Download pwc-systems-implementation-lessons-learned

ISACA
Systems Implementation Assurance –
Lessons Learned
February 2009
Agenda – Lessons Learned
1. Project Phase 1- Planning / Mobilization
2. Project Phase 2 – Design / Blueprint
3. Project Phase 3 – Realization / Build & Test
4. Project Phase 4 - Pre Go-live / Deliver Phase
5. Project Phase 5 - Post Go-live / Maintenance Phase
6. Example Project Discussion Document
Systems Implementation Assurance – Lessons Learned
PricewaterhouseCoopers
Phase 1- Planning/Mobilization
Careful planning, particularly in the early stages of a project, is
necessary to coordinate activities and manage project risks effectively.
The depth and formality of project plans should be commensurate with
the characteristics and risks of a given project.
 Outline Project Plan
 Define Roles and Responsibilities
 Define Project Communication and Reporting Requirements
 Define Deliverables and Expectations – Involvement of all Key Players
 Outline Risk Acceptance - Manage Internal and External Risks
 Define Project oversight activities – Definition of Standards
 Define Tollgates and Requirements
 Define Budget and estimated Project Costs
 Define Project Change Procedures
Systems Implementation Assurance – Lessons Learned
PricewaterhouseCoopers
Phase 1 Planning/ Mobilization – Lessons Learned
 Putting a proper project governance structure in place with
sufficient "checks and balances".
 Proper Executive and Senior Management buy-in and
involvement in project and milestones reached
 Projects are often comprised of international teams and must
consider both cultural issues and compliance with local laws
and regulations
 Broader industry and business issues must be taken into
consideration
Systems Implementation Assurance – Lessons Learned
PricewaterhouseCoopers
Phase 1 Planning/Mobilization – Lessons Learned cont.
 Underlying Data Model Consideration (e.g. US GAAP versus
IFRS)
Downstream impact on support functions such as internal
audit and security administration
 Additional Considerations to be aware of during the planning
stage:
 41% of projects fail to meet management’s objectives
 Only 28% of project fulfill management's expectations
 Only 16% of IT projects hit all their targets
 50% of projects end up late or over budget
Systems Implementation Assurance – Lessons Learned
PricewaterhouseCoopers
Planning/Mobilization – Lessons Learned cont.
Reasons for project failure in the planning stage:
 Bad estimates
 Scope changes
 Change in environment
 Insufficient resources
 Change in strategy
 Imprecise goals/ Insufficient budget
 Poor communication
 Insufficient support
 Wrong project management
 Insufficient motivation
 Stakeholders not adequately defined
 Poor quality of deliverables
Systems Implementation Assurance – Lessons Learned
PricewaterhouseCoopers
Project Phase 2 - Design/Blueprint
The design phase involves converting the informational, functional, and network
requirements identified during the initiation and planning phases into unified design
specifications that developers use to script programs during the development
phase

Application Control Standards

Designing appropriate security, audit, and automated controls

Standards should be in place to ensure end users, network
administrators, auditors, and security personnel are appropriately
involved during initial project phases.

Application control standards enhance the security, integrity, and
reliability of automated systems by ensuring input, processed, and
output information is authorized, accurate, complete, and secure.

Automated input controls help ensure employees accurately input
information, systems properly record input, and systems either reject,
or accept and record, input errors for later review and correction (e.g.
Check Digits, Completeness Checks, Duplication Checks, Validity
Checks, Reasonableness Checks, etc.)
Systems Implementation Assurance – Lessons Learned
PricewaterhouseCoopers
Project Phase 2 - Design/Blueprint cont.


