Internal AuditBusiness Process Documentation Tool

Symposium on Information Systems Assurance

October 22, 2005

Tom Crouch

IT Audit Manager

tom.crouch@sunlife.com

The nice thing about standards is that there are so many to choose from.- Andrew S. Tannenbaum

Symposium on Information Systems Assurance, October 20-22, 2005 2

About Sun Life• Financial Services company offering wealth

management, insurance and protection products• Head Office – Toronto

– Offices in Canada, US, UK, Asia• Market cap, year-end 2004 of $23.8 billion CDN• 2004 Revenue - $21.75 billion CDN• Serve approximately 7 million Canadians

Symposium on Information Systems Assurance, October 20-22, 2005 3

Brief History of the Tool• Audit documentation consisted of Narratives and

Data Flow Diagrams

– Not collected in one spot

– No ability to correlate

– Depended on drawing ability of Auditor• Too much time making it “pretty”• Difficult to edit

– Large chunks of process easily missed• Too easy to make assumptions

Symposium on Information Systems Assurance, October 20-22, 2005 4

The Vision• To create a tool that would facilitate the capture of

process documentation that would

– provide a level of consistency and rigor– do so in an Auditor friendly manner (efficient / easy)

– be easily understood by clients

– allow processes to be interrelated

– allow analysis and rollup of data

– allow drill down exploration of processes

– combine business and IT documentation

– be easy to maintain

Symposium on Information Systems Assurance, October 20-22, 2005 5

Our “solution”• “Audit Universe”

– Developed in-house over period of years (beginning 1998)

– Written in Clarion 6.2 Enterprise Edition• Rapid Application Integrated Development

Environment (http://www.softvelocity.com )

– Multi-user, MS Windows, LAN based

– Proprietary database structure (encrypted)• Conversion to SQL possible and ‘relatively’

painless

Symposium on Information Systems Assurance, October 20-22, 2005 6

The ‘model’ – Interaction Diagram• Based on Object Oriented principles• Combines Narrative and Data Flow in one diagram• No artistic talent required

– Standardized format, automatically drawn• Connect-the-dots

– minimizes missed, forgotten or not well understood pieces

• Client friendly – “I get it!”– We have had several requests to provide

documentation to projects that are doing business process reengineering.

Symposium on Information Systems Assurance, October 20-22, 2005 7

The basic look (Illustrative example)

Symposium on Information Systems Assurance, October 20-22, 2005 8

Sample output (Illustrative example)

Symposium on Information Systems Assurance, October 20-22, 2005 9

Demo• Let’s take a look

Symposium on Information Systems Assurance, October 20-22, 2005 10

Other capabilities (Illustrative example)• ‘House’ view – hierarchical view of Business Unit

Symposium on Information Systems Assurance, October 20-22, 2005 11

• Tree View – all levels in same view (Illustrative Example)

Symposium on Information Systems Assurance, October 20-22, 2005 12

Security

Symposium on Information Systems Assurance, October 20-22, 2005 13

Summary• More efficient & accurate documentation

– Physical view of process• Creates a universe of documentation that is

– Relational

– Sharable

– Searchable

– Clear and understood

Symposium on Information Systems Assurance, October 20-22, 2005 14

Symposium on Information Systems Assurance, October 20-22, 2005 15

Thank you for your attention!tom.crouch@sunlife.com