350 likes | 477 Views
Controlling Information Systems: IT Processes. Learn the major IT resources Appreciate the problems in providing adequate controls over IT resources Study major IT control processes and practices organization use to manage IT resources
E N D
Controlling Information Systems: IT Processes
Learn the major IT resources Appreciate the problems in providing adequate controls over IT resources Study major IT control processes and practices organization use to manage IT resources Understand how IT and personnel control plans can help an organization achieve its strategic vision for IT Overview the major steps in acquiring and implementing new IT resources Examine business continuity and security controls that help ensure continuous, reliable IT service Value the integral part played by the monitoring function in ensuring the overall effectiveness of a system of internal controls Learning Objectives Controlling Information Systems: IT Processes
Internal Control Processes on AIS Wheel • In this chapter, we continue our investigation of internal accounting controls, as indicated by the shaded areas on the AIS Wheel icon. • Herein, you will learn how to control information technology resources and processes, which form the underpinning of accounting information systems. • Importantly, you will be exposed to a fundamental control concept that must be incorporated into every aspect of an organization; that is, managers need to segregate four key functions: • authorizing events • executing events • recording events • safeguarding resources.
Control Objectives for Information Technology (COBIT) • Developed by the Information Systems Audit and Control Foundation to provide guidance—to managers, users, and auditors—on the best practices for the management of information technology. • According to COBIT • IT resources must be managed by IT control processes to ensure that the organization has the information it needs to achieve its objectives. • Exhibit 8.1 defines the IT resources that must be managed and Chapter 1 describes the qualities that this information must exhibit in order for it to be of value to the organization.
IT Resources • Data: Objects in their widest sense (i.e., external and internal), structured and nonstructured, graphics, sound, etc. • Application systems: Application systems are understood to be the sum of manual and programmed procedures reflecting business processes. • Technology: Technology covers hardware, operating systems, database management systems, networking, multimedia, etc. • Facilities: Facilities are all resources used to house and support information systems. • People: People include staff skills; awareness; and productivity to plan, organize, acquire, deliver, support, and monitor information systems and services.
A Hypothetical Computer System • The IT resources are typically configured with some or all of the elements shown in Figure 8.1 • This computer system consists of one or more mainframe computers connected to several networked client computers (CCs) and PCs perhaps through an LAN and to PCs and CCs located in the organization’s other facilities, perhaps through a WAN • Computer facilities operated by other organizations are connected, perhaps via the Internet and through a firewall to the mainframe, servers, and PCs.
Questions for the IT Control Process • How we can protect the computer from misuse, whether intentional or inadvertent, from within and outside the organization? • How do we protect the computer room, and other rooms and buildings where connected facilities are located? • Do we have disaster plans in place for continuing our operations? • What policies and procedures should be established to provide for efficient, effective, and authorized use of the computer? • What measures can we take to help ensure that the personnel who operate and use the computer are competent and honest?
Organization Structures • Centralized:CIO is central leader of all information system functions • Decentralized: Assigns personnel to non-central (e.g., departments) organizational units • Functional organization: Assigns personnel to skills-based units (e.g., programming, systems analysis). Used by both decentralized and centralized organizations • Matrix: Assembles work groups or teams, comprised of members from different functional areas, under the authority of a team leader • Project: Establishes permanent systems development structures such as “Financial Systems Development”
COBIT • COBIT organizes IT internal control into domains and process • Domains include: • Planning and organization • Acquisition and implementation • Delivery and support • Monitoring • Processes detail steps in each domain
IT Control Processes & Domains • Planning & Organization Domain • IT Process 1: Establish strategic vision • IT Process 2: Develop tactics to realize strategic vision • Acquisition & Implementation Domain • IT Process 3: Identify automated solutions • IT Process 4: Develop & acquire IT solutions • IT Process 5: Integrate IT solutions into operations • IT Process 6: Manage change to existing IT systems
IT Control Processes & Domains (cont.) • Delivery & Support Domain • IT Process 7: Deliver required IT services • IT Process 8: Ensure security & continuous service • IT Process 9: Provide support services • Monitoring Domain • IT Process 10: Monitor Operations
IT Process 1Elements of Strategic IT Plan • A summary of the organizational strategic plan’s goals and strategies, and how they are related to the information systems function. • IT goals and strategies, and a statement of how each will support organizational goals and strategies. • An information architecture model encompassing the corporate data model and the associated information systems. • An inventory of current information systems capabilities.
IT Process 1: Elements of Strategic IT Plan • Acquisition and development schedules for hardware, software, and application systems and for personnel and financial requirements. • IT-related requirements to comply with industry, regulatory, legal, and contractual obligations, including safety, privacy, transborder data flows, e-Business, and insurance contracts. • IT risks and risk action plan • Process for modifying the plan to accommodate changes to the organization’s strategic plan and changes in information technology conditions.
