Post on 17-Jan-2016
transcript
Internal AuditBusiness Process Documentation Tool
Symposium on Information Systems Assurance
October 22, 2005
Tom Crouch
IT Audit Manager
tom.crouch@sunlife.com
The nice thing about standards is that there are so many to choose from.- Andrew S. Tannenbaum
Symposium on Information Systems Assurance, October 20-22, 2005 2
About Sun Life• Financial Services company offering wealth
management, insurance and protection products• Head Office – Toronto
– Offices in Canada, US, UK, Asia• Market cap, year-end 2004 of $23.8 billion CDN• 2004 Revenue - $21.75 billion CDN• Serve approximately 7 million Canadians
Symposium on Information Systems Assurance, October 20-22, 2005 3
Brief History of the Tool• Audit documentation consisted of Narratives and
Data Flow Diagrams
– Not collected in one spot
– No ability to correlate
– Depended on drawing ability of Auditor• Too much time making it “pretty”• Difficult to edit
– Large chunks of process easily missed• Too easy to make assumptions
Symposium on Information Systems Assurance, October 20-22, 2005 4
The Vision• To create a tool that would facilitate the capture of
process documentation that would
– provide a level of consistency and rigor– do so in an Auditor friendly manner (efficient / easy)
– be easily understood by clients
– allow processes to be interrelated
– allow analysis and rollup of data
– allow drill down exploration of processes
– combine business and IT documentation
– be easy to maintain
Symposium on Information Systems Assurance, October 20-22, 2005 5
Our “solution”• “Audit Universe”
– Developed in-house over period of years (beginning 1998)
– Written in Clarion 6.2 Enterprise Edition• Rapid Application Integrated Development
Environment (http://www.softvelocity.com )
– Multi-user, MS Windows, LAN based
– Proprietary database structure (encrypted)• Conversion to SQL possible and ‘relatively’
painless
Symposium on Information Systems Assurance, October 20-22, 2005 6
The ‘model’ – Interaction Diagram• Based on Object Oriented principles• Combines Narrative and Data Flow in one diagram• No artistic talent required
– Standardized format, automatically drawn• Connect-the-dots
– minimizes missed, forgotten or not well understood pieces
• Client friendly – “I get it!”– We have had several requests to provide
documentation to projects that are doing business process reengineering.
Symposium on Information Systems Assurance, October 20-22, 2005 7
The basic look (Illustrative example)
Symposium on Information Systems Assurance, October 20-22, 2005 8
Sample output (Illustrative example)
Symposium on Information Systems Assurance, October 20-22, 2005 9
Demo• Let’s take a look
Symposium on Information Systems Assurance, October 20-22, 2005 10
Other capabilities (Illustrative example)• ‘House’ view – hierarchical view of Business Unit
Symposium on Information Systems Assurance, October 20-22, 2005 11
• Tree View – all levels in same view (Illustrative Example)
Symposium on Information Systems Assurance, October 20-22, 2005 12
Security
Symposium on Information Systems Assurance, October 20-22, 2005 13
Summary• More efficient & accurate documentation
– Physical view of process• Creates a universe of documentation that is
– Relational
– Sharable
– Searchable
– Clear and understood
Symposium on Information Systems Assurance, October 20-22, 2005 14
Symposium on Information Systems Assurance, October 20-22, 2005 15
Thank you for your attention!tom.crouch@sunlife.com