MANAGING THE IT FUNCTION

1
Chapter Five

• MANAGING THE IT FUNCTION

2
Organizing the IT Function

• The IT Function must be organized and structured.
• IT Manager must define the role and articulate
  the value of the IT Function.
• Configuration within a company depends on
  external and internal organizational factors.
• Sound internal controls are essential to the
  structural framework.

3
Locating the IT Function to whom should the IT
manager report?

• Important ramifications on It Managers
• Ability to acquire needed resources
• Ability to prioritize workloads.

4
Locating the IT Function

• Consider segregation of incompatible duties.
• Must vest in different people
• Authorizing Transactions
• Recording Transactions
• Maintaining Custody of Assets
• Can be accomplished with judicious choices with
  respect to
• placing the IT function in the organization
• integrating programmed controls into computing
  infrastructures and applications.

5
Should the IT manager report to the accounting
manager?

• Good Idea!
• Most IT applications deal with accounting
  transactions! So everyone would benefit by
  having the accounting manager involved from the
  start.
• Bad Idea!
• Most controllers perform 2 of the 3 incompatible
  duties. This would make 3 of the 3.
• Fraud would be difficult to detect.

6
Should the IT manager report to another
operations or administrative manager?

• Good Idea! Many software applications deal with
  these areas.
• Bad Idea!
• Many managers can authorize transactions, so
  custody of computing assets would attribute them
  with 2 of the 3 incompatible duties.
• Other managers would not likely have the
  expertise to guide and support an IT manager.
• Managers would likely give priority to their own
  IT needs and less to the rest of the company.
• The IT function may not have access to upper
  management for influencing decisions about
  placing priorities and setting strategies.

7
Should the IT manager report alongside another
line managers?

• Good Idea!
• Politically strong to compete for resources and
  set priorities and strategies.
• CEO has responsibility over, but rarely performs
  the 3 incompatible duties.
• With sound internal controls, can be effectively
  managed.

8
Should the IT manager report above another line
managers?

• In a VP position, the IT manager can
• coordinate strategies
• set standards
• establish priorities across the entire
  organization
• This structure allows the IT managers, who report
  to the Vice President, to focus on local issues
  and needs.

9
Chief Executive Officer (CEO)
Vice President Information Technology
Vice President North American Operations
Vice President Foreign Operations
Research Operations Manager
Human Resources Manager
Finance Accounting Manager
Information Technology Manager
Sales Marketing Manager
10
(No Transcript)
11
Designing the IT Function

• Designing the ultimate structure of the IT
  function is often determined by cultural,
  political and economic forces inherent in each
  organization.

12
Internal control considerations within an IT
function

• Separate from one another
• systems development
• computer operations
• computer security

13
Systems Development

• Staff has access to operating systems, business
  applications and other key software.
• Systems developers are authorized to create and
  alter software logic, therefore, they should not
  be allowed to process information
• They should not maintain custody of corporate
  data and business applications.

14
Computer Operations

• Operation staff are responsible for
• Entering Data (similar to the internal control
  concept of authorizing transactions)
• Processing information (similar to the internal
  control concept of recording transactions)
• Disseminating Output (similar to the internal
  control concept of maintaining custody)
• Must segregate duties.

15
Computer Security

• Responsible for the safe-keeping of resources
• includes ensuring that business software
  applications are secure.
• responsible for the safety (custody) of
  corporate information, communication networks and
  physical facilities
• Systems analysts and programmers should not have
  access to the production library.

16
IT Function Manager
Systems Development Manager (a)
Computer Operations Manager (b)
Computer Security Manager (c)
User Services Manager
Systems Analysis (a)
Data Input (a)
Technical Support
Software Security
Computer Programming (b)
Information Processing (b)
Application Support
Information Security
Information Output (c)
Database Administration (c)
User Training
Network Security
Continuity of Operations
Help Desk
Physical Security
Quality Control
17
IT Auditors examination of the IT Function

• Auditors should ensure that systems developers
  and computer operators are segregated.
• It is also advisable for the IT function to form
  a separate security specialization to maintain
  custody of software applications and corporate
  data.

