
DA TP 1: Software Development and Acquisition


IT Deusto: II Máster en Buen Gobierno de las TIC
ICT Development and Acquisition: Practical Assignment DA_TP 1
Professor: Ricardo Bria Menéndez, 26/12/2008

Title: Evaluation of a service provider.
Code: DA-TP 1
Type: Group

Objective:
  • Evaluate the audit approach and the control objectives defined for the project
  • Evaluate the scope and nature of the IS Control Assessment performed
  • Establish the strengths and weaknesses of the project
  • Develop improvement recommendations, based on the narrative of the Control Assessment

Project background:

Globus Inc. manages assets and capital investment projects worth US$ 13 bn, and has decided to acquire an investment project control software package developed by SolDev Group, as well as the hosting services for that application provided by the company RedPlaid. The product, SD2K, is (partially) operational and currently manages 12 projects, in parallel/test mode.

SD2K is “a project management data warehousing software solution that allows project managers to manage accumulated costs for projects. The accumulated costs include costs from equipment, internal labor, contractor labor, project overhead, and expense reporting. The software has been purchased from SDG to help Globus manage costs on the pipeline system expansion projects that are currently underway. As the project data tracking requirements have grown in Globus, SDG was identified as the technology solution to capture, consolidate, analyze and report on major project data in this area. The system enables tracking to a level of granularity or currency that supports project managers in day to day PM decisions. The system enables collecting detailed incurred costs from the field. At the same time, projected disbursement data is collected from Globus’ Oracle Financials application. Comparison between projected and incurred costs provides daily visibility to project metrics and enhances project management decisions.

Our Firm was engaged by Globus’ Major Projects group to assist in reviewing the controls of the SDG environment.”
Project objectives

The overall objective of this project is to assess the SDG application environment with regards to controls governing security, availability, data integrity and customer service management. Criteria were developed for each of these controls areas and used as the basis of the review.

Reference information
  1. BACKGROUND INFORMATION: GLOBUS Inc.
  2. BACKGROUND INFORMATION: Solutions Development Group (SolDev Group)
  3. IS CONTROL ASSESSMENT: SolDev GROUP (SDG)

Presentation: Oral
Deadline: TBD
1. BACKGROUND INFORMATION: GLOBUS Inc.

Corporate Overview

Globus Inc. is a leader in energy transportation and distribution in North America and internationally.

An Overview

Globus operates, in Canada and the U.S., the world's longest crude oil and liquids pipeline system. The company owns and operates Globus Pipelines Inc. and a variety of affiliated pipelines in Canada, and has an approximate 27% interest in Globus Energy Partners, L.P. which owns the Pumpkinhead System in the U.S. These pipeline systems have operated for over 55 years and now comprise approximately 13,500 kilometres (8,500 miles) of pipeline, delivering more than 2 million barrels per day of crude oil and liquids. Globus is also the sponsor and manager of the Globus Income Fund.

Globus is also involved in liquids marketing and international energy projects and has a growing involvement in the natural gas transmission and midstream businesses, through the Ally and Vostead pipelines and various U.S. assets that transport, gather, process and market natural gas and other petroleum products.

As a distributor of energy, Globus owns and operates Canada's largest natural gas distribution company, Globus Gas Distribution, which provides gas to industrial, commercial and residential customers in Ontario, Quebec and New York State. Globus distributes gas to 1.9 million customers and is developing a gas distribution network in New Brunswick.

The company employs more than 5,700 people, primarily in Canada, the U.S. and South America. Globus Inc. common shares trade on the Toronto Stock Exchange in Canada and on the New York Stock Exchange in the U.S. under the symbol "GLB".

2. BACKGROUND INFORMATION: Solutions Development Group (SolDev Group)

While The SolDev Group, Inc. is a Washington state registered company that started in Bellingham, Washington, the development team collaborates on the internet and is physically dispersed.
The SolDev Group has contracted with a Managed Hosting company called RedPlaid to handle all of our servers and networking needs. I have attached a document that details the services that The SolDev Group currently obtains from RedPlaid. The SolDev Group does not own our own IP addresses – these are obtained from RedPlaid as needed.

The SolDev Group develops software solutions using database (SQL Anywhere) software on the back end to store the data. The front-end or user interface to the data is via Windows application (written in C++) and web applications written in VBScript, JavaScript and some C#.

The process followed by The SolDev Group (SDG) in delivering software and services is similar to that of other companies and is as follows:
  • Customer licenses software.
  • SDG prepares servers for customer's solution – one server for production, testing and training and one server as a backup.
  • SDG supplies SolDev Associates and embedded customer support analysts as requested to help the customer to acquire knowledge SolDev abilities and skills in SolDev 2k techniques.

