management responsibility.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
22/126
Technology Audit
22 Dr Magdy El Messiry
2. External Audit
External assessments must be conducted at least once every five years by aqualified, independent reviewer or review team from outside the organization. Thechief audit executive must discuss with the organization board the need for morefrequent external assessments and the qualifications and independence of theexternal reviewer or review team, including any potential conflict of interest. Aqualified auditor or auditing team demonstrates competence in two areas: the
professional practice of internal auditing and the external assessment process.Competence can be demonstrated through a mixture of experience and theoreticallearning. Experience gained in organizations of similar size, complexity, sector or
industry, and technical issues is more valuable than less relevant experience. In thecase of an auditing team, not all members of the team need to have all the
competencies; it is the team as a whole that is qualified. The chief audit executiveuses professional judgment when assessing whether an auditor or auditing teamdemonstrates sufficient competence to be qualified. An independent auditor orauditing team means not having either a real or an apparent conflict of interest andnot being a part of, or under the control of, the organization to which the internalaudit activity belongs.
2.1 Implementation Procedure
A schematic of the steps that are normally followed while carrying out atechnology audit is shown and described below. Partial techniques per step are thetools used for the proper implementation of the technique.
STEP 1: Desire/Wish to Carry Out Technology Audit
Desire / wish of the organization to carry out technology audit, if the company
initiates the audit, no particular communication tool is used. However, if thecompany is approached by the service provider, it should explain: Scope ofinitiative, brief description of technique, potential benefits to the organization, andmain characteristics of the consultant / service provider.
STEP 2: Expert to Carry Out Technology Audit
Once common ground has been established between the organization and external
consultant/expert, the next step can follow.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
23/126
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
24/126
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
25/126
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
26/126
Technology Audit
26 Dr Magdy El Messiry
- Potential suggestions (especially if the audit stops at this point) for resolvingproblems and exploiting strengths & opportunities, mainly by indicating routes forsolutions with an action plan, isolation of specific areas / departments for further
diagnosis, proposal with justification.
STEP 7: PRESENTATION OF FIRST DIAGNOSIS REPORT TO GENERAL MANAGER AND
COMPANY MANAGEMENT
Presentation of first diagnosis report to General Manager and company management is
done with the handing out some time earlier of a hard copy of the report, themain findings, and the finalization on whether to continue for further diagnosis and
the agreement on the subject(s) to analyze is also performed here.
STEP 8: ADDITIONAL VISITS/INTERVIEWS TO DEPARTMENT HEADS
Entail an in-depth investigation of key areas of the organization being assessed. Afull due diligence audit of an external company can take up to a week at a smallsingle-site company with a technical staff of 50 or less, several weeks at larger
companies with a localized development team, and even longer examining a largercompany with geographically distributed development teams.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
27/126
Technology Audit
27 Dr Magdy El Messiry
Obviously, the relationship between company size and inspection effort is non-linear. This is because a certain set of core elements, such as policies and
procedures, business plans, and infrastructure standards are centrally located.
Typical areas and themes that could be covered with either specific subject tools orin a less structured way (if done by a specialist) could be:
(a) Quality
Policygoalspersonnel involvementtraining;
Process qualitymonitoring and control systemshandlingstoragepackaging;
Keeping of records/use of results;
Product qualityraw materials quality controlproduct quality control;
ISO issuespresentationbenefits.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
28/126
Technology Audit
28 Dr Magdy El Messiry
Figure (5) Quality Control Cycle
(b) Human resources
Skillsavailability;
Satisfactionrewards;
Meetingsawareness of company activities/products;
Team working/project management;
Continuing education/training;
Promotionevolutionrecord.
(c) Research and development Product development
Research and development strategy/partners;
QUALTY
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
29/126
Technology Audit
29 Dr Magdy El Messiry
Product mix/product lifecycle analysis;
Analysis of procedures for new product development;
Analysis of research and development activities;
Participation in research and development projects;
Focus on specific research and development area identification of potential technologysuppliers.
Figure (4) Steps of Product Development throughout R&D
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
30/126
Technology Audit
30 Dr Magdy El Messiry
(d) Production operation
Walk through production facilitiesbottlenecksproblem areas;
Material flowflow diagram;
Overview of system automation/needsopportunities;
Floor and product safety;
Maintenanceproceduresplanningproblems;
Analysis of productivity.
(e) Marketing/sales
Existence/analysis of marketing plan;
Strategymarket share/localexports;
Competitors analysis/sector analysis/opportunitiesthreats;
Distribution networksproblems;
Use of information technologies for sales/e-commerceInternetwww.urenio.org.
STEP 9: FINAL REPORT OF THE TECHNOLOGY AUDIT COMPILED BY THE EXPERTS
Final report of the technology audit, as given in Figure (6), compiled by the expertsshould contain the following*:
Executive summary
Summary of results from first part diagnosis
Subject(s) analyzed in second part
Methodology used for analysis
Problems identified
http://www.urenio.org/http://www.urenio.org/ -
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
31/126
Technology Audit
31 Dr Magdy El Messiry
Solutions proposed
Actions to be taken (action plan)
Figure (6) Technology Audit Final Report Contents
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
32/126
Technology Audit
32 Dr Magdy El Messiry
The action plan
Should be:
a) Specific to the subjectb) With a time framec) With determined milestonesd) With an estimated budgete) With the listing of expected resultsf) With identification of potential problem solvers (technology or service providers)g) With indications about provisional funding for implementing the solutions(e.g. national and / or international R&D programs)h) An implementation monitoring schedule, possibly to be done by the service provider.The action plan should be specific to the subject, with a timeframe, with determined
milestones and with an estimated budget. The action plan must list the expectedresults, identify potential problem solvers (technology or service providers) andindicate provisional funding for implementing the solutions. An implementation,monitoring-schedule must be done by the technology auditor in conjunction with a
project manager.
