Monday, November 5, 2007

My Life As A...

Since I really enjoyed last week's presentations, I thought I'd blog a bit about my life at work and what I do, currently. I work in Information Services at Wyeth Pharmaceuticals. The group I work in is IS Process Management. We are a part of IS Processes and Projects. Now, the name IS Process Management can be a bit misleading since, technically, we don't really manage any processes (or own very many, even). What we do, however, is take existing processes in IS and make them better by operationalizing them, simplifying them and streamlining them. A good example of this is one of the few processes in IS that we actually own.

My group started out a few years ago, managing the IS portion of the Sarbanes-Oxley activities at Wyeth on a global basis (again, we don't own the activities, we just ensure, on management's behalf, that they take place and are effective). Because of our success in the SOX audits, we were asked to develop a mechanism to report on the status of IS-related internal audit findings. At that point, there were two reports being generated of the open audit findings - one report for each of the two internal audit groups that audits IS. These reports were generated every six months. They took an average of 2-3 weeks to put together and usually resulted in a combined 70-80 page report (we called it the "Thud" report for the sound it made when it hit someone's desk). Obviously, it never got read, or at least not very much. Compounding that report was the fact that one of the internal audit groups is also required to report directly to the company's Board of Directors the number of their audit findings that remained open for more than one year. Two years ago, before we got involved, there were 20 IS-related audit findings on this report. Management (IS Management) needed a way to get a better handle on what was going on in terms of resolving these audit findings, so we were asked to step in.

The first thing we did was eliminated the Thud report. It was a waste of effort. Then we took all the open audit reports that we were aware of (and there were a lot of them) and developed a process (initially using spreadsheets and a document management application - eRoom, then last year implementing a web-based database system to replace the spreadsheets). The process starts with an audit report, we enter the audit finding information into the system (finding, any recommendations from the auditors, and the initial responses from the group that was audited). We then make the information available to the audited group and ask them to update when the finding should be resolved and then to go in and set the finding to closed when it has been resolved. Since we are a pharma company, there are a lot of audits and commitments that are made to resolve them. As a result, there are currently a number of audit and commitment tracking systems in the company that have been implemented and are used to varying degrees. Our system, however, is the only truly global system that can tell you the status of all audit findings in IS (some systems out there only track the major or critical findings).

In addition to the audit finding tracking system, we also developed a finding status scorecard (we do not call it the audit status scorecard because of the resulting acronym). The scorecard shows the number of open audit reports and findings by IS division, how long they've been open and a summary of all the audit related information. This scorecard is generated (which by the way takes less than a day now) on a quarterly basis and is sent to the IS Leadership Team.

Because of the increase in visibility provided by the scorecard as well as the ease of use in keeping the audit information up to date in the web-based application, we have achieved a number of significant improvements: The amount of time needed to resolve (or close) all findings in an audit has decreased from approximately 20 months to about 8 months, on average. In 2007, for the first time ever, there were no IS-related audit findings reported by the internal audit group to the Company's Board of Directors (which caused us some problems since this had never happened before and people were very reluctant to believe it was possible). We currently only have 2 of what I would call very old audit reports (one from 2004 and one from 2005) that are still open (and are currently scheduled to be resolved by the end of this year) - this is down from about 15 or 16 from a year ago.

Because of these types of successes, my group (there are three of us - myself, my boss, and my co-worker) is now starting to get asked to work with other groups to see how they can streamline some of their processes that don't have the same kind of visibility. I recently worked with one application group in our department to improve their annual recertification of users (each group that uses the application must make sure that the people in their groups with accounts are the appropriate people that should still have access). Last year, 89 of the more than 300 groups failed to recertify which caused an audit finding due to a failure to meet a SOX requirement. So far this year, there are only 16 groups that have not yet recertified, with a month to go on the deadline for the SOX requirement.

So, that's kind of a glimpse into what I'm working on from day to day, although we do get called in to help out with special projects (such as the DST Time Change project this year, which we received Team of the Quarter for back in the first quarter when the DST dates changed). We're in a good position right now because we no longer have to "market" our services to IS - groups are starting to come to us to help them out...

Questions? Hit the comments...
Posted by at

1 comment:

Anonymous said...

Hi Jim,
Why don't you do a live version of this presentation in class tomorrow so we could all ask question. I'm sure the rest of class would appreciate it so they don't have to read it from your blog.

November 7, 2007 at 9:02 AM

Post a Comment

Subscribe to: Post Comments (Atom)