The development of SolDev solutions is a process that proceeds independently of the needs of a particular customer – in much the same way as the development of many software solutions. SolDev 2k's architecture permits us to manage each customer's unique business rules in a manner consistent with each customer's needs. The process of identifying and implementing these business rules is accomplished more efficiently by the use of SolDev Associates and embedded SolDev Analysts.

Our Mission

We wish to be recognized as a provider of client-empowering, data management solutions. It's your data. How do you want to manage it? We want to help you and your team to feel that this is your solution and you are in charge of it - no fear, no uncertainty, no doubt.

Company Profile

The SolDev Group, Inc. are a group of technical and business experts that develop and support data management solutions for clients in various industries.
The SolDev Group partners with Sybase and Microsoft. We also support organizations such as the Project Management Institute (PMI), the National Petrochemical and Refiners Association (NPRA) and the Association for the Advancement of Cost Engineering (AACE).

Our combined expertise and training in engineering, project management and computer science have melded together to provide a useful software engineering design philosophy that is focused on developing innovative ways to use available tools and tool-sets such as database technology, scheduling tools, the web, hand-held computing, etc.

Products

SolDev 2000 (SD2k) is the name of a suite of products that provide wide-ranging improvements to data management solutions in the area of work management. A hallmark of these solutions is the level to which they empower our customers to implement their best practices and business processes in the system. Some of the business areas that we address include:

SolDev 2000/TM - for managing Turnarounds, Shutdowns and Outages
Manage all aspects of your turnaround including logistics, scope management, planning, materials management, resource management, scheduling and execution.

SolDev 2003/RM
Manage your routine maintenance backlog of work orders and the people, equipment and materials needed to complete this work.

SolDev 2003/PD
Manage all data that should be widely available to multiple departments and maintained by multiple departments. Remove the data redundancy that results from the use of ad hoc spreadsheets, databases, documents, etc. Provide a consistent interface for all of your team members, while maintaining control of your data.

SolDev 2003/IS
Plants are serviced by Industrial Services contractors. If you work with an Industrial Services Contractor, you know that you spend a lot of your effort in meeting specific requirements of each of your customers. SD2003/IS's business rule-driven system provides you with the tools to tailor your reports and data access to each of your clients' needs while maintaining a consistent system in-house.
3. IS CONTROL ASSESSMENT: SolDev GROUP (SDG)

Each entry below gives the Control Objective followed by the Controls Description / Comments.

I Information Security (Logical and Physical)
Describe, at a high level: controls in existence that could apply to the corresponding Control Objective

Control Objective 1. Information security is managed to guide consistent implementation of security practices and that users are aware of the organization's position with regard to information security, as it pertains to financial reporting data.

Controls Description / Comments: A formalized Security Policy to define, document and provide standardized guidelines for Information Security does not exist. The only security practice referenced by John Doe and Joyce Temple (SDG’s Top Management) is that all newly hired employees are required to sign a Non-disclosure agreement (NDA).

The NDA (see: NDA - consulting Agreement in PBC folder) has two articles: Confidentiality and Ownership of Deliverables. In the first one, Confidential Information is defined and non-disclosure and protection of such information is required. In the Ownership of Deliverables article, Intellectual Property and Company Work Product are defined and rights of the Company are made explicit.

Control Objective 2. Logical and physical access to IT computing resources is appropriately restricted by the implementation of identification, authentication and authorization mechanisms to reduce the risk of unauthorized / inappropriate access to the organization’s relevant financial reporting applications or data.

Controls Description / Comments:

Logical access

As per conversations with John Doe and Paul Jones, the logical access to computer resources is restricted by appropriate identification (unique User IDs), authentication (individual passwords) and authorization mechanisms. Logical security is administered by two people: John Doe and Joe Cook.

As related by John, there are basically two categories of employees: Developers and Support, and the general approach is that Developers have access to code, while Support personnel do not.

Further written information provided by John revealed one exception to this rule. Paul Jones, listed initially both as an Associate and a Project Manager, has current access to Globus’s database.

We interviewed Paul Jones, who related that aside from being the Project Manager for the Globus implementation project, he also performs (non-technical) development functions.

Although we had no access to a written policy, according to John Doe, the password policy in effect calls for the following:
  • system does not remember the previous passwords, user is not required to give different passwords upon password change
  • password expires after 90 days
  • password must be at least 8 characters in length
  • passwords are not stored internally
  • password complexity is enforced
  • if 5 invalid login attempts are made within 3 minutes, then the login will be disabled for 3 minutes.

