ch04_s15

Chapter Four: INFORMATION TECHNOLOGY DEPLOYMENT RISKS

Upload: lou-chunjia

Post on 18-Jan-2016


DESCRIPTION

IS Audit

TRANSCRIPT

Page 1: ch04_S15

Chapter Four

INFORMATION TECHNOLOGY DEPLOYMENT RISKS

Page 2: ch04_S15

Developing Strategic Plans

Serves as primary guideline for resources.
Keeps the organization headed in a profitable direction.
Begins with a vision.

Page 3: ch04_S15

[Diagram: two chains of Mission → Objectives → Strategy → Policies, one for company plans and one for IT plans. Caption: Information Technology Plans Must Complement & Support Company Plans.]

Page 4: ch04_S15

The IT Auditor & Strategic Plans

The IT auditor should look for evidence of a prescribed, documented IT strategic planning process.

The existence of an ongoing process of this nature indicates that the company is constantly and diligently seeking an optimal “fit” between the information technology infrastructure and the organization’s overall goals.

Page 5: ch04_S15

Mission Statement

Guides the establishment of business objectives.

Catalyst for strategic planning within functional areas of the firm
– Goals and objectives of each function support the overall mission

Page 6: ch04_S15

Question

Write a mission statement for VT.

Page 7: ch04_S15

VT Mission Statement

http://www.vt.edu/about/about-university.html

Page 8: ch04_S15

Example: Ben & Jerry’s Mission Statement

Ben & Jerry’s is dedicated to the creation & demonstration of a new corporate concept of linked prosperity. Our mission consists of three interrelated parts. Underlying the mission is the determination to seek new and creative ways of addressing all three parts while holding a deep respect for individuals inside and outside the company, and for the communities of which they are a part.

Page 9: ch04_S15

Product: To make, distribute, and sell the finest quality all natural ice cream and related products in a wide variety of innovative flavors from Vermont dairy products.

Economic: To operate the Company on a sound financial basis of profitable growth, increasing value for our shareholders, and creating career opportunities and financial rewards for our employees.

Social: To operate the company in a way that actively recognizes the central role that business plays in the structure of society by initiating innovative ways to improve the quality of life of a broad community—local, national, and international.

Page 10: ch04_S15

Ben & Jerry’s IT Mission Statement Might Be:

The Information Systems function intends to offer high-quality, innovative information processing and management services to internal and external information consumers, while providing a reliable, responsive, and leading-edge technology infrastructure throughout the entire organization aimed at supporting new and creative ways of addressing the company’s three-part mission statement—comprised of product, economic and social components.

Page 11: ch04_S15

IT Objectives might be:

1. Create an atmosphere that embraces innovation and change.
2. Apply computer hardware and software technologies to opportunities that promote prosperity.
3. Incorporate an enterprise-wide information system to facilitate the intra-company coordination of business activities.
4. Develop a technology-based communications network capable of linking suppliers, customers, and employees into a seamless, virtual and extended enterprise.

Page 12: ch04_S15

Write IT Objectives for VT

To serve the university community and the citizens of the commonwealth of Virginia by applying and integrating information resources to:
• Enhance and support instruction, teaching and learning
• Participate in, support and enhance research
• Foster outreach, develop partnership with

Page 13: ch04_S15

IT Strategy might be:

The IT function will utilize a decentralized, organic form of organization that is adaptable and responsive to the dynamic nature of the Company. The IT function will include a Chief Information Officer (CIO) who, in coordination with other executive officers throughout the Company, will determine the precise structure of the IT function, which is expected to change over time depending on Company needs. The CIO, along with his/her delegates, will strive to cooperate and coordinate with all internal information consumers to ensure that the Company’s information system is fully integrated on an entity-wide basis, as well as listen and respond to external constituents to ensure that the Company’s business processes and related information technology infrastructure meet the ever-changing needs of the broader community of information consumers.

Page 14: ch04_S15

Important Policy Areas for IT Functions

1. Planning Policies
   1. Responsibility (who is involved with planning?)
   2. Timing (when does planning take place?)
   3. Process (how should planning be conducted?)
   4. Deliverables (what planning documents are produced?)
   5. Priorities (what are the most to least critical planning issues?)

Page 15: ch04_S15

Important Policy Areas for IT Functions

2. Organizational Policies
   1. Structure (what is the organizational form of the IT function?)
   2. Information Architecture (is the infrastructure aligned with the firm’s mission?)
   3. Communication (are the IT strategy and policies known by all affected parties?)
   4. Compliance (are all external regulations and laws being addressed?)
   5. Risk assessment (are IT risks identified, measured and controlled?)

Page 16: ch04_S15

Important Policy Areas for IT Functions

3. Human Resource Policies
   1. Training (what kind of training is provided and to whom?)
   2. Travel (what are the travel guidelines and priorities?)
   3. Hiring (who determines needs and who screens applicants?)
   4. Promotion (what are the guidelines and how does the process work?)
   5. Termination (what are voluntary and involuntary termination guidelines?)

Page 17: ch04_S15

Important Policy Areas for IT Functions

4. Software Policies
   1. Acquisition (how is software acquired from outside vendors?)
   2. Standards (what are the software compatibility standards?)
   3. Outside contractors (should contractors be used for software development?)
   4. Changes (how to control and monitor the software change process?)
   5. Implementation (how to handle conversions, interfaces, and users?)

Page 18: ch04_S15

Important Policy Areas for IT Functions

5. Hardware Policies
   1. Acquisition (how is hardware acquired from outside vendors?)
   2. Standards (what are the hardware compatibility standards?)
   3. Performance (how to test computing capabilities?)
   4. Configuration (where to use client-servers, personal computers, and so on?)
   5. Service Providers (should third-party service bureaus be used?)

Page 19: ch04_S15

Important Policy Areas for IT Functions

6. Network Policies
   1. Acquisition (how is network technology acquired from outside vendors?)
   2. Standards (compatibility of local area networks, intranets, extranets, and so on?)
   3. Performance (how much bandwidth is needed and is the network fast enough?)
   4. Configuration (use of servers, firewalls, routers, hubs, and other technology?)
   5. Adaptability (capability to support emerging e-business models?)

Page 20: ch04_S15

Important Policy Areas for IT Functions

7. Security Policies
   1. Testing (how is security tested?)
   2. Access (who can have access to what information and applications?)
   3. Monitoring (who monitors security?)
   4. Firewalls (are they effectively utilized?)
   5. Violations (what happens if an employee violates security?)

Page 21: ch04_S15

Important Policy Areas for IT Functions

8. Operations Policies
   1. Structure (how is the operations function structured?)
   2. Responsibilities (who is responsible for transaction processing?)
   3. Input (how does data enter into the information system?)
   4. Processing (what processing modes are used?)
   5. Error Handling (who should correct erroneous input/processing items?)

Page 22: ch04_S15

Important Policy Areas for IT Functions

9. Contingency Policies
   1. Backup (what are the backup procedures?)
   2. Recovery (what is the recovery process?)
   3. Disasters (who is in charge and what is the plan?)
   4. Alternate Sites (what types of sites are available for off-site processing?)

Page 23: ch04_S15

Important Policy Areas for IT Functions

10. Financial and Accounting Policies
   1. Project Management (are IT projects prioritized, managed, and monitored?)
   2. Revenue Generation (should services be sold inside or outside the organization?)
   3. Technology Investments (are the investment returns being properly evaluated?)
   4. Funding Priorities (where to most effectively allocate resources?)
   5. Budgets (are budgets aligned with funding levels and priorities?)

Page 24: ch04_S15

Planning Process

Follows a clearly defined path: Vision → Mission → Objectives → Strategy → Policies

The planning process increases the likelihood that the company is making the most efficient & effective use of IT throughout the organization.

Page 25: ch04_S15

“Red Flags” for IT Auditors

The following planning risk indicators should trigger red flags for the IT auditor.

Page 26: ch04_S15

Key Planning Risk Indicators

1. A strategic planning process is not used.
2. Information technology risks are not assessed.
3. Investment analyses are not performed.
4. Quality assurance reviews are not conducted.
5. Plans and goals are not communicated.

Page 27: ch04_S15

Key Planning Risk Indicators

6. Information technology personnel are disgruntled.
7. Software applications do not support business processes.
8. The technology infrastructure is inadequate.
9. The user community is unhappy with the level of support.
10. Management’s information needs are not met.

Page 28: ch04_S15

CobiT Guidelines

Guidelines suggest eleven processes should be incorporated into IT strategic plans.

Each process is integrated throughout IT policy areas.

Processes are designed to manage the key IT risks.

Page 29: ch04_S15

11 Processes

1. Develop a strategic IT plan.
2. Articulate the information architecture.
3. Find an optimal fit between IT and the company’s strategy.
4. Design the IT function to match the company’s needs.
5. Maximize the IT investment.
6. Communicate IT policies to the user community.

Page 30: ch04_S15

11 Processes

7. Manage the IT workforce.
8. Comply with external regulations, laws, and contracts.
9. Conduct IT risk assessments.
10. Maintain a high-quality systems development process.
11. Incorporate sound project management techniques.

Page 31: ch04_S15

Balanced Scorecard

Concept introduced in 1996 by Kaplan & Norton.

Scorecard measures financial and non-financial performance.

Page 32: ch04_S15

Kaplan’s Balanced Scorecard

[Diagram: Mission and Vision at the center; each surrounding perspective lists Goals, Measures, Targets and Initiatives.]
– FINANCIAL and SOCIAL COST: “While achieving our vision, how shall we minimize cost and maximize profit?”
– LEARNING and GROWTH: “To achieve our vision, how will we sustain our ability to change and improve?”
– CUSTOMER and CONSTITUENTS: “To achieve our vision, how must customers and constituents view our words and actions?”
– INTERNAL BUSINESS PROCESS: “To satisfy our customers and the public, what business processes must we excel at?”
– VALUE and BENEFIT: “To achieve our vision, what values and benefits must we create?”

Page 33: ch04_S15

4 Perspectives of Scorecard

1. Financial

Non-financial indicators:
2. Customer satisfaction
3. Internal processes
4. Organizational learning and growth

Page 34: ch04_S15

Three Layered Structure

A 3-layered structure was devised for each of the 4 perspectives:

1. Mission
2. Objectives
3. Measures

Page 35: ch04_S15

More than Performance Measure

Scorecard evolved into an intra-organizational management system to:

– Facilitate the establishment of long term strategic goals.
– Communicate the goals throughout the firm.
– Align the initiatives and incentives to the goals.
– Allocate resources to match the goals.
– Gain feedback and learning about the strategy.

Page 36: ch04_S15

IT Function Scorecard

Use the balanced scorecard to plan & monitor IT performance:

Financial Performance = Organizational Contribution

Examples: ROI, Discounted Cash Flow, Before and after transaction costs of IT projects (implementing SAP).

Page 37: ch04_S15

IT Function Scorecard

Customer Satisfaction = User Satisfaction

Examples: Surveys of user attitudes for ease of use, system reliability, and perceptions about the IT staff.

Page 38: ch04_S15

IT Function Scorecard

Internal Processes = Operational Performance

Examples: Number of security breaches, number of backlogged requests, % of downtime.
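The three Operational Performance measures just listed are only auditable if they are derived consistently from the underlying incident and outage records. The Python below is an added example, not part of the slides, that computes them over a constructed reporting period; the `OUTAGES`, `INCIDENTS` and `REQUESTS` records, the `security_breach` category label and the period itself are all constructed for illustration. The point worth seeing in code is that overlapping outage records are merged and each outage is clipped to the period, so the downtime percentage is neither double-counted when two tickets describe one outage nor inflated by an outage that began before the period opened.

```python
"""Operational Performance measures for an IT function scorecard, computed from
incident and outage records.

Added example; the reporting period and every record below are constructed.
"""
from datetime import datetime, timedelta

# Constructed reporting period: January 2016 (end is exclusive).
PERIOD_START = datetime(2016, 1, 1)
PERIOD_END = datetime(2016, 2, 1)

# Constructed outage log: (start, end). Records may overlap or straddle the period.
OUTAGES = [
    (datetime(2015, 12, 31, 22), datetime(2016, 1, 1, 2)),    # began before the period
    (datetime(2016, 1, 10, 9),   datetime(2016, 1, 10, 12)),
    (datetime(2016, 1, 10, 11),  datetime(2016, 1, 10, 13)),  # overlaps the previous record
    (datetime(2016, 1, 20, 0),   datetime(2016, 1, 20, 6)),
]

# Constructed incident register; only the "security_breach" category counts as a breach.
INCIDENTS = [
    {"id": "INC-0001", "category": "security_breach", "opened": datetime(2015, 12, 30)},
    {"id": "INC-0002", "category": "security_breach", "opened": datetime(2016, 1, 8)},
    {"id": "INC-0003", "category": "hardware_fault",  "opened": datetime(2016, 1, 12)},
    {"id": "INC-0004", "category": "security_breach", "opened": datetime(2016, 1, 25)},
]

# Constructed service-request queue; closed=None means still open.
REQUESTS = [
    {"id": "REQ-01", "opened": datetime(2016, 1, 4),  "closed": datetime(2016, 1, 6)},
    {"id": "REQ-02", "opened": datetime(2016, 1, 15), "closed": None},
    {"id": "REQ-03", "opened": datetime(2016, 1, 28), "closed": datetime(2016, 2, 3)},
    {"id": "REQ-04", "opened": datetime(2016, 2, 2),  "closed": None},   # after the period
]


def merge_intervals(intervals):
    """Merge overlapping or touching (start, end) intervals so that two tickets
    for the same outage are not counted twice."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_percent(outages, period_start, period_end):
    """Percentage of the reporting period spent in outage, after clipping each
    outage to the period and merging overlaps."""
    clipped = []
    for start, end in outages:
        s, e = max(start, period_start), min(end, period_end)
        if s < e:
            clipped.append((s, e))
    down = sum((e - s for s, e in merge_intervals(clipped)), timedelta())
    return round(down / (period_end - period_start) * 100, 2)


def count_breaches(incidents, period_start, period_end):
    """Number of security breaches opened within the period."""
    return sum(1 for inc in incidents
               if inc["category"] == "security_breach"
               and period_start <= inc["opened"] < period_end)


def backlog(requests, as_of):
    """Requests opened on or before as_of and still open at that moment."""
    return sum(1 for req in requests
               if req["opened"] <= as_of
               and (req["closed"] is None or req["closed"] > as_of))


def operational_performance(outages, incidents, requests, period_start, period_end):
    """The three Operational Performance measures from the scorecard slide."""
    return {
        "security_breaches": count_breaches(incidents, period_start, period_end),
        "backlogged_requests": backlog(requests, period_end),
        "downtime_percent": downtime_percent(outages, period_start, period_end),
    }


if __name__ == "__main__":
    print(operational_performance(OUTAGES, INCIDENTS, REQUESTS, PERIOD_START, PERIOD_END))
```

For the constructed records this yields 2 breaches, 2 backlogged requests and 1.61 % downtime (12 of 744 hours); without the merge and clip steps the same records would report 15 hours of downtime.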

Page 39: ch04_S15

IT Function Scorecard

Learning & Growth = Adaptability & Scalability

Examples: Resources expended on developing interfaces, ease of integrating new technology, and ability to keep pace with organization’s IT growth.

Page 40: ch04_S15

IT Function Scorecard

[Diagram: IT Function Strategy at the center, linked to the four scorecard perspectives: Organizational Contribution, User Satisfaction, Operational Performance, and Adaptability & Scalability.]

Page 41: ch04_S15

Project Management

Sound techniques apply to most situations. Structure minimizes risk of failure:
– Late delivery
– Cost overrun
– Lack of functions
– Poor quality

IT auditor should check that project management techniques are employed.

Page 42: ch04_S15

Question?

What is an outcome measure? The result of a test – do you generate the F/S accurately?

What is a process measure? Do you have the segregation of duties?

Page 43: ch04_S15

Project Manager

First step is to assign project to a manager
Needs experience in area
Needs skill at managing projects
Must work well with staff on planning and executing the project.

Page 44: ch04_S15

Generic Project Life Cycle

[Diagram: Activities 1–4, each with its Resources, Parameters and Deliverable, run from Beginning to End and produce the Project Outcome. Management phases across the cycle: Planning, Scheduling, Monitoring, Controlling, Closing. Inputs: Project Resources; Boundary Conditions: Scope, Time, Cost.]

Page 45: ch04_S15

Project Life Cycle Phase One

Plan the Project

Set the Time, Cost & Scope
Identify resources
Articulate outcome
Work with specialists
Determine the WBS – Work Breakdown Structure

Page 46: ch04_S15

Project Life Cycle Phase Two

Schedule the Project

Create a time table for each activity.

Gantt charts

Critical Path Analysis

Critical Path Method

Microsoft Project

Page 47: ch04_S15

Project Life Cycle Phase Three

Continuous Monitoring

Use benchmarks, milestones, deliverables.

Frequency varies by project.

Rule of Thumb: Determine the maximum percent deviation allowed & monitor activities at the half-way point.

Page 48: ch04_S15

Project Life Cycle Phase Four

Controlling

Keep project moving
Adjust to unexpected issues
Continually adjust the plan

Page 49: ch04_S15

Project Life Cycle Phase Five

Closing the Project

Obtain client acceptance in writing
Release and evaluate project personnel
Identify & reassign remaining project assets
Evaluations of project
Chronicle project history

Page 50: ch04_S15

Key Project Risk Indicators

1. Management does not use a formal project management methodology.
2. Project leaders are not adequately experienced at managing projects.
3. Project leaders have insufficient domain expertise.
4. Project teams are unqualified to handle the project size/complexity.
5. Project team members are dissatisfied and frustrated.

Page 51: ch04_S15

Key Project Risk Indicators

6. Projects do not have senior-level executive support.
7. Projects do not include input from all affected parties.
8. Project recipients are dissatisfied with project outcomes.
9. Projects are taking longer to develop than planned.
10. Projects are costing more than budgeted.

Page 52: ch04_S15

Acquiring Software

IT auditor should determine if the new application would fit into the company’s strategic plan.

There should be a formal software application acquisition policy.

Needs must be identified and prioritized.
Determine which applications can be developed in-house, and which to purchase.

Page 53: ch04_S15

Selection Process

Assign a project manager
– Must know the needs of users & include them in decisions

Identify alternatives and compare:
Ease of use
Internal controls
Functionality
Integration with existing systems
Reporting
Future scalability
Documentation
Performance
Security features
Cost

Page 54: ch04_S15

Total Cost of Software

Price of acquisition
User training
Multiple licenses
Service and support
Future upgrades
Software modifications

Page 55: ch04_S15

Key Acquisition Risk Indicators

1. Software acquisitions are not mapped to the strategic plan.
2. There are no documented policies aimed at guiding software acquisitions.
3. There is no process for comparing the “develop versus purchase” option.
4. No one is assigned responsibility for the acquisition process.
5. Affected parties are not involved with assessing requirements and needs.

Page 56: ch04_S15

Key Acquisition Risk Indicators

6. There is insufficient knowledge of software alternatives.
7. Security features and internal controls are not assessed.
8. Benchmarking and performance tests are not carried out.
9. Integration and scalability issues are not taken into account.
10. Total cost of ownership is not fully considered.

Page 57: ch04_S15

Developing Software

Information Systems Development Proposal – formal documentation of requested project.

Steering Committee reviews each proposal.

Feasibility Group studies potential projects.

Page 58: ch04_S15

Feasibility Study
Recommends to the Steering Committee
Provides preliminary assessment

– Technical Feasibility: Whether current, affordable and reliable technology can reasonably be applied to the project.

– Financial Feasibility: Calculates return based on company policy.

– Cultural Feasibility: Do the employees have the skills to run the system? Will they use it? Are there legal or regulatory concerns?

Page 59: ch04_S15

Feasibility Report

Feasibility group prepares a report to make a recommendation on the project.

Report is submitted to the Steering Committee.
Steering Committee assigns the project to a Project Leader.
Project Leader assembles the Project Team.

– Includes functional area representatives
– Includes at least one senior level manager

Page 60: ch04_S15

Additional Systems Development Issues

Business Process Analysis
Must complete before starting technical development.
Use various modeling techniques.
Develop and consider alternative business process designs.
Look to external sources.
Compare models.
Select best model.

Page 61: ch04_S15

Additional Systems Development Issues

Development & Testing

Create libraries in a secured area of the computer.
Create secure places for code and data.
Prevent destruction and/or alteration.
Company must have security procedures that are continuously monitored.

Page 62: ch04_S15

Development, Test and Production Libraries

Development Library      --Secure Handoff-->   Test Library             --Secure Handoff-->   Production Library
No Data                                        Test Data                                      Live Data
Development Source Code                        Test Object Code                               Production Object Code
Programmers Only                               Programmers & Users                            Users Only
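The separation on this slide can be enforced as a promotion control: code enters the chain only through the development library, live data never reaches development, a programmer cannot write to production, and production only ever receives a binary whose hash matches the copy that users approved in the test library. The Python below is an added illustration, not code from the slides or from any named product; the role names (programmer, user, release_manager, the last one standing in for whoever performs the secure handoff into production), the payroll.obj artifact and its contents are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the three-library control on the slide: each library
# records who may write to it and which class of data it may hold.
# "release_manager" is an assumption; the slide only says the handoff into
# production is secure, so a non-programmer role is used to perform it.
LIBRARY_SPEC = {
    "development": {"writers": {"programmer"},         "data_class": None},
    "test":        {"writers": {"programmer", "user"}, "data_class": "test"},
    "production":  {"writers": {"release_manager"},    "data_class": "live"},
}
# The only permitted handoffs, in order: development -> test -> production.
HANDOFFS = {("development", "test"), ("test", "production")}


class ControlViolation(Exception):
    """Raised when an action would break the library separation."""


@dataclass
class Artifact:
    name: str
    object_code: bytes

    def digest(self) -> str:
        return hashlib.sha256(self.object_code).hexdigest()


@dataclass
class Library:
    name: str
    writers: set
    data_class: Optional[str]
    artifacts: dict = field(default_factory=dict)  # artifact name -> sha256 recorded on entry
    approved: set = field(default_factory=set)     # digests signed off after testing here


class LibrarySystem:
    def __init__(self):
        self.libs = {n: Library(n, **spec) for n, spec in LIBRARY_SPEC.items()}

    def _writer_check(self, role, lib):
        if role not in lib.writers:
            raise ControlViolation(f"{role} may not write to the {lib.name} library")

    def load_data(self, role, library, data_class):
        """Data may only enter the library whose data class matches; development holds none."""
        lib = self.libs[library]
        self._writer_check(role, lib)
        if lib.data_class is None or data_class != lib.data_class:
            raise ControlViolation(f"{data_class} data is not permitted in {library}")

    def check_in(self, role, artifact):
        """New object code enters the chain only through development."""
        lib = self.libs["development"]
        self._writer_check(role, lib)
        lib.artifacts[artifact.name] = artifact.digest()

    def approve(self, role, artifact_name):
        """A user signs off on an artifact after testing it in the test library."""
        lib = self.libs["test"]
        self._writer_check(role, lib)
        if artifact_name not in lib.artifacts:
            raise ControlViolation(f"{artifact_name} is not in the test library")
        lib.approved.add(lib.artifacts[artifact_name])

    def promote(self, role, src, dst, artifact):
        """Secure handoff: copy forward only a known, unmodified and (for production) approved artifact."""
        if (src, dst) not in HANDOFFS:
            raise ControlViolation(f"no handoff from {src} to {dst}")
        src_lib, dst_lib = self.libs[src], self.libs[dst]
        self._writer_check(role, dst_lib)
        recorded = src_lib.artifacts.get(artifact.name)
        if recorded != artifact.digest():
            raise ControlViolation(f"{artifact.name} differs from the copy recorded in {src}")
        if dst == "production" and recorded not in src_lib.approved:
            raise ControlViolation(f"{artifact.name} has not been approved in test")
        dst_lib.artifacts[artifact.name] = recorded
        return recorded


def violates(action, *args) -> bool:
    """True if the control blocks the action."""
    try:
        action(*args)
        return False
    except ControlViolation:
        return True


def run_scenario() -> dict:
    """Walk one constructed artifact through the chain and record which shortcuts are blocked."""
    system = LibrarySystem()
    payroll = Artifact("payroll.obj", b"constructed object code v1")
    system.check_in("programmer", payroll)
    results = {
        "programmer_to_prod_blocked": violates(system.promote, "programmer", "development", "production", payroll),
        "live_data_in_dev_blocked": violates(system.load_data, "programmer", "development", "live"),
    }
    system.promote("programmer", "development", "test", payroll)
    # even the right role cannot hand an unapproved artifact to production
    results["unapproved_blocked"] = violates(system.promote, "release_manager", "test", "production", payroll)
    system.approve("user", "payroll.obj")
    # a binary patched after testing no longer matches the approved digest
    tampered = Artifact("payroll.obj", b"constructed object code v1 + patch")
    results["tampered_blocked"] = violates(system.promote, "release_manager", "test", "production", tampered)
    results["production_digest"] = system.promote("release_manager", "test", "production", payroll)
    return results
```

The digest recorded at check-in is what ties the three libraries together: the object code that reaches production is provably the same bytes that were tested and approved, which is the property an auditor is looking for behind the words "secure handoff".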

Page 63: ch04_S15

Additional Systems Development Issues

Security and Controls

Project team must plan security & control features in the development stage.

Prevents patching program code later.

Ultimate goal is to design as many automated features as possible to optimize system reliability.

Page 64: ch04_S15

Additional Systems Development Issues

Conversions and Interfaces
Conversion: Put existing data in the correct format for the new system
– Scrub the data
– Correct errors and omissions before it goes into the new system

Interfaces: Bridge the developed application to related external applications
– Be able to pass data back & forth.

Page 65: ch04_S15

Additional Systems Development Issues

Implementation Testing
Three phases of testing before going live:

1. __________: Tests in isolation for simple tasks

2. ________________: Tests related programs that are joined & handle multiple tasks.

3. System Testing: Tests related modules that join the entire application.

Stress Testing: Tests the final product under extreme conditions.

Page 66: ch04_S15

Additional Systems Development Issues

Training & Documentation
Training should:
– Take place early
– Be all-encompassing
– Continue throughout the project life cycle

Documentation should:
– Be complete for the entire project and all programs
– Include user manuals

Page 67: ch04_S15

Key Development Risk Indicators

1. Development projects are not aligned with the strategic plan

2. Feasibility studies do not consider the following areas:
• technical feasibility
• financial feasibility
• cultural feasibility

3. Senior management and users are not involved

4. Business process analyses are not performed

Page 68: ch04_S15

Key Development Risk Indicators

5. Alternative designs are not compared

6. Separate development, test, and production libraries are not used

7. Security and control features are not designed into the system

8. Conversion and interface issues are not taken into account

9. System testing is inadequate

10. Training and documentation are poor

Page 69: ch04_S15

Changing Software

Change Request
– Specifies the change
– Justifies the need
– Approvals given
» All parties agree the change is necessary
» Change is congruent with the Strategic Plan
– Submitted to IT

Page 70: ch04_S15

Change Requests

IT logs the request & assigns a tracking number

Software Change Committee reviews and prioritizes
– May refer to a feasibility group

Change is assigned to IT staff person(s)

Page 71: ch04_S15

Change design & programming

Follow the same structure as in new development
– Secured procedure of separate development, test, and production libraries
– Incorporated security & control procedures
– Tests for integration (unit, module, system tests)
– Documentation

Page 72: ch04_S15

Key System Change Risk Indicators

1. A structured system change methodology is not in place.

2. A software change request procedure is not used.

3. Change requests are not reviewed/prioritized by a representative group.

4. Feasibility studies are not performed when appropriate.

5. Alternative software change designs are not considered.

Page 73: ch04_S15

Key System Change Risk Indicators

6. Separate development, test, and production libraries are not used.

7. Security and controls implications are not considered.

8. Integration issues are not taken into account.

9. Testing is inadequately conducted.

10. Application changes are poorly documented.

Page 74: ch04_S15

Implementation Strategies

Purchased software needs testing.
A strategy must be chosen that best fits the situation.
Consider risks of business interruption, costs, time, and the ability of the legacy system to function.

Page 75: ch04_S15

Implementation Strategies

Parallel Implementation
New and old systems process side by side with live data
Problems can be identified and corrected
Least risky
Heavy resource use:
– Time to input, process, and create reports on two systems
– Time for reconciliation of output
– Hardware requirements to run two systems

Page 76: ch04_S15

Implementation Strategies

Big-Bang Implementation
The old system is discontinued and the new one becomes live the next instant.
Resources are not tied up running the old system.
Staff is focused on the success of the new system.
New system failure could interrupt business processes.

Page 77: ch04_S15

Implementation Strategies

Partial Implementation
Phase-in strategy starts one application of a system at a time
Problems are resolved before the next application begins.
Minimizes risk of business interruption.
May take a long time to implement the entire new system.

Page 78: ch04_S15

Implementation Strategies

Focused Implementation
Implements the system first with small user groups (offices, departments, divisions, locations, etc.)
Group would use one of the previous strategies.
Problems would be identified & resolved before larger groups begin.
Could take a long time for full implementation to be completed

Page 79: ch04_S15

Formal Implementation Plans

Process should be handled as a project
Organize tasks into a Work Breakdown Structure
Develop a formal change management policy

Page 80: ch04_S15

Change Management

Establish an open line of communication among all affected parties.

Develop thorough training and educational programs.

Allow all affected parties to provide instrumental input into the implementation process as it unfolds.

Page 81: ch04_S15

Final Testing

Move object code from the development library to the test library

Test built-in security and control features
Effectiveness observed, tested and approved by qualified overseers
Test interface programs

Page 82: ch04_S15

Final Conversion
Run programs that convert live data from the old to the new format
– Use archived data up to several days prior
– Fix data until the programs work successfully

Convert the last days of data
After successful conversion, move into the production library:
– Application object code
– Converted data
– Interface object code
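The conversion step on this slide, and the "scrub the data, correct errors and omissions before it goes into the new system" point from the Conversions and Interfaces slide, both come down to the same control: a conversion program must not silently drop or mangle records. Every defect goes to an exception report, control totals are produced so the reviewer can reconcile input against output, and the load is only declared ready once the report is empty. The Python below is an added illustration, not code from the slides; the legacy record layout (pipe-delimited account, MMDDYY date, amount in cents, description) and the five sample records are constructed.

```python
import re
from datetime import datetime
from decimal import Decimal

# Constructed legacy extract (not from the slides): one record per line, fields
# separated by "|" in the order account, posting date as MMDDYY, amount in
# cents with an optional sign, description.
LEGACY_EXTRACT = [
    "10042|011516|0001500|OFFICE SUPPLIES",
    "10042|013116|-000250|VENDOR CREDIT",
    "10099|022916|0004999|   ",        # description omitted
    "1ABCD|031016|0000100|RENT",       # account is not numeric
    "10100|023016|0000700|TRAVEL",     # 30 February does not exist
]


def convert_record(line: str) -> dict:
    """Map one legacy record to the new layout, raising ValueError on any defect."""
    parts = line.split("|")
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields, found {len(parts)}")
    account, posted, amount, description = (p.strip() for p in parts)
    if not re.fullmatch(r"\d{5}", account):
        raise ValueError(f"account {account!r} is not five digits")
    if not re.fullmatch(r"-?\d+", amount):
        raise ValueError(f"amount {amount!r} is not a whole number of cents")
    if not description:
        raise ValueError("description omitted")
    # strptime rejects impossible dates such as 30 February
    posted_date = datetime.strptime(posted, "%m%d%y").date()
    return {
        "account": account,
        "posted": posted_date.isoformat(),
        "amount": Decimal(amount).scaleb(-2),   # cents -> units with two decimals
        "description": description,
    }


def convert_extract(lines) -> tuple:
    """Convert every record; defects go to an exception report instead of being dropped."""
    converted, exceptions = [], []
    for number, line in enumerate(lines, start=1):
        try:
            converted.append(convert_record(line))
        except ValueError as err:
            exceptions.append({"line": number, "record": line, "reason": str(err)})
    return converted, exceptions


def reconcile(lines, converted, exceptions) -> dict:
    """Control totals a reviewer checks before the converted data may be loaded."""
    return {
        "records_in": len(lines),
        "records_out": len(converted),
        "records_rejected": len(exceptions),
        "counts_balance": len(lines) == len(converted) + len(exceptions),
        "amount_out": sum((r["amount"] for r in converted), Decimal("0.00")),
        # the conversion is complete only once the exception report is empty
        "ready_to_load": not exceptions,
    }


def run_conversion(lines=LEGACY_EXTRACT) -> dict:
    """Run the constructed extract through conversion and return data plus control totals."""
    converted, exceptions = convert_extract(lines)
    summary = reconcile(lines, converted, exceptions)
    summary["converted"] = converted
    summary["exceptions"] = exceptions
    return summary
```

Running this against the constructed extract rejects three of the five records with a reason and line number each, which is the list the team works through ("fix data until the programs work successfully") on archived data before converting the last days of live data and moving the result into the production library.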

Page 83: ch04_S15

Application is Live!

Team still needs to work with users!
– Answer questions
– Fix problems
– Monitor performance
– Performance tuning
– User acceptance

Prepare a post-implementation report

Page 84: ch04_S15

Key Implementation Risk Indicators

1. Alternative implementation strategies are not considered:
a) Parallel
b) Big-Bang
c) Partial
d) Focused

2. Formal implementation plans are not followed.

3. All affected parties are not involved.

4. Implementation teams are uncoordinated.

Page 85: ch04_S15

Key Implementation Risk Indicators

5. Implementation processes are rushed.

6. Change management procedures are not developed.

7. System users are inadequately trained.

8. Security and control issues are slighted.

9. Final testing is insufficient.

10. Post-implementation reviews are not conducted.