18
Funding the IT Function

• Must be adequately funded to fulfill strategic
  objectives.
• Business risk of under-funding
• Needs and demands of customers, vendors,
  employees and other stakeholders will go
  unfulfilled.
• can adversely impact the success of the company.
• Audit risk of under-funding
• Heavy workloads can lead to a culture of working
  around the system of internal controls

19
Two funding approaches

• 1. Cost Center Approach
• Submit detailed budget to upper management
• Justify each line item
• Use the IT function scorecard approach
• Operational Performance
• User satisfaction
• adaptability and scalability
• Organizational contribution

20
Two funding approaches

• 2. Profit Center Approach
• Submit detailed budget to upper management.
• Charge internal users for services through
  intra-company billing.
• Positive Outcome Managers will not be overly
  demanding of IT services
• Negative Outcome IT can build excessive expenses
  into billing rates until the rates exceed costs
  of outside providers.

21
Billing Rates

• Independent Party within the company should
  compare rates to outside services.
• IT Auditor should
• Confirm that reasonableness check is performed at
  least annually to ensure that billing rates are
  not excessive

22
Acquiring IT Resources

• IT manager should justify IT Capital projects
  using a methodological approach.
• Determine the net benefit
• Present value of benefits minus costs
• Use Scorecard approach for non-quantifiable
  paybacks.

23
Example with Scorecard Approach

• Justify the in-house development of web-based
  customer ordering system

Scorecard Action
Operational Performance Estimate the increased number of sales the system will handle each day. Determine faster speed of each sale.
User Satisfaction Survey customers for what they need and how they would receive proposed system.
Adaptability Scalability Forecast increased sales. Show how new system integrates with existing accounting inventory systems.
Organizational Contribution Perform net benefit analysis. Estimate financial costs benefits.
24
Staffing the IT Function

• Business and audit risks can be effectively
  controlled via sound human resource procedures in
  the areas of hiring, rewarding and terminating
  employees.

25
HIRING

• Should have formal procedures that are followed
• Each job should have a substantive description of
  responsibilities and procedures.

26
Recruiting

• Carefully plan and execute each step in
  compliance with company policy.
• Identify Needs
• Write a job description
• Obtain permissions
• Advertise
• Accept Applications
• Review Applications

27
Verifying

• Extent depends on the position, but all
  candidates should have some checking.
• Contact references, both personal and
  professional.
• Conduct Background checks
• Verify Education
• Checks for criminal or civil violations
• Document everything!

28
Testing

• Written and/or oral tests can be administered to
  test skills.
• Company must be consistent in testing procedures.

29
Interviewing

• Follow Sound Procedures
• Follow Company, Regulatory Statutory Rules
• Steps of interviewing
• Select appropriate interviewers
• Develop an internal interview schedule
• Arrange for interviews with interviewees
• Conduct the interviews

30
REWARDING

• It is important to continually challenge and
  motivate employees.
• Improperly rewarding employees may result in
  business and audit risks

31
Rewarding

• Business risks
• might develop a bad attitude toward the IT
  manager and the company
• leads to
• lower productivity
• frustration
• turnover
• Audit risks
• employees can become bored and disgruntled
• engage in mischievous and criminal behaviors
• can threaten the availability, accuracy, security
  and reliability of corporate information

32
Evaluating

• Most common is the annual review.
• The evaluation process must have structure and
  reasonableness.
• Evaluator must be as fair as possible to prevent
  frustration and resentment.

33
Compensating

• The company should strive to compensate employees
  at least as well as peer organizations.
• Turnover
• Can cause productivity losses
• Replacement costs are high
• Risks the availability and reliability of systems
• Employees take sensitive information to
  competitors

34
Compensation IssuesEqual Pay for Equal Work

• IT Function must not discriminate in appearance
  or substance among employees.
• Test by comparing the compensation packages of
  employees holding similar positions.

35
Compensation IssuesCompression and Inversion

• Compression The compensation of newly hired
  employees gets very close to experienced
  employees in similar positions or the
  compensation of subordinates is nearly the same
  as their superiors.
• Inversion The compensation of new hires is
  greater than more experienced employees in the
  same position, or the compensation of
  subordinates exceeds that of superiors.

