Case: Big Box Company

Company Background

Big Box Company is an international manufacturing company, specializing in manufacturing and maintaining packaging equipment to make boxes and cans to package other products. Big Box Company operates in the manufacturing industry, which is a very competitive industry. There are multiple suppliers who could easily replace Big Box equipment with their own machines at many of Big Boxs customer accounts. Getting the right equipment prepared, shipped to, and installed at customers facilities at the right time is very important for the continued success of Big Box. Big Box Company operates in the Americas, the European Union and in Asia. Because their own offerings of packaging equipment are evolving to meet the needs of their customers, and those customers are in an increasing number of countries around the world, the IT systems at Big Box are constantly being improved and extended to incorporate new features. Big Box Company has developed their own IT systems to drive their customer relationship management and sales management processes, and their IT-intensive manufacturing systems allow them to produce and repair equipment customized to the exacting specifications of their many customers. They are running a highlycustomized version of a widely-used manufacturing ERP system as the core of their IT-intensive manufacturing system. Big Boxs new Chief Information Officer (CIO) is very interested in improving their IT management processes and ensuring that her organization delivers IT services that are effective, delivered in a timely manner, and provide value to her customers.

External Consultants The key player is Infrastructure Consulting Experts, LLC, (ICE). ICE was hired by Big Box Company to perform an external review of their IT processes. ICE was asked to perform a comprehensive audit of the IT processes at Big Box, covering the processes for both for IT governance and for IT management.

Issues An earlier internal audit report showed that there may be issues with the processes that Big Box uses to make changes to its production systems. Because the basis for making changes to the systems is the program change control process, ICE has determined that the scope of their review of IT processes must include how Big Box makes changes to their systems and has included in their review an examination of the process and controls affecting the program change control system (PCCS).

The program change control system (PCCS) controls the production source and executable program code, operating system configuration parameters, and any batch control processes (including .BAT, .CMD and .JCL files). All programs running in the production environment must be executed from the PCCS directories.

Each programmer or programming team has their own development library (or directory). The test libraries that contain source and executable code are open to all programmers throughout Big Box Company and are also accessible to offsite contract programmers. After a programmer (either on site or remote/offsite) has completed the testing of a program and is ready to move into production, a link to the program source code is submitted to the program change administrator as a PCCS Production Order. The administrator copies the code, recompiles the program, and moves the source and executable code into a production staging library that is accessible only to the production control team. Once the PCCS Production Order is approved by the System Owner, the production control team will move (or schedule the move) of the code into a production library.

As a result of a recent cost-cutting initiative, the production control team, including all of the program change administrators, is now only available during regular business hours during the normal work week. After hours (outside 8 am to 5 pm, Monday to Friday), if a program change is required, one-time-use passwords are available. Since these passwords are only available from a single, non-networked PC in the production control teams office, only onsite programmers can make after hours changes. If an offsite or remote programmer needs to make a change, they must notify an onsite programmer to get a one-time password from the system in the production control teams office and to make the change for them.

The programmer who makes the change must create a change ticket, obtain the onetime password from the system in the production control teams office, and record in the password log on that system the change ticket number and the date and time of the change.

The programmer can then make the appropriate changes, move the program into production, and note on the move ticket the time and date of the completion of the move. Each morning, the program change administrator reviews the sign-out log and verifies that the appropriate paperwork has been completed.

During an initial interview, the program change administrator was asked whether any further examination or review of off-hours changes was performed; the response was, No, an incident reporting system records all processing disruptions, but there is no reconciliation between the incident reporting system and the PCCS.

External Auditor Concerns: The external auditors from ICE have expressed concern regarding the synchronisation of the production source and executable code and whether any unauthorised changes to production systems have occurred.

Your Role: You are a staff member at the internal IT department, and have used standards such as COBIT in previous assignments.

Your task: You are a member of the IT staff. You have been requested by the internal audit department to respond to the concern issued by external auditors from ICE, and to suggest changes to the process that might prevent these concerns from arising in the future.

You need to address following key questions: 1. What are the main steps required for managing change (i.e., what are the main steps of the program change control process today?) Include a process diagram clearly showing the flow of steps and roles in this process. (40 points)

2. Based on your response to Question 1, identify any risks relating to this process for Big Box Company (i.e., what are the risks that you see in the current program change control process?). Be sure to identify any highrisk areas that need improvements to the current process. (40 points)

3. What changes would you suggest Big Box Company make in their program change control process to (a) address the identified risks and (b) improve their current process? Include a process diagram clearly showing the revised flow of steps and roles in this process. (45 points)