Since the press has been talking over the last few days about the impressive sums the Romanian state has spent on IT systems/solutions and about the lack of auditing of such projects, I thought I would give a brief presentation on the subject.
I should say from the outset that, as I see it, there are no IT projects. There are business projects that may have a technical/IT component. That being the case, let's see what an audit involves.
The starting point is given by ITAF:
3420—IT Project Management
3450—IT Processes
3490—IT Support of Regulatory Compliance
3630.8—Systems Development Life Cycle
3650—Auditing Application Controls
3657—Auditing Alternative Software Development Strategies
Then we jump to COBIT 5 – Process Reference Guide
“BAI01 – Manage Programmes and Projects
Manage all programmes and projects from the investment portfolio in a coordinated way. Initiate, plan, control, and execute programmes and projects, and close with a post-implementation review.”
Purely as an example, here is what this process includes:
BAI01.01 – Maintain a standard approach for programme and project management.
BAI01.02 – Initiate a programme.
BAI01.03 – Manage stakeholder engagement.
BAI01.04 – Develop and maintain the programme plan.
BAI01.05 – Launch and execute the programme.
BAI01.06 – Monitor, control and report on the programme outcomes.
BAI01.07 – Start up and initiate projects within a programme.
BAI01.08 – Plan projects.
BAI01.09 – Manage programme and project quality.
BAI01.10 – Manage programme and project risk.
BAI01.11 – Monitor and control a project.
BAI01.12 – Execute a project.
BAI01.13 – Close a project.
BAI01.14 – Close a programme.
Next on the list should be BAI02 – Define Requirements:
“Identify solutions and analyse requirements before acquisition or creation to ensure that they are in line with enterprise requirements covering business processes, applications, information/data, infrastructure and services. Review feasible options including relative costs and benefits, risk analysis, and approval of requirements and proposed solutions”.
Then come a few items from BAI03 – Identify and Build Solutions:
“Establish and maintain identified solutions in line with enterprise requirements covering design, development, procurement/sourcing, configuration, test preparation, testing, requirements management and maintenance of business processes, applications, information/data, infrastructure and service”
Further ingredients are added from:
BAI05 – Enable Organisational Change:
Maximise the likelihood of successfully implementing sustainable enterprisewide organisational change quickly and with reduced risk covering the complete life cycle of the change and all affected stakeholders in the business and IT.
BAI08 – Manage Knowledge
Ensure that relevant knowledge is available, current, validated and reliable to facilitate decision making, and plan for the identification, gathering, organising, maintaining, use and retirement of knowledge
APO10 – Manage Suppliers
Ensure that IT related services provided by all types of suppliers meet enterprise requirements, including the selection of suppliers, management of relationships, management of contracts, and reviewing and monitoring of supplier performance for effectiveness and compliance.
BAI07 – Accept and Transition Changes
Formally accept and make operational new solutions, including implementation planning, system and data conversion, acceptance testing, communication, release preparation, promotion to production of new or changed business processes and IT services, early production support, and a post-implementation review.
We are not discussing here the various phases and/or stages found in PMBOK or PRINCE2. We are interested only in the audit perspective, which is why I say that the most important phases are: project planning, execution and post-implementation.
Planning also includes what we know generically as “project initiation”. And here the auditor likes to see a “business case” :D. The indicator that gives the most information about the success of the project is ROI – Return on investment. Does anything like that appear in the business case?
It would also be interesting to see whether, still in this initial phase, we find an analysis of the project's risks…
The subject is quite vast and I cannot cover it in a single post. I will stop here, but I conclude: if someone wants to find out how and on what the money was spent, it can be done. It is only a matter of “willingness” and “independence”….