  • How to Make Auditors Happy (and You Happy Too) (2014-12-23)

    Michael Solomon, CISSP PMP CISM

  • © 2011 Tugboat Software. All rights reserved.

  • Session Agenda

    Overview
    • All about auditing and what fun it is (or not)
    • What auditing demands and the ideal solution

    Selecting the right tools
    • Version Control vs. Software Configuration Management
    • How SCM can make both you and your auditors happy

    Questions

  • All about auditing and what fun it is (or not)

  • Auditing is about managing risk

    For Enterprise Resource Management (ERM), auditing is …

    “a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

    - The Committee of Sponsoring Organizations of the Treadway Commission

  • Governance is a necessary step

    • Governance essentially provides monitoring of ERM
      • Monitors both risk events and responses
      • Risks are not always negative
      • Governance includes responding to positive events
    • Strategic in nature
    • Requires that organizations show how activities support objectives

  • Auditing is a part of that step

    Its purpose is to ensure the organization is “on track.”

    Similar to GPS tracking:
    1. Preplan a route to a destination.
    2. During the trip, detect current location.
    3. Display current location.
    4. If location is not on the selected route, update the route (“recalculating”).

  • Auditing benefits you

    • Compares performance to goals
    • Each organization adheres to different types of goals
      • Policies
      • Standards
      • Regulations
      • Best Practices
    • Auditing helps organizations understand how well they meet goals
    • Auditors are just looking for evidence of what happened

  • Our perception of auditing

    Poorly perceived:
    • Frustrating - points out deficiencies and failures
    • Painful - uncomfortable to expose weaknesses
    • Interruption - takes time away from producing a product

  • Skewed perception … to myths

    1. Regulatory compliance is the key outcome
       • Compliance is only a small part of audit goals
       • Meeting organizational goals is the real target
    2. Audit results are only pass/fail
       • Fine-grained results are more valuable
    3. Auditing implies advanced technology
       • Sometimes the simple solutions work best
    4. Risks are separate from opportunities
       • Important to identify both

  • The reality of auditing

    Done well, auditing can be positive:
    • Reduces overall risk
      • Identifying problems early makes addressing them easier
    • Identifies opportunities
      • Auditing results can help identify new productive directions
      • Identifies variances from goals, both positive and negative
    • Crucial for continuous improvement
      • Necessary to reduce negative variances

  • The benefits of auditing

    Improves:
    • Product quality
    • Product visibility
    • Product control
    • Customer confidence

    Decreases:
    • Rework
    • Confusion
    • Project risk

  • What auditing demands and the ideal solution

  • What auditing demands

    1. Audit Objective Identification
       • What are you trying to do?
       • In our context, manage the software development process
    2. Control Selection
       • What tools will you use to reduce risk?
       • Software Configuration Management tools
    3. Audit Procedures
       • What information will the auditors need?
    4. Audit Evidence Evaluation
       • How will auditors verify the controls meet the objectives?

  • The ideal solution

    A proactive audit response … that avoids redundancy.

  • A proactive audit response

    • Understand your organization’s goals
      • Policies
      • Regulatory requirements
      • Best practices
    • Be ready to provide evidence of performance
      • You should already have project progress documentation
      • This is the key! Just show how you met goals
    • Know how to show you are on track
      • Project management helps here
      • More than just being on schedule

  • … that avoids redundancy

    • Capture evidence in the process
      • Fresher information
      • Quicker and more accurate
    • Don’t revisit completed work
      • It takes time to recall what was done in the past
    • Use tools that collect evidence automatically
      • Avoid any user interaction when possible
      • Evidence should be a by-product of the normal process
      • Avoid adding new processes just to create evidence

  • Version Control vs. Software Configuration Management

  • Selecting the right tools

    • Does the final product meet its goals?
      • Features
      • Performance
      • Cost
    • Did the process meet its goals?
      • Risk
      • Quality

  • Change management tools

    • Many version control tools; fewer SCM tools
    • Most common tools for OpenEdge development (ordered from most basic to most sophisticated solution)
      • CVS - version control
      • Subversion - version control
      • Mercurial - distributed source code control
      • Roundtable TSMS - software configuration management

  • Version control

    Version control (also known as source code control) is a process of tracking changes to source code. This is typically done by checking objects to be worked on out of a centralized repository and then back in when work is completed.

    Version control is one aspect of software configuration management.

  • Software configuration management

    Software Configuration Management is the discipline of managing the entire lifecycle of a software project. It creates a structure, based on the principles of the manufacturing industry, that delivers repeatable, high-quality production of software applications.

    Whereas version control is a check-in / check-out system, SCM is an assembly line for application development. As an assembly line, it can streamline and provide controls for (and evidence from) all stages in the development lifecycle, making it an ideal tool to satisfy auditors.

  • How SCM works

    • Defines the process
    • Applies controls
    • Manages changes
      • Who?
      • What?
      • When?
      • Why?
      • Revert back.
    • Audits results

  • Deployment

    … applied to every level:

    Test Environment
    Development Environment
    Pre-production Environment
    Custom Environment
    Partner source code (when applicable)

  • What an SCM solution offers

    • SCM tools ease the process of evidence collection
    • The SCM process requires creating the evidence auditors need
      • Configuration identification information
      • Version information for changes
      • Change grouping to associate multiple changes with higher-level requests
      • Build management and process flow evidence
    • SCM tracks answers to most questions auditors ask
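    The "who, what, when, why" answers from the "How SCM works" slide and the configuration identification, change grouping and build evidence listed above can all be derived from ordinary version control history, which is exactly the "evidence as a by-product of the normal process" idea from the earlier slide. The script below is an added example written for this transcript; it is not the presentation's code and it is not Roundtable TSMS. It assumes a constructed, tab-separated commit log (the shape one could produce from a version control tool's log command), a constructed build manifest naming the last commit in each build, and a team convention that commit messages carry a change-request identifier of the form CR-NNNN; all three are assumptions, not something the deck specifies. Commits that cannot be tied to a request are reported as evidence gaps instead of being silently accepted, because that is the first thing an auditor will ask about.

```python
"""Turn ordinary version-control history into audit evidence.

Added example, not code from the presentation or from Roundtable TSMS.
It parses constructed commit records (one per line, fields separated by
a tab), answers the auditor's who / what / when / why for each change,
groups commits under the change request named in the message, and joins
that with a constructed build manifest so each build can be traced to the
requests it delivers.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample history: commit id, author, ISO timestamp, message, files.
# Real input would come from the version control tool's log output.
SAMPLE_LOG = """\
a1f3c9e\talice@example.com\t2011-03-01T09:12:00+00:00\tCR-1042: validate order totals before posting\torder/post.p,order/total.i
b72d0aa\tbob@example.com\t2011-03-01T14:30:00+00:00\tCR-1042: add unit test for negative totals\ttest/total_test.p
c9e1b44\tcarol@example.com\t2011-03-02T08:05:00+00:00\tfix typo in error message\tui/msg.p
d04e7f1\talice@example.com\t2011-03-03T11:45:00+00:00\tCR-1051: log rejected orders for review\torder/post.p,log/reject.p
"""

# Constructed build manifest: build label -> last commit included in that build.
SAMPLE_BUILDS = {"build-2011.03.02": "c9e1b44", "build-2011.03.03": "d04e7f1"}

# Assumed team convention: a change-request id somewhere in the message.
CR_PATTERN = re.compile(r"\b(CR-\d+)\b")


@dataclass
class ChangeEvidence:
    commit: str          # configuration identification: the exact revision
    who: str             # author of the change
    when: datetime       # timestamp of the change
    what: list[str]      # files touched
    why: str             # the commit message, the developer's stated reason
    request: str | None  # higher-level change request, if the message names one


def parse_log(text: str) -> list[ChangeEvidence]:
    """Parse tab-separated commit records into evidence objects (oldest first)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        commit, who, when, message, files = line.split("\t")
        match = CR_PATTERN.search(message)
        records.append(ChangeEvidence(
            commit=commit,
            who=who,
            when=datetime.fromisoformat(when),
            what=files.split(","),
            why=message,
            request=match.group(1) if match else None,
        ))
    return records


def group_by_request(records: list[ChangeEvidence]) -> dict[str, list[ChangeEvidence]]:
    """Associate individual commits with the higher-level request they serve."""
    groups: dict[str, list[ChangeEvidence]] = defaultdict(list)
    for rec in records:
        groups[rec.request or "UNLINKED"].append(rec)
    return dict(groups)


def evidence_gaps(records: list[ChangeEvidence]) -> list[str]:
    """Commits an auditor cannot tie to an approved change request."""
    return [r.commit for r in records if r.request is None]


def build_contents(records: list[ChangeEvidence], builds: dict[str, str]) -> dict[str, list[str]]:
    """Map each build label to the change requests it delivers.

    Assumes linear history: a build contains every commit up to and
    including the head commit recorded in the manifest."""
    order = [r.commit for r in records]
    result = {}
    for label, head in builds.items():
        included = records[: order.index(head) + 1]
        result[label] = sorted({r.request for r in included if r.request})
    return result


def audit_report(text: str = SAMPLE_LOG, builds: dict[str, str] = SAMPLE_BUILDS) -> dict:
    """Return the evidence an auditor asks for, derived from the log alone."""
    records = parse_log(text)
    return {
        "changes": {r.commit: {"who": r.who, "when": r.when.isoformat(),
                               "what": r.what, "why": r.why} for r in records},
        "by_request": {k: [r.commit for r in v] for k, v in group_by_request(records).items()},
        "gaps": evidence_gaps(records),
        "builds": build_contents(records, builds),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_report(), indent=2))
```

    Running the script on the constructed sample shows commit c9e1b44 under UNLINKED and in the gaps list: the work may be legitimate, but there is no evidence connecting it to an approved request, which is the kind of finding an audit surfaces. The build map shows which requests each build delivered, so the "what went to production and why" question is answered from data the developers produced anyway.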

  • How an SCM solution can make both you and your auditors happy

  • Culligan chose Roundtable TSMS: a full-featured SCM solution (much more than just version control)

    • Integrates evidence collection into ongoing processes - it manages the flow of all activities throughout the develo