Process Improvement

Business Process Review

Business Process Review (BPR) assesses the efficiency and effectiveness of administrative, financial and operational business processes, and evaluates the alternatives.  BPR considers process effectiveness and efficiency, including the presence of appropriate controls, to mitigate business risk.  BPR identifies opportunities for improvement, highlights areas of risk or control deficiency, and suggests “best practices” to spur company-wide performance.  The BPR team partners with the client, who becomes a valuable contributor in the risk identification process.

A high-level analysis is conducted through discussions with management.  Optionally, a more detailed analysis is conducted based on interviews with key personnel.  The detailed analysis is recommended when management is unsure of the nature and extent of existing problems.  The objective of the BPR is to identify opportunities for business process improvement, which are identified and evaluated from a business case perspective.  The detailed analysis will lead to a more accurate business case.

Contingency Planning

IT systems are vulnerable to a variety of disruptions, ranging from mild (e.g., short-term power outage, disk drive failure) to severe (e.g., equipment destruction, fire), arising from sources that range from natural disasters to terrorist actions. While many vulnerabilities may be minimized or eliminated through technical, management, or operational solutions as part of the organization’s risk management effort, it is virtually impossible to completely eliminate all risks. In many cases, critical resources may reside outside the organization’s control (such as electric power or telecommunications), and the organization may be unable to ensure their availability. Thus effective contingency planning, execution, and testing are essential to mitigate the risk of system and service unavailability. Accordingly, for contingency planning to be successful, agency management must ensure the following:

  1. Understand the IT Contingency Planning Process and its place within the overall Continuity of Operations Plan and Business Continuity Plan process.
  2. Develop or reexamine their contingency policy and planning process and apply the elements of the planning cycle, including preliminary planning, business impact analysis, alternate site selection, and recovery strategies.
  3. Develop or reexamine their IT contingency planning policies and plans with emphasis on maintenance, training, and exercising the contingency plan.

Business Continuity planning requires a thorough review of your organization's entire operation for safety and operational vulnerabilities.  This business impact assessment (BIA) should include not only day-to-day operations but also key suppliers, business, and data partners as well as infrastructure components that are deemed vital. Planning must include detailed contingency plans that will guide your organization in performing its critical functions during a disruption or disaster.

You must start the process by identifying all critical processes and by evaluating threats at every location, identifying all the key components, their interdependencies, and their relative importance.

This planning should include:

  • A review of all hazards and threats quantifying the potential for impact.
  • Triage to identify processes, systems, functions, and partners that are most critical and at risk.
  • Developing contingency and disaster-recovery plans for each process. 
  • Identification of mitigation steps.
  • A review of the functionality, practicality, and cost-benefit of various contingency and recovery options.
  • Crisis communication and notification plans for employees and stakeholders.

Contingency planning should be an integral part of your overall business continuity management process.

System Development Life Cycle (SDLC) Review

Companies spend millions of dollars each year on the acquisition, design, development, implementation, and maintenance of information systems vital to their various business and administrative functions. The need for safe, secure, and reliable system solutions is heightened by the increasing dependence on computer systems and technology to provide services and develop products, administer daily activities, and perform short- and long-term management functions. There is also a need to ensure privacy and security when developing information systems, to establish uniform privacy and protection practices, and to develop acceptable implementation strategies for these practices.

Companies need a systematic and uniform methodology for information systems development. Using the SDLC will ensure that systems developed meet IT mission critical objectives; are compliant with the current and planned Information Technology Architecture (ITA); and are easy to maintain and cost-effective to enhance. Sound life cycle management practices include planning and evaluation in each phase of the information system life cycle. The appropriate level of planning and evaluation is commensurate with the cost of the system, the stability and maturity of the technology under consideration, how well defined the user requirements are, the level of stability of program and user requirements and security considerations.

We have extensive experience in reviewing SDLC methodology compliance within our client companies and in recommending specific corrective actions to ensure that the system development activities are being carried out in the most efficient manner. We look at the activities being performed in all stages of the SDLC. Our recommendations take into account benchmarking data from our project experiences with other client companies in similar industries.

Application Controls Review

Application controls are the controls over input, processing, and output of data associated with individual applications.  An application controls review examines the methods and procedures designed for each application to ensure the authority of data origination, the accuracy of data input, integrity of processing, and verification and distribution of output. 

