Friday, April 23, 2010

Looking into SAS70: An Overview

Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A service auditor's examination performed in accordance with SAS No. 70 ("SAS 70 Audit") is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes. In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.

SAS No. 70 is the authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. The issuance of a service auditor's report prepared in accordance with SAS No. 70 signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. The service auditor's report, which includes the service auditor's opinion, is issued to the service organization at the conclusion of a SAS 70 examination.

SAS No. 70 provides guidance to enable an independent auditor ("service auditor") to issue an opinion on a service organization's description of controls through a Service Auditor's Report (see below). SAS 70 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve. Service auditors are required to follow the AICPA's standards for fieldwork, quality control, and reporting. A SAS 70 Audit is not a "checklist" audit.
SAS No. 70 is generally applicable when an independent auditor ("user auditor") is planning the financial statement audit of an entity ("user organization") that obtains services from another organization ("service organization"). Service organizations that impact a user organization's system of internal controls could be application service providers, bank trust departments, claims processing centers, data centers, third party administrators, or other data processing service bureaus.
In an audit of a user organization's financial statements, the user auditor obtains an understanding of the entity's internal control sufficient to plan the audit as required in SAS No. 55, Consideration of Internal Control in a Financial Statement Audit. Identifying and evaluating relevant controls is generally an important step in the user auditor's overall approach. If a service organization provides transaction processing, data hosting, IT infrastructure or other data processing services to the user organization, the user auditor may need to gain an understanding of the controls at the service organization in order to properly plan the audit and evaluate control risk.

Friday, February 19, 2010

CMMI V1.3: What Could Change!

The next release of the CMMI Product Suite—an approach that provides organizations with the essential elements of effective processes that ultimately improve their performance—is expected in November 2010. This Version 1.3 (V1.3) release includes improvements to CMMI for Development (CMMI-DEV), CMMI for Acquisition (CMMI-ACQ), and CMMI for Services (CMMI-SVC) models all during the same development cycle. This cycle also includes improvements to the appraisal method (SCAMPI) and CMMI-related training. The improvements planned for CMMI models do not require major changes or retraining for those currently using CMMI.

The “CMMI Version 1.3 – Plans for the Next Version” [1] was published by the SEI in August 2009. It stated that it will focus on (but not be limited to):
  1. High maturity.
  2. More effective GPs.
  3. Appraisal efficiency.
  4. Commonality across the constellations.
It also required that any changes to the CMMI Product Suite (i.e., model(s), training materials, and appraisal method) must meet the following primary criteria (also from [1]):
  1. Correct identified model, training material, or appraisal method defects or provide enhancements.
  2. Incorporate amplifications and clarifications as needed. 
  3. Accommodate potential additions to model coverage (e.g., safety, security, and life cycle) only by specific direction of the CMMI Steering Group.
  4. Decrease overall model size in V1.3 if possible; increases, if any, must not be greater than absolutely necessary.
  5. Model and method changes should avoid adversely impacting the legacy investment of adopting companies and organizations.
  6. Changes to model architecture will only be incorporated with specific CMMI Steering Group authorization.
  7. Changes can only be initiated by Change Requests or by the CMMI Steering Group.
  8. Editorial changes to training may be released in advance of V1.3.
  9. Changes must not require retraining the nearly 100,000 (as of Dec. 2008) personnel already trained in CMMI. Upgrade training may be needed, especially for instructors, lead appraisers, and appraisal team members.
Reference

[1] Phillips, Mike. “CMMI Version 1.3—Plans for the Next Version.” News at SEI. 7 Aug. 2009.

Saturday, February 13, 2010

CMMI & Agile: Value in Both Paradigms

CMMI and Agile are compatible. At the project level, CMMI focuses at a high level of abstraction on what projects do, not on what development methodology is used, while Agile methods focus on how projects develop products. Therefore, CMMI and Agile methods can co-exist. There can be much value gained from Agile and CMMI synergies. Today, many CMMI-adopting organizations have Agile development teams. Conversely, CMMI can be effectively introduced in an Agile setting where an iterative, time-boxed approach is used, which is perfectly compatible with CMMI.
CMMI and Agile can complement each other by creating synergies that benefit the organization using them. Agile methods provide software development how-to’s that are missing from CMMI best practices and that work well, especially with small, co-located project teams. CMMI provides the systems engineering practices that help enable an Agile approach on large projects. CMMI also provides the process management and support practices that help deploy, sustain, and continuously improve the deployment of an Agile approach in any organization.