Physical access

All SDG’s resources (servers, communications and additional equipment) used to provide the SD2K application service to Globus are physically located at REDPLAID’s data center in Saint Louis, Missouri.

REDPLAID, a division of Connectria Corporation and responsible for the physical security of the mentioned resources, is located in a highly secured area and has an on-site Network Operations Center monitored 24/7.

Through information gathered (see: REDPLAID Security and Support Overview for the SolDev Group 8-1-08 in PBC folder) and interviews with Peter Clumsy and Johnny Piannon from REDPLAID we identified, among others, the following implemented physical security measures: electronic security codes to access the building and elevators, additional biometric and access cards to enter the Data Center, closed circuit digital cameras and the prohibition of unescorted visitors at any time.

Control Objective 3. Procedures have been established so that user accounts are added, modified and deleted in a timely manner to reduce the risk of unauthorized / inappropriate access to the organization's relevant financial reporting applications or data.

Controls Description / Comments: As per John Doe, the process to assign / revoke user IDs for new hires, changes and terminated employees is not formalized.

Only John Doe and Joyce Temple (SDG Top Management) have the authority and responsibility for authorizing the assignment, modification and revocation of user IDs and access rights to all employees.

The SDG Organizational Chart provided by Joyce (see: SolDevOrg in PBC folder) shows that the company has only 20 employees (including John and Joyce), distributed in the following areas: Development (Client and Server): 7, Technical Testing: 2, Associates: 4, Project Managers: 2, Data Analysts: 3 and Administration: 2.

Given SDG’s two tier organizational structure, the different areas’ assigned responsibilities and the low number of employees, in our view, the reporting scheme and security function assignment partially act as a compensatory control for the lack of formality in the assurance of a timely action regarding user accounts addition, changes and deletions.

Control Objective 4. An effective control process is in place to periodically review the appropriateness of access rights in order to reduce the risk of unauthorized / inappropriate access to the organization’s relevant financial reporting applications or data.

Controls Description / Comments: During our interview with John Doe, he stated that there is not a specific process in place to achieve this control.

Reviewing the organizational chart provided, we noted that some of SDG’s employees perform more than one function (server development and client development, client development and technical testing).

In addition, we have learned that the application architecture for Globus contemplates two Servers; one that holds the production, test and training environments, and a second Server used as a backup.

Control Objective 5. Physical controls are in place to prevent unauthorized access to information technology and data.

Controls Description / Comments: See #2 above.

Control Objective 6. Environmental controls are in place to prevent or reduce the effects of disasters (such as floods, fire and power surges).

Controls Description / Comments: As described in information provided by John Doe, REDPLAID’s facility was designed taking into consideration environmental controls to house critical telecommunications equipment and data centers.

The office is located within a US Federal “No Fly Zone” (airplanes are not allowed to fly over the area) and contemplates dual Power Feeds from separate Power Grids, redundant UPS systems and 5 1,500 KVA Generators, to lower the risks of power outages and surges.

As per the information provided, the Data Center is equipped according to the best practices for environmental controls for this type of installation and includes: Anti-Static, Fireproof Raised Floor, Air conditioned, temperature and humidity controls, water detection and fire suppression systems.

Control Objective 7. Procedures exist to protect against infection by computer viruses, malicious codes, and unauthorized software.

Controls Description / Comments: According to information provided by John Doe and Johnny Piannon, REDPLAID has deployed, and provides to SDG, an integrated and comprehensive set of resources and tools to provide protection from virus infection and malicious software that include: Co-Managed Firewall, Web Console & Security Zone, Network Intrusion Prevention (IPS), Vulnerability Scanning, Server AntiVirus Protection, Server Hardening Of Operating Systems & System Software, Server Integrity Monitoring and Distributed Denial Of Service (DDOS) Protection.

Each of these components reports back to central management consoles which are monitored and managed 24/7 by REDPLAID's Network Operations Center staff. Any exceptions are escalated to REDPLAID’s Security Incident Response Team, made up of REDPLAID’s senior security engineers.

As an additional service, not yet engaged by SDG, REDPLAID provides the execution of quarterly Penetration Tests, to assure their perimeter defenses are not being unduly exposed.

II Program Development
Describe, at a high level: controls in existence that could apply to the corresponding Control Objective

Control Objective 8. Management has controls in place to ensure that new program and infrastructure developments and acquisitions have been approved by an appropriate level of both IT and business management.

Controls Description / Comments: The SD2K application is currently being implemented by a Globus Implementation Team of 5 people, including an Implementation Manager, and the assistance of Paul Jones, as SDG’s Project Manager, and John Doe.

The following process summary and controls were corroborated with John Doe and Paul Jones.

