Controlling Information Systems: IT Processes

• • • • • • •

Learning Objectives

Learn the major IT resources Appreciate the problems in providing adequate controls over IT resources Study major IT control processes and practices organization use to manage IT resources Understand how IT and personnel control plans can help an organization achieve its strategic vision for IT Overview the major steps in acquiring and implementing new IT resources

Controlling Information Systems: IT Processes

Examine business continuity and security controls that help ensure continuous, reliable IT service Value the integral part played by the monitoring function in ensuring the overall effectiveness of a system of internal controls 2

Internal Control Processes on AIS Wheel

• In this chapter, we continue our investigation of internal accounting controls, as indicated by the shaded areas on the AIS Wheel icon. • Herein, you will learn how to control information technology resources and processes, which form the underpinning of accounting information systems. • Importantly, you will be exposed to a fundamental control concept that must be incorporated into every aspect of an organization; that is, managers need to segregate four key functions: – authorizing events – executing events – recording events – safeguarding resources.

3

Control Objectives for Information Technology (COBIT)

• Developed by the Information Systems Audit and Control Foundation to provide guidance —to managers, users, and auditors • According to COBIT achieve its objectives.

—on the best practices for the management of information technology. – IT resources must be managed by IT control processes to ensure that the organization has the information it needs to – Exhibit 8.1 defines the IT resources that must be managed and Chapter 1 describes the qualities that this information must exhibit in order for it to be of value to the organization.

4

IT Resources

• • • • •

Data:

Objects in their widest sense (i.e., external and internal), structured and nonstructured, graphics, sound, etc.

Application systems:

processes.

Application systems are understood to be the sum of manual and programmed procedures reflecting business

Technology:

Technology covers hardware, operating systems, database management systems, networking, multimedia, etc.

Facilities:

Facilities are all resources used to house and support information systems.

People:

services.

People include staff skills; awareness; and productivity to plan, organize, acquire, deliver, support, and monitor information systems and 5

A Hypothetical Computer System

• The IT resources are typically configured with some or all of the elements shown in Figure 8.1

• This computer system consists of one or more mainframe computers connected to several networked

client computers

(CCs) and PCs perhaps through an

LAN

and to PCs and CCs located in the organization’s other facilities, perhaps through a

WAN

• Computer facilities operated by other organizations are connected, perhaps via the

Internet

and through a

firewall

to the mainframe, servers, and PCs.

6

Hypothetical Computer System: Figure 8.1

7

Questions for the IT Control Process

• How we can protect the computer from misuse, whether intentional or inadvertent, from within and outside the organization?

• How do we protect the computer room, and other rooms and buildings where connected facilities are located? • Do we have disaster plans in place for continuing our operations?

• What policies and procedures should be established to provide for efficient, effective, and authorized use of the computer? • What measures can we take to help ensure that the personnel who operate and use the computer are competent and honest? 8

Organization Structures

• • • • •

Centralized:

CIO is central leader of all information system functions Decentralized: A ssigns personnel to non-central (e.g., departments) organizational units

Functional organization:

organizations Assigns personnel to skills based units (e.g., programming, systems analysis). Used by both decentralized and centralized

Matrix:

Assembles work groups or teams, comprised of members from different functional areas, under the authority of a team leader

Project:

Establishes permanent systems development structures such as “Financial Systems Development” 9

Centralized Information System Organization 10

Summary of Information Systems Functions

11

Summary of Information Systems Functions (continued)

12

Summary of Information Systems Functions (continued)

13

COBIT

• COBIT organizes IT internal control into domains and process • Domains include: – Planning and organization – Acquisition and implementation – Delivery and support – Monitoring • Processes detail steps in each domain 14

IT Control Domains and Processes

15

• •

IT Control Processes & Domains

Planning & Organization Domain

– IT Process 1: Establish strategic vision – IT Process 2: Develop tactics to realize strategic vision

Acquisition & Implementation Domain

– IT Process 3: Identify automated solutions – IT Process 4: Develop & acquire IT solutions – IT Process 5: Integrate IT solutions into operations – IT Process 6: Manage change to existing IT systems 16

IT Control Processes & Domains (cont.)

• •

Delivery & Support Domain

– IT Process 7: Deliver required IT services – IT Process 8: Ensure security & continuous service – IT Process 9: Provide support services

Monitoring Domain

– IT Process 10: Monitor Operations 17

IT Process 1 Elements of Strategic IT Plan

1.

A summary of the organizational strategic plan’s goals and strategies, and how they are related to the information systems function.

2. IT goals and strategies, and a statement of how each will support organizational goals and strategies.

3. An information architecture model encompassing the corporate data model and the associated information systems.

4. An inventory of current information systems capabilities.

18

IT Process 1: Elements of Strategic IT Plan

5. Acquisition and development schedules for hardware, software, and application systems and for personnel and financial requirements. 6. IT-related requirements to comply with industry, regulatory, legal, and contractual obligations, including safety, privacy, transborder data flows, e-Business, and insurance contracts.