Processing Controls - Automated processing controls help ensure systems
accurately process and record information and either reject, or process and
record, errors for later review and correction.
•
Batch Controls
•
Error Reporting
•
Transaction Logs
•
Run-to Run Totals
•
Sequence Checks
Output Controls - Automated output controls help ensure systems securely
maintain and properly distribute processed information
Systems Implementation Assurance – Lessons Learned
PricewaterhouseCoopers
Phase 2 Design/Blueprint – Lessons Learned
 Avoid excessive customization - companies desire to
"re-invent the wheel"
 Many key controls are application driven (e.g. controls which
depend on system generated reports, configuration settings
such as for the three-way match in the procurement cycle)
 Effective process to prioritize all the business "wish-lists”
 Decision Making from “Middle Management” – Timely
Decisions
Systems Implementation Assurance – Lessons Learned
PricewaterhouseCoopers
Project Phase 3 - Realization/Build & Test
Development
Development standards should be in place to address the responsibilities of
application and system programmers. Application programmers are responsible for
developing and maintaining end-user application.
 Library Controls - Libraries are collections of stored documentation, programs,
and data. Program libraries include reusable program routines or modules stored
in source or object code formats.
 Automated Password Controls – Management should establish logical
access controls for all libraries or objects within libraries
 Automated Library Applications – When feasible, management should
implement automated library programs, which are available from
equipment manufacturers and software vendors
Systems Implementation Assurance – Lessons Learned
PricewaterhouseCoopers
Project Phase 3 - Realization/Build & Test – cont.
 Version Controls
 Software Documentation
 System Descriptions – System descriptions provide narrative
explanations of operating environments and the interrelated input,
processing, and output functions of integrated application systems
 System Documentation – System documentation includes system
flowcharts and models that identify the source and type of input
information, processing and control actions (automated and manual), and
the nature and location of output information.
 System File Layouts – System file layouts describe collections of related
records generated by individual processing applications
 Naming Convention - critical part of program documentation
 End-User Instructions – Organizations should establish end-user instructions
that describe how to use an application.
Systems Implementation Assurance – Lessons Learned
PricewaterhouseCoopers
Project Phase 3 - Realization/Build & Test
Build & Test
The testing phase requires organizations to complete various tests to ensure the
accuracy of programmed code, the inclusion of expected functionality, and the
interoperability of applications and other network components. Thorough testing is
critical to ensuring systems meet organizational and end-user requirements.
 Acceptance Testing – to assess the overall functionality and interoperability of
an application
 End-to-End Testing - to assess the interoperability of an application and other
system components such as databases, hardware, software, or communication
devices
 Functional Testing - to assess the operability of a program against predefined
requirements
 Integration Testing - to assess the interfaces of integrated software
components
Systems Implementation Assurance – Lessons Learned
PricewaterhouseCoopers
Project Phase 3 - Realization/Build & Test – cont.
 Parallel Testing - to compare the output of a new application against a
similar, often the original, application
 Regression Testing - to assess functionality after programmers make
code changes to previously tested applications
 Stress Testing - to assess the maximum limits of an application
 String Testing - to assess the functionality of related code modules
 System Testing - to assess the functionality of an entire system
 Unit Testing - to assess the functionality of small modules of code
Systems Implementation Assurance – Lessons Learned
PricewaterhouseCoopers
Phase 3 Realization/Build & Test – Lessons Learned
 Project streams reporting 99% completion of tasks which, if
subject to deeper analysis, does not hold water
 Incomplete testing which can have a devastating post go-live
impact when "too lightly" tested configurations fail and disrupt
the business
 Data conversion is a task which many times are underestimated
Systems Implementation Assurance – Lessons Learned
PricewaterhouseCoopers
Project Phase 4 - Pre Go-live/Deliver Phase
The implementation phase involves installing approved applications into
production environments.
Primary tasks include…
 announcing the implementation schedule,
 training end users, and
 installing the product.
Additionally, organizations should…
 input and verify data,
 configure and test system and security parameters
Management should circulate implementation schedules to all affected
parties and should notify users of any implementation responsibilities.
Systems Implementation Assurance – Lessons Learned
PricewaterhouseCoopers
Phase 4 Pre Go-live/Deliver Phase – Lessons Learned
 Training is a key area where projects tend to cut corners:
 Insufficient training can be disastrous for the morale of
users, acceptance of the new application and company
productivity which can seriously hamper the pre-go-live
promises of more efficient post go-live environment.
 Strong personalities, ego's, compensation structures and a
mentality of "nothing will stop us from going live on x-date" can
mean that pre-determined exit factors for the deliver phase
such as successfully completed testing and completed cut-over
activities can be compromised
Systems Implementation Assurance – Lessons Learned