36
Promoting

• Should be based on merit
• Compensation should be commensurate with the new
  jobs role and responsibilities.
• Must be formal written procedures that are
  consistently followed.

37
Learning

• Training benefits the employee, the employer and
  society as a whole. Failure to offer learning
  opportunities create
• Business Risk
• potential loss of competitive positioning due to
  an uneducated workforce
• low employee morale
• Audit Risk
• stagnate and frustrated employees
• attitude of complacency toward internal controls
• or utter disregard for internal controls

38
Terminating

• A disgruntled employee can disrupt the companys
  systems and controls.
• The IT function needs to design and implement
  countervailing controls
• backup procedures
• checks-and-balances
• cross-training
• job rotations
• mandated vacations
• immediately separate them from the computing
  environment
• terminate all computer privileges

39
Directing the IT FunctionAdministering the
Workflow

• Effective capacity planning
• Schedule and perform the work
• Have enough resources for peaks yet minimize idle
  time
• Develop formal workload schedules
• Monitor performance
• Denote actual-to-planned workload variances
• Continually adjust

40
Managing the Computing Environment

• Responsible for the computing infrastructure
• Computer hardware
• Network hardware
• Communication systems
• Operating systems
• Application softtware and data files

41
Managing the Computing Environment

• The IT manager must
• understand how the infrastructure elements work
  together.
• establish policies for acquiring, disposing, and
  accounting for inventory
• track rented equipment and software
• comply with licensing agreements

42
Managing the Computing Environment

• The IT manager must ensure the physical
  environment is safe for humans and computers with
• Fire suppression systems in place
• A tested fire evacuation plan
• A climate controlled environment
• Facilities that are inconspicuous in location and
  design
• Compliance with appropriate safety and health
  regulations

43
Third Party Services

• Examples
• Internet service providers (ISP)
• Communication companies
• Security firms
• Call centers
• Offer economies of scale
• Use of 3rd party services is increasing .

44
Third Party ServicesKey Issues

• Policies must be established for purchase, use,
  and termination of 3rd party services.
• Must have legally binding contracts.
• Must ensure the security and confidentiality of
  company information.
• Must have a plan for disruption of services.
• Must have backup and recover plan in place.

45
Assisting UsersTraining and Education

• Identify training needs.
• Design curricula.
• Deliver programs.
• Use outside training programs.

46
Assisting UsersHelp Desk
47
Assisting UsersHelp Desk

• . The IT manager needs to design and monitor
  effective ways to assist users when they request
  help.
• Must create an atmosphere of mutual trust and
  respect between the IT function and user
  community.
• Effective handling of problems and incidences
  requires a formal set of policies and procedures.

48
Assisting UsersHelp Desk

• Requests for help generally arise from users
  lack of understanding about how applications
  work.
• Problems and incidences reflect improperly
  functioning elements of the computing
  infrastructure, and require the intervention of
  experienced technicians and programmers.

49
Controlling the IT Function

• The major control categories involved in the IT
  function are
• Security
• Input
• Processing
• Output
• Databases
• backup and recovery
• Each of these categories is intended to minimize
  business and audit risk via internal controls.

50
Security Controls

• Secure the computing infrastructure from internal
  and external threats.
• A compromise of the infrastructure can result in
• business risk
• network downtime
• database corruption
• audit risk
• material misstatements in accounts due to
  incomplete or inaccurate data capturing

51
Physical Security

• Focuses on keeping facilities, computers,
  communication equipment and other tangible
  aspects of the computing infrastructure safe from
  harm.

52
Physical SecurityAccess Restriction

• Only authorized personnel should be allowed into
  the facility.
• Visitors should be accompanied by authorized
  personnel at all times.
• Use at all ingress and egress points
• --Security guards -- Keys lock
• --Card readers -- Biometric devices
• Penetration points should be adequately secured

53
Physical SecurityMonitor Access

• Monitor who is entering, roaming and leaving the
  facility.
• Security guards
• Video Cameras
• Penetration alarms
• Review access evidence.
• Signage log, paper or electronic
• Formal review procedures in place.

