Monday 21 March 2016

A Successful Audit: It is now for real!

Introduction
Information technology audit is the systematic evaluation of management controls in an Information Technology framework.
The objective of the audit is to report on the truth and fairness of the various statements, as well as to detect and prevent fraud. It also aims to improve the efficiency of governance processes, risk management and controls.
In order to perform a successful audit, it is very important to understand the process of an audit.
Audit Process: The audit process consists of the following steps:
  1. Notification: It starts with receiving notification from auditors regarding the audit schedule consisting of preliminary checklist and list of documents required to plan the audit.
  2. Planning: Post review of the documents, auditors draft an audit plan and schedule the meeting.
  3. Meeting: In the meeting, the scope of the audit, the timeframe of the audit etc. are discussed.
  4. Fieldwork: After this, auditors finalize the plan and start meeting with staff, reviewing the manuals regarding the business processes, and testing for compliance with the policies, laws and regulations, controls etc.
  5. Communication: After the fieldwork, there is an opportunity to discuss the issues and their solutions with the auditors through meetings, emails, etc.
  6. Reports: The report forms an important part of the audit. It generally consists of several sections, such as an overview of the organization, the follow-up date, the scope of the audit, any major audit concerns, the overall conclusion, a detailed description of the findings and proposed recommendations, a distribution list naming the people who are to receive the report, etc.
  7. Response from Management: Once the report is finalized, the next step is the response from management, consisting of: acceptance or refusal of the issues mentioned in the report, an action plan to correct the issues, and the expected date of completion.
  8. Closing Meeting: A closing meeting is held to discuss the report and the responses providing an opportunity to discuss the audit and any issues related to it.
  9. Distribution of list: The report is then distributed to the people listed in the distribution list, such as managers, senior managers, internal auditors, external auditors of the organization etc.
  10. Follow-Up: Follow-up is performed after the expected completion date to ensure that the corrective actions have been taken as per the agreed terms. A communication is received from the auditors conveying whether the organization has satisfactorily rectified the issues or whether further actions are required.

To reduce the Gap between organization and Successful Audit:
As an audit involves effort and money, failure is the last thing we expect. So, to achieve success in the audit, there are three keys:
  • Preparation: It is the most important and longest phase of an audit. It requires various departments of the organization to work together. An audit committee, along with the finance committee, finalizes the auditors, considering factors like budget, timing, industry knowledge, accessibility etc. The organization should follow appropriate processes to ensure the success of the audit. The documents required by the auditors should be properly maintained.
  • Communication: Communication needs to be maintained between the various departments of an organization throughout the audit process. A convenient date could be established for a post-fieldwork update in order to discuss initial findings. Coordination between departments is required so that evidence is provided in a timely manner whenever the auditors ask for it.
  • Review: Management should review all the reports provided by the auditors for errors, typos, incorrect names of committee members, incorrect dates etc.

Conclusion: An audit is challenging but a necessity for an organization. A successful audit can be achieved with the right preparation, communication and review.

About Author:
 Madhumita Mishra is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, she actively contributes to the areas of Technology and Information Security. She can be contacted at: 
madhumita.mishra@spluspl.com