Wednesday, February 10, 2010

Think TRIZ for Creative Problem Solving!


What's your secret for staying in business? Is it continuous quality improvement? Define-measure-analyze-improve-control (DMAIC) and design for Six Sigma (DFSS)? Plan-do-check-act (PDCA)? Plan-do-study-act (PDSA)? Quality circles? Process improvement? Total quality management? Kaizen? Or just plain old troubleshooting?

No matter what you call it, the vast majority of successful organizations have some way of tracking down their problems and doing something about them. The quality profession has been at the center of both the tracking and the doing since its birth.
Quality improvement has grown from simple inspection to inspection with statistical process control to the array of analysis tools and teamwork methodologies now used to create and deliver services and products that do what our customers require. These tools work: In product and service development and delivery, we're able to identify problems and determine whether they're the result of special or common causes. We protect our customers by immediate corrective action, and we protect our business and customers by preventing future problems.
So why do we need new methods, tools and techniques for creativity? Because identifying a problem and its root causes doesn't always give us the ideas we need to find a solution. For at least the last 10 years, quality improvement leaders have been saying that the next step for quality is the merger of quality with creativity. 1,2
"Standard" quality improvement systems such as DMAIC and PDCA have always incorporated brainstorming as a key method for finding creative solutions to problems. Brainstorming is designed to liberate a team's thinking from past patterns and uncover ideas that people might have unconsciously suppressed. When it works, it's fast, and the team reaches a high level of consensus fairly quickly because the idea is usually improved by the entire team and is seen as a collective product rather than one person's idea.
But brainstorming doesn't always work. If the solution lies outside the experience of the team, this tool won't reveal it. Some teams try to compensate by inviting outsiders to join them for brainstorming sessions. This works if the new members happen to have the information the team needs, but there's been no good method for determining that in advance. It's a classic "Catch-22": If you know what the solution is, then you know whom to invite, but then you don't need to invite them because you know the solution.
TRIZ defined
TRIZ--a Russian acronym for "Theory of Inventive Problem Solving"--is a different kind of creativity system. It's based on the analysis of creative solutions to past problems. TRIZ applies to both continuous improvement and development of new products and services because continuous improvement requires solving current problems, and development requires finding a way to solve customers' problems.

Research on the TRIZ method was done in the former Soviet Union from 1946 to 1985 and has continued globally since then. Quality Digest featured an extensive introduction to the method in its February 2004 issue ("Enhance Six Sigma Creativity With TRIZ").
Two basic principles in TRIZ maintain that:
 Somebody, someplace, has already solved your problem or one similar to it. Creativity means finding that solution and adapting it to the current problem.
 Don't accept compromises. Eliminate them.

The quality improvement profession embraces these principles because quality thinking integrates benchmarking, which is strongly related to the first principle, and eliminating root causes rather than just improving symptoms, which is related to the second.
To illustrate the concept of "Somebody, someplace, has already solved your problem," consider the situation of dairy farmers in California. Producing milk requires handling large quantities of manure. In the past, the manure was dried in large ovens for deodorizing, shipping and recycling as fertilizer. But with the increasing cost of energy, drying ovens became uneconomical. The TRIZ method for looking at other technologies for potential solutions starts with restating the problem in general terms, emphasizing the functions being performed, rather than the technology itself. Thus, dairy farmers didn't search for better ways to dry manure; they looked for ways to separate a liquid from solids. A simple search with TRIZ techniques turned up a method, using a hydrophilic gas, in which the gas carries the water molecules away. This method has been used for more than 40 years for concentrating orange juice. 3
Other examples of this principle include:
 The pharmaceutical industry found ways to manage foam in the production process by studying the beer industry.
 Medical information technology requires stringent privacy protection under Health Insurance Portability and Accountability Act (1996) regulations. Many solutions are being found in systems developed for the banking and securities industries.
 Paint companies have problems with the accumulation of sludge in processing equipment. The nuclear waste disposal industry has found many ways to prevent the buildup of sludge because removing it is extremely difficult and requires shutting down the facility for a long time.