54
Security Issue Physical Controls Logical Controls
Access Controls Security Guards Locks Keys Biometric Devices ID and Passwords Authorization Matrix Firewalls Encryption
Monitor Controls Security Guards Video Cameras Penetration Alarms Access logs Supervisory Oversight Penetration alarms
Review Controls Formal Reviews Signage Logs Violation Investigations Formal Reviews Activity Logs Violation Investigations
Penetrating Tests Unauthorized attempts to enter IT facilities Attempts to break in through vulnerable points As authorized visitor, attempts to leave authorized personnel and wander around the facility without oversight Unauthorized attempts to enter servers and networks Attempts to override access controls (hacking) As authorized user, attempts to use unauthorized applications and view unauthorized information
55
Physical SecurityCommunication Power Lines

• The IT manager should
• monitor the primary communication and power lines
  via cameras and guards
• install secondary (backup) lines in case the
  primary lines fail.
• Contingency plan must address the possible
  failure of lines.

56
Physical SecurityOff-Site Equipment

• Equipment located in other places needs to be
  monitored in the same way.
• Effective backup plan must be in place.

57
Logical Security

• Data and software nature known as logical
  components of the infrastructure
• Corporate data
• Computer software
• user applications
• network systems
• communication systems
• operating systems

58
Sample Authorization Matrix
User 3 ID XXXXX, Password YYYYY
User 2x ID XXXXX, Password YYYYY
User 1 ID XXXXX, Password YYYYY
Applications
Information
A/R A/P
Add Edit Read Delete
Customers Vendors Sales Purchasing Receipt
s Payments
Add Edit Read Delete
Add Edit Read Delete
Add Edit Read Delete
Add Edit Read Delete
Add Edit Read Delete
59
Logical Security

• Physical controls
• most corporate data and software are located on
  computers, servers, storage devices
• Computer controlled access, monitor review
  systems

60
Logical SecurityPoints of Entry

• Computer Terminal
• Supply Authorized ID
• Password
• Internet
• Controls need to control external access Points
• Firewalls
• Track failed attempts to enter system

61
Logical SecurityAccess and Monitor Systems

• Supervisory Oversight
• Penetration alarms
• Track usage patterns
• Report failed attempts
• Formal review procedure

62
Information Controls

• Controls need to be in place and working
  effectively to ensure the integrity and accuracy
  of vital decision-making information.
• Must Integrate sound backup controls.

63
Information ControlsInput Controls

• The company must have and follow written
  procedures regarding the proper authorization,
  approval and input of accounting transactions.
• These are incompatible functions.
• they should be carefully segregated, to the
  extent possible, and controlled.

64
Information ControlsInput Controls 3
Scenarios- 1

• A customer purchases goods at a store counter.
• Authorizing the sale
• A cashier records the sale on the cash register
• Approving the sale, balances the register, logs
  the logs into the register with ID
• An accounting clerk later processes cash register
  sales in batches.
• Inputs sales transactions into accounting system
  in batches

65
Information ControlsInput Controls 3
Scenarios- 2

• Same except cash register automatically records
  the sale into the accounting system.

66
Process Controls

• Validating
• Error Handling
• Updating

67
Database Controls

• Database processing involves simultaneous
  updating of multiple tables.
• Multiple tables and data items can be
  instantaneously corrupted when an interruption
  occurs.

68
Database ControlsWhy corruption is so quick

• Related tables are inexorably linked to one
  another.
• Update routines often incorporate one or more of
  the following processing techniques
• Multi-tasking -- where the computer executes more
  than one task program at a time
• Multi-processing -- where multiple CPUs
  simultaneously execute interdependent tasks
  programs
• Multi-threading -- where a computer executes
  multiple parts of a program threads at one
  time.

69
Database ControlsRoll-back and Recovery

• Databases operate on a transaction principle.
• A logical unit of work is considered a
  transaction.
• The processing of a transaction takes the
  database from an initial state to an altered
  state, to the new initial state.
• Each step must be completed.
• Any failure will result in database corruption.

70
Database ControlsRoll-back and Recovery

• When there is an interruption, the database
  management system (DBMS) begins to restore.
• There are numerous technical processes depending
  on the DBMS in use.