STEP 10: PRESENTATION OF REPORT BY EXPERT TO COMPANY MANAGEMENT
At step 10 the report by the technology auditor to the organization must discussissues identified, solutions proposed, the proposed action plan and the monitoringsystem that will be used.The systematic audit program includes initiating the audit, preparing for on-siteaudit, conducting on site audit, report preparation and follow-up activities. Thefollow-up activities in this context are the improvements activities result from theaudit finding. Figure (7) shows the stages of audit program management.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
33/126
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
34/126
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
35/126
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
36/126
Technology Audit
36 Dr Magdy El Messiry
2.3.1. KEY STEPS TO IMPLEMENTING CONTINUOUS AUDITING
Once the issues above are understood by managers and auditors alike, theorganization will be in a better position to begin using continuous auditing.Generally, the implementation of continuous auditing consists of six proceduralsteps, demonstrated in Figure (8), which are usually administered by a continuousaudit manager. Knowing about these steps will enable auditors to better monitor
the continuous audit process and provide recommendations for its improvement, ifneeded. These steps include:
1. Establishing priority areas.
2. Identifying monitoring and continuous audit rules.3. Determining the process' frequency.4. Configuring continuous audit parameters.5. Following up.6. Communicating results.
Below is a description of each.
1. Establishing Priority Areas
The activity of choosing which organizational areas to audit should be integratedas part of the internal audit annual plan and the company's risk managementprogram. Many Internal Audit Departments also integrate and coordinate withother compliance plans and activities, if applicable. (Steps 2-6 below are applicableto all of the priority areas and processes being monitoring as part of the continuousaudit program.)
Typically, when deciding priority areas to continuously audit, internal auditors andmanagers should:
Identify the critical business processes that need to be audited by breakingdown and rating risk areas.
Understand the availability of continuous audit data for those risk areas. Evaluate the costs and benefits of implementing a continuous audit process
for a particular risk area. Consider the corporate ramifications of continuously auditing the particular
area or function.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
37/126
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
38/126
Technology Audit
38 Dr Magdy El Messiry
Furthermore, other tools used by the manager of the continuous audit functioninclude an audit control panel in which frequency and parameter variations can beactivated. Hence, the nature of other continuous audit objectives, such as
deterrence or prevention, may determine their frequency and variation.
4. Configuring Continuous Audit Parameters
Rules used in each audit area need to be configured before the continuous auditprocedure (CAP) is implemented. In addition, the frequency of each parametermight need to be changed after its initial setup based on changes stemming fromthe activity being audited. Hence, rules, initial parameters, and the activity'sfrequency also a special type of parameter should be defined before the
continuous audit process begins and reconfigured based on the activity's
monitoring results.When defining a CAP, auditors should consider the cost benefits of error detectionand audit and management follow-up activities. For instance, in the example of the
bank described earlier, the excess threshold of US $1,000 could lead to a numberof false negatives (e.g., values that were ignored when the balance was smallerthan US $1,000 but were identified as representing a problem) and a number offalse positives (e.g., values with balances above US $1,000 that were flagged butwere accurate). If the threshold is increased to US $2,000, there will be an increasein false negatives and a decrease in false positives. Because follow up costs wouldgo up as the number of false positives increases and the presence of false negatives
may lead to high operational costs for the organization, internal auditors shouldregularly reevaluate if error detection and follow-up activities need to becontinued, reconfigured, temporarily halted, or used on an ad hoc basis.
Furthermore, the stratification of audited data into sub-groups allows organizationsto better monitor the activity and reconfigure any parameters (e.g., auditors will benotified when balances larger than 20 percent of the debt remain that are alsolarger than US $5,000). However, the more complex the rule and its conditionalcomponents, the more parameters that must be examined, monitored, andsometimes reconfigured.
5. Following UpAnother type of parameter relates to the treatment of alarms and detected errors.Questions such as who will receive the alarm (e.g., line managers, internalauditors, or both usually the alarm is sent to the process manager, the manager's
immediate supervisor, or the auditor in charge of that CAP) and when the follow-
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
39/126
Technology Audit
39 Dr Magdy El Messiry
up activity must be completed, need to be addressed when establishing thecontinuous audit process.Additional follow-up procedures that should be performed as part of the
continuous audit activity include reconciling the alarm prior to following up bylooking at alternate sources of data and waiting for similar alarms to occur beforefollowing up or performing established escalation guidelines. For instance, the
person receiving the alarm might wait to follow up on the issue if the alarm ispurely educational (i.e., the alarm verifies compliance but has no adverse economicimplications), there are no resources available for evaluation, or the area identifiedis a low benefit area that is mainly targeted for deterrence.
6. Communicating Results
A final item to be considered is how to communicate with auditors. Wheninforming auditors of continuous audit activity results, it is important for theexchange to be independent and consistent. For instance, if multiple system alarmsare issued and distributed to several auditors, it is crucial that steps 1-5 take place
prior to the communication exchange and that detailed guidelines for individualfactor considerations exist. In addition, the development and implementation ofcommunication guidelines and follow-up procedures must consider the risk ofcollusion. Much of the work on fraud indicates that the majority of fraud iscollusive and can be performed by an internal or external party. For example, inthe case of dormant accounts, both the clerk that moves money and the manager
that receives the follow-up money may be in collusion since the manager's keymay have to be used for certain transactions.