Friday 4 March 2016

Preparing for requirements gathering

One of the basic tasks of a business analyst is requirements gathering. As the saying goes, “Well begun is half done”, and a well conducted requirements gathering session will go a long way in ensuring smooth delivery of the project. Most of the requirements will come from the stakeholders. However, a good business analyst will definitely have to do his / her homework before getting into requirements gathering mode. Some of the aspects to take care of prior to requirements gathering are listed below:
  • Domain Knowledge: This is the most important aspect to understand. The BA may or may not be an SME on the domain. However, it would serve the BA well to read up as much as possible on the domain / industry for which requirements are to be gathered. This has multiple benefits. Stakeholders may be very used to using terms that are specific to the industry. It helps if the BA is already aware of their meaning, and it builds the confidence of the stakeholders. If the BA is a domain expert, he can also suggest some additional functionality based on industry best practices which could be good for the business.
  • Identify Stakeholders: Another important aspect to consider is identifying the stakeholders who can provide the requirements. This is more crucial when the requirements gathering sessions are going to be conducted onsite. Since stakeholders may not be available full time, it is always a good idea to catch up with them (over emails etc.) prior to the actual visit and block times for meetings. It is also a good idea to have an agenda in place for the meetings so that everyone is clear on what is expected from the meeting, rather than just leaving it open ended.
  • Predefine templates: Wherever possible, have some predefined templates prepared and approved by the client. This helps to channel the requirements gathering towards meeting a specific issue or addressing a particular pain point. Sharing the templates before starting the actual requirements gathering is also beneficial. Not only can stakeholders provide their inputs on how the templates can be made better, it also helps them to be prepared with any extra information that may be needed for the requirements gathering sessions.
  • Review any material available: As part of preparation for requirements gathering, a BA should also request any existing material that is available regarding the topics under scope. This could be in the form of training materials, user manuals, forms or process flows etc. A review of such documents should give the BA a good feel for the sort of pain points the users may be experiencing and the direction the requirements gathering sessions will take.
  • Understanding various techniques: A BA should be able to use all available techniques to gather the requirements. Not all requirements can be clearly spelt out. The key is to understand the unsaid word. The BA should make sure that they also notice user actions and identify issues / pain points that may need to be addressed, and get them confirmed by the various stakeholders.
  • Listen first, analyze later: One thing a BA should try to avoid is confusing requirements gathering with requirements analysis. Many a time the tendency is to start evaluating what the requirement means in terms of development / coding etc. Ideally the focus should remain on just understanding the requirements clearly, and analysis of the requirements should be only from the perspective of getting clarifications or eliciting detailed requirements.
  • Prioritize requirements: It is also a good idea to understand the priority of the requirements. Some requirements may be easily attainable but not a priority. In some cases, requirements may just be a nice to have feature but not really something that is essentially needed for a “GO LIVE” scenario. It is important that the BA is able to understand the requirements along with the priority and get it aligned with the stakeholders. This is an important aspect even from the overall project planning perspective.
  • Conclude the session: The most important aspect of the requirements gathering phase is the conclusion of the phase. At the end of the phase, a clearly documented list of requirements should be agreed upon by the BA and the various stakeholders. This could be in the form of a simple excel sheet or a BRD / SSRS etc. Whatever the format, it should be formally signed off, and it forms the basis of project scoping, effort estimation, timelines and not to forget costs!!
The above mentioned pointers are by no means exhaustive. They are just generic guidelines which can help a BA gather and consolidate requirements in a more efficient way. This can lead to a significant reduction / savings in time and effort for both the BA and the stakeholders. It can also ensure that all requirements get captured within a specified time frame. A well listed out set of requirements also helps developers, project managers and QA testers to ensure that the final delivery meets stakeholders’ expectations in terms of functionality and quality.

About Author:
 Ashish Akulkar is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, he actively contributes to the areas of Technology and Information Security. He can be contacted at: 
ashish.akulkar@spluspl.com

Project Management Framework

Project management framework is established for correct prioritization and co-ordination of all projects. This framework helps in defining the scope and boundaries of projects. It also helps in defining project methodology to be implemented and applied to each project undertaken.
A standard project should follow the below phases to ensure successful implementation.

1. Feasibility & Analysis
In this phase, the business sponsors, the stakeholders and the project manager must be able to answer these core questions:
  • Is the project really required?
  • How feasible will it be to the business?
  • What will be the high level budget for the project?
  • How beneficial will it be to the business?

In order to find answers to these questions, a business case, i.e. a project abstract, will be created. It helps in understanding the reasoning behind the project undertaken and in answering the above questions.

2. Scope and Planning
Planning is the most important phase in the project lifecycle. Here, the project plan, project team, scope of the project, constraints and dependencies, timelines and deliverables for the project will be decided and documented within the project charter and finalized by the business sponsors.

3. Requirement Analysis and Design
During this phase, high level design and detailed level design documents will be prepared based on the requirements captured. DLD includes scope of the project, review of user requirements, low level design of the module, technology to be used etc. Along with the designs, the test plans for unit and integration testing will also be prepared during this phase.

