HelpSource
We invite you to send your information systems audit, control and security questions to:
HelpSource Q&A
bgansub@yahoo.com or publication@isaca.org
Fax to: +1.847.253.1443
Or mail to:
ISACA Journal
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Gan Subramaniam, CISA, CISM, CCNA, CCSA, CIA, CISSP, ISO 27001 LA, SSCP, is the global IT security lead for a management consulting, technology services and outsourcing company’s global delivery network. Previously, he served as head of IT security group compliance and monitoring at a Big Four professional services firm. With more than 16 years of experience in IT development, IS audit and information security, Subramaniam’s previous work includes heading the information security and risk functions at a top UK-based business process owner (BPO). His previous employers include Ernst & Young, UK; Thomas Cook (India); and Hindustan Petroleum Corp., India. As an international conference speaker, he has chaired and spoken at a number of conferences around the world.
Q
My employer recently bought one of our competitors, and integration between the two entities is occurring now. One of the key challenges is that the two entities use completely different and incompatible IT systems. Our audit team has been assigned the task of auditing the integration project and reporting to the leadership on the effectiveness of the approach used for integration. The business objective is to combine the positives from both systems into one. One of the major drivers behind the purchase was that the IT systems of the competitor were far superior to ours and were providing them an edge in terms of customer service delivery.
Can you help me with a quick checklist that I can use for my work?
A
Whenever an acquisition happens, the target organisation feels vulnerable in terms of continued use of its systems and processes. There is a lot of cultural integration that needs to take place. Setting aside all those issues, let us try to develop a checklist that you may use to audit the IT systems integration project. As always, please note that this list is indicative only, and not exhaustive:
• An inventory of all the IT systems and applications should exist, comprising all those used by both entities. This inventory must include the complete details of the applications—platform, whether in-house developed/maintained or a third-party-supplied application, etc. It can be packaged software or customized packaged software. All such details must be gathered.
• An inventory of all the business processes in place must also exist.
• The various business processes have to be mapped to the different IT systems used.
• It should not be difficult to gather the inventory lists discussed in the previous bullets. If the entities have good business continuity plans in place, they will already have these inventories, developed and used as part of business continuity management.
• When assessing the business processes at both entities, a decision has to be made about which of the processes will continue to be used. It is also possible that the new merged entity may have a different set of processes developed to suit the new and changed environment. Once this decision is made, an inventory of the to-be-used processes—the previously used and to-be-developed—must be created.
• The newly developed process inventory must now be used to map the IT systems in use and bucket them into the following categories, making some key decisions on future systems use:
– Systems that may be shelved
– Systems that may continue to be used without any changes
– Systems that may continue to be used with changes made to them
– Systems that may need to be newly developed
Once this list is available, the rest of the work is relatively simple, though not easy. (Simple and easy may sound synonymous, but, in reality, they are not!) The next steps are:
• Given that systems and applications undergo continuous changes, a change freeze must be put in place immediately. A change freeze means that none of the systems and applications will undergo any changes in terms of either fault fixing or enhancements. Lack of a change freeze will lead to chaos.
• There should be a robust testing environment to support comprehensive testing on the various changes made to the different systems and applications.
• Change management processes, if any, ought to be audited in order to check their effectiveness. In particular, those relating to system go-live after the testing of various changes must be audited.
• It is essential to revisit the continuity plans or disaster recovery plans for the various IT systems used prior to the commencement of the integration work. Required improvements must