ADDITIONAL CONSIDERATIONS
Besides the six steps described in the previous section, two additional issues thatemerge when implementing continuous auditing are the infrastructure needed forthe process to work and its impact on the workplace.
Organizational Infrastructure
Because continuous auditing is a part of the company's audit function, it must bekept independent of management. Therefore, during the planning stages, auditorsneed to keep in mind the process' independence when designing its structure. Forinstance, a typical Internal Audit Departments structured so that areas of thedepartment focus on different cycles or business activities. In addition, thedepartment may be divided into financial and IT audit functions.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
40/126
Technology Audit
40 Dr Magdy El Messiry
Sometimes, however, IT audit activities are incorporated as part of existing IToperations. In organizations such as these, the development of continuous auditingis usually delayed because the activity may not get the necessary development
priority. Regardless of whether IT audit activities are part of the organization's ITor Internal Audit Department, the organization must maintain the process'independence as well as allocate resources in support of continuous audit activities.
Impact on Personnel
In addition, the audit manager in charge of the continuous audit process shouldhave a more technical understanding of IT as well as extensive experience on theactivities being audited. However, hiring, training, and retaining auditors who canimplement and monitor continuous audit activities might be challenging due to the
scarcity of internal auditors with knowledge in the area. Furthermore, thecontinuous audit process might create a daily stream of issues that need to beresolved, which might prove stressful given current personnel resources, and mightrequire the continuous audit manager to exert adequate authority in moments ofexceptions.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
41/126
Technology Audit
41 Dr Magdy El Messiry
CHAPTER 3
PERFORMANCE IN TECHNOLOGY AUDIT
3.1. Introduction
Appointment of Auditor auditors are usually appointed by the organizationmangers at the administration council meeting.
Terms of Engagement an engagement letter provides written recognition of theauditors acceptance of appointment, sets out the scope of the audit plus auditors
and management responsibilities.
Audit Programsets out the extent and type of audit procedures. Auditors work tointernationally agreed auditing standards. Auditors start by gaining anunderstanding of the organizations activities. For each major activity listed in the
financial statements, auditors identify and assess risks that could have a significantimpact on the financial position or performance.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
42/126
Technology Audit
42 Dr Magdy El Messiry
Detailed Examinationauditors perform testing and obtain evidence to satisfy therequirements of the audit program. Testing may include compliance with theorganizations accounting policies, examining accounting records and verifying the
existence of tangible items such as plant and equipment.
Audit Reportcontains the audit opinion on the financial report and basis of thatopinion. The scope of the audit plus auditors and management responsibilities arealso restated. The external auditor should maintain independence frommanagement and directors so that the tests and judgments are made objectively.
Auditors discuss the scope of the audit work with the organization. Auditorsdetermine the type and extent of the audit procedures they will perform dependingon the risks and controls they have identified. Auditors form an opinion on theinformation in the final report. However, the external auditor should not look atevery transaction carried out by the organization, test the adequacy of all of theorganizations internal controls, identify all possible irregularities, audit other
information provided to the members of the organization e.g. the directorsreport. Figure (9) gives the flowchart of the external audit.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
43/126
Technology Audit
43 Dr Magdy El Messiry
Figure (9) Flowchart of the external auditSource: www.urenio.org
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
44/126
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
45/126
Technology Audit
45 Dr Magdy El Messiry
Figure (10) Duties of Leader of Auditor Team
Auditors
The role of an auditor, as shown in Figure (11), is to: Participate inthe opening meeting
Identify and gather information Analyses information Evaluate information Report findings Participate in the feedback session
Undertake other duties as requested by the lead auditor.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
46/126
Technology Audit
46 Dr Magdy El Messiry
Figure (11) Role of Auditor
To understand better how a comprehensive, effective technology audit works, theprocess can be broken down into its various phases in order to draw a comparison
between the audit process and the activities associated with organizationaccreditation. Accreditation visit to occur can be segmented into three phases:
1) Getting ready;
2) On-site visit;
3) Results & follow up.
The greatest quantity of work occurs during the first phase. Therefore, the threephases will be examined accordingly.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
47/126
Technology Audit
47 Dr Magdy El Messiry
Phase One: Pre-Audit
Whether the technology audit has been triggered by the organization internal desireto assess its accountability or whether the impetus has come from outside theorganization, the initial phase is the same. The organization must get ready for theaudit. Thus, this phase is sometimes called the pre-audit stage. At a macro level,the organization might want to establish a set of systems that can be put in place to
make auditors time more valuable, more efficient. Auditor may want to form agroup of teams to perform specific functions; a physical location may be specifiedas a gathering point for evidentiary documents; a series of focus group meetings
should be scheduled so organization leaders can encourage employees and
community members to voice their opinions and give their perspectives regardingthe organizations status; to create a system where all the hard work of engagedpeople, the data and reports auditor collect, and the supporting systems can beperpetuated.
Enrolling team members - To make your technology audit a success, it is essential
to have high-quality teams. The teams will be made up of the specialized members.The team leaders will ensure a strong and fluid cooperation among teams, allworking on a common end goal. Team building is a significant activity. Allorganization leaders realize this fully. Best leaders who build and grow the best
teams so they will accomplish the best results.