Enterprise Resource Planning (ERP) Pre/Post Reviews

ERP Pre-Reviews

Companies expend significant time and cost in selecting an appropriate enterprise resource planning (ERP) system to support their business processes and management decision making. The process of such selection is never easy. It requires significant coordination of various requirements from different functional departments. These requirements have to be carefully tallied and matched against the ERP software capabilities to ensure that the software selected truly will meet the company needs. There are numerous ERP systems in the market and thus this selection task has become even more critical since selecting the wrong system can be inordinately expensive for a company, no matter what its size.

We provide a structured methodology to review the business requirements of a company and match them with the appropriate ERP software available in the marketplace. We understand that no ERP software can match the company requirements 100% and thus may need “work-around” solutions or sometimes customization to satisfy the business process requirements. Through a careful selection methodology, we minimize such customization efforts.

Our methodology also takes into account the significant differences in specific functionality required in terms of its criticality to the business objectives. We categorize the business requirements in terms of the importance and criticality and thus are able to prioritize the fit of the ERP functionality appropriately.

In addition, the various soft criteria which need to be incorporated into the selection process are also carefully included. These are factors related to fit with the people culture of the company, readiness for change in the business processes which might result from the ERP implementation, and project team structure and skill sets. We are well versed in ERP implementations and their pitfalls and are able to anticipate and minimize them through our careful selection methodology.

ERP Post Reviews

Companies generally go through a difficult organizational transformation in implementing an ERP system. Even though it is expected that it takes a certain period before the ERP system truly is effective in a company, companies generally find that, after a considerable gestation period, the ERP systems still have not provided the true benefits realization which was expected at the outset of the implementation process. We find this to be true in most companies we serve and thus have developed a comprehensive methodology to review the status of the ERP implementation and ERP usage in a company as a post-implementation effort.

We examine the ERP effectiveness in a company on the following key dimensions:

  • Meeting company transaction processing needs as originally set
  • Satisfying company’s strategic goals and transformational needs
  • Examining the total cost of ownership of the system and associated infrastructure
  • Level of knowledge of the system functionality and processing among company employees and management personnel
  • Managing the risks associated with the business processes and IT systems
  • Monitoring the ERP effectiveness on an on-going basis within the company

Our initial assessments provide concrete recommendations for management action to move the ERP implementation and usage in a company forward and get “more from your ERP investment”.

Industry Specific Reviews

Through our industry specialists, we provide reviews to ensure that our client companies are equipped with industry best practices in their business processes and information systems deployment. We utilize benchmarking data acquired through our vast industry experience in manufacturing, distribution, retail, construction, governmental and other selected industries in which we have numerous clients. We collect such information on an ongoing basis and also acquire such information through industry benchmarking databases.

In addition, we constantly review and monitor industry specific software for the above mentioned industry segments and thus are able to advise on deploying industry appropriate software. Many industries have significantly different business requirements, some regulatory and some from a best practice perspective, and thus the business software necessary to support such processes is specialized as well.

Enterprise Resource Planning (ERP) Pre/Post Review(s)

ERP systems, which evolved out of manufacturing resource planning systems for the manufacturing industry, use data from a wide range of business areas to provide cross-departmental management and process information.  The term ERP is no longer about just planning; rather it refers to core critical business processes of an organization.  Despite the principal usefulness of the concept, ERP system implementations can fail to deliver expected results if not adequately managed and controlled.  Further, there are emerging trends and changing technologies that support expanded use of ERP systems (such as web-enabled customer interfaces), which will increase the importance of the security and control considerations for ERP.  An ERP system internal audit requires specific knowledge and an understanding of the complex features and integrated processes built into and required for the successful implementation, use and control of specific vendor products.

Specialized Industry Review

Industries such as healthcare, government, and manufacturing have attributes and characteristics that make them unique and define the way in which operations are conducted. From an understanding of this delineation and the corresponding unique internal processes and controls, our work is tailored to meet the specific needs of each industry.

System Development Life Cycle (SDLC) Review

The process of putting software to work in support of critical business objectives has become an increasing burden for most organizations that are not primarily in the business of developing software as a core competency. There are a number of reasons for this, which we will discuss in the context of the challenge they represent for systems development life cycle (SDLC) controls. We understand that the DOL follows an SDLC based on a standard of seven phases, each of which is intended to result in a specific set of deliverables and critical decisions on how to proceed to the next phase. Our approach is ideally suited to address the phase-specific risks and opportunities for improved, well-controlled outcomes following this methodology.