Friday, July 10, 2009

The Risks Associated with Business and IS/IT Change in Dole Davao

I and the group 1 members, namely Anthony Rigor Aguilar, Athina Alorro, Jerusalem Alvaira, and Michael George Guanzon, had an interview with the MIS Programmer of Dole Davao, whose name is Cristine Galindo. The interview was conducted in the Dole Satellite Office located in the SJRDC Building at around 12 noon last July 2. The interview was recorded with a cellphone recorder and a PSP recorder.

Company Profile: Dole Philippines

Dole Food Company's worldwide team of growers, packers, processors, shippers and employees is committed to consistently providing safe, high-quality fresh fruit, vegetables, and food products, while protecting the environment in which its products are grown and processed. Dole's dedication to quality is a commitment solidly backed by: comprehensive programs for food safety, scientific crop protection programs, stringent quality control measures, state-of-the-art production and transportation technologies, continuous improvement through research and innovation, and dedication to the safety of our employees, communities and the environment. Dole is committed to nutrition education to communicate to the public the health benefits of eating a diet rich in fruits and vegetables. Dole is a founding member of the National 5 A Day for Better Health Program and is a leader in developing technology-based nutrition education programs for children.


Based on Dole Philippines (Davao) that I visited and its MIS Programmer that I interviewed, the risks associated with business and IS/IT change are:

1. Failure of the new System. This means that the new system does not achieve the full functionality of the old system. It also means that the new system does not live up to the expectations of end-users. In this case, Backup, Recovery, and Business Continuity must be addressed by the system analyst. Disaster Recovery Planning is often not sufficiently addressed or is low on the priority list, as there is no immediate, detrimental impact to the entity until a disaster or other situation preventing normal operations arises. The business entity should develop a Disaster Recovery Plan (DRP) that will cope with the unavailability of the computer application(s) during an unexpected outage. This plan should be written, approved by management and tested on a regular basis. The plan would address how the entity would recover from short or long-term outages, as well as how operations would continue during the recovery effort.

2. End-users will not accept the new System. The employees who will use the new system may not like the interface or the graphical user interface (GUI) because they are familiar with the old system’s interface. This problem can be solved through proper training. The success of any application is greatly dependent upon the training provided to the end-users initially and on a continuing basis. Continuing education is necessary to ensure employees are aware of, and proficient with, application enhancements and new releases. Recurring education also addresses training needs of new employees. An adequate training curriculum must be available to application users.

3. Synchronization of all applications of the new System. Synchronization of the system means that the functions and applications of the system occur at the same time or proceed at the same rate. Synchronization also means simultaneous flow of functions of the new system. Under this factor, we have Program Change Control. The purpose of program change control is to ensure that only appropriate changes to program logic are made, that they are performed in a timely manner, that they do not negatively impact other logic, and that they ultimately produce the results expected by the user who requested the change. We also have the System Interfaces factor. The endless pursuit of efficiency gains has resulted in the ability to transfer data from one system to another electronically rather than expending time keying data into both systems. The exchange of data from one business application to another is considered an interface. The accuracy and completeness of data files transmitted to, or received from, other applications should be assured by a quality control process consistent with the receiving application’s edit standards.

4. Data must not change in the new System. In this instance, the term Data Integrity arises. The purpose of data integrity is to ensure complete and accurate data, which can be reported in any manner users require, with all fields formatted according to data definition rules and within established ranges (date fields should not allow month>12, day>31, and a code field should only be populated with valid values). The risk of internal fraud increases if individuals are granted the ability to modify program logic as well as production data. Adequate data input edits must be in place to prevent data corruption (on-line or batch).
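The interface quality-control check from item 3 and the data input edits from item 4 can be combined in one batch validator. This is an added illustration, not part of the original post or of Dole's systems; the pipe-delimited record layout, the trailer record carrying a count and amount total, and the code table are assumptions made for the example.

```python
from datetime import date
from decimal import Decimal, InvalidOperation

VALID_CODES = {"REG", "OT", "LV"}  # assumed code table, not from the post

# Constructed sample file: D|emp_id|date|code|amount, then T|count|amount_total
SAMPLE = """D|1001|2009-07-02|REG|120.00
D|1002|2009-13-02|OT|45.50
D|1003|2009-07-32|XX|86.00
D|1004|2009-07-03|LV|100.00
T|4|351.50"""

def amount_of(text):
    """Parse a finite decimal amount, or return None."""
    try:
        amt = Decimal(text)
    except InvalidOperation:
        return None
    return amt if amt.is_finite() else None

def edit_record(fields):
    """Field edits for one detail record; returns a list of error strings."""
    if len(fields) != 4:
        return ["wrong field count"]
    emp_id, day, code, amount = fields
    errors = [] if emp_id.isdigit() else ["emp_id not numeric"]
    try:
        date(*(int(p) for p in day.split("-")))  # rejects month>12, day>31, Feb 30
    except (ValueError, TypeError):
        errors.append("invalid date")
    if code not in VALID_CODES:
        errors.append("invalid code")
    amt = amount_of(amount)
    if amt is None or amt < 0:
        errors.append("invalid amount")
    return errors

def validate_batch(text):
    """Return (accepted, rejects, totals_ok) for one interface file."""
    accepted, rejects, trailer, count, total = [], [], None, 0, Decimal(0)
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        kind, *fields = line.strip().split("|")
        if kind == "T":
            trailer = fields
            continue
        count += 1
        total += (amount_of(fields[3]) if len(fields) == 4 else None) or 0
        errors = edit_record(fields)
        if errors:
            rejects.append((lineno, errors))
        else:
            accepted.append(fields)
    # Completeness: recomputed count and amount total must match the trailer.
    totals_ok = (trailer is not None and len(trailer) == 2
                 and trailer[0] == str(count) and amount_of(trailer[1]) == total)
    return accepted, rejects, totals_ok
```

A file that passes the control totals can still contain rejected records, so the receiving side should load only `accepted` and route `rejects` back to the sending application for correction.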

5. Upgrading from the old system to the new System. Upgrading means to advance or raise to a higher, new system. One feature of upgrading is Data Access Security. The purpose of data access security within any application is to grant users the access privileges necessary for the job they perform while restricting privileges that are not needed for their job or that could create weaknesses in the Internal Control structure of the entity. Duties and responsibilities assigned to each job role should be defined by management in a way that ensures adequate segregation of duties. Those job role definitions can then be used to establish the specific application permissions granted and/or restricted. Data access security should also provide an audit trail, which could be utilized to identify the specific users that made individual changes to the data. A network environment which allows users to access the data directly (typically via a database utility such as Paradox or MS Access) effectively voids data access security within the application and should not be allowed. This type of access allows users full update capability with no audit trail. Another feature is Network Security. This higher level of security would typically grant users the ability to access an application; administration of the specific application security would then be utilized to grant and/or restrict data access as necessary within the application. Networks become more complex as more efficient, effective and secure products are made available through advances in Information Systems technology. Preventive measures can reduce the risk associated with threats inherently caused by advances in technology.