The auditor team leader may clarify with organization employees by explaining tothem that a technology audit is coming and he wants to obtain their very bestthinking about some strategies that will assure success for the organization. During
this meeting, the auditor might want to engage in a simple brain storming activity,asking everyone to call out, as fast as they can, all the areas where is the use oftechnologies in the organization. Team leader might ask them to be frank andcandid in their comments, and then ask them to pinpoint areas where they perceivethat improvements could be made. If/when they mention some examples, the
auditor asks for substantiating evidence that may give the clues to other thingsneeding. The team leader tries to imagine how the auditors will see things/look atthings through their eyes. What would the auditors do? What would they say?What would they seek? How would they interpret what you give them? Whatwould they recommend? As the leader and the team of advisors go through theseconsiderations, they will have prepared themselves well for what lies ahead, and
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
48/126
Technology Audit
48 Dr Magdy El Messiry
will no longer fear the technology audit, or consider it as a negative event. Rather,they will see this as a profoundly important opportunity to engage in systemicimprovement, as well as great improvement at the individual level.
Phase Two: On-Site Visit
The time has come finally when auditors arrive at the organization and are
examining both the reports (data, information, and evidence) and the actual realityof technology integration. This guideline is intended to help auditors conduct morefocused reviews of technology acquisitions by enabling them to quickly identifysignificant areas of risk. Using these guidelines will help auditors identify criticalfactors not addressed by management, make a general evaluation of any
procurement risks, and provide rapid feedback to agency officials so they can takecorrective action in a timely and efficient manner. Use of the guidelines should beselectively tailored to the requirements of particular reviews and adapted to thestatus of the acquisition. Auditors will need to exercise professional judgment inassessing the significance of audit results or findings. Professional judgment is
necessary to evaluate this information and determine if the agency conducted anadequate requirements analysis.
There are five tasks within the audit process area:
1. Develop and implement a risk-based audit strategy for the organization incompliance with audit standards, guidelines and best practices.
2. Plan specific audits to ensure that IT and business systems are protectedand controlled.
3. Conduct audits in accordance with audit standards, guidelines and best
practices to meet planned audit objectives.
4. Communicate emerging issues, potential risks and audit results to key
stakeholders.
5. Advise on the implementation of risk management and control practiceswithin the organization while maintaining independence.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
49/126
Technology Audit
49 Dr Magdy El Messiry
3.3. Audit planning
Audit planning consists of both short- and long-term planning, demonstrated in
Figure (12). Short-term planning takes into account audit issues that will becovered during the year, whereas long-term planning relates to audit plans that willtake into account risk-related issues regarding changes in the organizationstechnology strategic direction that will affect the organizations technologyenvironment. Analysis of short- and long-term issues should occur at leastannually.
Figure (12) Types of Audit Planning
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
50/126
Technology Audit
50 Dr Magdy El Messiry
Figure (13) Perform Audit Planning Steps
This is necessary to take into account new control issues, changing technologies,changing business processes and enhanced evaluation techniques. The results ofthis analysis for planning future audit activities should be reviewed by seniormanagement, approved by the audit committee, if available, or alternatively by theBoard of Directors, and communicated to relevant levels of management. Inaddition to overall annual planning, each individual audit assignment must beadequately planned. The auditor should understand that other considerations, suchas risk assessment by management, privacy issues and regulatory requirements,
may impact the overall approach to the audit. The auditor should also take intoconsideration system implementation/upgrade deadlines, current and future
technologies, requirements of business process owners, and resource limitations.
When planning an audit, the auditor must have an understanding of the overallenvironment under review. This should include a general understanding of thevarious business practices and functions relating to the audit subject, as well as thetypes of information systems and technology supporting the activity.
To perform audit planning which is shown in Figure (13), the auditor should
perform the following steps in this order:
Gain an understanding of the businesss mission, objectives, purpose andprocesses, which include information and processing requirements, such asavailability, integrity, security and business technology.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
51/126
Technology Audit
51 Dr Magdy El Messiry
Identify stated contents, such as policies, standards and required guidelines,
procedures, and organization structure.
Evaluate risk assessment and any privacy impact analysis carried out bymanagement.
Perform a risk analysis.
Conduct an internal control review.
Set the audit scope and audit objectives.
Develop the audit approach or audit strategy.
Assign personnel resources to the audit and address engagement logistics.
Audit planning Short-term planning Long-term planning Things to consider
New control issues Changing technologies Changing business processes
Enhanced evaluation techniques Individual audit planning
Understanding of overall environment Business practices and functions Information systems and technology
3.4. Road Map for the External AuditTeam Audit Leader
The following are steps that the Team audit leader would perform to determine anorganizations level of compliance with external requirements:
Identify those government or other relevant external requirements dealing with:
Electronic data, copyrights, e-commerce, e-signatures, etc.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
52/126
Technology Audit
52 Dr Magdy El Messiry
Computer system practices and controls
The manner in which computers, programs and data are stored
The organization or the activities of the information services
Document applicable laws and regulations
Assess whether the management of the organization and the information systems
function have considered the relevant external requirements in making plans and insetting policies, standards and procedures
Review internal information systems department/function/activity documents that
address adherence to laws applicable to the industry
Determine adherence to establishing procedures that address these requirements.
3.5. Notes to the Auditor
Auditor will not ask about any specific laws or regulations, but may questionabout how one would audit for compliance with laws and regulations.
Auditorshould be aware that it is important that the auditor understands the
relationships of control objectives and controls; control objectives and auditobjectives; criteria and sufficiency and competency of evidence; and auditobjective, criteria and audit procedures. Strong understanding of these elements is
a key for the auditors performance.
Auditor is the importance of setting legal advice. There are two key aspects thatcontrol needs to address, what the auditor should to achieve and what to avoid.
Auditor addresses not only to internal controls business/operational objectives,
but need to address undesired events through preventing, detecting, and correcting
undesired events. Types of control;
Internal accounting controls -Primarily directed at accounting operations, such as
the safeguarding of assets and the reliability of financial records
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
53/126
Technology Audit
53 Dr Magdy El Messiry
Operational controls - Directed at the day-to-day operations, functions and
activities to ensure that the operation is meeting the business objectives
Administrative controls -Concerned with operational efficiency in a functionalarea and adherence to management policies including operational controls. Thesecan be described as supporting the operational controls specifically concerned withoperating efficiency and adherence to organizational policy.
