
Chapter 2 (Management, Planning, And Organization of Information System)

Useful summary of CISA for ICMAP Stage-6 students

Page 1: Chapter 2 (Management, Planning, And Organization of Information System)

Information Management and Auditing
IS Organization

IS STRATEGY

STRATEGIC PLANNING: Strategic planning determines the LONG TERM direction of the firm. It is the responsibility of top management.

STEERING COMMITTEE: An organization's senior management should appoint a planning or steering committee to oversee information systems department activities. Its duties and responsibilities should be defined in a formal charter. It provides an organization with direction in harmony with the corporate mission and objectives. The committee consists of various managers who are representative of all the business areas in the organization.

Functions:
- Reviewing goals to ensure consistency with corporate objectives.
- Reviewing major acquisitions (hardware/software) under limits determined by the BOD.
- Approving and monitoring major projects.
- Approving outsourcing activities.
- Reviewing adequacy of resources.
- Making decisions on delegation of responsibility.
- Developing and implementing the security management program.
- Reporting to the BOD on IS activities.

The Steering Committee should meet at least quarterly to review the ongoing projects and IT activities. It is essential to document the proceedings of each meeting and keep a record of the minutes.

POLICIES – high level documents: Policies represent the corporate philosophy of doing business. They should be CLEAR and CONCISE, and EFFECTIVELY COMMUNICATED. Individual departments should develop their own policies consistent with corporate policies. There are two approaches to policy development:

1) Top down: Policies are developed at the top level and then flow down the hierarchy – consistency is the objective.

2) Bottom up: Policies are developed at lower levels and then integrated at the top level – danger of inconsistency.

Critical points: Policies should periodically be reviewed to reflect recent developments. The IS auditor should review policies and test to ensure compliance. The IS auditor uses policies as a BENCHMARK for performance evaluation.

PROCEDURES – detailed documents: Procedures should be clear and concise, easy to understand and to comply with.

KeyNote: It is vital to review that policies & procedures are documented, understood, & implemented.

Prepared by: Muhammad Umar Munir


IS MANAGEMENT PRACTICES

Information system management practices reflect the implementation of policies and procedures developed for various IS-related management activities.

KeyPoint: The Information System function is a SERVICE DEPARTMENT. Its role is to help other departments perform their functions efficiently and effectively.

IS SECURITY POLICIES: A first step in developing the security infrastructure. The IS security policy communicates coherent security standards to users, management, and technical staff. It should be approved, documented, and communicated.

PERSONNEL MANAGEMENT: Personnel management refers to the organization's policies related to hiring, promotion, retention, and termination. Broadly, personnel management relates to the following activities:

1) Hiring: Hiring practices are important to ensure that the most effective and efficient staff is chosen and that the company is in compliance with legal recruitment requirements. Some controls are:
- Background checks.
- Confidentiality agreements.
- Employee bonding.
- Conflict of interest agreement.
- Noncompete agreement.

2) Employee handbook: Distributed to all employees upon being hired; it should explain items such as:
- Security policies and procedures.
- Company expectations.
- Employee benefits.
- Vacation policies.
- Performance evaluation.
- Emergency procedures.
- Disciplinary actions.
- Outside employment.

3) Promotion policies: Must be fair and understood by employees. Policies should be based on objective criteria and consider an individual's performance, education, experience and level of responsibility.

4) Training: Training should be provided on a fair and regular basis to all employees. This is particularly important when new hardware and/or software is being implemented. Training should include relevant management training, project management training, and technical training.

5) Scheduling and time reporting: Proper scheduling provides for a more efficient operation and use of computing resources. Time reporting allows management to monitor the scheduling process.

6) Employee performance evaluation: Employee assessment must be a standard and regular feature for all IS staff. The HR department should ensure that IS managers and employees set mutually agreed goals/expected results. Remuneration should be performance driven.

7) Required vacations: It should be ensured that at least once a year someone else performs the function, to reduce the probability of fraud. Job rotation is another tool used to reduce the possibility of fraud.

8) Termination policies: They are established to provide clearly defined steps for employee separation. All company property in the possession of the employee should be returned to the company.

OUTSOURCING PRACTICES "SERVICE LEVEL AGREEMENTS": Outsourcing refers to a contractual agreement under which an organization hands over the whole or a part of the functions of the IS department to an external party. The contractor provides the resources and skills necessary to perform the agreed service.

WHY OUTSOURCING: The most significant goal is to achieve meaningful improvement in business processes by taking advantage of vendors' core competencies. Other reasons are:
- Focusing on core activities.
- Profit margin pressures.
- Increasing competition.

OUTSOURCING SERVICES:
- Data entry.
- System development.
- System maintenance.
- Help desk operations.

OUTSOURCING SECURITY CONCERNS:
- Contract protection.
- Audit rights.
- Operations continuity.
- Integrity.
- Access control.
- Violation reporting.
- Network controls.
- Performance and capacity management.

OUTSOURCING AUDIT: There are two ways in which an outsourcing audit could be performed:
1) Third party/independent auditor.
2) User's auditor.

IS ORGANIZATION

KeyPoint: The IS department is headed by the Chief Information Officer (CIO).

1) Operations: Includes all the staff required to run the computer IPF (Information Processing Facility) efficiently and effectively.

2) Librarian: The librarian is required to record, issue and receive, and safeguard all program and data files that are maintained on computer tapes and/or disks in an IPF.

3) Data entry: Generally, in modern on-line environments, data entry is performed by personnel in the user departments. It could be batch or online entry.

4) System administration: The system administrator manages multi-user computing systems. Typical responsibilities include the following:
- Adding and configuring new workstations.
- Setting up new user accounts.
- Installing system-wide software.
- Preventing, detecting, and correcting security exposures.
- Allocating mass storage space.

5) Security administration: Security administration must begin with management's commitment. Upper management should develop and enforce a written policy that clearly states the standards and procedures to be followed. Typical tasks include:
- Defining access rules.
- Maintaining security and confidentiality.
- Monitoring security violations and taking corrective actions.
- Reviewing the security policy.
- Increasing security awareness.
- Testing the security architecture.

6) Quality assurance: Quality assurance personnel perform two functions:
a) Quality assurance – help determine whether personnel are following prescribed quality processes, e.g. documentation.
b) Quality control – perform reviews to test whether software is free from errors and meets user expectations.

7) Database administration: The Data Base Administrator (DBA) is responsible for the actual design, definition, and proper maintenance of the corporate databases. Since the DBA should have no application programming or end user responsibilities, he/she should be prohibited from accessing the production data within the databases that this person administers. DBA roles are:
- Data definition.
- Database implementation.
- Database testing.
- Query answering.
- Database monitoring.
- Backup and recovery.
- Performance and tuning.

8) System analysis: Systems analysts are specialists who design systems based on the needs of the user. This individual is responsible for interpreting the needs of the user and determining the programs and the programmers necessary to create the particular application.

9) Security architect: Security architects evaluate security technologies and establish security policies based on requirements.

10) Application programming: The applications programming area is made up of the applications programmers, who are responsible for developing new systems and maintaining systems in production. They should work in a test environment only and should not move test versions into the production environment.

11) System programming: Systems programmers are responsible for maintaining the systems software, including the operating system. This function may allow unrestricted access to the entire system.

12) Network management: This position is responsible for technical and administrative control over the local area network. Depending upon the policy of the company, this position can report to the director of the IPF or to the end-user manager.

SEGREGATION CONTROLS:

a) Transaction authorization: The user department is responsible for transaction authorization. Periodic checks must be performed to detect unauthorized transactions.

b) Asset custody: Custody of corporate assets must be determined. Data owners are assigned to particular user departments. The data owner is responsible for determining the appropriate level of required authorization.

c) Data access: Data access is ensured through security mechanisms installed at the IPF. In addition, the physical environment must also be secured.

d) Authorization forms: Managers of user departments must provide formal authorization forms to define employee access rights – who should access the data. Access privileges must periodically be reviewed to determine their currency and validity.

e) User authorization tables: The IS department maintains user authorization tables, taking data from the authorization forms. These tables serve as ready reckoners, providing readily available information.
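The segregation controls above (authorization forms feeding a user authorization table, periodic review of privileges for currency, and the separations the summary requires, such as the DBA having no production data access and application programmers never moving code into production) can be checked mechanically once the table exists. The script below is an added example and is not part of the original summary; the table layout, the role and privilege names, the conflict rules and the one-year review interval are assumptions chosen to mirror the separations described in the text.

```python
"""Review a user authorization table for segregation-of-duties conflicts and
stale entries. Added example; the table format, role/privilege names, conflict
rules and review interval are assumptions, not part of the original summary."""
from datetime import date, timedelta

# Constructed sample table: one row per (user, role, privilege, last review
# date), as transcribed from the authorization forms signed by user
# department managers.
AUTH_TABLE = [
    {"user": "asmith", "role": "dba", "privilege": "prod_data_read", "reviewed": date(2024, 1, 10)},
    {"user": "bjones", "role": "app_programmer", "privilege": "test_env", "reviewed": date(2024, 5, 2)},
    {"user": "bjones", "role": "app_programmer", "privilege": "prod_deploy", "reviewed": date(2024, 5, 2)},
    {"user": "cwong", "role": "user_dept", "privilege": "txn_authorize", "reviewed": date(2024, 6, 1)},
    {"user": "cwong", "role": "user_dept", "privilege": "asset_custody", "reviewed": date(2024, 6, 1)},
    {"user": "dlee", "role": "operations", "privilege": "batch_run", "reviewed": date(2022, 3, 15)},
]

# Assumed conflict rules: privileges a role must never hold (DBA vs. production
# data, programmers vs. production), and privilege pairs one person must never
# hold together (authorization vs. custody, test vs. production).
FORBIDDEN_FOR_ROLE = {
    "dba": {"prod_data_read", "prod_data_write"},
    "app_programmer": {"prod_deploy", "prod_data_write"},
}
INCOMPATIBLE_PAIRS = [
    ("txn_authorize", "asset_custody"),
    ("test_env", "prod_deploy"),
]
REVIEW_INTERVAL = timedelta(days=365)   # assumed review cycle
AS_OF = date(2024, 7, 1)                # constructed review date


def sod_conflicts(table):
    """Return a sorted list of (user, description) segregation findings."""
    findings = []
    privs_by_user = {}
    for row in table:
        privs_by_user.setdefault(row["user"], set()).add(row["privilege"])
        if row["privilege"] in FORBIDDEN_FOR_ROLE.get(row["role"], set()):
            findings.append((row["user"], f"role {row['role']} holds {row['privilege']}"))
    for user, privs in privs_by_user.items():
        for a, b in INCOMPATIBLE_PAIRS:
            if a in privs and b in privs:
                findings.append((user, f"holds both {a} and {b}"))
    return sorted(findings)


def stale_entries(table, today):
    """Entries whose last review is older than REVIEW_INTERVAL (currency check)."""
    return sorted(
        (row["user"], row["privilege"])
        for row in table
        if today - row["reviewed"] > REVIEW_INTERVAL
    )


if __name__ == "__main__":
    for user, why in sod_conflicts(AUTH_TABLE):
        print(f"SoD conflict: {user}: {why}")
    for user, priv in stale_entries(AUTH_TABLE, AS_OF):
        print(f"Stale authorization: {user}/{priv} not reviewed within a year")
```

Run against the constructed table, the checker reports the DBA with production read access, the programmer holding both test and production deployment rights, the user-department employee who both authorizes transactions and has asset custody, and one operations entry whose last review is more than a year old. In practice the table would be exported from the access control system and the rules maintained by the security administrator alongside the authorization forms.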

COMPENSATING CONTROLS: Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness when duties cannot be appropriately segregated.

a) Audit trails – Audit trails help retrace the flow of transactions. The IS auditor would be able to locate the initiator, time, date, and nature of a transaction.
b) Reconciliation – Reconciliation provides assurance that the data are accurate.
c) Exception reporting – Exception reports are an important means of identifying abnormalities.
d) Transaction logs – A transaction log provides the comprehensive list of transactions that occurred during a specific period of time.
e) Supervisory reviews – They could be performed through observation.
f) Independent reviews – Independent reviews are carried out to compensate for mistakes or intentional failures in following prescribed procedures.
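The first four compensating controls (audit trail, reconciliation, exception reporting, transaction log) are closely related: the log is the raw record, the audit trail is a lookup over it, reconciliation compares its total with an independently kept control figure, and the exception report applies rules to it. The script below is an added example, not code from the original summary; the pipe-delimited log line format, the field names, the list of authorized initiators, the business-hours window and the large-amount threshold are all assumptions.

```python
"""Compensating controls over a transaction log: audit trail lookup,
reconciliation against a control total, and an exception report.
Added example; the log format, field names and thresholds are assumptions."""
from collections import namedtuple
from datetime import datetime, time

Txn = namedtuple("Txn", "txn_id initiator when kind account amount")

# Constructed sample log lines: id|initiator|timestamp|type|account|amount
LOG_LINES = """\
T001|cwong|2024-06-03T09:15:00|payment|ACC-100|1200.00
T002|cwong|2024-06-03T10:40:00|payment|ACC-101|350.00
T003|dlee|2024-06-03T23:05:00|payment|ACC-102|9800.00
T004|eroy|2024-06-04T11:00:00|adjustment|ACC-100|-150.00
T005|cwong|2024-06-04T14:20:00|payment|ACC-103|500.00
""".splitlines()

# Assumed: initiators permitted by the authorization forms, the normal
# processing window, and the amount above which a transaction is reviewed.
AUTHORIZED_INITIATORS = {"cwong", "dlee"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))
LARGE_AMOUNT = 5000.00


def parse_log(lines):
    """Parse the transaction log into Txn records, skipping blank lines."""
    txns = []
    for line in lines:
        if not line.strip():
            continue
        txn_id, who, ts, kind, account, amount = line.split("|")
        txns.append(Txn(txn_id, who, datetime.fromisoformat(ts), kind, account, float(amount)))
    return txns


def audit_trail(txns, txn_id):
    """Retrace one transaction: initiator, date, time and nature, or None."""
    for t in txns:
        if t.txn_id == txn_id:
            return {"initiator": t.initiator, "date": t.when.date().isoformat(),
                    "time": t.when.time().isoformat(), "nature": t.kind}
    return None


def reconcile(txns, control_total):
    """Compare the logged total with an independently kept control total."""
    logged = round(sum(t.amount for t in txns), 2)
    return {"logged": logged, "control": control_total,
            "difference": round(logged - control_total, 2)}


def exception_report(txns):
    """Flag transactions that deviate from the expected pattern, in log order."""
    findings = []
    for t in txns:
        if t.initiator not in AUTHORIZED_INITIATORS:
            findings.append((t.txn_id, "initiator not authorized"))
        if not (BUSINESS_HOURS[0] <= t.when.time() <= BUSINESS_HOURS[1]):
            findings.append((t.txn_id, "outside business hours"))
        if abs(t.amount) >= LARGE_AMOUNT:
            findings.append((t.txn_id, "large amount"))
    return findings


if __name__ == "__main__":
    txns = parse_log(LOG_LINES)
    print("Audit trail for T003:", audit_trail(txns, "T003"))
    print("Reconciliation:", reconcile(txns, 11850.00))
    for txn_id, reason in exception_report(txns):
        print(f"Exception: {txn_id}: {reason}")
```

On the constructed log the reconciliation shows a difference of -150.00 against a control total that omitted the adjustment, and the exception report singles out the late-night, high-value payment and the adjustment posted by an initiator who is not on the authorization list. Each finding points back to a transaction id, so the reviewer can use the audit trail to see who posted it and when, which is exactly what the summary describes these controls as providing.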

IS ASSESSMENT METHODS:

a) IS budgets: Allow forecasting, monitoring and analyzing financial information. They allow for an adequate allocation of funds, especially in an IS environment where expenses can be cost-intensive.

b) Capacity and growth planning: It is used to assess whether the operation is running as efficiently and effectively as possible. This activity must be reflective of the long and short range business plans and must be considered within the budgeting process.

c) User satisfaction: It is one of the measures to ensure an effective information processing operation. Users and IT should agree on a level of service, which should be periodically audited.

d) Industry standards/benchmarking: Provide a means of determining the level of performance provided by similar information processing facility environments. These statistics can be obtained from vendor user groups, industry publications and professional associations.

e) Financial management practices: It is critical to have sound financial management practices in place.

f) Goal accomplishments: It involves comparing performance with predefined goals.

SIGNIFICANT PROBLEM INDICATORS:
- Unfavorable end user attitude.
- Excessive costs.
- Budget overruns.
- Delayed projects.
- High staff turnover.
- Inexperienced staff.
- Frequent system errors.
- Slow computing response.
- Frequent upgrades.
- Extensive exception reports.
- Poor motivation.
- Plan failures.
- Narrow reliance.
- Inadequate training.

DOCUMENTATION REVIEWS: The following documents should be reviewed:
- IT strategy, plans, and budgets.
- Security policy documentation.
- Organization charts.
- Job descriptions.
- Steering committee reports.
- System development and program change procedures.
- Operations procedures.
- HR manuals.
- Quality assurance procedures.

All documents should be authorized and updated.

INTERVIEWING & OBSERVATIONS: Interviewing and observing employees help the IS auditor to determine the following:

Actual Functions: Observation is the best test to ensure that the individual who is assigned and authorized to perform a particular function is the person who is actually doing the job.

Security Awareness: Security awareness should be observed to verify an individual's understanding and practice of good preventive and detective security measures to safeguard the company's assets and data.

Reporting Relationships: Reporting relationships should be observed to ensure that assigned responsibilities and adequate separation of duties are being practiced.

REVIEWING CONTRACTUAL COMMITMENTS:
- Development of contract requirements.
- Contract bidding process.
- Contract selection process.
- Contract acceptance.
- Contract maintenance.
- Contract compliance.