4. Development and Infrastructure
In this phase, the application will be built and code review will be conducted to ensure its alignment with the requirements. Unit and Integration testing will be undertaken in this phase and corresponding test reports will be provided for review. Test environment will be set up and testing teams will be identified for each testing type to continue work in the testing phase.

5. Testing
Each step of testing has a different purpose. Different phases of testing help us to assess various parts of the module, and work towards testing the entire system as a whole. Below are different/important phases of testing.

6. Training and Go-Live preparation
The objective of this phase is to complete the final preparation (including reviewing all the required plans and end user training) to finalize the willingness to go live. Here, training will be provided to the users (IT and Business) as well as to the support team, and feedback will be obtained from them at the end of the session. Also, the technical infrastructure will be validated and critical open issues will be resolved during this phase. On obtaining the approvals from the concerned stakeholders and business sponsors, the system will be prepared to Go-Live.

7. Go Live
The success of Go-Live depends upon the preparation done in the previous phase. Here, all the plans will be updated and the concerned resources will be made aware of their roles and responsibilities. In addition to this, a mitigation plan will also be prepared for the risks and impacts identified during this phase. Ensure that the teams involved do not deviate from the plan at the last moment.

8. Project Closure
This is the last phase in the project life cycle. Here, the project team will formally close the project and submit the final post implementation review to the business sponsors. It involves handing over the final deliverables to the business, submitting the final documentation to the customer, releasing resources and informing stakeholders of the closure of the project. It also involves documenting the lessons learnt and user feedback.

The point of all this is: how you begin and end your project will often determine its success or failure, and a project management framework is more than just another way of doing business, i.e. it is a particular roadway that is already documented.

Nisha Bhatt is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, she actively contributes to the areas of Technology and Information Security. She can be contacted at: nisha.bhatt@spluspl.com

Thursday 3 March 2016

Outsourcing Models

Let’s first understand what outsourcing is and then move on to the different outsourcing and pricing models available.

What is Outsourcing?
Outsourcing is a practice used by the IT and manufacturing industries in which some work is transferred to third-party vendors rather than completed internally. The main reasons why companies opt for ‘Outsourcing’ are to save production costs or because they don’t have the required skills internally to complete the work. It sometimes, but not always, involves the transfer of employees and assets from one organization to another.

How does outsourcing work in the IT industry?
In traditional IT outsourcing methods, a vendor used to provide services like managing servers, monitoring networks and databases, and developing applications, and the customer used to pay for the services used either at a fixed price, on a per-use basis (cost and material basis) or on a cost plus basis.
Nowadays customers’ expectations have increased a lot, and they want more value from their IT suppliers or vendors. Suppliers also expect higher margins from the services provided, and this has given birth to various new pricing models for the services.

Outsourcing Models:

• Staff Augmentation: It is one of the simplest models used by companies, where they expand their existing staff with outsourced staff. It requires high involvement from the client to supervise the augmented staff, i.e. the client is responsible for project management and technical leadership. The responsibility of the augmented staff is only to develop quality software and to test the software if required. In this model there is very little innovation from the augmented staff, as they have been given a set of clearly defined responsibilities and expectations by the client.

• Build-Operate-Transfer (BOT): It is also termed the ‘BOT’ model. In this model, a company lets an outsourcing vendor establish an offshore development center for them. This model is opted for by companies that want optimized costs and access to a large pool of skilled professionals. Here the outsourced company keeps the core competencies with them only. The offshore partner has local knowledge and relationships, while the client does not have to learn the local intricacies of doing business, hiring, or finding office space. They simply focus on their core business while the offshore partner takes care of developing the offshore center and transfers the ownership back to the client company when they are ready for it.
It conserves the client’s capital expenditure, reduces the operating risk and gives them the ability to launch a complete end-to-end solution in a short duration.

• Offshore Development Center (ODC): It is similar to the BOT model, with only one difference: in BOT the ownership is transferred to the client in the end, whereas in ODC it remains with the vendor. It helps the outsourcer to accommodate a high variety of projects and activities such as new product development, legacy modernization and maintenance, testing services and other long-term activities, while the ODC staff is managed by the outsourcing vendor. Here the outsourcer has to take care of the initial knowledge transfer between the company and the vendor. The outsourcer gets consistent and dedicated resources for a specific duration (the contract duration), and the infrastructure costs can be reduced by over 40%.