71
Database ControlsRoll-back and Recovery Basic
Recovery

• A unique identifier tags each transaction.
• An activity log tracks the transaction as it
  processes.
• After interruption, the DBMS identifies the
  transactions in process.
• Roll-back procedure is performed
• Uncompleted transactions placed back into queue
• Recovery takes place.

72
Database ControlsConcurrency Control

• Multiple users attempt to update the same data
  item simultaneously.
• or when
• One user is updating while another user is
  reading the same data item.

73
Database ControlsConcurrency Control

• A common way to prevent concurrency problems is
  to lock a database object while it is in use and
  release the object upon completion.
• The DBMS can determine which operation to perform
  in what order, as it timestamps each transaction
  when the processing request is initiated.

74
Database ControlsConcurrency Control Levels of
Granularity

• Course level database is locked during updates.
• No one can use the database until update is
  complete.
• Moderate level Database locks at tuple (record)
  level.
• No one else could use the record until update is
  finished.
• Fine level Database locks at attribute (field)
  level.
• Only the field being updated would be locked.

75
Database ControlsConcurrency Control Levels of
Granularity

• Tradeoff
• There is an inverse relationship between the
  granularity level and system performance.
• A lower level of granular locking equates to
  slower computer performance.

76
Output controls

• Only properly authorized parties can request
  certain output
• computer screens
• printed reports
• Such logical access control is accomplished via
  the ID-password authorization matrix procedure.

77
Output controlsComputer Screens

• Screens need to be physically secure when output
  is visible.
• Output should be removed when user leaves the
  terminal.
• Return to the screen should require a password.

78
Output controlsPrinted Reports

• Printer rooms need trail of accountability.
• Locks to prevent unauthorized access.
• Logs to sign in anyone entering.
• Logs to sign for reports.
• End user report requests should be password
  protected.
• Network printers should be placed where
  unauthorized persons will not have access.

79
Output controlsPrinted Reports

• Must have record retention and destruction
  policies.
• Mandated by regulatory agency.
• Dictated by company policy.
• Permanent reports must be in secured area.
• Temporary reports must by properly destroyed.

80
(No Transcript)
81
Continuity Controls

• Must develop and follow a sound backup strategy
  to prevent disruption of business activity due to
  computer failures and disasters.
• Two key considerations downtime and cost.
• Shorter downtime requirements equate to higher
  backup costs.

82
Impact Analysis Criteria
Level Impact Financial Criteria Reputation
5 Catastrophic Over 10 million National media coverage or major product withdrawal
4 Intolerable 5 to 10 million Local media coverage and reduced professional reputation
3 Major 1 to 5 million Media coverage in trade publications and customer complaints
2 Significant 50,000 to 1 million Limited coverage in media and some customer complaints
1 Minor Less than 50,000 Negligible impact on reputation
0 No Impact
83
Continuity ControlsBackup Controls Data Backup

• Slow Company
• Can Survive for days without its computer system.
• Would perform full backup each week.
• Medium Company
• Must be back on computers same day.
• Would perform weekly full backups
• Daily incremental backups

84
Continuity ControlsBackup Controls Data Backup

• Fast Company
• Must be back on computers within hours
• Needs daily full backup
• Hourly incremental backups
• Lightening Company
• Must be back on computers within minutes
• Needs real-time backup
• Simultaneouse updating on remote computer

85
Continuity ControlsStorage location hardware
redundancy

• Physical Vaulting
• One backup on-site, one off-site
• On site copy is readily accessible if no disaster
• Off-site copy retrievable if disaster
• Strategy involves more time and money

86
Continuity ControlsStorage location hardware
redundancy

• Electronic Vaulting
• Send backup data over a communications network
  (such as the Internet) to an off-site storage
  medium.
• Send to home of employee.
• Send to another company location.
• Purchase outside service.
• Costs and accessibility are considerations.