Figure (14) Elements to Development of Internal Control Manual
3.6. Control objectives
Every organization needs to have a sound internal control in place to keep theorganization on course toward profitability goals and achievement of its mission,to minimize surprises along the way and to be able to realize its opportunities.Elements to Development of Internal Control Manual are illustrated in Figure (14).
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
54/126
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
55/126
Technology Audit
55 Dr Magdy El Messiry
remain unchanged from those of a manual environment. However, control featuresmay be different. Thus, internal control objectives need to be addressed in amanner specific to related processes.
Figure (15) Internal Control Pyramid http://www-audits.admin.uillinois.edu/ICT/ICT-summary.html
Internal Control is a process within an organization designed to provide
reasonable assurance:
That information is reliable, accurate, and timely.
Of compliance with policies, plans, procedures, laws, regulations, andcontracts.
That assets (including people) are safeguarded. Of the most economical and efficient use of resources.
That overall established objectives and goals are met.
Internal controls are intended to prevent errors or irregularities, identify problems,
and ensure that corrective action is taken.
Figure (15) illustrates the internal control pyramid and the information andcommunication path.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
56/126
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
57/126
Technology Audit
57 Dr Magdy El Messiry
Figure (16) SWOT Analysis Framework14
4.3. Limitations of SWOT Analysis
SWOT Analysis is not free from its limitations*. It may cause organizations toview circumstances as very simple because of which the organizations mightoverlook certain key strategic contact which may occur. Moreover, categorizing
aspects as strengths, weaknesses, opportunities and threats might be verysubjective as there is great degree of uncertainty in market. SWOT Analysis doesstress upon the significance of these four aspects, but it does not tell how anorganization can identify these aspects for itself.There are certain limitations of SWOT Analysis which are not in control of
management. These include:
a. Price increase;b. Inputs/raw materials;c. Government legislation;d. Economic environment;e. Searching a new market for the product which is not having overseas
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
58/126
Technology Audit
58 Dr Magdy El Messiry
market due to import restrictions; etc.
Internal limitations may include:
a. Insufficient research and development facilities;b. Faulty products due to poor quality control;c. Poor industrial relations;d. Lack of skilled and efficient labor; etc
The SWOT Analysis is an extremely useful tool for understanding anddecision-making for all sorts of situations in business and organizations. Acompany can use the SWOT Analysis while developing a strategic plan or
planning a solution to a problem that takes into consideration many differentinternal and external factors, and maximizes the potential of the strengths andopportunities while minimizing the impact of the weaknesses and threats
4.4. SWOT Analysis Framework
Action checklist
1. Establishing the objectivesThe first key step in any project is to be clear about what you are doing and why.The purpose of conducting SWOT Analysis may be wide or narrow, general orspecific.
2. Allocate research and information-gathering tasks. Background preparation is avital stage for the subsequent analysis to be effective, and should be dividedamong the SWOT participants. This preparation can be carried out in two stages:
Exploratory, followed by data collection.
Detailed, followed by a focused analysis. Gathering information on
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
59/126
Technology Audit
59 Dr Magdy El Messiry
Strengths and Weaknesses should focus on the internal factors of skills,resources and assets, or lack of them. Gathering information onOpportunities and Threats should focus on the external factors.
3. Create a workshop environmentIf compiling and recording the SWOT lists takes place in meetings, then do
exploit the benefits of workshop sessions. Encourage an atmosphere conducive tothe free flow of information and to participants saying what they feel to beappropriate, free from blame. The leader/facilitator has a key role and shouldallow time for free flow of thought, but not too much. Half an hour is oftenenough to spend on Strengths, for example, before moving on. It is important to
be specific, evaluative and analytical at the stage of compiling and recording theSWOT lists.
4. List Strengths, Weaknesses, Opportunities, Threats in theSWOT Matrix
5. Evaluate listed ideas against objectives.
With the lists compiled, sort and group facts and ideas in relation to the
objectives. It may be necessary for the SWOT participants to select from the listin order to gain a wider view.
The SWOT Analysis template is normally presented as a grid, comprising four
sections, one for each of the SWOT headings: Strengths, Weaknesses,Opportunities, and Threats. The SWOT template given in Chapter 5 includessample questions, whose answers are inserted into the relevant section of theSWOT grid. The questions are examples, or discussion points, and obviously can
be altered depending on the subject of the SWOT Analysis.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
60/126
Technology Audit
60 Dr Magdy El Messiry
Figure (17 ) SWOT Analysis Framework
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
61/126
Technology Audit
61 Dr Magdy El Messiry
CHAPTER 5
EXAMPLE OF FORMATION OF SWOT MATRIX PARAMETERS
Figure (18) SWOT Matrix Environment Analysis
5.1 Introduction
The analysis of the company situation starts by defining the strength, weakness,opportunities and threats. Table below shows some common parameters whichmay be considered.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
62/126
Technology Audit
62 Dr Magdy El Messiry
Strengths
Advantages of proposition?
Capabilities?
Competitive advantages? USP's (unique selling points)?
Resources, Assets, People?
Experience, knowledge, data?
Financial reserves, likely returns?
Marketing - reach, distribution,awareness?
Innovative aspects? Location and geographical?
Price, value, quality?
Accreditations, qualifications,certifications?
Processes, systems, IT,communications?
Cultural, attitudinal, behavioral?
Management cover, succession?