IT Process 2Organizational Control Plans • Segregation of duties control plan • Organizational Control Plans for the Information Systems Function • Personnel Control Plans
IT Process 2: Organizational Control Plans • Organizational Control Plans for the Information Systems Function • The information systems function (ISF) normally acts in a service capacity for other operating units in the organization. In this role, it should be limited to carrying recording events and posting event summaries. • Approving and executing events along with safeguarding resources should be carried out by departments other than IS.
IT Process 2: Organizational Control Plans • Within the ISF we segregate duties • Data librarian grants access to stored data and programs to authorized personnel to reduce the risk of unauthorized computer operation by programmers or unauthorized programming by operators. • The security officer assigns passwords,monitors employees’ network access, grants security clearance for sensitive projects, and works with human resources on interview practices and background checks • The information technology steering committee • Coordinates the organizational and IT strategic planning processes • Reviews and approves the strategic IT plan • Helps the organization establish and meet user information requirements Help ensure effective and efficient use of IT resources. • The committee should consist of about seven executives from major functional areas of the organization, including the information systems executive; report to senior management; and meet regularly.
Selection & Hiring Control Plans Qualified personnel including technical background Retention Control Plans Retaining may be harder than hiring Provide challenging work and opportunities for advancement Personnel Development Control Plans Training and development Personnel Management Control Plans Personnel Planning Control Plans Skills, Turnover, Filling Positions Job Description Control Plans Job descriptions written and updated Supervision Control Plans Approving, monitoring, and observing the work of others Personnel Security Control Plans Rotation of duties, Forced vacations, Bonding Personnel Termination Control Plans procedures when an employee voluntarily or involuntarily leaves an organization. IT Process 2: Personnel Control Plans
IT Process 3: Identify Automated Solutions • To ensure selection of the best approach to satisfying users’ IT requirements, an organization’s systems development lifecycle must include procedures to: • define information requirements • formulate alternative courses of action • perform technological, economic, and operational feasibility studies; • assess risks • Solutions should be consistent with the strategic information technology plan • At completion of this process • Organization must decide what approach will be taken to satisfy users’ requirements, and whether it will develop the IT solution in-house or will contract with third parties for all or part of the development
IT Process 4Develop/Acquire IT Solutions • Develop and Acquire Application Software • Acquire Application Infrastructure • Develop Service Level Requirements and Application Documentation which typically includes the following: • Systems documentation • Program documentation • Operations run manuals • User manuals • Training materials
IT Process 5: Integrate IT Solutions Into Operational Processes • To ensure that a new or significantly revised system is suitable, the organization’s SDLC should provide for a planned, tested, controlled, and approved conversion to the new system. • After installation, the SDLC should call for a review to determine that the new system has met users’ needs in a cost-effective manner. • When organizations implement enterprise systems, the successful integration of new information systems modules into existing information and operations processes becomes more difficult and more important. • The challenges are the result of the interdependence of the business processes and the complexity of these processes and their connections. • Any failure in a new system can have catastrophic results.
IT Process 6: Manage Changes to Existing IT Systems • To ensure processing integrity between versions of systems and to ensure consistency of results from period to period, changes to the IT infrastructure (hardware, systems software, and applications) must be managed via change request, impact assessment, documentation, authorization, release and distribution policies, and procedures. • Program change controls provide assurance that all modifications to programs are authorized, and ensure that the changes are completed, tested, and properly implemented. • Changes in documentation should mirror the changes made to the related programs.
IT Process 7:Deliver Required IT Services • Define service levels • Manage Third-party services • Manage IT Operations • Manage data (backup) • Identify and allocate costs
IT Process 8: Ensure Security & Continuous Service • Ensure Continuous Service • Disaster recovery planning; Contingency planning; Business interruption planning; Business continuity planning. • Restricting Access to Computing Resources • Restrict physical access to computer facilities. • Restrict logical access to stored programs, data, and documentation. • Ensure Physical Security • Smoke detectors, fire alarms, fire extinguishers, fire-resistant construction materials, insurance • Waterproof ceilings, walls, and floors; adequate drainage; water and moisture detection alarms; insurance • Regular cleaning of rooms and equipment, dust-collecting rugs at entrances, separate dust-generating activities from computer, good housekeeping • Voltage regulators, backup batteries and generators
IT Process 9: Provide Support Services • Identify the training needs of all personnel, internal and external, who make use of the organization’s information services, and should see that timely training sessions are conducted. • Assistance through a “help desk” function
IT Process 10: Monitor Operations • Gather data about processes • Generate performance reports • WebTrust - ISP