MANAGING THE IT FUNCTION
Chapter Five
Organizing the IT Function
The IT Function must be organized and structured.
The IT Manager must define the role and articulate the value of the IT Function.
Configuration within a company depends on external and internal organizational factors.
Sound internal controls are essential to the structural framework.
Locating the IT Function – to whom should the IT manager report?
Important ramifications on the IT Manager’s:
Ability to acquire needed resources
Ability to prioritize workloads.
Locating the IT Function
Consider segregation of incompatible duties. Must vest in different people:
Authorizing Transactions
Recording Transactions
Maintaining Custody of Assets
Can be accomplished with judicious choices with respect to:
placing the IT function in the organization
integrating programmed controls into computing infrastructures and applications.
Should the IT manager report to the accounting manager?
Good Idea! Most IT applications deal with accounting transactions, so everyone would benefit by having the accounting manager involved from the start.
Bad Idea! Most controllers perform 2 of the 3 incompatible duties. This would make 3 of the 3. Fraud would be difficult to detect.
Should the IT manager report to another operations or administrative manager?
Good Idea! Many software applications deal with these areas.
Bad Idea! Many managers can authorize transactions, so custody of computing assets would give them 2 of the 3 incompatible duties.
Other managers would not likely have the expertise to guide and support an IT manager.
Managers would likely give priority to their own IT needs and less to the rest of the company.
The IT function may not have access to upper management for influencing decisions about placing priorities and setting strategies.
Should the IT manager report alongside other line managers?
Good Idea! Politically strong to compete for resources and set priorities and strategies.
The CEO has responsibility over, but rarely performs, the 3 incompatible duties.
With sound internal controls, this can be effectively managed.
Should the IT manager report above other line managers?
In a VP position, the IT manager can:
coordinate strategies
set standards
establish priorities across the entire organization
This structure allows the IT managers, who report to the Vice President, to focus on local issues and needs.
Organization charts (figures): Chief Executive Officer (CEO) with Vice President North American Operations, Vice President Foreign Operations and Vice President Information Technology; CEO with Sales & Marketing Manager, Human Resources Manager, Finance & Accounting Manager, Information Technology Manager and Research & Operations Manager. Goals shown: Profit, Growth, Control, Opportunity, Short-Term, Long-Term.
Designing the IT Function
Designing the ultimate structure of the IT function is often determined by cultural, political and economic forces inherent in each organization.
Internal control considerations within an IT function
Separate from one another:
systems development
computer operations
computer security
Systems Development
Staff has access to operating systems, business applications and other key software. Systems developers are authorized to create and alter software logic; therefore, they should not be allowed to process information.
They should not maintain custody of corporate data and business applications.
Computer Operations
Operations staff are responsible for:
Entering Data (similar to the internal control concept of ‘authorizing transactions’)
Processing information (similar to the internal control concept of ‘recording transactions’)
Disseminating Output (similar to the internal control concept of ‘maintaining custody’)
Must segregate duties.
Computer Security
Responsible for the safe-keeping of resources, which includes ensuring that business software applications are secure.
Responsible for the safety (‘custody’) of corporate information, communication networks and physical facilities.
Systems analysts and programmers should not have access to the production library.
IT Function organization chart (figure): IT Function Manager over Systems Development Manager (a), Computer Operations Manager (b), Computer Security Manager (c) and User Services Manager. Units shown: Systems Analysis (a), Computer Programming (b), Quality Control, Data Input (a), Information Processing (b), Information Output (c), Continuity of Operations, Database Administration (c), Technical Support, User Training, Help Desk, Application Support, Software Security, Network Security, Physical Security, Information Security. The letters (a), (b) and (c) tag the incompatible duties discussed above.
IT Auditors’ examination of the IT Function
Auditors should ensure that systems developers and computer operators are segregated.
It is also advisable for the IT function to form a separate security specialization to maintain custody of software applications and corporate data.
Funding the IT Function
Must be adequately funded to fulfill strategic objectives.
Business risk of under-funding:
Needs and demands of customers, vendors, employees and other stakeholders will go unfulfilled, which can adversely impact the success of the company.
Audit risk of under-funding:
Heavy workloads can lead to a culture of ‘working around’ the system of internal controls.
Two funding approaches
1. Cost Center Approach
Submit detailed budget to upper management.
Justify each line item.
Use the IT function scorecard approach:
Operational Performance
User satisfaction
Adaptability and scalability
Organizational contribution
2. Profit Center Approach
Submit detailed budget to upper management.
Charge internal users for services through intra-company billing.
Positive Outcome: Managers will not be overly demanding of IT services.
Negative Outcome: IT can build excessive expenses into billing rates until the rates exceed costs of outside providers.
Billing Rates
An independent party within the company should compare rates to outside services.
The IT Auditor should confirm that a reasonableness check is performed at least annually to ensure that billing rates are not excessive.
Acquiring IT Resources
The IT manager should justify IT capital projects using a methodological approach.
Determine the net benefit: present value of benefits minus costs.
Use the scorecard approach for non-quantifiable paybacks.
Example with Scorecard Approach
Justify the in-house development of a web-based customer ordering system.

Scorecard | Action
Operational Performance | Estimate the increased number of sales the system will handle each day. Determine faster speed of each sale.
User Satisfaction | Survey customers for what they need and how they would receive the proposed system.
Adaptability & Scalability | Forecast increased sales. Show how the new system integrates with existing accounting & inventory systems.
Organizational Contribution | Perform net benefit analysis. Estimate financial costs & benefits.
Staffing the IT Function
Business and audit risks can be effectively controlled via sound human resource procedures in the areas of hiring, rewarding and terminating employees.
HIRING
Should have formal procedures that are followed.
Each job should have a substantive description of responsibilities and procedures.
Recruiting
Carefully plan and execute each step in compliance with company policy:
1. Identify Needs
2. Write a job description
3. Obtain permissions
4. Advertise
5. Accept Applications
6. Review Applications
Verifying
Extent depends on the position, but all candidates should have some checking.
Contact references, both personal and professional.
Conduct background checks: verify education; check for criminal or civil violations.
Document everything!
Testing
Written and/or oral tests can be administered to test skills.
The company must be consistent in testing procedures.
Interviewing
Follow sound procedures. Follow company, regulatory & statutory rules.
Steps of interviewing:
Select appropriate interviewers
Develop an internal interview schedule
Arrange for interviews with interviewees
Conduct the interviews
REWARDING
It is important to continually challenge and motivate employees.
Improperly rewarding employees may result in business and audit risks:
Business risks: employees might develop a ‘bad attitude’ toward the IT manager and the company, which leads to lower productivity, frustration and turnover.
Audit risks: employees can become bored and disgruntled and engage in mischievous and criminal behaviors that can threaten the availability, accuracy, security and reliability of corporate information.
Evaluating
Most common is the annual review.
The evaluation process must have structure and reasonableness.
The evaluator must be as fair as possible to prevent frustration and resentment.
Compensating
The company should strive to compensate employees at least as well as peer organizations.
Turnover:
Can cause productivity losses
Replacement costs are high
Risks the availability and reliability of systems
Employees take sensitive information to competitors
Compensation Issues: Equal Pay for Equal Work
The IT Function must not discriminate in appearance or substance among employees.
Test by comparing the compensation packages of employees holding similar positions.
Compensation Issues: Compression and Inversion
Compression: The compensation of newly hired employees gets very close to that of experienced employees in similar positions, or the compensation of subordinates is nearly the same as their superiors’.
Inversion: The compensation of new hires is greater than that of more experienced employees in the same position, or the compensation of subordinates exceeds that of superiors.
Promoting
Should be based on merit.
Compensation should be commensurate with the new job’s role and responsibilities.
There must be formal written procedures that are consistently followed.
Learning
Training benefits the employee, the employer and society as a whole. Failure to offer learning opportunities creates:
Business Risk: potential loss of competitive positioning due to an uneducated workforce; low employee morale.
Audit Risk: stagnant and frustrated employees; an attitude of complacency toward internal controls or utter disregard for internal controls.
Terminating
A disgruntled employee can disrupt the company’s systems and controls.
The IT function needs to design and implement countervailing controls:
backup procedures
checks-and-balances
cross-training
job rotations
mandated vacations
When terminating, immediately separate the employee from the computing environment and terminate all computer privileges.
Directing the IT Function: Administering the Workflow
Effective capacity planning: schedule and perform the work.
Have enough resources for peaks yet minimize idle time.
Develop formal workload schedules.
Monitor performance: denote actual-to-planned workload variances; continually adjust.
Managing the Computing Environment
Responsible for the computing infrastructure:
Computer hardware
Network hardware
Communication systems
Operating systems
Application software and data files
The IT manager must:
understand how the infrastructure elements work together.
establish policies for acquiring, disposing, and accounting for inventory.
track rented equipment and software.
comply with licensing agreements.
The IT manager must ensure the physical environment is safe for humans and computers, with:
Fire suppression systems in place
A tested fire evacuation plan
A climate controlled environment
Facilities that are inconspicuous in location and design
Compliance with appropriate safety and health regulations
Third Party Services
Examples:
Internet service providers (ISP)
Communication companies
Security firms
Call centers
Offer economies of scale. Use of 3rd party services is increasing.
Key Issues
Policies must be established for purchase, use, and termination of 3rd party services.
Must have legally binding contracts.
Must ensure the security and confidentiality of company information.
Must have a plan for disruption of services.
Must have a backup and recovery plan in place.
Assisting Users
Training and Education
Identify training needs.
Design curricula.
Deliver programs.
Use outside training programs.
Help Desk
The IT manager needs to design and monitor effective ways to assist users when they request help.
Must create an atmosphere of mutual trust and respect between the IT function and user community.
Effective handling of problems and incidents requires a formal set of policies and procedures.
Requests for help generally arise from users’ lack of understanding about how applications work.
Problems and incidents reflect improperly functioning elements of the computing infrastructure, and require the intervention of experienced technicians and programmers.
Controlling the IT Function
The major control categories involved in the IT function are:
Security
Input
Processing
Output
Databases
Backup and recovery
Each of these categories is intended to minimize business and audit risk via internal controls.
Security Controls
Secure the computing infrastructure from internal and external threats.
A compromise of the infrastructure can result in:
business risk: network downtime, database corruption
audit risk: material misstatements in accounts due to incomplete or inaccurate data capture
Physical Security
Focuses on keeping facilities, computers, communication equipment and other tangible aspects of the computing infrastructure safe from harm.
Access Restriction
Only authorized personnel should be allowed into the facility.
Visitors should be accompanied by authorized personnel at all times.
Use at all ingress and egress points: security guards, keys & locks, card readers, biometric devices.
Penetration points should be adequately secured.
Monitor Access
Monitor who is entering, roaming and leaving the facility: security guards, video cameras, penetration alarms.
Review access evidence: sign-in log, paper or electronic.
Formal review procedures in place.
Security Issue | Physical Controls | Logical Controls
Access Controls | Security Guards; Locks & Keys; Biometric Devices | ID and Passwords; Authorization Matrix; Firewalls & Encryption
Monitor Controls | Security Guards; Video Cameras; Penetration Alarms | Access Logs; Supervisory Oversight; Penetration Alarms
Review Controls | Formal Reviews; Sign-in Logs; Violation Investigations | Formal Reviews; Activity Logs; Violation Investigations
Penetration Tests | Unauthorized attempts to enter IT facilities; Attempts to break in through vulnerable points; As authorized visitor, attempts to leave authorized personnel and wander around the facility without oversight | Unauthorized attempts to enter servers and networks; Attempts to override access controls (hacking); As authorized user, attempts to use unauthorized applications and view unauthorized information
Physical Security: Communication & Power Lines
The IT manager should:
monitor the primary communication and power lines via cameras and guards
install secondary (backup) lines in case the primary lines fail.
The contingency plan must address the possible failure of lines.
Physical Security: Off-Site Equipment
Equipment located in other places needs to be monitored in the same way.
An effective backup plan must be in place.
Logical Security
Data and software are known as the ‘logical’ components of the infrastructure:
Corporate data
Computer software: user applications, network systems, communication systems, operating systems
Sample Authorization Matrix (figure)
Applications: A/R, A/P
Information: Customers, Vendors, Sales, Purchasing, Receipts, Payments
Rows: User #1 [ID = XXXXX, Password = YYYYY], User #2 [ID = XXXXX, Password = YYYYY], User #3 [ID = XXXXX, Password = YYYYY]
Each cell lists the rights Add, Edit, Read, Delete, with an x marking each right granted to that user over that information item.
Logical Security: Physical Controls
Most corporate data and software are located on computers, servers and storage devices.
Computer-controlled access, monitor & review systems.
Logical Security: Points of Entry
Computer Terminal: supply authorized ID and password.
Internet: controls need to control external access points; firewalls; track failed attempts to enter the system.
Logical Security: Access and Monitor Systems
Supervisory oversight
Penetration alarms
Track usage patterns
Report failed attempts
Formal review procedure
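The monitoring items above (track failed attempts, report them, feed a formal review) can be put into a small detection routine. The following is an added example, not code from the chapter: it reads constructed access-log lines of the assumed form `<timestamp> <id> <terminal> <LOGIN_OK|LOGIN_FAIL>`, counts failures per ID inside a sliding window, and flags IDs that reach a threshold so the review procedure has concrete evidence to act on. The log format, the IDs and the threshold are assumptions made for the example.

```python
"""Failed-logon monitoring for a logical-security entry point (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; timestamps, IDs and terminal names are made up.
SAMPLE_LOG = """\
2024-03-04T08:00:01 jdoe TERM12 LOGIN_OK
2024-03-04T08:02:10 asmith TERM07 LOGIN_FAIL
2024-03-04T08:02:25 asmith TERM07 LOGIN_FAIL
2024-03-04T08:02:41 asmith TERM07 LOGIN_FAIL
2024-03-04T08:03:05 asmith TERM07 LOGIN_FAIL
2024-03-04T08:15:00 bwong TERM03 LOGIN_FAIL
2024-03-04T09:30:00 bwong TERM03 LOGIN_FAIL
2024-03-04T09:31:00 bwong TERM03 LOGIN_OK
"""


def parse_line(line):
    """Return (timestamp, user_id, terminal, event) for one log line."""
    ts, user_id, terminal, event = line.split()
    return datetime.fromisoformat(ts), user_id, terminal, event


def failed_attempt_alerts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {user_id: time of first alert} for IDs whose failed attempts
    reach `threshold` inside any `window`. A successful logon clears the
    ID's window so old, unrelated failures do not count against it."""
    recent = defaultdict(deque)   # user_id -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user_id, _terminal, event = parse_line(line)
        if event == "LOGIN_OK":
            recent[user_id].clear()
            continue
        q = recent[user_id]
        q.append(ts)
        # Drop failures that have fallen out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and user_id not in alerts:
            alerts[user_id] = ts
    return alerts


def failure_counts(log_text):
    """Total failed attempts per ID, for the periodic usage-pattern report."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if line.strip():
            _ts, user_id, _terminal, event = parse_line(line)
            if event == "LOGIN_FAIL":
                counts[user_id] += 1
    return dict(counts)


if __name__ == "__main__":
    for user_id, when in failed_attempt_alerts(SAMPLE_LOG).items():
        print(f"ALERT {user_id}: {when.isoformat()}")
    print(failure_counts(SAMPLE_LOG))
```

With the sample log, asmith trips the alert on the third failure within five minutes, while bwong's two failures are 75 minutes apart and only appear in the summary counts; the report shows both so the reviewer sees the pattern as well as the alert.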
Information Controls
Controls need to be in place and working effectively to ensure the integrity and accuracy of vital decision-making information.
Must integrate sound backup controls.
Input Controls
The company must have and follow written procedures regarding the proper authorization, approval and input of accounting transactions.
These are incompatible functions; they should be carefully segregated, to the extent possible, and controlled.
Input Controls – 3 Scenarios – #1
A customer purchases goods at a store counter: authorizing the sale.
A cashier records the sale on the cash register: approving the sale, balances the register, logs into the register with ID.
An accounting clerk later processes cash register sales in batches: inputs sales transactions into the accounting system in batches.
Input Controls – 3 Scenarios – #2
Same, except the cash register automatically records the sale into the accounting system.
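The segregation rule that runs through this chapter (the three incompatible duties introduced under Locating the IT Function and applied to input controls in the scenarios above) can be enforced programmatically rather than left to procedure. The following is an added example, not the chapter's: each transaction records who performed the authorize, record and custody steps, and any step that would give one person a second duty on the same transaction is refused and logged as a violation. The user names and transaction ids are constructed for the example.

```python
"""Segregation-of-duties enforcement on transaction input (added example)."""

DUTIES = ("authorize", "record", "custody")


class SegregationError(Exception):
    """Raised when one person would hold two incompatible duties."""


class Transaction:
    def __init__(self, txid):
        self.txid = txid
        self.performed = {}      # duty -> user who performed it

    def perform(self, duty, user):
        if duty not in DUTIES:
            raise ValueError(f"unknown duty {duty!r}")
        if duty in self.performed:
            raise SegregationError(f"{duty} already performed on {self.txid}")
        # Core control: the same user may not perform two of the three duties.
        already = {d for d, u in self.performed.items() if u == user}
        if already:
            raise SegregationError(
                f"{user} already performed {sorted(already)} on {self.txid}; "
                f"cannot also {duty}")
        self.performed[duty] = user

    def is_complete(self):
        return set(self.performed) == set(DUTIES)


def run_scenario(steps):
    """Apply (txid, duty, user) steps in order.
    Returns (ids of fully processed transactions, list of violation messages)."""
    txs = {}
    violations = []
    for txid, duty, user in steps:
        tx = txs.setdefault(txid, Transaction(txid))
        try:
            tx.perform(duty, user)
        except SegregationError as err:
            violations.append(str(err))
    done = sorted(t for t, tx in txs.items() if tx.is_complete())
    return done, violations


# Constructed scenario mirroring the store-counter case: the customer's
# purchase authorizes the sale, the cashier records it, the clerk takes
# custody of the batch. T2 shows a cashier trying to both authorize and record.
SCENARIO = [
    ("T1", "authorize", "customer_42"),
    ("T1", "record", "cashier_pat"),
    ("T1", "custody", "clerk_lee"),
    ("T2", "authorize", "cashier_pat"),
    ("T2", "record", "cashier_pat"),
    ("T2", "custody", "clerk_lee"),
]

if __name__ == "__main__":
    completed, problems = run_scenario(SCENARIO)
    print("completed:", completed)
    for p in problems:
        print("violation:", p)
```

T1 completes with three different people; T2 never completes because the second step by cashier_pat is refused, and the violation message is what an auditor would expect to find in the activity log.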
Process Controls: Validating, Error Handling, Updating
Database Controls
Database processing involves simultaneous updating of multiple tables.
Multiple tables and data items can be instantaneously corrupted when an interruption occurs.
Why corruption is so quick
1. Related tables are inexorably linked to one another.
2. Update routines often incorporate one or more of the following processing techniques:
Multi-tasking -- where the computer executes more than one task [program] at a time
Multi-processing -- where multiple CPUs simultaneously execute interdependent tasks [programs]
Multi-threading -- where a computer executes multiple parts of a program [threads] at one time.
Roll-back and Recovery
Databases operate on a transaction principle. A logical unit of work is considered a transaction.
The processing of a transaction takes the database from an initial state to an altered state, to the new initial state.
Each step must be completed. Any failure will result in database corruption.
When there is an interruption, the database management system (DBMS) begins to restore.
There are numerous technical processes depending on the DBMS in use.
Basic Recovery
A unique identifier tags each transaction.
An activity log tracks the transaction as it processes.
After interruption, the DBMS identifies the transactions in process.
Roll-back procedure is performed: uncompleted transactions are placed back into the queue.
Recovery takes place.
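The basic recovery steps just listed (unique transaction id, activity log, identify in-flight transactions, roll them back, re-queue them) can be shown on a toy store. This is an added example, not the chapter's or any DBMS vendor's code: every write is logged with its old and new value before it is applied, and recovery walks the log backwards to undo transactions that never committed. The account and inventory keys are constructed.

```python
"""Roll-back and recovery over a simple activity log (added example)."""
import itertools


class MiniDB:
    def __init__(self):
        self.data = {}              # the "database" state
        self.log = []               # activity log, appended in order
        self._ids = itertools.count(1)
        self.active = set()

    def begin(self):
        txid = next(self._ids)      # unique identifier tags each transaction
        self.log.append(("BEGIN", txid))
        self.active.add(txid)
        return txid

    def write(self, txid, key, value):
        if txid not in self.active:
            raise RuntimeError("write outside an active transaction")
        old = self.data.get(key)
        self.log.append(("WRITE", txid, key, old, value))   # log before apply
        self.data[key] = value

    def commit(self, txid):
        self.log.append(("COMMIT", txid))
        self.active.discard(txid)

    def recover(self):
        """Identify transactions in process, undo their writes in reverse
        order, and return their ids so they can be re-queued."""
        committed = {r[1] for r in self.log if r[0] == "COMMIT"}
        in_flight = {r[1] for r in self.log if r[0] == "BEGIN"} - committed
        for rec in reversed(self.log):
            if rec[0] == "WRITE" and rec[1] in in_flight:
                _, _, key, old, _new = rec
                if old is None:
                    self.data.pop(key, None)    # key did not exist before
                else:
                    self.data[key] = old
        for txid in in_flight:
            self.log.append(("ABORT", txid))
        self.active -= in_flight
        return sorted(in_flight)


def interrupted_transfer():
    """T1 moves 100 between two accounts and commits; T2 updates two related
    tables (inventory and sales) and is 'interrupted' before its commit."""
    db = MiniDB()
    db.data.update({"acct:A": 500, "acct:B": 200, "inv:widget": 10})
    t1 = db.begin()
    db.write(t1, "acct:A", 400)
    db.write(t1, "acct:B", 300)
    db.commit(t1)
    t2 = db.begin()
    db.write(t2, "inv:widget", 9)       # sale reduces inventory ...
    db.write(t2, "sale:1001", 25)       # ... and records the sale
    # interruption here: t2 never commits
    requeued = db.recover()
    return db.data, requeued


if __name__ == "__main__":
    state, again = interrupted_transfer()
    print("state after recovery:", state)
    print("transactions to re-queue:", again)
```

After recovery the committed transfer survives, the half-applied sale is gone from both tables, and transaction 2 is handed back for re-processing; that is the "initial state, altered state, new initial state" cycle with the failure case handled.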
Concurrency Control
Multiple users attempt to update the same data item simultaneously, or one user is updating while another user is reading the same data item.
A common way to prevent concurrency problems is to lock a database object while it is in use and release the object upon completion.
The DBMS can determine which operation to perform in what order, as it timestamps each transaction when the processing request is initiated.
Concurrency Control – Levels of Granularity
Coarse level – the database is locked during updates. No one can use the database until the update is complete.
Moderate level – the database locks at tuple (record) level. No one else can use the record until the update is finished.
Fine level – the database locks at attribute (field) level. Only the field being updated is locked.
Tradeoff:
There is an inverse relationship between the granularity level and system performance.
A lower level of granular locking equates to slower computer performance.
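The three granularity levels and their performance tradeoff can be made concrete with a small lock manager. This is an added example, not from the chapter: the same workload is run at coarse, moderate and fine granularity and the number of requests that had to wait is counted. It assumes exclusive locks only (no shared/read locks) and uses arrival order as the timestamp order; the customer records and fields are constructed.

```python
"""Lock granularity versus waiting, as an added example."""
from collections import OrderedDict

LEVELS = ("coarse", "moderate", "fine")


class LockManager:
    def __init__(self, level):
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        self.level = level
        self.held = OrderedDict()   # lock key -> txid, in grant (timestamp) order
        self.waits = 0

    def _key(self, table, record, field):
        """Which object a request locks at this granularity."""
        if self.level == "coarse":
            return ("db",)                  # whole database
        if self.level == "moderate":
            return (table, record)          # one tuple
        return (table, record, field)       # one attribute

    def acquire(self, txid, table, record, field):
        """Grant the lock (True) or count a wait (False) when another
        transaction already holds the covering lock."""
        key = self._key(table, record, field)
        holder = self.held.get(key)
        if holder is None or holder == txid:
            self.held[key] = txid
            return True
        self.waits += 1
        return False

    def release_all(self, txid):
        for key in [k for k, t in self.held.items() if t == txid]:
            del self.held[key]


def simulate(level, requests):
    """Run [(txid, table, record, field, action)] where action is 'lock' or
    'release'; return how many requests were granted and how many waited."""
    lm = LockManager(level)
    granted = 0
    for txid, table, record, field, action in requests:
        if action == "release":
            lm.release_all(txid)
        elif lm.acquire(txid, table, record, field):
            granted += 1
    return {"granted": granted, "waits": lm.waits}


# Constructed workload: T1 changes the credit limit of customer 7 while T2
# changes the address of the same customer and T3 works on customer 9.
WORKLOAD = [
    ("T1", "customers", 7, "credit_limit", "lock"),
    ("T2", "customers", 7, "address", "lock"),
    ("T3", "customers", 9, "credit_limit", "lock"),
    ("T1", None, None, None, "release"),
    ("T2", "customers", 7, "address", "lock"),
    ("T3", "customers", 9, "credit_limit", "lock"),
]

if __name__ == "__main__":
    for level in LEVELS:
        print(level, simulate(level, WORKLOAD))
```

Coarse locking makes every other transaction wait behind T1; moderate locking only blocks T2, which touches the same record; fine locking lets all three proceed because they touch different fields. The cost of the finer levels, which the simulation does not show, is the bookkeeping of many more locks.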
Output Controls
Only properly authorized parties can request certain output: computer screens, printed reports.
Such logical access control is accomplished via the ID-password authorization matrix procedure.
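The ID-password authorization matrix referred to here, and shown earlier as the Sample Authorization Matrix figure, can be implemented as a lookup from (user, application, information item) to a set of Add/Edit/Read/Delete rights, consulted after the ID has authenticated. The following is an added example, not the chapter's figure or any product's code: an output request names the items a report draws on and is served only when the ID authenticates and holds Read on every one of them. The user IDs, passwords and the assignment of Customers and Sales to A/R and Vendors and Payments to A/P are constructed; passwords are stored as salted hashes, which is an assumption about good practice rather than something the chapter specifies.

```python
"""ID/password authorization matrix for output requests (added example)."""
import hashlib
import hmac
import os

RIGHTS = frozenset({"Add", "Edit", "Read", "Delete"})


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthorizationMatrix:
    def __init__(self):
        self.users = {}      # user_id -> (salt, password_hash)
        self.grants = {}     # (user_id, application, item) -> set of rights

    def add_user(self, user_id, password):
        salt = os.urandom(16)
        self.users[user_id] = (salt, _hash_password(password, salt))

    def grant(self, user_id, application, item, rights):
        bad = set(rights) - RIGHTS
        if bad:
            raise ValueError(f"unknown rights {sorted(bad)}")
        self.grants.setdefault((user_id, application, item), set()).update(rights)

    def authenticate(self, user_id, password):
        entry = self.users.get(user_id)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def allowed(self, user_id, application, item, right):
        return right in self.grants.get((user_id, application, item), set())

    def request_output(self, user_id, password, report_items):
        """report_items lists (application, item) pairs the screen or report
        draws on; every one needs Read. Returns (served, reason)."""
        if not self.authenticate(user_id, password):
            return False, "authentication failed"
        denied = [f"{app}/{item}" for app, item in report_items
                  if not self.allowed(user_id, app, item, "Read")]
        if denied:
            return False, "no Read right on " + ", ".join(denied)
        return True, "ok"


def build_sample_matrix():
    """Constructed matrix in the shape of the chapter's figure."""
    m = AuthorizationMatrix()
    m.add_user("user1", "pw-one")
    m.add_user("user2", "pw-two")
    m.grant("user1", "A/R", "Customers", {"Add", "Edit", "Read"})
    m.grant("user1", "A/R", "Sales", {"Read"})
    m.grant("user2", "A/P", "Vendors", {"Read"})
    m.grant("user2", "A/P", "Payments", {"Add", "Read"})
    return m


if __name__ == "__main__":
    m = build_sample_matrix()
    print(m.request_output("user1", "pw-one", [("A/R", "Customers"), ("A/R", "Sales")]))
    print(m.request_output("user1", "pw-one", [("A/P", "Payments")]))
    print(m.request_output("user2", "wrong", [("A/P", "Vendors")]))
```

The denial reason names the item that blocked the request, which is what a supervisory review of output requests needs; a bad password is reported without saying whether the ID exists.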
Output Controls: Computer Screens
Screens need to be physically secure when output is visible.
Output should be removed when the user leaves the terminal.
Return to the screen should require a password.
Output Controls: Printed Reports
Printer rooms need a trail of accountability:
Locks to prevent unauthorized access.
Logs to sign in anyone entering.
Logs to sign for reports.
End user report requests should be password protected.
Network printers should be placed where unauthorized persons will not have access.
Must have record retention and destruction policies, mandated by regulatory agency or dictated by company policy.
Permanent reports must be in a secured area.
Temporary reports must be properly destroyed.
Continuity Controls
Must develop and follow a sound backup strategy to prevent disruption of business activity due to computer failures and disasters.
Two key considerations: downtime and cost.
Shorter downtime requirements equate to higher backup costs.

Impact Analysis Criteria
Level | Impact | Financial Criteria | Reputation
5 | Catastrophic | Over $10 million | National media coverage or major product withdrawal
4 | Intolerable | $5 to $10 million | Local media coverage and reduced professional reputation
3 | Major | $1 to $5 million | Media coverage in trade publications and customer complaints
2 | Significant | $50,000 to $1 million | Limited coverage in media and some customer complaints
1 | Minor | Less than $50,000 | Negligible impact on reputation
0 | No Impact | |
Continuity Controls: Backup Controls – Data Backup
Slow Company: can survive for days without its computer system. Would perform a full backup each week.
Medium Company: must be back on computers the same day. Would perform weekly full backups and daily incremental backups.
Fast Company: must be back on computers within hours. Needs daily full backups and hourly incremental backups.
Lightning Company: must be back on computers within minutes. Needs real-time backup: simultaneous updating on a remote computer.
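A full-plus-incremental policy such as the Medium Company's only works if the chain of backups is intact at restore time. The following is an added example, not from the chapter: given a constructed backup catalogue, it computes which backups a restore to a point in time must apply (latest good full backup, then every good incremental after it), stops at the first failed incremental because later ones cannot be applied over a gap, and reports the recovery point actually reached so the hours of lost work are visible. The catalogue entries and their timestamps are constructed.

```python
"""Restore-chain calculation for full and incremental backups (added example)."""
from datetime import datetime

# Constructed catalogue for a weekly-full / daily-incremental policy.
# Entry: (completed_at, kind, label, succeeded)
CATALOGUE = [
    (datetime(2024, 3, 3, 2, 0), "full", "full-0303", True),
    (datetime(2024, 3, 4, 2, 0), "incr", "incr-0304", True),
    (datetime(2024, 3, 5, 2, 0), "incr", "incr-0305", False),   # failed run
    (datetime(2024, 3, 6, 2, 0), "incr", "incr-0306", True),
    (datetime(2024, 3, 7, 2, 0), "incr", "incr-0307", True),
    (datetime(2024, 3, 10, 2, 0), "full", "full-0310", True),
]


def _as_dt(value):
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def restore_chain(catalogue, point_in_time):
    """Return (labels to apply in order, recovery point reached).
    The chain is the latest successful full backup at or before the point in
    time plus every successful incremental after it; a failed incremental
    breaks the chain, so nothing after it is applied."""
    point_in_time = _as_dt(point_in_time)
    entries = sorted(e for e in catalogue if e[0] <= point_in_time)
    fulls = [e for e in entries if e[1] == "full" and e[3]]
    if not fulls:
        return [], None
    base = fulls[-1]
    chain = [base[2]]
    reached = base[0]
    for entry in entries:
        if entry[0] <= base[0] or entry[1] != "incr":
            continue
        if not entry[3]:
            break                   # broken chain
        chain.append(entry[2])
        reached = entry[0]
    return chain, reached


def data_loss_hours(catalogue, point_in_time):
    """Hours of work lost when restoring to point_in_time, or None if no
    usable full backup exists."""
    point_in_time = _as_dt(point_in_time)
    _chain, reached = restore_chain(catalogue, point_in_time)
    if reached is None:
        return None
    return (point_in_time - reached).total_seconds() / 3600


if __name__ == "__main__":
    for when in ("2024-03-08T12:00:00", "2024-03-11T12:00:00"):
        chain, reached = restore_chain(CATALOGUE, when)
        print(when, "->", chain, "recovery point", reached,
              "loss", data_loss_hours(CATALOGUE, when), "h")
```

Restoring to 8 March can use only the full backup and the first incremental because the 5 March run failed, so the company loses more than four days of work despite having daily backups; the same calculation against a weekly full alone shows why the "slow company" policy is only acceptable when days of loss are survivable.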
Continuity Controls: Storage Location & Hardware Redundancy
Physical Vaulting
One backup on-site, one off-site.
The on-site copy is readily accessible if there is no disaster.
The off-site copy is retrievable if there is a disaster. This strategy involves more time and money.
Electronic Vaulting
Send backup data over a communications network (such as the Internet) to an off-site storage medium:
Send to the home of an employee.
Send to another company location.
Purchase an outside service.
Costs and accessibility are considerations.
Hardware Backup
Usually needed for component failures: power supplies, anything with moving parts.
There are 3 common configurations for redundant storage devices:
Redundant Array of Independent Disks (RAID)
Network Attached Storage (NAS)
Server Area Network (SAN)
Continuity Controls: Redundant Array of Independent Disks (RAID)
Disk mirroring: data is simultaneously written to the primary disk and one or more redundant disks.
Disk striping: an array of at least three, but usually five, disks is established; a scheme of parity checks is utilized; if one disk drive in the array fails, the remaining drives can reconstruct the data on the failed drive and continue processing.
RAID Mirroring and Striping (figure): Disk Mirroring (RAID) – duplicate recording on a single mirrored disk; Disk Striping (RAID) – duplicate recording on an array of disks.
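How the "scheme of parity checks" lets the remaining drives rebuild a failed one is worth seeing in code. The following is an added example, not the chapter's or any RAID controller's implementation: each stripe of data is split into equal chunks across the data disks and an XOR parity chunk is written to a parity disk, so that XOR-ing the surviving chunks of any stripe gives back the chunk that was on the failed disk, whether it was a data disk or the parity disk. The payload, the disk count and the chunk size are constructed.

```python
"""Disk striping with XOR parity and single-disk reconstruction (added example)."""


def xor_bytes(chunks):
    """XOR a list of equal-length byte strings."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def stripe(data, n_data_disks, chunk_size):
    """Split data into stripes of n_data_disks chunks plus one parity chunk.
    Returns a list of disks, each a list of chunks; the last disk holds
    parity. Data is zero-padded to a whole number of stripes."""
    stripe_bytes = n_data_disks * chunk_size
    padded = data + b"\x00" * (-len(data) % stripe_bytes)
    disks = [[] for _ in range(n_data_disks + 1)]
    for s in range(0, len(padded), stripe_bytes):
        chunks = [padded[s + d * chunk_size: s + (d + 1) * chunk_size]
                  for d in range(n_data_disks)]
        for d, chunk in enumerate(chunks):
            disks[d].append(chunk)
        disks[n_data_disks].append(xor_bytes(chunks))   # parity for this stripe
    return disks


def reconstruct(disks, failed):
    """Rebuild every chunk of disk `failed` from the surviving disks."""
    n_stripes = len(next(d for i, d in enumerate(disks) if i != failed))
    rebuilt = []
    for s in range(n_stripes):
        survivors = [disks[d][s] for d in range(len(disks)) if d != failed]
        rebuilt.append(xor_bytes(survivors))
    return rebuilt


def read_data(disks, n_data_disks, length):
    """Reassemble the original bytes from the data disks."""
    out = b"".join(b"".join(disks[d][s] for d in range(n_data_disks))
                   for s in range(len(disks[0])))
    return out[:length]


def demo():
    """Stripe a constructed payload over 4 data disks + parity, lose disk 2,
    rebuild it, and check that the data reads back unchanged."""
    payload = b"ledger entries for the A/R batch of 4 March"   # constructed
    n_data, chunk = 4, 4
    disks = stripe(payload, n_data, chunk)
    lost = 2
    original = disks[lost]
    disks[lost] = None                      # simulate the drive failure
    disks[lost] = reconstruct(disks, lost)
    return disks[lost] == original and read_data(disks, n_data, len(payload)) == payload


if __name__ == "__main__":
    print("rebuilt ok:", demo())
```

A single parity disk covers exactly one failure per stripe; if a second disk fails before the rebuild completes the XOR has two unknowns and the data is gone, which is why rebuild time matters as much as the parity scheme.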
Continuity Controls: Network Attached Storage (NAS)
Integrates one or more storage devices (NAS appliances) into the local area network (LAN).
Comprised of one or more disk drives and an internal controller.
Employs RAID technology to ensure hardware redundancy.
Can be shared by multiple users on the network. Appliances are relatively affordable and scalable.
NAS diagram (figure): User #1, User #2, Printer, Scanner and Network Attached Storage (NAS) on the LAN.
Continuity Controls: Server Area Network (SAN)
Expands NAS to wide area networks (WAN). A SAN is a dedicated network.
A SAN can be linked to multiple LANs. Multiple SANs can be simultaneously utilized.
A SAN can be expensive and technically complicated.
Capable of handling very high volumes. A SAN is a great solution for large companies.
A SAN is designed to be very fault tolerant.
SAN diagram (figure): Input-Output Controller connected to several Disk Storage units and to the Wide Area Network.
Disaster Recovery Controls
The first step is to plan for various disaster scenarios:
a) a single server is damaged
b) an entire company site is demolished
c) multiple company locations are simultaneously struck by disaster
d) the entire company is destroyed
IT managers and auditors should plan for what, who, when, where, how, which and why:
determine what just happened
specify who to contact, in what order, and what they are expected to do
when to enact the remainder of the contingency plan
where to transfer the lost computer processing load:
Plan to shift to one or more alternate company locations.
Establish contractual relationships with peer companies in the same industry. Affordable, but your needs may not be a priority; compatibility problems with operating systems.
Establish contractual relationships with third-party providers of alternate computing sites.
Disaster Recovery Backup Strategy
1. Fully mirrored recovery operations: requires buildings that have linkages between the live site and the backup facility.
2. Switchable hot site facility: arrangement with a vendor who will guarantee to maintain an identical site with communications to enable the transfer of all data processing within an agreed time period.
3. Traditional hot site: have a contract with a disaster recovery vendor with a compatible site.
4. Cold site: includes building & basic infrastructure; establishing emergency site space to allow the enterprise to begin processing.
5. Relocate and restore: identification of a suitable location, hardware, and peripherals and the reinstallation of systems after an emergency has occurred.
6. No strategy: no backup and restore strategy.
Disaster Recovery Controls
How is the company going to get the computer hardware, people, software and data to the alternate site?
Which applications are mission critical?
Why is one application or set of applications more time sensitive than another?
DRP plans
Detailed descriptions of IT systems components, including IT servers, storage resources and network connections.
A summary of applications and key supporting data.
Detailed descriptions of the servers and other hardware.
The communication network, such as telephone, radio, wireless and Internet linkages.
External, third party connections.
IT infrastructure components, including logon services, software distribution and remote access services.
All supporting information management systems, including file rooms and both electronic and manual document management systems.
Internal Audit DRP Review Points
1. Review the existing DRP with the responsible manager
2. Examine the contents and format of the DRP
3. Review the overall training and understanding of the DRP
4. Review the results of recent DRP tests
5. Review the DRP backup procedures
6. Prepare IT internal audit documentation assessing the overall adequacy of the organization’s DRP
Disaster Recovery Controls
All affected parties need to be involved in the planning phase.
The disaster recovery plan is a living document. It must be reviewed and updated on a recurrent basis.
Everyone involved should be initially trained and required to attend periodic refresher sessions.
Portions of the recovery plan should be tested on an unannounced basis.