PricewaterhouseCoopers
Project Phase 5 - Post Go-live/ Maintenance Phase
Management should…
 conduct post-implementation reviews at the end of a project to validate the
completion of project objectives and assess project management activities.
interview all personnel actively involved in the operational use of a product and
document and address any identified problems.
 analyze the effectiveness of project management activities by comparing,
among other things, planned and actual costs, benefits, and development times.
 document the results and present them to senior management.
The maintenance phase involves…
 making changes to hardware, software, and documentation to support its
operational effectiveness.
 making changes to improve a system’s performance, correct problems, enhance
security, or address user requirements.
Systems Implementation Assurance – Lessons Learned
PricewaterhouseCoopers
Phase 5 Post Go-live/Maintenance Phase – Lessons
Learned
 PwC was able to categorize post go-live issues in the
following 35 buckets, sorted by number of incidents, highest
number first:
 Locked user/UID validity date required resetting
 Abend related issues
 Report generation
 Authentication
 Batch processing/upload issues
Systems Implementation Assurance – Lessons Learned
PricewaterhouseCoopers
Phase 5 Post Go-live/Maintenance Phase – Lessons
Learned cont.
 Interface processing issues
 Transaction Processing issues - mostly FI, FI-AP, SD
 PO/EBP GR IR Processing issues
 Access - General
 SAP Mail/Inbox/Workflow Issues
 Process Chain Issues
 Authorization Issue
 Shopping Cart PTP
 Master Data issue
Systems Implementation Assurance – Lessons Learned
PricewaterhouseCoopers
Phase 5 Post Go-live/Maintenance Phase – Lessons
Learned cont.
 HR Transaction Processing Issue
 Non - PROD access issue - to DEV,QA etc
 ABAP Error
 Miscellaneous
 BW/BI/Related Reports Issues
 Cannot access ESS
 Missing Data/Unable to display issues
Systems Implementation Assurance – Lessons Learned
PricewaterhouseCoopers
Phase 5 Post Go-live/Maintenance Phase – Lessons
Learned cont.
 Backup Issues
 Project Systems/WBS Issue
 Data Entry / Update / Delete Request
 Runtime Error
 User error/Training Issue
 Extracting/Downloading Data from SAP
 SAP GUI Access Issues
 Financial Period End Consolidation
Systems Implementation Assurance – Lessons Learned
PricewaterhouseCoopers
Phase 5 Post Go-live/Maintenance Phase – Lessons
Learned cont.
 File error/File copy requests
 Network Issue
 Foreign language/Unicode
 MSS Data Display Issues
 Transport request / issues
 Operating System Issue
Systems Implementation Assurance – Lessons Learned
PricewaterhouseCoopers
Draft
Independent Project Assurance
February 2009
SDLC Selection Framework • IT Process Maturity
Understanding Your Objectives
Draft
The company is making a significant investment to implement a single pricing, billing,
invoicing, accounts receivable and cash management and collection system, utilizing
SAP as the core technology. With Business Blueprint of Phase II of Project SAP
complete, Executive Management would like to gain the appropriate assurance that
the project achieves it’s stated objectives:
 Realize the tangible and intangible business benefits outlined in the business case with the
priority to increase customer satisfaction with billing and an enhanced ability to efficiently and
effectively launch new products and services in the future.
 Deliver the project on time, within budget, with agreed critical functionality for the business as
quickly as possible.
 Leverage standard SAP business process design and core infrastructure to reduce risk and cost.
 Provide a standard platform to allow for ease of integration and reporting.
 Deliver a compliant system that addresses key stakeholder requirements, including financial and
regulatory reporting requirements.
SDLC Selection Framework • IT Process Maturity
Issues on Your Mind
Draft
Issue
Data Quality
•
Billing data quality and accuracy
•
Customer master conversion/migration
•
Customer rate accuracy
•
Interfacing of information to legacy systems
Customer First Focus
•
Invoice Presentation Quality and Accuracy
•
Shipment Rating Timeframe
Financial Reporting
•
Inaccurate Bad Debt Provision Calculation
•
Excessive Unapplied Cash Balance
•
Current system Upgrade
SDLC Selection Framework • IT Process Maturity
Possible Area of Assurance
•
Review controls around data cleansing and conversion for billing
and customer master data.
•
Share independent perspective on data conversion activities and
provide recommendations throughout the process.
•
Assess key interfaces identified and controls supporting
completeness, accuracy, validity, and restricted access risks.
•
Review controls and system configurations associated with invoice
generation and shipment rating and provide recommendations
related to validity, completeness, accuracy, efficiency, and
evidence of duplication.
•
Share independent perspective on good practices associated with
revenue cycle and billing/invoicing.
•
Share other client experiences regarding security, internal control
and risk management associated with SAP upgrade to ECC 6.0.
•
Provide independent perspective on technical strategy for cash
application.
•
Assess process to define key financial and management reporting
requirements and assess the effectiveness of the reporting
designed to meet these requirements.
Draft
Project Assurance – A Suggested Approach
•
Ongoing review of the project, control and business
outcomes focusing on the stated Project SAP business
objectives, risks, and priorities.
•
Project
Governance
Provide Executive Management with ongoing project
assurance reporting.
•
We would work along side the project identifying potential
issues as early as possible and hence allowing Executive
Management adequate time to consider, and if necessary
address such issues. This is critical if the independent
