Professional Documents
Culture Documents
in IT Projects
ISACA Geek Week 2013
8/21/2013
PwC 1
Introductions and Projects Overview
Presenters
Charlie Miller
and
Andrew Gerndt
The Coca-Cola Company Atlanta, GA
Principal IT Auditors CISA
Mike Shipham
PricewaterhouseCoopers LLP Chicago, IL
Project Assurance Director CISA and PRINCE2
PwC 3
Agenda
Topic Timing
1. Introductions and Projects Overview 15 minutes
2. IT projects- the risks 15 minutes
3. Key areas to audit 20 minutes
PwC 4
Coca-Cola at a glance
PwC 5
Project- sharing a Coke
PwC 6
Getting to know you
a. Mostly in planning
b. Mostly in execution
d. Not at all
PwC 7
Getting to know you
a. Planning
b. Execution
c. Post implementation
d. Other
PwC 8
Sound familiar?
PwC 9
IT Projects– the risks
Are IT projects successful?
PwC’s 2012 survey indicates that 200 global companies were spending over $4.5 B on
projects to deliver changes required to implement their strategy.
71% of ERP projects do not meet 84% of projects do not meet all
the expectations of senior criteria for success
management (Standish Group)
(CSC Index/AMA Survey)
PwC 11
IT project risks
PwC 12
Reasons for program failures
Technology Governance
• Infrastructure • Strategic Alignment
• System architecture • Senior Management
• Networking Commitment
• Security • Sponsorship / Champions
• Availability • Governance and Decision
• Performance making
• Disaster recovery • Synergy identification and
tracking
Data Program Management
• Data Structures $
• Time schedules
• Mapping $ $ • Budgets
• Cleansing Effort $ • Resources/staffing
• Conversion and • Vendors
validation • Knowledge transfer
• Data governance • Issue and Risk management
• Backup and recovery * • Scope management
• BI and reporting *
strategy Organization
Process and Solution • Business impacts
• Requirements • Training
• Business processes • Communication
• System Development Life Cycle • Organizational alignment
• Data • Change management
• Controls • Compliance and controls
• Bolt-ons • Business continuity
• Interfaces/integrations
PwC 14
Key areas to audit
PM Maturation Model
Maturity Levels Characteristics
Strategic resource management crosses the enterprise
5. Enterprise Standards
and Program Program value management occurs through project portfolio
Management Culture management, prioritization and interdependency management
Exists
Change issues address organizational design and culture change
4. Cross Business Unit Measures of process quality are collected and processes are managed
Program Management
Implemented Process performance target zones are established
PwC 18
How can audit add value? Controls are often
overlooked
UAT
TestBuild
Implement
Go Live
high
Solution Blueprint Post imp.
Build
Cost of controls
Design
Cost of controls
increases as
Pre-implementation project progresses
During
development
low
PwC 19
Managing risk over the program lifecycle
Assess Design Construct Implement Operate & Review
• Solution testing
• Project • Business process • Test and training
and remediation
governance design results
• Training plans and
and mgt review • Data and • Go-live process
execution
• Planning and reporting design • Data conversion • 30-90 day support
Delivering Change
• Data conversion
mobilization • Test and data process • Business adoption
• Security and
• Business case conversion • Transition to • Benefits
control
review strategies business as realization
configuration
• High level target • Security & usual (BAU) • Compliance and
• Business
operating model controls planning controls
continuity planning
• Organization • People and Org • Stakeholder certification
• Benefits
change strategy Design engagement
management plan
• Deployment • Dedicated vendor • Go-live readiness
• Support model
strategy management assessment
design
*
*
Is the organization engaging key stakeholders (including existing vendors/partners) throughout the change?
Is the program being effectively governed against guiding principles and managed across all workstreams?
$
Is delivery of business benefits a key focus throughout the lifecycle?
$ $
PwC 20
Further reading and Appendix Slides
Charlie Miller
The Coca-Cola Company 678-516-8149
Principal IT Auditor cmiller@coca-cola.com
Andrew Gerndt
The Coca-Cola Company 404-676-4897
Principal IT Auditor agerndt@coca-cola.com
Mike Shipham
PricewaterhouseCoopers LLP 312-298-4188
Director michael.a.shipham@us.pwc.com
PwC 22
Thank you
© 2013 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States
member firm, and may sometimes refer to the PwC network. Each member firm is a separate
legal entity. Please see www.pwc.com/structure for further details.
Video
PwC 24
Appendix Slides- Examples of control considerations
by project phase
PwC 25
Top 10 Keys to success
Key events that may contribute to a successful Project Audit:
1. Stakeholder buy-in & tone at the top, understanding & acceptance of engagement
2. Staffing, proper technical skills, qualifications and capabilities allowing the team to quickly
establish credibility
3. Understanding project needs and expectations, as well as the level of comfort desired
4. Scoping appropriately, leveraging a risk based approach and delivering upon the agreed scope
5. Up-front communication regarding scope of review, extent of review, timing of review and level of
details to be provided in reporting
6. Execution and completion of work within defined budget and schedule
7. Change agility, being able to change with the project needs (adjust timeline, etc.) but avoiding
scope creep
8. Communication to all parties
9. Relevance, providing actionable useful and timely deliverables (reporting) – consider requirements
of the audience (i.e. Audit Committee, Sponsor, Project Manager, etc.)
10. Monitoring project progress between checkpoint reviews to minimize ramp-up time required at
each checkpoint
PwC 26
Project assurance – Control considerations
Build Imp.
Define Design Deliver Maintain
& Test Support
ITGCs
• A clear understanding of Business Processes in Scope.
• A clear understanding of the current status of controls and the proposed change.
• A clear understanding of the control risks to be addressed:
H
- Operational
Business - Compliance
Process - Financial Reporting
• Understanding of the efficiency improvements required
• Appropriate expertise assigned to deliver appropriate controls
• Appropriate activities included in project plan to deliver appropriate controls
Interfaces
Data
Quality
PwC 27
Project assurance – Control considerations
Build Imp.
Define Design Deliver Maintain
& Test Support
ITGCs
H
Business
Process • Design appropriate ITGCs based on the risks identified
• Determine what the key controls are
• Ensure specifications of ITGCs are produced for input into the
next phase.
Interfaces
Data
Quality
PwC 28
Project assurance – Control considerations
Build Imp.
Define Design Deliver Maintain
& Test Support
ITGCs
Business
Process
• Ensure there is a clear understanding of current
interfaces and interface controls and how these
may be changing
H
• A high level plan has been developed to show
Interfaces interface development activities, priorities, and
contingency plans should desired interfaces be
unavailable when needed by business teams.
Data
Quality
PwC 29
Project assurance – Control considerations
Build Imp.
Define Design Deliver Maintain
& Test Support
ITGCs
H
developed (in line with the specifications from
Business the previous phases)
Process • Make sure controls that are developed are tested
appropriately
Interfaces
Data
Quality
PwC 30
Project assurance – Control considerations
Build Imp.
Define Design Deliver Maintain
& Test Support
ITGCs
Business
• Setup of integration test environment should
Process
include execution of data conversion procedures
to validate completeness and accuracy of
conversion procedures.
• Data conversion reconciliation specifies tests to
Interfaces prove that the converted data is sufficiently
“clean” to be used within the new environment
and data inaccuracies have not been introduced
H
during the conversion process
Data
Quality
PwC 31
Project assurance – Control considerations
Build Imp.
Define Design Deliver Maintain
& Test Support
ITGCs
Business
Process
Interfaces
H
system), is the historical data available in a read
Data
only environment for reference purposes?
Quality
PwC 32