
IT Governance and Strategy: Maximizing Organizational Performance

This article explores the importance of IT governance and strategy in achieving organizational objectives. It discusses the classification of internal controls, the role of general and application controls, and the responsibilities of the board and IT steering committee. The impact of CIO reporting structure and the value of IT investments are also examined.

lmcbride

Presentation Transcript


  1. “He who controls the present, controls the past. He who controls the past, controls the future.” - George Orwell EECS4482 2015

  2. Session 3 – IT Governance
     • Understanding the importance of IT strategy
     • Governance vs strategy
     • Governance vs internal controls
     • Types of IT controls
     • General controls’ relationship with application controls

  3. IT Strategy
     • Must conform to the business strategy.
     • Covers a rolling forward 3-year span.
     • Beginning of IT governance.
     • Addresses infrastructure, software, information and people. Procedures are not part of it, but rather will need to be developed to support the strategy’s implementation.

  4. Corporate Governance vs. IT Governance
     Corporate governance: processes employed by organizations to select objectives, establish processes to achieve objectives, and monitor performance.
     IT governance: process that ensures the enterprise’s IT infrastructure, systems and people support the organization’s strategies and objectives.

  5. IT Governance
     • The chief information officer is accountable, setting corporate policies and providing the IT infrastructure.
     • All executives are responsible for participation, e.g., approving IT expenditure and IT projects, monitoring IT projects and developing procedures.

  6. Internal Control
     • It is a system function, instruction, tool or procedure to mitigate risk.
     • It is not simply a statement of what should be done, e.g., “the company should ….”
     • It is not a statement of what management wants done, e.g., “to ensure …”; that is a control objective.
     • Management is responsible for control design and implementation.

  7. Classifying Internal Controls by Function
     • Preventive
     • Detective
     • Corrective
     • The difference between preventive and detective is timing

  8. Classifying Internal Controls by Scope
     • General
     • Application

  9. General Controls
     • IT controls that apply to more than one system.
     • Should be implemented before application controls, as there is likely better value for money.
     • But not every system has the same risk, so application controls are needed.
     • General controls form the foundation for application controls, e.g., a strong network password makes a payroll system password more reliable.

  10. Application Controls
     • IT controls that apply to one system or a suite of related systems.
     • Their effectiveness depends on the strength of general controls.
     • An example is a system check of credit limit.

  11. General Controls
     • Should be reviewed before application controls
     • Implemented and carried out by the IT department
     • Consist of automated and manual controls

  12. Types of General Controls
     • Organization controls (including segregation of duties)
     • Software change controls
     • Access controls
     • Systems development controls
     • Disaster prevention and recovery controls
     • Network controls
     • Computer operations controls

  13. Organization Controls
     • IT governance
     • Organization chart and job descriptions
     • Segregation of duties
     • Hiring practice
     • Policies and procedures
     • Management supervision, management review and independent review

  14. IT Governance
     • Board responsibilities
     • System steering committee
     • Policies and standards

  15. IT Governance
     • Strategic direction
     • Staffing and training
     • Monitoring processes

  16. Board Responsibilities
     • Understand the importance of IT to the organization.
     • Understand the magnitude of IT investments.
     • Challenge the adequacy, necessity and validity of IT investments and usage.

  17. Board Responsibilities
     • Review IT performance
     • Approve eBusiness strategy
     • Consider legal and privacy issues
     • Approve major outsourcing contracts

  18. IT Steering Committee
     • Consists of executives representing a cross section of the organization
     • CIO and CFO are default members; the CFO should be there to provide financial monitoring
     • Sets IT strategy and the IT control environment/structure

  19. Systems Steering Committee
     • Approves and reviews major projects
     • IT capacity planning
     • Monitors IT usage and outsourcing
     • Develops key performance indicators
     • Sets policies

  20. Organization Chart
     • The first audit consideration is segregation of duties.
     • The CIO should report to a senior level to ensure the organization understands the value and challenges of IT and applies IT appropriately.
     • The CIO should report to the CEO or COO.

  21. CIO Reporting to CFO?
     • This can result in IT resources being allocated to the finance and accounting functions more than to the business areas and strategic initiatives.
     • Difficult to attract top calibre CIOs.

  22. CIO Reporting to Chief Administrative Officer?
     • This will promote the idea that IT is used primarily to streamline and automate, an out-of-date concept.
     • It downplays the strategic importance of information systems.
     • Difficult to attract top calibre CIOs.

  23. The IT Department
     • Systems development (separate from operations)
     • Computer operations (separate from development)
     • Quality assurance (may be part of systems development in a small company)
     • Security (may be part of operations in a small company)
     • Database administration (may be part of operations in a small company)

  24. Systems Development Functions
     • Systems analysis
     • Systems architecture
     • Systems design
     • Programming
     • Testing
     • Project control
     The above apply to systems development projects and systems maintenance.

  25. Systems Development Function
     • Should not have access to customer data.
     • Should not have update access to programs used in operation.

  26. Computer Operations Function
     • Hardware support
     • Server administration
     • Operations scheduling and monitoring
     • Database administration
     • Network operations

  27. Computer Operations Function
     • System and data backup
     • Data retention schedule
     • Data file label indicating when data can be erased
     • Implementation of application programs and system software
     • Help desk
     • Incident response
     • Capacity planning

  28. Quality Assurance Function
     • Develops policies and procedures.
     • User education.
     • Change control testing, authorization tracking and software version management.

  29. Segregation of Duties
     • To ensure checks and balances to minimize error
     • To focus expertise for efficiency
     • To deter fraud and improper practices
     • To avoid concentration of power that can be abused
     • Less practical for small organizations

  30. Segregation of Duties
     • Separate the IT department from business areas; this is analogous to separating custody from record keeping. IT plays a key role in record keeping.
     • Separate development from operations to prevent unauthorized or incorrect program changes.
     • Security should be a dedicated function.

  31. Segregation of Duties
     • Software change implementation and database administration should be separate functions, so that the person who controls programs has no access to information; this helps to prevent fraud.
     • Relies on access controls.

  32. Policies and Procedures
     • Systems development methodology
     • Computer operations
     • Change control
     • Database administration
     • Security
     • Help desk

  33. How to Assess Organization Controls
     • Review the organization chart for segregation of duties.
     • IT should be segregated from business areas.
     • Segregation of duties within IT.

  34. Software Change
     • A new program or a change to an existing program.
     • Risk can materialize when the program is implemented.
     • Changes may be ad hoc or part of a systems development project.
     • Software change controls apply to both types.

  35. Assessment of Software Change Risks
     • Non-occurrence (implementing a software change that was not requested) – High
     • Incomplete implementation – Moderate
     • Unauthorized implementation – High
     • Inaccurate implementation – High
     • Untimely implementation – Moderate

  36. Software Change Control
     • Purpose is to ensure that program changes are documented and implemented correctly and with authorization
     • Relies on access control

  37. Preventive Software Change Control
     • Change standards and procedures
     • Library controls
     • Testing
     • Change approval

  38. Library Control
     • Need to keep separate libraries:
       - Development for programmer testing
       - Testing for independent testing
       - Staging for user acceptance testing
       - Production for the live system (in operation)

  39. Software Operating Environments
     • An environment is a separate computer, data centre or a partition of a computer logically segregated from other environments in order to control the operation, development or testing. It can also be used to separate different business units or companies to prevent access and avoid data corruption or mix-up.

  40. Environments
     • Development – houses the programmers’ libraries and the development library (for programmers’ testing).
     • Test – houses the programs for independent integration testing.

  41. Environments
     • Staging – houses the programs for user testing; has all the programs in the production environment and also the new programs being tested. Only needed for systems development projects.
     • Production – houses the programs for live operation.

  42. Production Environment
     • The source code does not have to be on the computer used for transaction processing (this leaves space on the online disks for transaction storage), but it should be readily accessible for program changes.
     • Storing production source code offline is better security.

  43. Development Library
     • Programmers perform programming, self testing and peer testing. Needs source code and object code.
     • Can be further divided into a library for each project, group or programmer.
     • Access to deposit or change should be restricted to the programmer(s).
     • Programmers copy programs from the production library into the development library to commence work.

  44. Test Library
     • Contains programs that are to be tested by independent people, not the programmers.
     • Can be further divided by projects.
     • Access control for depositing or changing is restricted to people who have no access to deposit or change the development and production libraries.

  45. Test and Staging Libraries
     • If errors are found in testing, the program has to be returned to the previous library through the previous library’s controlling person.
     • Movement to the test or staging library has to be supported by IT management approval.

  46. Test and Staging Libraries
     • Object code must be there because computers need it for data processing.
     • Source code should be there to maintain consistency with the object code.

  47. Production Library
     • Contains programs used for transaction processing.
     • Should be divided by application.
     • Source code should be contained in a separate computer from the actual computers used for transaction processing, in order not to disrupt operation and to avoid improper changes; a copy of the corresponding object code should be there.

  48. Production Library
     • Access to deposit or change should be restricted to people who do not control the development and test libraries.
     • If the object code is contained in a computer other than the ones used for transaction processing, there should be periodic comparison with the object code in the computers used for transaction processing.

  49. Production Library
     • Movement to the production library has to be supported by IT management and user approvals.
     • Movements have to be tracked to show who moved, who approved and when.
     • Movement to production should be done by 2 people together to ensure authorization and correctness.

  50. Library Control
     • Source code and object code should reside in each library.
     • Access to move between libraries should be restricted.
     • Only people who did not work on the current library version can move it to the next library, to prevent unauthorized change.
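The library controls of slides 43 to 50 written as a promotion gate, an added example rather than course material: a program moves development → test → staging → production only if the movers did not work on the current version, the approvals required for the target library are present, production moves are made by two people, and every move is logged with who moved, who approved and when. The periodic object-code comparison of slide 48 is modelled as a digest check. All names, the role labels `it_management` and `user`, and the timestamps are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Libraries in promotion order (slides 38 and 40-41).
LIBRARIES = ["development", "test", "staging", "production"]
# Slide 45: test/staging need IT management approval; slide 49: production also needs user approval.
REQUIRED_APPROVALS = {"test": {"it_management"}, "staging": {"it_management"},
                      "production": {"it_management", "user"}}

@dataclass
class Program:
    name: str
    object_code: bytes
    library: str = "development"
    workers: set = field(default_factory=set)   # who deposited/changed this version
    audit_trail: list = field(default_factory=list)

def promote(prog, movers, approvals, when):
    """Move prog to the next library. movers: names performing the move; approvals: role -> approver."""
    if prog.library == "production":
        raise ValueError(f"{prog.name} is already in production")
    target = LIBRARIES[LIBRARIES.index(prog.library) + 1]
    # Slide 50: only people who did not work on this version may move it.
    conflict = set(movers) & prog.workers
    if conflict:
        raise PermissionError(f"{sorted(conflict)} worked on this version")
    # Slide 49: movement to production is done by two people together.
    if target == "production" and len(set(movers)) < 2:
        raise PermissionError("production moves require two distinct movers")
    missing = REQUIRED_APPROVALS[target] - set(approvals)
    if missing:
        raise PermissionError(f"missing approvals for {target}: {sorted(missing)}")
    # Slide 49: track who moved, who approved and when.
    prog.audit_trail.append({"from": prog.library, "to": target, "moved_by": list(movers),
                             "approved_by": dict(approvals), "when": when})
    prog.library = target
    return target

def object_code_matches(library_copy: bytes, running_copy: bytes) -> bool:
    """Slide 48: compare the library's object code with the copy on the transaction-processing computer."""
    return hashlib.sha256(library_copy).hexdigest() == hashlib.sha256(running_copy).hexdigest()

if __name__ == "__main__":
    # Constructed sample: alice wrote the payroll change; bob and dana (not alice) move it.
    p = Program("payroll_calc", b"\x7fELF-constructed-object-code", workers={"alice"})
    promote(p, ["bob"], {"it_management": "carol"}, "2015-09-01T10:00")
    promote(p, ["bob"], {"it_management": "carol"}, "2015-09-03T10:00")
    promote(p, ["bob", "dana"], {"it_management": "carol", "user": "erin"}, "2015-09-05T09:00")
    print(p.library, len(p.audit_trail))   # production 3
```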