Weaknesses
Disadvantages of proposition?
Gaps in capabilities?
Lack of competitive strength? Reputation, presence and reach?
Financials?
Own known vulnerabilities?
Timescales deadlines andpressures?
Cash flow, start-up cash-drain?
Continuity, supply chainrobustness?
Effects on core activities,distraction?
Reliability of data, planpredictability?
Moral, commitment, leadership?
Accreditations, etc?
Processes and systems, etc?
Management cover, succession?
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
63/126
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
64/126
Technology Audit
64 Dr Magdy El Messiry
5.2. Tips for Design Your SWOT Analysis
For the successes of the SWOT Analysis some constrictions depending on theenvironment of the origination should be taken into consideration.Following are some tips
15for the auditors;
Top Tips But remember
1 Never copy an existing SWOT Analysis; it willinfluence your thinking. Start with a fresh
piece of paper every time
You could use a standard
template to help the ideas flow
2 Set aside enough time to complete it You may need to come back toit several times before you are
happy
3 The SWOT Analysis itself is NOT the result.Itsonly a tool to help you analyze your
business
Before you begin any analysis,
you should know what you
intend to do with the results
4 A SWOT Analysis is not a business school fad.It is a proven technique used throughout the
business community
You need to be comfortable
working with it in your
business
5 Keep your SWOT Analysis simple, readable,short and sharp
It needs to make sense to
outsiders (e.g. bank managers
or investors) so dont use
phrases or acronyms that only
you understand
6 Make sure you create an action plan based onyour SWOT Analysis
You need to communicate this
clearly to everyone involved
7 A SWOT Analysis only gives you insight at asingle point in time
You need to review it
probably quarterlyto see
how the situation has changed
8 Dont over-analyze. Try not to worry if it isntperfect, just get the analysis done
If you are going to act on the
results, it needs to be accurate
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
65/126
Technology Audit
65 Dr Magdy El Messiry
The role of SWOT Analysis is to take the information from the environmental
analysis and separate it into internal issues (strengths and weaknesses) and externalissues (opportunities and threats). Once this is completed, SWOT Analysisdetermines if the information indicates something that will assist the firm inaccomplishing its objectives (a strength or opportunity), or if it indicates anobstacle that must be overcome or minimized to achieve desired results (weaknessor threat). When doing SWOT Analysis, remember that the S and W areINTERNAL and the O and T are external.
Figure(19) http://www.taygro.co.za/aboutus.html
in all the important areas
http://www.taygro.co.za/aboutus.htmlhttp://www.taygro.co.za/aboutus.html -
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
66/126
Technology Audit
66 Dr Magdy El Messiry
CHAPTER 5
PRACTICAL EXAMPLES OF SWOT ANALYSIS
5.1. Health centers
Subject of SWOT Analysis example: the achievement of a health centers mission.The scenario is based on the SWOT Analysis
17, which has been performed by a
health centre in order to determine the forces that promoted or hindered theachievement of its mission.Starting position of the health centre:
The staff lack of motivation
The building was really small
The facility was old
There was a lot of paper work and bureaucracy
Those characteristics resulted in this health centre facing up to a lot of problemswith the accommodation of the patients. Moreover, the establishing of a newadvanced hospital in the city made the situation even worse. Therefore, theydecided to perform a SWOT Analysis in order to execute the best decision-makingfor all the problems that they faced.
Step 1: Purpose of conducting SWOT Analysis - the achievement of a health
centers mission.
Step 2: The gathering of information on Strengths and Weaknesses focused on theinternal factors of skills, resources and assets, or lack of them. The gatheringinformation on Opportunities and Threats should focus on the external factors.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
67/126
Technology Audit
67 Dr Magdy El Messiry
Step 3: The manager of the health centre encouraged all the staff members tofreely express their opinions about what they felt to be appropriate.
Step 4: SWOT matrix
Step 5: After completing the SWOT matrix the SWOT participants had a widerview of the situation at the centre so they were able to propose the alternatives thathelped considerably in the operation of the health centre.
The alternatives where:
training of the staff in interactive techniques of quality improvement
coordination with other providers to cover all user needs remodeling of the facility with local government funds and international
help
cost recovery of drugs and lab supplies with user fees
payment of incentives to staff based on performance
review of procedures for decreasing costs and waiting times and increasingperceived quality.