The idea of eliminating problems rather than accepting compromises goes against the grain of standard business and engineering teaching, which emphasizes tradeoffs, cost-benefit analyses and other methods of compromise. TRIZ recognizes two kinds of compromises (frequently called "contradictions"):
 Technical contradictions. These are the classic engineering and business trade-offs in which the desired state can't be reached because something else in the system prevents it. In other words, when something gets better, something else gets worse. Examples include:
 Product gets stronger (i.e., good), but the weight increases (i.e., bad).
 Bandwidth increases (good) but requires more power (bad).
 Service is customized to each customer (good), but the service delivery system becomes complicated (bad).
 Automobile airbags deploy quickly to protect the passenger (good), but the faster they deploy, the more likely they are to injure or kill small or out-of-position people (bad).

 Physical contradictions. Also called "inherent" contradictions, these include situations in which one object or system has contradictory or opposing requirements. Everyday examples abound:
 Surveillance aircraft should fly fast to their destinations but also slowly to collect data over the target.
 Software should be easy to use but include many complex features and options.
 Coffee should be hot for enjoyable drinking but cool enough to prevent burning consumers.
 Training should be thorough but not take too much time.

TRIZ doesn't depend on team members' knowledge or their personal creative capability to solve these problems. The first group, the "technical" or "tradeoff" contradictions, are solved using the 40 principles of problem solving. Many people have expanded on the original TRIZ research to demonstrate that the 40 principles apply to a wide variety of disciplines. (See The TRIZ Journal [www.triz-journal.com] for examples of the 40 principles in chemical engineering, sales, microelectronics, education and quality management, among others.)
The second group, the "physical" or "inherent" contradictions, are eliminated using four basic principles to separate the requirements that appear to be contradictory in time, space, between the parts and the whole, and between the supersystem, system and subsystems.
For example, the airbag problem can be solved at the subsystem level by changing the bag material so that it won't grab the skin of the face and twist the head of a small, out-of-position person. The problem can also be solved at the supersystem level, in several ways:

 If the car can't crash because it's part of a super system that knows the positions of all objects and controls their speeds (a technology that's fewer than eight years away, according to some predictions)
 If the structure of the car absorbs the force of the crash, and the airbag isn't needed
 If the social and/or legal system is such that small people never sit in the front passenger seat

TRIZ has been incorporated into the general corporate culture for global companies in a wide variety of industries--Siemens, Samsung, LG, Unilever, Agilent, Hitachi, Dow Chemical, Johnson & Johnson and Delphi are among those that have talked about their TRIZ experiences at recent conferences. Small and medium-sized organizations with less-familiar names are adopting TRIZ to support quality improvement in services, products and systems in fields as diverse as restoring the vitality of a downtown to creating software to improve sales of eyeglasses.
How do you recognize when quality requires creativity? When the solutions that your team creates don't get rid of the root cause. That's a strong indication that unrecognized contradictions are blocking you from finding a good solution, and that TRIZ will be the next tool you need.

Process Change Management Can be Emotional!


Implementing changes in an organization can generate a range of emotions within your stakeholders (employees, customers, suppliers, etc.) that can create barriers to realizing your original change objectives. Understanding why people are responding the way they are to your proposed changes will help you to roll out your improvements more smoothly and allow you to obtain the buy-in from your stakeholders that will actually deliver the performance improvement your changes were designed to realize.

When you start to communicate change and improvement throughout your organization you will take your stakeholders through five phases or states of mind.  Each phase is a normal emotional state that most people go through.  Developing a communication plan to help guide your stakeholders through each phase, with prepared responses for each one, can ensure a successful roll-out for your changes and improvements.


What are these phases of change and how should you respond?
  1. Anticipation - introduce your strategy.
  2. Confrontation - respond to objections.
  3. Realization - provide training and support.
  4. Depression - communicate monthly.
  5. Acceptance - review and obtain feedback.
Understanding why people are responding the way they are to your proposed change will help you to roll out your improvements more successfully and obtain stakeholder buy-in that will actually deliver the performance improvement your changes were designed to realize.

Simplify Change: Grow Faster & Cheaper


Simplifying Change is a great way to save money and at the same time prepare for growth. By simplifying your procedures, you can cut waste with confidence that you are not cutting essential value-added services customers want to buy. Simplifying procedures prepares your company for growth because it streamlines your operations, documents them, and thus makes it much easier to replicate your operations at another location.

A new operation based on proven procedures is easier to manage because you can evaluate its performance against known metrics. And should the metrics indicate a need for adjustments (typical when rolling out a new location), staff will have procedures in place to effect needed changes. This significantly reduces the risk of opening a new location.

