Chapter Four

INFORMATION TECHNOLOGY DEPLOYMENT RISKS


Developing Strategic Plans

Serves as primary guideline for allocating resources.

Keeps the organization headed in a profitable direction.

Begins with a vision.

[Diagram: two parallel chains, Mission -> Objectives -> Strategy -> Policies, one for company plans and one for IT plans. Information Technology Plans Must Complement & Support Company Plans.]

The IT Auditor & Strategic Plans

The IT auditor should look for evidence of a prescribed, documented IT strategic planning process.

The existence of an ongoing process of this nature indicates that the company is constantly and diligently seeking an optimal “fit” between the information technology infrastructure and the organization’s overall goals.

Example: Ben & Jerry’s Mission Statement

Ben & Jerry’s is dedicated to the creation & demonstration of a new corporate concept of linked prosperity. Our mission consists of three interrelated parts. Underlying the mission is the determination to seek new and creative ways of addressing all three parts while holding a deep respect for individuals inside and outside the company, and for the communities of which they are a part.

Product: To make, distribute, and sell the finest quality all natural ice cream and related products in a wide variety of innovative flavors from Vermont dairy products.

Economic: To operate the Company on a sound financial basis of profitable growth, increasing value for our shareholders, and creating career opportunities and financial rewards for our employees.

Social: To operate the company in a way that actively recognizes the central role that business plays in the structure of society by initiating innovative ways to improve the quality of life of a broad community—local, national, and international.

Ben & Jerry’s IT Mission Statement Might Be:

The Information Systems function intends to offer high-quality, innovative information processing and management services to internal and external information consumers, while providing a reliable, responsive, and leading-edge technology infrastructure throughout the entire organization aimed at supporting new and creative ways of addressing the company’s three-part mission statement—comprised of product, economic and social components.

IT Objectives might be:

1. Create an atmosphere that embraces innovation and change.
2. Apply computer hardware and software technologies to opportunities that promote prosperity.
3. Incorporate an enterprise-wide information system to facilitate the intra-company coordination of business activities.
4. Develop a technology-based communications network capable of linking suppliers, customers, and employees into a seamless, virtual and extended enterprise.

IT Strategy might be:

The IT function will utilize a decentralized, organic form of organization that is adaptable and responsive to the dynamic nature of the Company. The IT function will include a Chief Information Officer (CIO) who, in coordination with other executive officers throughout the Company, will determine the precise structure of the IT function, which is expected to change over time depending on Company needs. The CIO, along with his/her delegates, will strive to cooperate and coordinate with all internal information consumers to ensure that the Company’s information system is fully integrated on an entity-wide basis, as well as listen and respond to external constituents to ensure that the Company’s business processes and related information technology infrastructure meet the ever-changing needs of the broader community of information consumers.

Important Policy Areas for IT Functions

1. Planning Policies
   1. Responsibility (who is involved with planning?)
   2. Timing (when does planning take place?)
   3. Process (how should planning be conducted?)
   4. Deliverables (what planning documents are produced?)
   5. Priorities (what are the most to least critical planning issues?)

2. Organizational Policies
   1. Structure (what is the organizational form of the IT function?)
   2. Information Architecture (is the infrastructure aligned with the firm’s mission?)
   3. Communication (are the IT strategy and policies known by all affected parties?)
   4. Compliance (are all external regulations and laws being addressed?)
   5. Risk assessment (are IT risks identified, measured and controlled?)

3. Human Resource Policies
   1. Training (what kind of training is provided and to whom?)
   2. Travel (what are the travel guidelines and priorities?)
   3. Hiring (who determines needs and who screens applicants?)
   4. Promotion (what are the guidelines and how does the process work?)
   5. Termination (what are voluntary and involuntary termination guidelines?)

4. Software Policies
   1. Acquisition (how is software acquired from outside vendors?)
   2. Standards (what are the software compatibility standards?)
   3. Outside contractors (should contractors be used for software development?)
   4. Changes (how to control and monitor the software change process?)
   5. Implementation (how to handle conversions, interfaces, and users?)

5. Hardware Policies
   1. Acquisition (how is hardware acquired from outside vendors?)
   2. Standards (what are the hardware compatibility standards?)
   3. Performance (how to test computing capabilities?)
   4. Configuration (where to use client-servers, personal computers, and so on?)
   5. Service Providers (should third-party service bureaus be used?)

6. Network Policies
   1. Acquisition (how is network technology acquired from outside vendors?)
   2. Standards (compatibility of local area networks, intranets, extranets, and so on?)
   3. Performance (how much bandwidth is needed and is the network fast enough?)
   4. Configuration (use of servers, firewalls, routers, hubs, and other technology?)
   5. Adaptability (capability to support emerging e-business models?)

7. Security Policies
   1. Testing (how is security tested?)
   2. Access (who can have access to what information and applications?)
   3. Monitoring (who monitors security?)
   4. Firewalls (are they effectively utilized?)
   5. Violations (what happens if an employee violates security?)

8. Operations Policies
   1. Structure (how is the operations function structured?)
   2. Responsibilities (who is responsible for transaction processing?)
   3. Input (how does data enter into the information system?)
   4. Processing (what processing modes are used?)
   5. Error Handling (who should correct erroneous input/processing items?)

9. Contingency Policies
   1. Backup (what are the backup procedures?)
   2. Recovery (what is the recovery process?)
   3. Disasters (who is in charge and what is the plan?)
   4. Alternate Sites (what types of sites are available for off-site processing?)

10. Financial and Accounting Policies
   1. Project Management (are IT projects prioritized, managed, and monitored?)
   2. Revenue Generation (should services be sold inside or outside the organization?)
   3. Technology Investments (are the investment returns being properly evaluated?)
   4. Funding Priorities (where to most effectively allocate resources?)
   5. Budgets (are budgets aligned with funding levels and priorities?)

Planning Process

Follows a clearly defined path: Vision -> Mission -> Objectives -> Strategy -> Policies

Planning Process increases the likelihood that the company is making the most efficient & effective use of IT throughout the organization.

“Red Flags” for IT Auditors

The following planning risk indicators should trigger red flags for the IT auditor.

Key Planning Risk Indicators

1. A strategic planning process is not used.
2. Information technology risks are not assessed.
3. Investment analyses are not performed.
4. Quality assurance reviews are not conducted.
5. Plans and goals are not communicated.
6. Information technology personnel are disgruntled.
7. Software applications do not support business processes.
8. The technology infrastructure is inadequate.
9. The user community is unhappy with the level of support.
10. Management’s information needs are not met.

CobiT Guidelines

Guidelines suggest eleven processes should be incorporated into IT strategic plans.

Each process is integrated throughout IT policy areas.

Processes are designed to manage the key IT risks.

11 Processes

1. Develop a strategic IT plan.
2. Articulate the information architecture.
3. Find an optimal fit between IT and the company’s strategy.
4. Design the IT function to match the company’s needs.
5. Maximize the IT investment.
6. Communicate IT policies to the user community.
7. Manage the IT workforce.
8. Comply with external regulations, laws, and contracts.
9. Conduct IT risk assessments.
10. Maintain a high-quality systems development process.
11. Incorporate sound project management techniques.

Balanced Scorecard

Concept introduced in 1996 by Kaplan & Norton

Scorecard measures financial and non-financial performance

4 Perspectives of Scorecard

1. Financial

Non-financial indicators:

2. Customer satisfaction
3. Internal processes
4. Organizational Learning and Growth

Three Layered Structure

A 3-layered structure was devised for each of the 4 perspectives:

1. Mission
2. Objectives
3. Measures

More than Performance Measure

Scorecard evolved into an intra-organizational management system to:

– Facilitate the establishment of long term strategic goals.
– Communicate the goals throughout the firm.
– Align the initiatives and incentives to the goals.
– Allocate resources to match the goals.
– Gain feedback and learning about the strategy.

IT Function Scorecard

Use the balanced scorecard to plan & monitor IT performance:

Financial Performance = Organizational Contribution
Examples: ROI, Discounted Cash Flow, Before and after transaction costs of IT projects.

Customer Satisfaction = User Satisfaction
Examples: Surveys of user attitudes for ease of use, system reliability, and perceptions about the IT staff.

Internal Processes = Operational Performance
Examples: Number of security breaches, number of backlogged requests, % of downtime.

Learning & Growth = Adaptability & Scalability
Examples: Resources expended on developing interfaces, ease of integrating new technology, and ability to keep pace with organization’s IT growth.

[Diagram: IT Function Strategy at the centre, linked to its four scorecard measures: Organizational Contribution, User Satisfaction, Operational Performance, and Adaptability & Scalability.]

Project Management

Sound techniques apply to most situations.

Structure minimizes risk of failure:
– Late delivery
– Cost overrun
– Lack of functions
– Poor quality

IT auditor should check that project management techniques are employed.

Project Manager

First step is to assign project to a manager.
Needs experience in area.
Needs skill at managing projects.
Must work well with staff on planning and executing the project.

Project Life Cycle Phase One

Plan the Project

Set the Time, Cost & Scope
Identify resources
Articulate outcome
Work with specialists
Determine the WBS – Work Breakdown Structure

Project Life Cycle Phase Two

Schedule the Project

Create Time Table for each activity.

Gantt Charts

Critical Path Analysis

Critical Path Method

Microsoft Project

Project Life Cycle Phase Three

Continuous Monitoring

Use benchmarks, milestones, deliverables.

Frequency varies by project.

Rule of Thumb: Determine the maximum percent deviation allowed & monitor activities at the half-way point.

Project Life Cycle Phase Four

Controlling

Keep project moving
Adjust to unexpected issues
Continually adjust the plan

Project Life Cycle Phase Five

Closing the Project

Obtain client acceptance in writing
Release and evaluate project personnel
Identify & reassign remaining project assets
Evaluations of project
Chronicle project history

Key Project Risk Indicators

1. Management does not use a formal project management methodology.
2. Project leaders are not adequately experienced at managing projects.
3. Project leaders have insufficient domain expertise.
4. Project teams are unqualified to handle the project size/complexity.
5. Project team members are dissatisfied and frustrated.
6. Projects do not have senior-level executive support.
7. Projects do not include input from all affected parties.
8. Project recipients are dissatisfied with project outcomes.
9. Projects are taking longer to develop than planned.
10. Projects are costing more than budgeted.

Acquiring Software

IT auditor should determine if the new application would fit into the company’s strategic plan.

There should be a formal software application acquisition policy.

Needs must be identified and prioritized.

Determine which applications can be developed in-house, and which to purchase.

Total Cost of Software

Price of acquisition
User training
Multiple licenses
Service and support
Future upgrades
Software modifications

Key Acquisition Risk Indicators

1. Software acquisitions are not mapped to the strategic plan.
2. There are no documented policies aimed at guiding software acquisitions.
3. There is no process for comparing the “develop versus purchase” option.
4. No one is assigned responsibility for the acquisition process.
5. Affected parties are not involved with assessing requirements and needs.
6. There is insufficient knowledge of software alternatives.
7. Security features and internal controls are not assessed.
8. Benchmarking and performance tests are not carried out.
9. Integration and scalability issues are not taken into account.
10. Total cost of ownership is not fully considered.

Developing Software

Information Systems Development Proposal – formal documentation of requested project.

Steering Committee reviews each proposal.

Feasibility Group studies potential projects.

Feasibility Study

Recommends to the Steering Committee

Provides preliminary assessment
– Technical Feasibility: Whether current, affordable and reliable technology can be reasonably applied to the project.
– Financial Feasibility: Calculates return based on company policy.
– Cultural Feasibility: Do the employees have skills to run the system? Will they use it? Are there legal or regulatory concerns?

Feasibility Report

Feasibility group prepares report to make a recommendation on the project.

Report is submitted to Steering Committee.

Steering Committee assigns project to Project Leader.

Project Leader assembles Project Team.
– Includes functional area representatives
– Includes at least one senior level manager

Additional Systems Development Issues

Business Process Analysis

Must complete before starting technical development.
Use various modeling techniques.
Develop and consider alternative business process designs.
Look to external sources.
Compare models.
Select best model.

Additional Systems Development Issues

Development & Testing

Create libraries in a secured area of the computer.
Create secure places for code and data.
Prevent destruction and/or alterations.
Company must have security procedures continuously monitored.

Development, Test and Production Libraries

Development Library: No Data; Development Source Code; Programmers Only
        |  Secure Handoff
        v
Test Library: Test Data; Test Object Code; Programmers & Users
        |  Secure Handoff
        v
Production Library: Live Data; Production Object Code; Users Only
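The rules in the library diagram (who may write to each library, that object code moves only development -> test -> production, and that what reaches production is exactly what was tested) can be stated as an enforceable model. The following Python is an added example written for this page; it is not code from the chapter or from any product it mentions. The role labels "programmer" and "user", the SHA-256 digest recorded when an artifact enters a library, and the object-code bytes in demo() are all assumptions of the example.

```python
"""Added example: the three-library separation with a secure handoff.

Assumptions (none come from the chapter): role labels "programmer"/"user",
a SHA-256 digest recorded when an artifact enters a library, and the
constructed object-code bytes used in demo().
"""
import hashlib
from dataclasses import dataclass, field

# Who may write to each library, per the diagram's access labels.
LIBRARY_ACCESS = {
    "development": {"programmer"},          # source code, no data
    "test": {"programmer", "user"},         # object code, test data
    "production": {"user"},                 # object code, live data
}

# The only permitted handoffs; nothing goes from development straight to production.
HANDOFF_PATH = {"development": "test", "test": "production"}


class HandoffError(Exception):
    """A library rule would be violated."""


@dataclass
class Artifact:
    name: str
    content: bytes

    def digest(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Library:
    name: str
    # artifact name -> (artifact, digest recorded when it entered this library)
    artifacts: dict = field(default_factory=dict)


def check_access(role: str, library: str) -> bool:
    """Access rule of the diagram: may this role write to this library?"""
    return role in LIBRARY_ACCESS[library]


def register(lib: Library, art: Artifact, actor_role: str) -> str:
    """Place a new artifact in a library and record its digest."""
    if not check_access(actor_role, lib.name):
        raise HandoffError(f"{actor_role} may not write to the {lib.name} library")
    lib.artifacts[art.name] = (art, art.digest())
    return art.digest()


def secure_handoff(src: Library, dst: Library, name: str, actor_role: str, audit: list) -> str:
    """Promote one artifact along the permitted path.

    Enforces: the path is allowed, the actor may write to the destination,
    and the bytes being promoted are the bytes registered in the source
    library (an alteration made after testing is refused, not promoted).
    """
    if HANDOFF_PATH.get(src.name) != dst.name:
        raise HandoffError(f"handoff {src.name} -> {dst.name} is not a permitted path")
    if not check_access(actor_role, dst.name):
        raise HandoffError(f"{actor_role} may not write to the {dst.name} library")
    if name not in src.artifacts:
        raise HandoffError(f"{name} is not in the {src.name} library")
    art, recorded = src.artifacts[name]
    if art.digest() != recorded:
        raise HandoffError(f"{name} was altered in {src.name} after registration")
    dst.artifacts[name] = (Artifact(art.name, art.content), recorded)
    audit.append({"from": src.name, "to": dst.name, "artifact": name,
                  "digest": recorded[:12], "by": actor_role})
    return recorded


def demo() -> dict:
    """Walk one artifact through the path, then show three blocked handoffs."""
    dev, test, prod = Library("development"), Library("test"), Library("production")
    audit, blocked = [], []

    payroll = Artifact("payroll.obj", b"constructed object code v1")   # constructed sample
    register(dev, payroll, "programmer")
    secure_handoff(dev, test, "payroll.obj", "programmer", audit)
    secure_handoff(test, prod, "payroll.obj", "user", audit)

    report = Artifact("report.obj", b"constructed object code v2")     # constructed sample
    register(dev, report, "programmer")
    secure_handoff(dev, test, "report.obj", "programmer", audit)
    # 1) development -> production is not a path; 2) a programmer cannot write production
    for src, dst, role in [(dev, prod, "programmer"), (test, prod, "programmer")]:
        try:
            secure_handoff(src, dst, "report.obj", role, audit)
        except HandoffError as e:
            blocked.append(str(e))
    # 3) object code changed in the test library after registration is refused
    test.artifacts["report.obj"][0].content += b" + unreviewed patch"
    try:
        secure_handoff(test, prod, "report.obj", "user", audit)
    except HandoffError as e:
        blocked.append(str(e))

    return {"in_production": sorted(prod.artifacts), "blocked": blocked, "audit": audit}


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(entry)
```

The audit list is the record an IT auditor would ask for: each promotion names the source and destination library, the actor's role and the digest of what moved. Risk indicator 6 below (separate libraries not used) shows up in this model as a missing entry in HANDOFF_PATH or as a role that may write to more than one library.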

Additional Systems Development Issues

Training & Documentation

Training should:
– Take place early
– Be all-encompassing
– Continue throughout project life cycle

Documentation should:
– Be complete for entire project and all programs
– Include user manuals

Key Development Risk Indicators

1. Development projects are not aligned with the strategic plan
2. Feasibility studies do not consider the following areas:
   • Technical feasibility
   • Financial feasibility
   • Cultural feasibility
3. Senior management and users are not involved
4. Business process analyses are not performed
5. Alternative designs are not compared
6. Separate development, test, and production libraries are not used
7. Security and control features are not designed into the system
8. Conversion and interface issues are not taken into account
9. System testing is inadequate
10. Training and documentation are poor

Changing Software

Change Request
– Specifies the change
– Justifies the need
– Approvals given
  » All parties agree the change is necessary
  » Change is congruent with the strategic plan
– Submitted to IT

Change Requests

IT logs the request and assigns a tracking number
Software Change Committee reviews and prioritizes
– May refer the request to a feasibility group
Change is assigned to IT staff person(s)

Change Design & Programming

Follow the same structure as in new development
– Secured procedure of separate development, test, and production libraries
– Incorporated security & control procedures
– Tests for integration (unit, module, and system tests)
– Documentation
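The change-request flow on the last three slides (specify and justify, approvals, IT logs and assigns a tracking number, committee prioritizes, assignment to IT staff, and the same tests and documentation as new development) can be enforced rather than merely described. The following is an added example, not the chapter's own material; the state names, the required approver roles and the evidence labels are assumptions chosen to match the slides.

```python
"""Change request tracking with enforced approvals and evidence (added example).

State names, REQUIRED_APPROVERS and REQUIRED_EVIDENCE are assumptions that mirror
the slides; a real change-control tool would take them from its own policy.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    SUBMITTED = "submitted"
    LOGGED = "logged"
    PRIORITIZED = "prioritized"
    ASSIGNED = "assigned"
    CLOSED = "closed"
    REJECTED = "rejected"


# Legal state transitions; anything else is refused, so a change cannot skip review.
TRANSITIONS = {
    State.SUBMITTED: {State.LOGGED},
    State.LOGGED: {State.PRIORITIZED, State.REJECTED},
    State.PRIORITIZED: {State.ASSIGNED},
    State.ASSIGNED: {State.CLOSED},
}
REQUIRED_APPROVERS = {"business owner", "IT management"}          # assumed
REQUIRED_EVIDENCE = {"unit tests", "module tests", "system tests", "documentation"}


@dataclass
class ChangeRequest:
    description: str                # specifies the change
    justification: str              # justifies the need
    approvals: set                  # parties that agree the change is necessary
    aligned_with_plan: bool         # congruent with the strategic plan
    tracking_no: Optional[str] = None
    state: State = State.SUBMITTED
    priority: Optional[int] = None
    assignees: list = field(default_factory=list)
    evidence: set = field(default_factory=set)
    history: list = field(default_factory=list)   # (from, to, note) audit trail


class ChangeControl:
    def __init__(self):
        self._seq = 0
        self.register = {}          # tracking number -> request (the IT log)

    def _move(self, cr, new_state, note):
        if new_state not in TRANSITIONS.get(cr.state, set()):
            raise ValueError(f"illegal transition {cr.state.value} -> {new_state.value}")
        cr.history.append((cr.state.value, new_state.value, note))
        cr.state = new_state

    def log_request(self, cr):
        """IT logs the request and assigns a tracking number; incomplete requests are refused."""
        if not cr.description.strip() or not cr.justification.strip():
            raise ValueError("request must specify the change and justify the need")
        missing = REQUIRED_APPROVERS - cr.approvals
        if missing:
            raise ValueError(f"missing approvals: {sorted(missing)}")
        if not cr.aligned_with_plan:
            raise ValueError("change is not congruent with the strategic plan")
        self._seq += 1
        cr.tracking_no = f"CR-{self._seq:05d}"
        self.register[cr.tracking_no] = cr
        self._move(cr, State.LOGGED, "logged by IT")
        return cr.tracking_no

    def committee_review(self, cr, priority=None, refer_to_feasibility=False):
        """Software Change Committee prioritizes the request or rejects it (priority=None)."""
        if priority is None:
            self._move(cr, State.REJECTED, "rejected by committee")
            return
        cr.priority = priority
        note = "referred to feasibility group" if refer_to_feasibility else "prioritized"
        self._move(cr, State.PRIORITIZED, note)

    def assign(self, cr, staff):
        if not staff:
            raise ValueError("a change must be assigned to at least one IT staff member")
        cr.assignees = list(staff)
        self._move(cr, State.ASSIGNED, "assigned to " + ", ".join(staff))

    def close(self, cr, evidence):
        """Closing needs the same integration tests and documentation as new development."""
        cr.evidence |= set(evidence)
        missing = REQUIRED_EVIDENCE - cr.evidence
        if missing:
            raise ValueError(f"{cr.tracking_no}: cannot close, missing {sorted(missing)}")
        self._move(cr, State.CLOSED, "evidence complete")


def demo():
    """Walk one constructed request through the whole flow and return it."""
    cc = ChangeControl()
    cr = ChangeRequest("Add audit trail to payroll posting", "Internal audit finding",
                       {"business owner", "IT management"}, aligned_with_plan=True)
    cc.log_request(cr)
    cc.committee_review(cr, priority=2)
    cc.assign(cr, ["programmer A"])
    try:
        cc.close(cr, {"unit tests", "documentation"})   # incomplete evidence is refused
    except ValueError:
        pass
    cc.close(cr, {"module tests", "system tests"})
    return cr
```

The `history` list on each request is the audit evidence an IT auditor would ask for: every state change, who or what caused it, and the fact that a close attempt without system tests was refused does not appear as a transition at all, because it never happened.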

Key System Change Risk Indicators

1. A structured system change methodology is not in place.
2. A software change request procedure is not used.
3. Change requests are not reviewed/prioritized by a representative group.
4. Feasibility studies are not performed when appropriate.
5. Alternative software change designs are not considered.
6. Separate development, test, and production libraries are not used.
7. Security and controls implications are not considered.
8. Integration issues are not taken into account.
9. Testing is inadequately conducted.
10. Application changes are poorly documented.

Implementation Strategies

Purchased software needs testing.
A strategy must be chosen that best fits the situation.
Consider the risks of business interruption, costs, time, and the ability of the legacy system to function.

Parallel Implementation

The new and old systems process live data side by side
Problems can be identified and corrected
Least risky
Heavy resource use:
– Time to input, process, and create reports on two systems
– Time for reconciliation of output
– Hardware requirements to run two systems
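The "reconciliation of output" that makes a parallel run expensive is worth showing concretely, because it is also what makes the strategy the least risky: a difference between the two systems is caught before the old one is retired. The script below is an added example, not part of the chapter; the two output files are constructed sample records (account, balance) and the column names are assumptions.

```python
"""Reconcile the output of an old and a new system during a parallel run (added example).

OLD_OUTPUT and NEW_OUTPUT are constructed sample extracts, not real data.
"""
import csv
from decimal import Decimal
from io import StringIO

OLD_OUTPUT = """account,balance
1001,250.00
1002,-10.50
1003,0.00
1004,99.99
"""
NEW_OUTPUT = """account,balance
1001,250.00
1002,-10.5
1004,100.00
1005,42.00
"""


def parse(text):
    """Key each extract by account; a duplicate key is itself a defect worth stopping on."""
    rows = {}
    for r in csv.DictReader(StringIO(text)):
        acct = r["account"].strip()
        if acct in rows:
            raise ValueError(f"duplicate account {acct} in extract")
        rows[acct] = Decimal(r["balance"])   # Decimal, not float: money must compare exactly
    return rows


def reconcile(old_text, new_text, tolerance=Decimal("0.00")):
    """Return matched, mismatched and one-sided records plus control totals for both systems."""
    old, new = parse(old_text), parse(new_text)
    report = {"matched": [], "mismatched": [], "missing_in_new": [], "missing_in_old": []}
    for acct in sorted(old.keys() | new.keys()):
        if acct not in new:
            report["missing_in_new"].append(acct)
        elif acct not in old:
            report["missing_in_old"].append(acct)
        elif abs(old[acct] - new[acct]) <= tolerance:
            report["matched"].append(acct)
        else:
            report["mismatched"].append((acct, old[acct], new[acct]))
    # Control totals give the overseer a one-line check independent of the record-level detail.
    report["control_totals"] = (sum(old.values()), sum(new.values()))
    return report


def run_is_clean(report):
    """The parallel run can only be signed off when there are no exceptions at all."""
    return not (report["mismatched"] or report["missing_in_new"] or report["missing_in_old"])


if __name__ == "__main__":
    rep = reconcile(OLD_OUTPUT, NEW_OUTPUT)
    for key in ("matched", "mismatched", "missing_in_new", "missing_in_old", "control_totals"):
        print(f"{key:16} {rep[key]}")
    print("clean run:", run_is_clean(rep))
```

Note the two distinct failure modes the sample exercises: a value difference (account 1004) and a record present in only one system (1003 and 1005). Both must be explained before the old system is switched off; a control-total match alone would not have caught a pair of offsetting errors.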

Big-Bang Implementation

The old system is discontinued and the new one becomes live the next instant.
Resources are not tied up running the old system.
Staff is focused on the success of the new system.
New system failure could interrupt business processes.

Partial Implementation

The phase-in strategy starts one application of a system at a time.
Problems are resolved before the next application begins.
Minimizes the risk of business interruption.
May take a long time to implement the entire new system.

Focused Implementation

Implements the system first with small user groups (offices, departments, divisions, locations, etc.).
Each group would use one of the previous strategies.
Problems would be identified & resolved before larger groups begin.
Could take a long time for full implementation to be completed.

Formal Implementation Plans

The process should be handled as a project
Organize tasks into a Work Breakdown Structure
Develop a formal change management policy

Change Management

Establish an open line of communication among all affected parties.
Develop thorough training and educational programs.
Allow all affected parties to provide instrumental input into the implementation process as it unfolds.

Final Testing

Move object code from the development library to the test library
Test built-in security and control features
Effectiveness is observed, tested, and approved by qualified overseers
Test interface programs
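The three-library table earlier in the chapter and the Final Testing slide describe one control: each library holds only certain kinds of material, each is open only to certain roles, and code advances only through a secure handoff that, before production, requires the security and control features and the interface programs to have been tested and approved by a qualified overseer. The following is an added example that enforces exactly those rules; it is not the chapter's own code, and the `Libraries`, `SignOff` and role names are assumptions, as is the choice to make the handoff a separate change-control procedure rather than a write by a programmer or user.

```python
"""Development / test / production libraries with role checks and a gated handoff (added example).

POLICY restates the chapter's table. The handoff procedure and the SignOff fields are
assumptions about how "approved by qualified overseers" would be recorded.
"""
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    PROGRAMMER = "programmer"
    USER = "user"


class Kind(Enum):
    SOURCE = "source code"
    OBJECT = "object code"
    TEST_DATA = "test data"
    LIVE_DATA = "live data"


# library -> (kinds it may contain, roles allowed to access it), from the chapter's table
POLICY = {
    "development": ({Kind.SOURCE},                 {Role.PROGRAMMER}),
    "test":        ({Kind.OBJECT, Kind.TEST_DATA}, {Role.PROGRAMMER, Role.USER}),
    "production":  ({Kind.OBJECT, Kind.LIVE_DATA}, {Role.USER}),
}
ORDER = ["development", "test", "production"]   # the only direction a handoff may take


class AccessDenied(Exception):
    pass


@dataclass
class SignOff:
    """Final-testing evidence required before code reaches production (assumed fields)."""
    security_controls_tested: bool
    interfaces_tested: bool
    approved_by: str          # qualified overseer; empty string means not approved


class Libraries:
    def __init__(self):
        self.contents = {name: {} for name in ORDER}   # library -> {item: Kind}
        self.audit = []                                # (decision, action, library, who)

    def _check_role(self, library, role, action):
        if role not in POLICY[library][1]:
            self.audit.append(("DENY", action, library, role.value))
            raise AccessDenied(f"{role.value} may not {action} the {library} library")
        self.audit.append(("ALLOW", action, library, role.value))

    def store(self, library, role, item, kind):
        """Direct write by a programmer or user, e.g. editing source or loading test data."""
        self._check_role(library, role, "write")
        if kind not in POLICY[library][0]:
            raise AccessDenied(f"{kind.value} is not permitted in the {library} library")
        self.contents[library][item] = kind

    def read(self, library, role, item):
        self._check_role(library, role, "read")
        return self.contents[library][item]

    def handoff(self, item, src, signoff=None):
        """Secure handoff: move code one library forward under change control (assumed procedure)."""
        if src == "production":
            raise AccessDenied("nothing lies beyond the production library")
        dst = ORDER[ORDER.index(src) + 1]
        kind = self.contents[src].get(item)
        if kind not in (Kind.SOURCE, Kind.OBJECT):
            raise AccessDenied("only code is handed off, never data")
        if dst == "production" and not (signoff and signoff.security_controls_tested
                                        and signoff.interfaces_tested and signoff.approved_by):
            raise AccessDenied("final testing incomplete or not approved by a qualified overseer")
        # Source is built on its way out of development; only object code moves on.
        self.contents[dst][item] = Kind.OBJECT
        self.audit.append(("HANDOFF", item, f"{src}->{dst}", signoff.approved_by if signoff else "-"))
        return dst


def demo():
    """Exercise the allowed path and the three refusals; returns what happened."""
    libs, results = Libraries(), {}
    libs.store("development", Role.PROGRAMMER, "payroll", Kind.SOURCE)
    libs.store("test", Role.USER, "payroll_testset", Kind.TEST_DATA)
    for label, args in (("live_data_in_test", ("test", Role.PROGRAMMER, "live", Kind.LIVE_DATA)),
                        ("programmer_to_production", ("production", Role.PROGRAMMER, "payroll", Kind.OBJECT))):
        try:
            libs.store(*args)
        except AccessDenied as e:
            results[label] = str(e)
    results["to_test"] = libs.handoff("payroll", "development")
    try:
        libs.handoff("payroll", "test")                      # no sign-off yet
    except AccessDenied as e:
        results["unsigned"] = str(e)
    results["to_production"] = libs.handoff("payroll", "test", SignOff(True, True, "overseer (assumed)"))
    results["production_kind"] = libs.read("production", Role.USER, "payroll")
    results["audit"] = libs.audit
    return results
```

The `audit` list is what an IT auditor would sample: every denied write by a programmer against production, and every handoff with the overseer who approved it, is on record, while the absence of any live data in the development or test libraries is guaranteed by `POLICY` rather than by procedure alone.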

Key Implementation Risk Indicators

1. Alternative implementation strategies are not considered:
   a) Parallel
   b) Big-Bang
   c) Partial
   d) Focused
2. Formal implementation plans are not followed.
3. All affected parties are not involved.
4. Implementation teams are uncoordinated.
5. Implementation processes are rushed.
6. Change management procedures are not developed.
7. System users are inadequately trained.
8. Security and control issues are slighted.
9. Final testing is insufficient.
10. Post-implementation reviews are not conducted.