Requirements for SD2K’s new developments and changes are made by the Implementation Team via Word documents and Excel spreadsheets, which are controlled by Globus’s internal issue tracking system.

Upon reception of a requirement, Joe proceeds to its analysis and categorization (minor, medium and large) depending on impact / effort required.

Minor requirements can be made by anyone on the Team, but medium and major ones require the Implementation Manager’s approval. Currently, no one outside the Implementation is making requirements. Outstanding requirements are reviewed by the Implementation Manager on a weekly basis.

John Doe stated that SDG’s intentions were to “provide our Issue Manager application, eIssues, to Globus to perform as a tool for managing all aspects of management of all issues, incidents, requests, etc.”. This would also allow the automated tracking of issues that SDG today performs manually, via a spreadsheet (see SolDev_Action_List80820 in the PBC folder).

Based on the above description, it appears that most (if not all) of the control over requirements resides with Globus, as we could not identify, on SDG’s part, a clearly defined process to assure that only properly authorized requirements are attended.

In addition to the use of a common tool (workflow) for requirements tracking and management, and an authorization chart for requesting and approving requirements and changes, we suggest a defined and formalized change management procedure be implemented.

Control Objective 9. Management has controls in place to ensure that an adequate program development methodology is in place and is followed for the development of systems / applications used.

Controls Description / Comments: The SolDev application and metadata framework are the basis for development.

SD2K is actually a proprietary environment where the client data is centrally managed, after being consolidated and integrated from different sources and systems. The application is data driven and thus, solutions to organize, aggregate and present (report) results for the end user are flexible and quick to develop.

SD2K’s architecture allows the management of the customer's business rules in a manner consistent with their needs, which are first identified and then built and implemented.

Although SDG does not have a formal development methodology, there are standard steps that are followed: identify the business needs, identify the supporting data required, design and build a central repository for the data, and provide for the client access at the reports and data views as defined.

Control Objective 10. When new systems are implemented or modified, controls are either added, modified, or redesigned so that applicable control objectives are achieved.

Controls Description / Comments: work packages and work items are added and tracked

Control Objective 11. Controls exist to ensure there is adequate testing for the development of systems / applications and that testing is signed off by both the users at an appropriate level of IT and business management.

Controls Description / Comments: Issue Manager provides the framework for the central tracking and signing off on issues as they progress through their different phases.

This component, however, is not yet operational at Globus. Currently, all requests, documentation, incidents and tracking controls are handled “manually” via Word or Excel documents. It is estimated that this module will be implemented at Globus within the next two weeks.

Control Objective 12. A post-implementation review is performed to ensure that new financial-reporting systems/applications are operating properly.

III Availability
Describe, at a high level: controls in existence that could apply to the corresponding Control Objective

Control Objective 13. Management has implemented appropriate backup and recovery procedures so that data, transactions and programs that are necessary for financial reporting can be recovered.

Controls Description / Comments: From the information made available to us to review, we determined that REDPLAID provides managed backup and recovery services that include Daily Incremental / Weekly Full Data Backups and Offsite Tape Backups.

Control Objective 14. Effective procedures exist and are followed to periodically test the effectiveness of the restoration process and the quality of backup media relevant to systems and applications used during financial reporting processes.

Controls Description / Comments: REDPLAID’s backup environment for The SolDev Group utilizes a large RAID-protected disk storage environment that is tested and utilized daily.

Control Objective 15. Appropriate controls are in place over the back-up media for systems and applications used during financial reporting processes, including that only authorized people have access to the tapes and tape-storage.

Controls Description / Comments: According to information provided by REDPLAID, the backup environment is accessible only by a limited subset of staff. Although there is an option for server and backup encryption, we were told that the SolDev Group does not currently encrypt their backups.

For general security, confidentiality and integrity purposes, we recommend that Globus consider and evaluate the encryption option offered by REDPLAID.

IV Data Integrity

Control Objective 16. Management has implemented procedures to ensure accuracy, completeness, and timely processing of system jobs, including batch jobs and interfaces, for relevant financial reporting applications or data.

Controls Description / Comments: SolDev's only involvement with financial processes is in the downloading of the data from Oracle system. No data is passed back to Oracle. SolDev 2k is a cost tracking system as opposed to a cost accounting system. As such, we guess at what costs will be before they are incurred.

These are not processes that occur in a cost tracking system.

Control Objective 17. There are controls in place to ensure that data migration retains its integrity (i.e., reconciliations to prove pre and post balances, etc).

Controls Description / Comments: These are not processes that occur in a cost tracking system.