• Project Based / Tactical Outsourcing: Whenever a business need is identified, the outsourcer looks for offshore resource vendors if they don’t have the bandwidth to develop it in-house. This model gives a high level of flexibility and focus, but with a higher cost and a knowledge transfer challenge. It gives the outsourcer access to a pool of skilled professionals which they need for a specified duration to match the requirements. It is very easy for the outsourcer to change the staff as per their needs. The outsourcer has the ability to terminate the contract at any point of time if they are not happy with the quality of services. The outsourcer need not bring the specific knowledge in-house and get into the cumbersome process of hiring, as the outsourcing partner does the same for them.
The main difference between an offshore development center and project based outsourcing is that the resources are dedicated to the outsourcer 100% for the specified duration.

Outsourcing Pricing Models:
Selection of an outsourcing pricing model depends upon the organization’s budget and cash flow requirements. These days outsourcers have multiple options to pick from among the various models available.

• Fixed Rate Pricing Model: It is one of the most commonly used models in the industry. Both parties agree on a fixed price after discussing the scope and requirements of the project. This is helpful for projects which have a defined scope, objectives and a predefined set of requirements. Both the service provider and the outsourcer are aware of each other’s skills, capabilities and duties.

• Variable Rate Pricing Model: In this model, the outsourcer pays a fixed basic rate and has the flexibility to pay extra for additional services, or can even pay less if the market price goes down. This method is best when you want to try out a new vendor; if you are satisfied with the quality of work, you have to pay a little extra for additional services.

• Time and Material Model: In this model, one has to pay as per usage, i.e. pricing is based on the time and material used to complete the project. It is mainly used for application development and maintenance projects which have a long duration. It is also known as the Cost and material model. The outsourcing company may agree upon monthly/hourly rates depending upon the skills and experience of the resources engaged for the project, or on whether any non-standard software or hardware is installed to meet their requirements. It is very beneficial for the outsourcer, as they can modify the specifications at any point of time based on changed business needs and market requirements, and can get the desired experience without the hassle of searching for the required skills and hiring them.

• Cost plus Profit Pricing Model / Open Book Model: In this model, the outsourcer has to pay a fixed amount for the services used along with a pre-defined percentage or amount as agreed by both parties. Here the outsourcer knows exactly how much he is paying and what he is paying for, i.e. it is a transparent model and hence is also called ‘Open book’. The only drawback of this model is its inflexibility in incorporating changes in business objectives or technology.

• Incentive Based Model: This is a hybrid model which is used along with the Fixed Price or Time and Material Model. The outsourcer decides to pay a bonus or incentive to the service provider at an agreed rate when they achieve key metrics which add value to the business, such as early completion, project completion at a lower cost than estimated, and delivery exceeding the service levels specified in the contract. In some cases, the outsourcer also adds a penalty clause that applies if delivery is delayed or metrics are not achieved and the business faces a loss because of that.

• Shared Risk/Reward Model: It is not a very popular model, and is used by companies to fund new products and solutions with a deal to share the profit between the service provider and the outsourcer. The outsourcer has an advantage here in that, if the product or business idea fails, the loss is divided between both parties. Another advantage of this model is that the outsourcer can easily take the risk of launching new innovative ideas and solutions without worrying much about the loss and risk, as it is shared by both parties.

• Pay as you use / per unit Model: This model lets the outsourcer pay only for the services used, i.e. a unit based rate is set and payment is made as per usage. This model is beneficial for businesses which have variable, demand based work and require a random number of resources, like maintenance services. At times the service usage is at its peak, and in the off-season the service is hardly used.

There is no single model which is the best one. The selection of an outsourcing model depends upon the business requirements, business constraints and the budget. Both parties should discuss together to find out which model will work best for them and which pricing model will serve their interests.

Aashima Chetal is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, she actively contributes to the areas of Technology and Information Security. She can be contacted at: aashima.chetal@spluspl.com