project assurance role is to add value to the project and
help assist in its successful outcome. To this end we
believe the independent assurance function should:
–
Attend and provide input to key project team meetings
–
Provide a rolling progress report on issues identified
through our work
–
Brief key program stakeholders on the status of our work
and issues arising on a regular basis
Project
Management
Business
Case
Functional
Readiness
Technical
Readiness
Project
Outcomes
Organizational
Readiness
Benefits
Realization
Plan
Business
Outcomes
Implementation
Methodology
Data
Quality
Controls
Outcomes
Interfaces
Project
Structure
ITGCs
Business
Processes
SDLC Selection Framework • IT Process Maturity
Our Value Proposition to the company
Draft
• Flexible, tailored approach to focus on management’s priorities for assurance regarding the achievement of Project SAP
objectives.
– Efforts embedded in and integrated with overall Project SAP approach with a focus on value-add
– “One touch” integration of effort with external audit requirements to minimize disruption to project and avoid
surprises
– Evaluate and leverage work performed by others (e.g., Parent Company Internal Audit, SAP, etc.)
• “Hub and Spoke” deployment of world class functional and technical capabilities from PwC to the project:
– SAP Risk Management, Security, and Control
– Transportation & Logistics
– Business Process
– Data Assurance
– Program/Project Management
– Internal Control and Financial Reporting
• Distinguished history of providing independent project assurance services to the company and the parent company.
– Experience navigating the Demand and Supply IT Model
– Invested in relationships throughout the service center and the company.
– Teams deployed alongside of the company in Houston, Scottsdale, and Plantation.
SDLC Selection Framework • IT Process Maturity
Integrating our Audit into Project SAP
Draft
Control Design/Gap
Analysis
Agreement of expected key
controls within the draft
documentation during the
Blueprint and Realization
phases of the project allows
maximum opportunity to
correct any issues within the
design.
Realization
Blueprint
TIMETABLE
Business Process/ IT General Controls
Management Reporting
Testing Framework
Data Conversion/ Cleansing
Management Reporting
Many key business process
controls rely upon system
generated data. The
requirement to manipulate this
data as part of its use adds
additional risk. Effective design
and implementation of system
reports maximises process
efficiency and reduces the audit
risk.
Go-live & support
Testing Framework
Our experience of large
implementations has
found that the proving of
the system is complex and
difficult to manage
effectively. A key factor
are the controls around
the remediation of issues
reported during the testing
phase.
Security and Access Control
Data Conversion
and Cleansing
Security and Access Control
As greater use of system based controls
are built into the control environment, the
reliance upon the proper allocation of
access increases. Getting this right from
day one both for business and support
users reduces the risk that gaps are
found post live that affect our strategy.
SDLC Selection Framework • IT Process Maturity
Data integrity is a key risk
within any environment;
this risk is increased
during periods of
changes such as a
system replacement.
Example Workplan
Draft
Business Process
/IT General Controls
Review proposed
business process control
documentation
containing the following
types of controls:
configurable, reports,
manual procedures,
automated, and
interfaces.
Evaluate key controls
over financial reporting
(selected by the
company) for
completeness, accuracy,
validity, restricted
access, efficiency,
resilience, and evidence
of duplication.
Management Reporting
Testing Framework
Assess process to define
key financial and
management reporting
requirements and
assess the effectiveness
of the reporting designed
to meet these
requirements.
Ensure requirements for unit
testing, integration testing,
system testing, UAT,
interface and performance
testing are adequately
considered with a focus on
testing of key controls.
Assess whether an adequate
testing monitoring system is
in place.
Baseline key custom
reports used to support
the operation of manual
controls for financial
reporting (completeness,
accuracy).
Review of SAP screens
to confirm settings of
configurable controls.
Walkthrough of business
process controls to
confirm
existence/operation of
the automated and
manual controls.
Assess SAP ITGCs
SDLC Selection Framework • IT Process Maturity
Assess coordination of
testing between business
and IT.
Review configuration
management and change
control strategy and plan.
Review sample of testing
scenarios and results
focusing on consistency in
approach and compliance
with policy in relation to key
controls.
Data
Conversion/Cleansing
Security/Access Controls
Review scope,
approach, and
requirements for data
cleansing and
conversion.
Review proposed SAP
access related controls
for sensitive access (SA)
and Segregation of
Duties (SOD) rule set;
role maintenance; and
user provisioning.
Assess quality controls
within the conversion,
setup and cleansing
processes to ensure
data integrity.
Assess SAP user roles
against SA and SOD rule
sets.
Review controls over
the data cleansing and
conversion process.
Review sample of data
cleansing and
conversion results.
Review strategy for
master data
maintenance.
Walkthrough user
provisioning and role
maintenance process.
Assess existence of
processes to manage
access during
implementation and
during early stages of live
operation.
Draft
Questions
 Contact Information
– Peter Harries, Partner 213 – 356 – 6760
– Charles Lewis, Partner 602 – 364 – 8290
– Pablo Hernandez, Senior Manager 602 – 364 – 8064
– JJ Marais, Senior Manager 602 – 364 – 8232
SDLC Selection Framework • IT Process Maturity