HelpSource Q&A 


We invite you to send your information systems audit, control and security questions to:

HelpSource Q&A
ISACA Journal
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA

Q My employer recently bought one of our competitors, and integration between the two entities is occurring now. One of the key challenges is that the two entities use completely different and incompatible IT systems. Our audit team has been assigned the task of auditing the integration project and reporting to the leadership on the effectiveness of the approach used for integration. The business objective is to combine the positives from both systems into one. One of the major drivers behind the purchase was that the IT systems of the competitor were far superior to ours and were providing them an edge in terms of customer service delivery.

Can you help me with a quick checklist that I can use for my work?

A Whenever an acquisition happens, the target organisation feels vulnerable in terms of continued use of its systems and processes. There is a lot of cultural integration that needs to take place. Setting aside all those issues, let us try to develop a checklist that you may use to audit the IT systems integration project. As always, please note that this list is indicative only, and not exhaustive:

  • An inventory of all the IT systems and applications should exist comprising all those used by both the entities. This inventory must include the complete details of the applications—platform, whether in-house developed/maintained or a third-party-supplied application, etc. It can be packaged software or customized packaged software. All such details must be gathered.
  • An inventory of all the business processes in place must also exist.
  • Various business processes have to be mapped with the different IT systems used.
  • It should not be difficult to gather the inventory lists discussed in the previous bullets. If the entities have good business continuity plans in place, these inventories will already have been developed and used as part of business continuity management.
  • When assessing the business processes at both entities, a decision has to be made about which of the processes will continue to be used. It is also possible that the newly merged entity will have a different set of processes developed to suit the new and changed environment. Once this decision is made, an inventory of the to-be-used processes—the previously used and to-be-developed—must be created.
  • The newly developed process inventory must now be used to map the IT systems in use and bucket them into the following categories, making some key decisions on future systems use:
      – Systems that may be shelved
      – Systems that may continue to be used without any changes
      – Systems that may continue to be used with changes made to them
      – Systems that may need to be newly developed

Once this list is available, the rest of the work is relatively simple, though not easy. (Simple and easy may sound synonymous, but, in reality, they are not!) The next steps are:

  • Given that systems and applications undergo continuous changes, a change freeze must be put in place immediately. A change freeze means that none of the systems and applications will undergo any changes in terms of either fault fixing or enhancements. Lack of a change freeze will lead to chaos.
  • There should be a robust testing environment to support comprehensive testing on the various changes made to the different systems and applications.
  • Change management processes, if any, ought to be audited in order to check their effectiveness. In particular, those relating to system go-live after the testing of various changes must be audited.
  • It is essential to revisit the continuity plans or disaster recovery plans for the various IT systems used prior to the commencement of the integration work. Required improvements must be made to the plans to make them complete, so that if any of the systems fail during the integration work, they can be recovered appropriately to ensure continuity of business operations.
  • The major assumption here is that all the systems and applications are supported, managed and hosted in an in-house environment. This need not be the case on all occasions. Steps must be taken to assess the third-party vendor-operated environment, and, if necessary, the enterprise may choose to bring those systems in-house. Such transitions carry a different set of risks.
  • Only those changes required to facilitate integration must be made. The change freeze will ensure that no other changes are made.
  • Integration of the IT systems should commence only after putting in place a conducive environment in terms of supporting processes and controls. Needless to say, appropriate programme management processes and controls aimed at ensuring the proper execution and completion of various processes must be in place.
  • Governance processes that monitor the integration work must be in place, and the progress must be measured using appropriate metrics. Stakeholders from both pre-merger organisations must have a place in the governance structure.
  • It is assumed that the IT organisation has done assessments on both environments with an aim to co-develop a new environment, fit for purpose in terms of the changed organisation.
  • Continuous audit of the integration programme, until completion, is recommended. Then, a post-integration audit should take place, given the impact should the programme fail.

Gan Subramaniam, CISA, CISM, CCNA, CCSA, CIA, CISSP, ISO 27001 LA, SSCP, is the global IT security lead for a management consulting, technology services and outsourcing company’s global delivery network. Previously, he served as head of IT security group compliance and monitoring at a Big Four professional services firm. With more than 16 years of experience in IT development, IS audit and information security, Subramaniam’s previous work includes heading the information security and risk functions at a top UK-based business process owner (BPO). His previous employers include Ernst & Young, UK; Thomas Cook (India); and Hindustan Petroleum Corp., India. As an international conference speaker, he has chaired and spoken at a number of conferences around the world.


The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.


© 2011 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.