Strengths:
Willingness of staff to change
Good location of the health centre
Perception of quality services
Weaknesses:
Staff lack of motivation
Building was really small
Paper work and bureaucracy
Cultural differences with users
Opportunities:
Support of local government
Threats:
Low income of users
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
68/126
Technology Audit
68 Dr Magdy El Messiry
High felt need of users
Internationally funded projects
Bad roads
Low salaries
Lack of budget
Paradigms of providers
High competition
This strategic analysis and planningof the health centre had the below results:
27% increase of patients
reduction of waiting times to
15minutes
20% increase of staff performance
remodeling of the facility
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
69/126
Technology Audit
69 Dr Magdy El Messiry
5.2. University SWOT Analysis
University strengths, weaknesses, opportunities and threats (SWOT Analysis) were
identified by members of University Strategic Goals and Priorities Committeeduring a brain storming session. Administrators, faculties, and students reviewedthe analysis and provided input. Background information on the Organization isopportunities and threats it faces can be useful in considering strategic issues.The SWOT Analysis was used to develop the attached strategic questions. Thesequestions and others raised by participants at the workshop will help definestrategic directions important to the university in the next five year.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
70/126
Technology Audit
70 Dr Magdy El Messiry
SWOT ANALYSIS
Strengths:
Positive reputation in the externalcommunity- Positive experience with those whointeract with the campus- Proactive Partnerships with otheruniversities, community colleges, andcorporations- Past performance- Many Accredited Programs- Successful 6 year graduation rates
- Faculty and staff support the campusmission- Proactive student support- Access to services- Faculty involvement with students- Student leadership programs- Learning communities developing toenhance learning and student-facultyinteraction- Campus Characteristics- Medium size campus with small class size
-Facilities include new and well-maintained,attractive buildings and grounds withgrowth potential- Potential for growth in Turlock andStockton- Friendly and safe- Diverse student body, Hispanic ServingInstitution- Dedicated and Expert faculty- Campus wide involvement in planning- Healthy shared governance
- Strong, active external boards- Residential Campus Development- Artistic and Cultural Performances
Weaknesses:
Distinguishing qualities and identity not wellknown- Operational structure/bureaucracy- Sluggish responsiveness to student andcommunity needs- Fiscal uncertainty- Lack of pride of internal community- Match between research expectation &support- High and unequal workloads faculty &
staff- Ability to hire & retain faculty- Student preparedness at entrance- Adjusting to pressures of growth- Varying perceptions of appropriateproportions of major employee categories(faculty, staff, and administrators)- Lack of strong, pervasive presence in theexternal community- Limited resources for faculty and staffdevelopment
- Highly competitive market for diversefaculty and staff- Promulgating egalitarianism- Reporting perceived as a ritual andmeaningless- Reporting requirements absorb a largepercentage of resources
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
71/126
Technology Audit
71 Dr Magdy El Messiry
Opportunities:
Partnerships in support of university
initiatives- Expanded possibilities for the workforce- Diversity of region (students industry)- External Community and Universityrelationships- Interest in academic program expansion- Interest in expansion of cultural activities- Interest in University services (PolicyCenter, Bridge,- Growth potential- New construction
- Societal trends- Increased value of higher educationcompletion- Growing demand for graduates- Match between curricular & societalinterests- Increase demand for mid-careerredirection and lifelong learning- Increased interest in global initiatives- Technological advances- Partnership opportunities
- Increased focus on higher education- development of university park- large student pool- increased interest in universityconnections
Threats:
State budget crisis
- Private, for-profit, and on-line universitiesresponsiveness to program and studentscheduling demands- Increase in reporting expected bygovernment and society- Shift in focus on numerical achievementvs. qualitative achievement- Negative public perception- Development of another university in thearea- Societal and student perception of
education as solely a means to a job- Reporting perceived as a ritual andmeaningless- Reporting requirements absorb a largepercentage of resources.- Historical public perceptions/lack ofknowledge about higher Education.- Historical lack of knowledge.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
72/126
Technology Audit
72 Dr Magdy El Messiry
SWOT ANALYSIS OF AUC37
I-Introduction:SWOT analysis: a method of analyzing an organizations competitive situation
that involves assessing organizational strengths (S), weaknesses (W),environmental opportunities (O), and threats (T).
Both strengths and weaknesses are internal factors, that are subject to changefrom within the organization itself. Opportunities and threats are the conditionswithin the external environment that affects the organization, such as:technological, economic, legal-political, sociocultural, and the internationalelement.
II-SWOT ANALYSIS of AUC:
1-Strengths:
a - Highly qualified full time, and part time faculty.b - Highly skilled students due to the highly competitive selection in admissions.c - Advanced technology in the University facilities; optic fiber network, ACS
server, well-equipped engineering, natural sciences, and computer labs (relative tothe Egyptian universities) , and research centers (Desert research center).
d - Distinctive rank in the private universities market in Egypt, in comparison toother universities,
e - Continuous renovations either in facilities (New campuses in Falaki and NewCairo), technology, and staff.
f - Well defined managerial policy; well-defined hierarchy.g - Monopolizing the employment market of some majors, such as: construction
management and industrial engineering, business administration, political science,and computer science.
h - Private university, accredited by several authorities, such as: the Egyptian
ministry of education, Egyptian Syndicates, ABET (Accreditation Board ofEngineering and Technology), the higher council of universities in Egypt, MSA
(Commission on Higher education of the Middle States Association of colleges andschools) and AACU (American Association for Colleges and Universities).
i - An integrated modern library, containing books, microfilms, periodicals, andother documents, arranged on the same model of the Congress library. Moreover,
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
73/126
Technology Audit
73 Dr Magdy El Messiry
the university has a special collection library, which is actually a fortune.j - Paying great care to social sciences research due to the presence in a good
field for research in the Middle East, and Egypt in specific.
k - The university has a hostel, which serves all the international students.l - Absence of unemployment among AUC graduates due to the presence of
Career Advising and Placement Service (CAPS office).m - The university appreciates the extra-curricular activities and encourages them,
and that is what makes AUC graduates different.
2-Weaknesses:
a - High tuition fee, relative to the other private universities in Egypt, and even to
the American state-universities.b - Unbalanced budget, where about 60% of the budget is composed of money
from tuition, while the rest comes through donations from companies, like Esso,Shlumberger, Ford foundation, General Electric, USAID, etc.
c - Absence of adequate facilities in the field of graduate research, incomparison to other American Universities.
d - The absence of an undergraduate research program.
e - Weak image in the Egyptian society (market), because of the claim that AUCwesternizes the Egyptian students.f - Weak marketing techniques, limited to advertisement in the newspapers.g - The absence of financing source, other than tuition and donations, like
research centers.h - Currently before the new campuses end, the university suffers from an un-
limited problem of space, in addition to the parking area around the existingcampuses and the traffic from and to them.