Change should not always be associated with something NEW taking place. It should be interpreted as creating instances that are more Adaptable, Simpler and also Measurable.

Tuesday, February 9, 2010

Worldwide IT Spending Forecast

Audio Report: Gartner Predicts on 2010 IT Spending.


Richard Gordon, Vice President, Gartner Research
The global economic downturn has continued to weigh on the ability and desire of businesses and consumers to make IT purchases. However, we assume the economy will recover, beginning towards the end of 2009 and tentatively at first. While initial growth in IT spending in 2010 and 2011 may come as the result, directly or indirectly, of the various government stimulus packages announced around the world in recent months, there will be a return to more sustained growth in IT spending in 2012 and 2013 as the economic recovery unfolds.

IT budget cuts may have slowed market growth in the short term but, even in the toughest of business environments, enterprises must preserve short-term spending on critical business operations and long-term technology investments. IT vendors should be sensitive to the challenges faced by their customers and plan pricing strategies accordingly. The global economic downturn may be easing, but IT budgets are still being cut and consumers will need more persuading before they feel confident enough to spend more. Worldwide IT spending is forecast to total $3.2 trillion in 2009, a 5.2 percent decrease from 2008 spending of $3.4 trillion.
Worldwide IT spending is expected to return to growth in 2010 as revenue is projected to reach $3.3 billion, a 3.3 percent increase from 2009.

Creating a Culture for Innovation


Severe pressure induced by the current economic downturn pushes executives toward efforts related to cost reduction and internal restructuring. Nevertheless, innovation remains one of the high priorities on their agenda, which is mainly focused either on product/service innovation or on business process and business model innovation. Particularly in business model innovation, innovation consulting specialists see growing demand. Several of these providers, with service portfolio and go-to-market approaches focused primarily around innovation, have been evolving for some time now within the diverse corporate strategy services market. Facing more client demand, they are looking for new directions to expand their business. Chief executive officers (CEOs) and managing partners at innovation firms should embrace the notion of building their partner ecosystem, which will be the prerequisite for lasting success.


Crowdsourcing has become a media darling — which, rather paradoxically, represents a major threat to the very innovation vendors that market it. Why? Because trendiness breeds misinformation, confusion, and poorly reasoned use cases — making enterprises increasingly skeptical of crowdsourcing's value. The lesson for vendors: Honest-to-goodness customer education and business value supersede super-cool features and snazzy marketing tactics as winning market strategies. Rather than hyping it, vendors must help enterprises focus on four critical aspects of crowdsourcing — people, objectives, strategy, and technology, in that order. The heavy lifting of customer education is the only way to generate innovation value in each engagement and with it the word-of-mouth buzz that builds a strong brand and creates snowballing market share.

The Ideal Software Job: An Interesting Excerpt by Watts S. Humphrey

http://www.youtube.com/watch?v=eMnZ-9mvH34

The Business Process Consulting Radar

Leaders at firms of all sizes continue to face ever-increasing demands from customers, employees, partners, regulators, and other stakeholders. Increasingly, they must align resources and new technology across functions and along critical business processes to compete. This high-churn environment has also created great demand for business process consultants, who vary widely in the type and scope of their advice. Business process leaders must conduct research and analysis of their firm's needs against consultants' capabilities in order to choose the right partner for their process improvement efforts.

What should you look for when choosing a consultant?
  1. Is he/she a practitioner? Has he/she lived the life of an implementer, so that he/she understands the practical nuances of the engagement?
  2. Is he/she carrying credentials endorsed by the authority?
  3. What does his/her clientele say about him/her?
  4. What is his/her methodology and where is your space in the methodology?
  5. And finally, how are you measuring your change?

CIOs have been searching for ways to measure, improve, and communicate the business value of IT for years without a lot of success. Many have implemented PMOs, hired certified project managers, and begun CMMI or Six Sigma initiatives, all designed to improve their project management and project execution capabilities.

But bringing IT projects in on time and on budget and delivering all of the specified functionality hasn't necessarily led to business value and improved business outcomes. The reason is that it isn't simply a matter of implementing technology, but using the technology as a means to enable business and/or organizational change. The technology is providing a capability, but if that capability is not used or not used effectively, it will not produce anything of value. Business value is only obtained when IT projects are done within the context of IT-enabled business change programs.