7. IT risks and risk action plan 8. Process for modifying the plan to accommodate changes to the organization’s strategic plan and changes in information technology conditions.

19

IT Process 2 Organizational Control Plans

• Segregation of duties control plan • Organizational Control Plans for the Information Systems Function • Personnel Control Plans 20

Segregation of Duties

21

Segregation of Duties Applied to IS Function

22

IT Process 2: Organizational Control Plans

• Organizational Control Plans for the Information Systems Function – The information systems function (ISF) normally acts in a service capacity for other operating units in the organization. In this role, it should be limited to carrying recording events and posting event summaries. – Approving and executing events along with safeguarding resources should be carried out by departments other than IS. 23

•

IT Process 2: Organizational Control Plans

Within

the ISF we segregate duties –

Data librarian

operators.

grants access to stored data and programs to authorized personnel to reduce the risk of unauthorized computer operation by programmers or unauthorized programming by – The

security officer

checks assigns passwords, monitors employees’ network access, grants security clearance for sensitive projects, and works with human resources on interview practices and background – The

information technology steering committee

• Coordinates the organizational and IT strategic planning processes • Reviews and approves the strategic IT plan • Helps the organization establish and meet user information requirements Help ensure effective and efficient use of IT resources. • The committee should consist of about seven executives from major functional areas of the organization, including the information systems executive; report to senior management; and meet regularly.

24

IT Process 2: Personnel Control Plans

• Selection & Hiring Control Plans – Qualified personnel including technical background • Retention Control Plans – Retaining may be harder than hiring – Provide challenging work and opportunities for advancement • Personnel Development Control Plans – Training and development • Personnel Management Control Plans – Personnel Planning Control Plans • Skills, Turnover, Filling Positions – Job Description Control Plans • Job descriptions written and updated – Supervision Control Plans • Approving, monitoring, and observing the work of others – Personnel Security Control Plans • Rotation of duties, Forced vacations, Bonding – Personnel Termination Control Plans • procedures when an employee voluntarily or involuntarily leaves an organization.

25

IT Process 3: Identify Automated Solutions

• To ensure selection of the best approach to satisfying users’ IT requirements, an organization’s

systems development lifecycle

studies; – assess risks must include procedures to: – define information requirements – formulate alternative courses of action – perform technological, economic, and operational feasibility • Solutions should be consistent with the strategic information technology plan • At completion of this process – Organization must decide what approach will be taken to satisfy users’ requirements, and whether it will develop the IT solution in house or will contract with third parties for all or part of the development 26

IT Process 4 Develop/Acquire IT Solutions

• Develop and Acquire Application Software • Acquire Application Infrastructure • Develop Service Level Requirements and Application Documentation which typically includes the following: – Systems documentation – Program documentation – Operations run manuals – User manuals – Training materials 27

IT Process 5: Integrate IT Solutions Into Operational Processes • To ensure that a new or significantly revised system is suitable, the organization’s manner. their connections.

SDLC

should provide for a planned, tested, controlled, and approved conversion to the new system. • After installation, the SDLC should call for a review to determine that the new system has met users’ needs in a cost-effective • When organizations implement difficult and more important.

enterprise systems

, the successful integration of new information systems modules into existing information and operations processes becomes more • The challenges are the result of the interdependence of the business processes and the complexity of these processes and • Any failure in a new system can have catastrophic results.

28

IT Process 6: Manage Changes to Existing IT Systems • • To ensure processing integrity between versions of systems and to ensure consistency of results from period to period, changes to the IT infrastructure (hardware, systems software, and applications) must be managed via change request, impact assessment, documentation, authorization, release and distribution policies, and procedures.

Program change controls

provide assurance that all modifications to programs are authorized, and ensure that the changes are completed, tested, and properly implemented.

• Changes in documentation should mirror the changes made to the related programs.

29

IT Process 7: Deliver Required IT Services 1. Define service levels 2. Manage Third-party services 3. Manage IT Operations 4. Manage data (backup) 5. Identify and allocate costs 30

IT Process 8: Ensure Security & Continuous Service • Ensure Continuous Service – Disaster recovery planning; Contingency planning; Business interruption planning; Business continuity planning.

• Restricting Access to Computing Resources – Restrict physical access to computer facilities.

– Restrict logical access to stored programs, data, and documentation.

• Ensure Physical Security – Smoke detectors, fire alarms, fire extinguishers, fire-resistant construction materials, insurance – Waterproof ceilings, walls, and floors; adequate drainage; water and moisture detection alarms; insurance – Regular cleaning of rooms and equipment, dust-collecting rugs at entrances, separate dust-generating activities from computer, good housekeeping – Voltage regulators, backup batteries and generators 31

IT Process 8 (Cont.)

32

IT Process 9: Provide Support Services • Identify the training needs of all personnel, internal and external, who make use of the organization’s information services, and should see that timely training sessions are conducted.

• Assistance through a “help desk” function 33

IT Process 10: Monitor Operations

• Gather data about processes • Generate performance reports • WebTrust - ISP 34

Web Trust Principles

35