3-Opportunities:
a - Dominating the market of the private universities in Egypt with othercompeting universities, like 6th of October Univ., and perhaps the Middle East,
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
74/126
Technology Audit
74 Dr Magdy El Messiry
like AUB and AUD, after the construction of the new campuses.b - The ability to serve more customers of students in the Under-grad, and Grad.
Levels after building the news campuses (Currently AUC serves 3,584 Under-grad,
and 592 Grad. )c - Attraction of more foreign students.d - The chance of finding more financial resources through fundraising, by the
newly appointed President.e - Establishment of well-equipped campus in Falaki that will serve as an
Engineering faculty that will include electronics engineering.f - The use of optic fibers network in the new Cairo campus to link all the
university through a powerful link.g - By strengthening the existence of AUC, the AUCians might get better image
and they might be accepted by the all the categories of the society.
4-Threats:
a - Any expected political conflictsin the Middle East, either between Egypt andIsrael, or Egypt and USA itself, or even like Gulf War. This may drop admissionsto a destructive level. Moreover, the university might have to do without the
American faculty and employees, and most of the university supports mightwithdraw their support. Thus the budget might be seriously harmedb - Any expected security or political problems in Egypt, either like terrorism or
any serious changes in the current regime. The admissions of international studentsmight drop to a serious level.
c - Competition with other low cost competitors, like 6th October Univ., Misr
International Univ.d - Increase in the Egyptian cultural persistence, and their refusal of the
AUCians. Thus, AUC image continues to deteriorate.e - Increase in the number of offered AUC graduates to what the market demands.
Thus unemployment appears among the AUC graduates like any Egyptianuniversity
f - Failure in the process of fundraising for the construction of the new campuses.
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
75/126
Technology Audit
75 Dr Magdy El Messiry
5.3. Retail Industry SWOT Analysis*
This is an example of a SWOT Analysis for a Retail Business, whilst every efforthas been made to ensure our examples are accurate, their accuracy depends onwhere you live in the world and what has changed since they were developed.
You may use our SWOT examples as a guide to indicate what your SWOT mightlook like but please do not build a plan based on these examples without validatingtheir accuracy for your business in your region of the world.
The first of our SWOT Analysis examples is for a retail business, the business was
established by an entrepreneur stocks brand name clothing imported frommanufacturers around the world. The business currently only stocks 3 brands ofmens clothing, pitched at the 18 to 28 single young adult.
SWOT Analysis Examples StrengthsPossible Strengths Response Is it strength?Tangible Strengths
Consider your assets includingplant and equipment
Assets are reallyonly shop fittingsand stock with twocomputers andsoftware.
No
Do you have long-term rentalcontracts for your businesslocations?
3 + 3 + 3 year leasein major shoppingcenter, locationwithin the shop is atthe will of thecenter, poor sales
No, same as ourcompetitors
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
76/126
Technology Audit
76 Dr Magdy El Messiry
will result in a shiftto a low foot traffic
location.
Are your products unique ormarket leading?
No, stock is thesame as ourcompetitors. Wecan pick and choosewhat styles to stock.
No
Have you got sufficientfinancial resources to fund any
changes you would like tomake?
No, we do tradeprofitably, but are
not able to fund anexpansion to a
larger footprintstore.
No
Do you have any cost
advantages over yourcompetitors?
No, rents are all
pretty standard, youcan save on rent butloose the foot
traffic, so it is allrelative.
No
Do you use superiortechnology in your business?
No No
Is your business high volume? No. We do sell alot, but not as muchas some of thelarger retail stores.
Our product is highquality, high marginand low volume incomparison
No
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
77/126
Technology Audit
77 Dr Magdy El Messiry
Can your scale up your volumeif you need to?
Not really, ordersare placed in
advance, shop sizeis restrictive.
No
Intangible Strengths
Do you have or stock strong
recognizable brands
Yes, though the
brand space isbecoming clutteredwith more and morerecognizable
brands. Depleting
the value of any onebrand.
Yes
Your reputation - are youconsidered a market leader? orexperts in youre filed?
No. No
Do you have good relationshipwith your customers?
(Goodwill)
Yes, we have agood connection
with our customers,our email list growsand manycustomers advisethey were referredto us by their mates.
We get a lot ofrepeat customers.
Yes
Do you have strongrelationships with yoursuppliers
Yes, though we arejust anothersupplier to them.We are able todifferentiate from
Yes
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
78/126
Technology Audit
78 Dr Magdy El Messiry
our competitors.We have long term
agreements in placewith some suppliersto be their solerepresentative in
this region.
Do you have a positiverelationship with your
employees
Yes, though weonly have a few
employees
No, ourcompetitors also
have goodemployee
relations
Do you have any uniquealliances with other
businesses?
No, maybe ourterritory agreementswith somesuppliers.
No
Do you own any patents orproprietary technology?
No No
Do you have a provenadvertising process that workswell?
Email news letterwith specials andnew stock, seems towork for retainingcustomers.Most newcustomers wereattracted to theshopping complex.
Yes
Do you have more experiencein your field?
No No
Are you managers highly No No
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
79/126
Technology Audit
79 Dr Magdy El Messiry
experienced?
Do you have superior industryknowledge? No, though we dohave a good set ofsales skills,
particularly upselling and formingrelationships.People feel goodcoming by and
seeing us.
No
Are you involved with industryassociations?
No No
Is your business Innovative? No, only in salesand relationship
building.
No
Other Strengths
Current location Current location in
the center has hightraffic, in an areawith several othershops targeting thesame market whichdraws people to thearea
No
Our innovation is inour sales techniqueand point of saledisplays
Yes
Summary
-
8/12/2019 technologyauditbymagdyelmessiry-130410144619-phpapp01
80/126