Control Objective 18. There are controls in place to ensure that data attributes, such as “date entered”, “transaction date”, “data entered by”, and other attributes relevant to the customer are captured and prevented from modification or change.

Controls Description / Comments: These are not processes that normally occur in a cost tracking system. However, where needed we do add protection of appropriate data from changes.

Control Objective 19. Controls exist to provide appropriate segregation of duties within key processes. For instance, users should not be able to initiate and approve their own transaction.

Controls Description / Comments: From discussions held, we learned that SD2K users are identified by their functional role. Approval of budgets, for example, can be done by managers only, based on the business rules of the group, division, department, corporation, etc.

John also indicated that Globus has implemented 5 Functions, namely: Planning, Scheduling, Project Management, Contracts Management and Timekeeping.

In relation to the Segregation of Duties issue, John explained that proper SOD is provided by Roles defined within each Function, according to the client’s operational model and rules. In turn, each Role has an associated Security Level of 0=Read Only, 1=Read Write or 3=Supervisor. The assignment and maintenance of User IDs/Roles is done by Globus.

Based on the information available, it appears that the application provides for the proper controls to assure an adequate SOD among users.

Control Objective 20. Controls are in place to ensure that any changes to the systems/applications providing control over financial reporting have been properly authorized by an appropriate level of management (logging change requests, change assessments, change planning & scheduling).

Controls Description / Comments: Yes. Change management controls are available in SolDev 2k.

Control Objective 21. Controls are in place to ensure that system, user and control documentation is modified to properly reflect changes to systems relevant for financial reporting.

Controls Description / Comments: The tools for managing system, user and control documentation are in place and ready to be used.

Control Objective 22. Controls are in place to ensure that changes to applications and systems used during financial reporting processes are tested, validated, and approved prior to being placed into production.

Controls Description / Comments: Financial reporting is not a function that is supported by the SolDev 2k system. However, a regimen of issue resolution that includes the testing process is supported.

Control Objective 23. Controls are in place to restrict access for migrating changes into the production environment for systems and applications used during financial reporting processes.

Controls Description / Comments: Financial reporting is not a part of the SolDev 2k system.

Control Objective 24. Management has controls in place to ensure unauthorized changes are not made to system files, for applications used during financial reporting processes, subsequent to migration into production.

Controls Description / Comments: These files do not exist as SolDev 2k is not used for Financial reporting.

Control Objective 25. Controls are in place to appropriately address emergency changes to systems, applications, and infrastructure configuration.

Controls Description / Comments: The SolDev Group tests software for months before deploying it into production.

Control Objective 26. Management has defined and implemented problem management procedures to record, analyze, and resolve problems, and errors for systems and applications in a timely manner (problem determination, problem analysis, problem resolution).

Controls Description / Comments: Issue Manager is a process for doing this and is currently being implemented.

Control Objective 27. Management has defined and implemented incident management procedures to record, analyze, and resolve incidents, and errors for systems and applications in a timely manner.

Controls Description / Comments: Issue Manager is the system for managing this process.

Control Objective 28. Management has defined and implemented configuration management procedures to record, analyze, and resolve errors for systems and applications in a timely manner.

Controls Description / Comments: There is not a formal configuration management system for SolDev components that is currently in place, however, we do have a list of the components and can establish a data repository for these that is maintained consistently.

Control Objective 29. Management has defined and implemented release management procedures to record, analyze, and resolve errors for systems and applications in a timely manner (core release management activities established within the organization; including: planning, design, build, testing, communication, acceptance, hardware installation, controlled software storage, software distribution & installation).

Controls Description / Comments: The SolDev Group's internal process for deployment development and testing is not yet formalized into a work flow process - but this process is in the process of being formalized and being implemented.

Control Objective 30. Management has defined and implemented service desk management to co-ordinate and resolve incidents reported by customers or employees.

Controls Description / Comments: Issue manager will handle the service desk functions for SolDev Group.

Control Objective 31. Relevant KPIs such as percentage of incidents handled within the agreed time frame or solved by the Service Desk are regularly and adequately calculated and monitored and timely actions undertaken as needed.

Controls Description / Comments: We do not yet have measures for KPIs for issue management, but plan to implement such measures over the next year.
Control Objective 32. Management has controls in place to ensure that appropriate system, user and control documentation is developed for new systems and applications.

Controls Description / Comments: We do not yet have such a system in place, but we plan to implement such a system over the next year.

Control Objective 33. Management has controls in place to ensure that users are trained on new systems/applications used during financial reporting processes in accordance with an appropriately defined training plan.

Controls Description / Comments: SolDev Group plans to implement training processes that are system-based - for training new users in SolDev project management (not financial) processes.
