BPR Review
Standards define mandatory requirements for IS auditing and reporting. They inform:
− IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code
of Professional Ethics for IS auditors
− Management and other interested parties of the profession’s expectations concerning the work of practitioners
− Holders of the Certified Information Systems Auditor (CISA®) designation of requirements. Failure to comply with these standards may
result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately,
in disciplinary action.
Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve
implementation of the standards, use professional judgment in their application and be prepared to justify any departure. The objective of the
IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.
Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide
information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing
Procedures is to provide further information on how to comply with the IS Auditing Standards.
COBIT resources should be used as a source of best practice guidance. Each of the following is organised by IT management process, as
defined in the COBIT Framework. COBIT is intended for use by business and IT management as well as IS auditors; therefore, its usage
enables the understanding of business objectives, and communication of best practices and recommendations, to be made around a
commonly understood and well-respected standard reference. COBIT includes:
− Control Objectives—High-level and detailed generic statements of minimum good control
− Control Practices—Practical rationales and guidance on how to implement the control objectives
− Audit Guidelines—Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and
substantiate the risk of controls not being met
− Management Guidelines—Guidance on how to assess and improve IT process performance, using maturity models, metrics and critical
success factors
Glossary of terms can be found on the ISACA web site at www.isaca.org/glossary. The words audit and review are used interchangeably.
Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional
responsibilities set out in the ISACA Code of Professional Ethics for IS auditors. ISACA makes no claim that use of this product will assure a
successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures
and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the
controls professional should apply his/her own professional judgment to the specific control circumstances presented by the particular
systems or information technology environment.
The ISACA Standards Board is committed to wide consultation in the preparation of the IS Auditing Standards, Guidelines and Procedures.
Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards
Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary. The
Standards Board has an ongoing development programme and welcomes the input of ISACA members and other interested parties to
identify emerging issues requiring new standards. Any suggestions should be e-mailed ([email protected]), faxed (+1.847.253.1443) or
mailed (address at the end of document) to ISACA International Headquarters, for the attention of the director of research standards and
academic relations.
2.1 Definition
2.1.1 Although there is no universally accepted definition of business process reengineering, the definition most often quoted is that
offered by Hammer and Champy: “The fundamental rethinking and radical redesign of business processes to bring about dramatic
improvements in critical, contemporary measures of performance, such as cost, quality, service and speed.”¹
2.1.2 BPR aims to improve business processes by substantially revising their structure and by dramatically changing the way in which
the processes are managed and implemented. This ordinarily produces a great effect on the people involved and the working
practices and supporting technologies, particularly information technologies.
¹ Hammer and Champy, Reengineering the Corporation, 1993
2.3.3 Others, including Carter and Handfield, suggest carrying out the BPR activities in sequence: 1) simplification (which includes
elimination of non-value-added activities), 2) standardisation, 3) integration, 4) parallelism, 5) variance control, 6) resource
allocation, 7) automation. They indicate the BPR process should tackle steps 1 to 7 in a strict sequence. It would, for example, be
wrong to attempt automating a process with an IT application without first considering its simplification; not only could
simplification make automation redundant but the full benefits of automation may not be realised either. However, there is a
danger in restricting the thinking process to a strict sequence. For example, integration of activities requiring different resources
into a single activity to be carried out by an individual may sometimes become possible only with automation.
2.3.4 Sometimes a holistic view is the best approach.
2.4 BPR Methodology
2.4.1 Reengineering is inherently highly situational and creative. Basically, there are two distinct approaches to BPR that can be found
in the literature.
2.4.2 The methodology originally prescribed by Hammer and Champy is a top-down approach, which suggests that the BPR team
should focus on determining how the strategic objectives of the organisation can be met without letting its thinking be constrained
by the existing process. The emphasis is on the to-be process, and is consistent with the step-change philosophy that the authors
presented.
2.4.3 The more incremental change methodology outlined by Harrington is a bottom-up approach which advocates modeling the
existing process to gain understanding of it, and then streamlining it appropriately to meet the strategic objectives. The focus is on
changing the as-is process by identifying opportunities for improving it.
2.4.4 In practice, a BPR team will ordinarily need to adopt a mixed approach. If the top-down methodology is used as the basis, there is
still a need to understand the current functionality and to define carefully the transition path from the current to the preferred future
process. With a bottom-up methodology, BPR teams can spend too much time on detailing the current process and lose
innovative thinking. A mixed approach would encourage the team to consider high-level changes without being cluttered by the
details of the current process.
2.4.5 It is important to recognise that an initial BPR study may lead to recommendations for a number of more detailed projects on
improving subprocesses, which may only require relatively small changes (perhaps to remove some bottlenecks).
3. AUDIT CHARTER
4. INDEPENDENCE
5. COMPETENCE
6.1 Framework for Consideration by the IS Auditor When Reviewing a BPR Project
6.1.1 The initiate and diagnose phases are when the existing processes, the information and the IT systems currently in use are
analysed and compared with other systems via benchmarking. At this time, for each of the processes chosen for investigation, the
IS auditor can measure the relevant current performance variables and identify the performance gaps. As the use of information
and IT can be the levers for dramatic changes in the organisation processes, the IS auditor can provide useful contributions from
the early stages of the BPR process.
6.1.2 The redesign phase is when the:
− New processes are redesigned
− New information or new ways to use existing information are searched for
− Blueprint of the new business system is defined
− Migration strategy is developed
− Migration action plan is created
6.1.4 The evaluate phase is when the new processes and IS systems are operating. It is a specific task of the IS auditor to determine if
the BPR project has met its goals, the transition to the new structure is effective and reliable, and a total quality program has been
activated.
8. REPORTING
9. EFFECTIVE DATE
9.1 This guideline is effective for all information systems audits beginning on or after 1 July 2004. A full glossary of terms can be
found on the ISACA web site at www.isaca.org/glossary.
APPENDIX
Reference Literature
■ Carter, M.; R. Handfield; Identifying Sources of Cycle-time Reduction, Reengineering for Time-based Competition, Quorum Books,
1994
■ Hammer, M.; J. Champy; Reengineering the Corporation: A Manifesto for Business Revolution, Harper-Collins, USA, 1993
■ Harrington, H.J.; Business Process Improvement, McGraw-Hill, USA, 1991
The IS auditor should be aware of the risk of an overemphasis on modeling the as-is process as that can become a substitute for actual
decisions.
COBIT Reference
Selection of the most relevant material in COBIT, applicable to the scope of the particular audit, is based on the choice of specific COBIT IT
processes and consideration of COBIT information criteria.
Copyright 2004
Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Telephone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: [email protected]
Web site: www.isaca.org