87
Continuity ControlsStorage location hardware
redundancy

• Hardware Backup usually needed for component
  failures
• Power supplies
• Anything with moving parts
• There are 3 common configurations for redundant
  storage devices
• Redundant Array of Independent Disks (RAID)
• Network Attached Storage (NAS)
• Server Area Network (SAN)

88
Continuity ControlsRedundant Array of
Independent Disks (RAID)

• Disk mirroring
• Data is simultaneously written to the primary
  disk and one or more redundant disks
• Disk striping
• An array of at least three, but usually five,
  disks is established
• scheme of parity checks is utilized
• if one disk drive in the array fails, the
  remaining drives can reconstruct the data on the
  failed drive and continue processing

89
RAID Mirroring and Striping Disk Mirroring (RAID)
Duplicate Recording On single mirrored disk
90
RAID Mirroring and Striping Disk Striping (RAID)
Duplicate Recording On an array of disks
91
Continuity ControlsNetwork Attached Storage
(NAS)

• Integrates one or more storage devices, (NAS
  appliances,) into the local area network (LAN) .
• Comprised of one or more disk drives and an
  internal controller.
• Employs RAID technology to ensure hardware
  redundancy.
• Can be shared by multiple users on the network.
• Appliances are relatively affordable and
  scalable

92
(No Transcript)
93
Continuity ControlsServer Area Network (SAN)

• Expands NAS to wide area networks (WAN).
• SAN is a dedicated network.
• SAN can be linked to multiple LANs.
• Multiple SANs can be simultaneously utilized.
• SAN can be expensive and technically complicated
• Capable of handling very high volumes
• SAN is a great solution for large companies.
• SAN is designed to be very fault tolerant.

94
LAN
Wide Area Network
Input-Output Controller
Storage Area Network (SAN)
Disk Storage
Disk Storage
Disk Storage
Disk Storage
95
Disaster Recovery Controls

• The first step is to plan for various disaster
  scenarios
• a) a single server is damaged
• b) an entire company site is demolished
• c) multiple company locations are simultaneously
  stuck with disaster
• d) the entire company is destroyed?

96
Disaster Recovery Controls

• IT managers and auditors should plan for what,
  who, when, where, how, which and why.
• determine what just happened
• specify who to contact, in what order, and what
  they are expected to do
• when to enact the remainder of the contingency
  plan

97
Disaster Recovery Controls

• where to transfer the lost computer processing
  load
• Plan to shift to one or more alternate company
  locations
• Establish contractual relationships with peer
  companies in the same industry
• Affordable, but needs may not be a priority.
• Compatibility problems with operation systems
• Establish contractual relationships with
  third-party providers of alternate computing
  sites.

98
Disaster Recovery Backup Strategy

• Fully mirrored recovery operations
• Requires building that have linkages between the
  live site and the backup facility
• Switchable Hot site facility
• Arrangement with a vendor who will guarantee to
  maintain an identical site with communications to
  enable the transfer of all data processing within
  an agreed time period
• Traditional hot site
• Have a contract with a disaster recovery vendor
  with a compatible site
• Cold Site
• Includes building basic infrastructure
• Establishing emergency site space to allow the
  enterprise to begin processing

99
Disaster Recovery Backup Strategy

• Relocate and restore
• Identification of a suitable location, hardware,
  and peripherals and the reinstallation of systems
  after an emergency has occurred
• No Strategy
• No backup and restore strategy

100
Disaster Recovery Controls

• How is the company going to get the computer
  hardware, people, software and data to the
  alternate site?
• Which applications are mission critical?
• Why one application or set of applications is
  more time sensitive than another ?

101
DRP plans

• Detailed descriptions of IT systems components,
  including both IT servers, storage resources and
  network connection
• A summary of applications and key supporting data
• Detailed descriptions of the servers and other
  hardware
• The communication network, such as telephone,
  radio, wireless and Internet linkages
• External, third party connections
• IT infrastructure components, including logon
  services, software distribution and remote access
  services
• All supporting information management systems,
  including file rooms and both electric and manual
  document management systems

102
Internal Audit DRP Review Points

1. Review the existing DRP with the responsible
   manager
2. Examine the contents and format of DRP
3. Review the overall training and understanding of
   DRP
4. Review the results of recent DRP tests
5. Review of DRP backup procedures
6. Prepare IT internal audit documentation assessing
   the overall adequacy of the organizations DRP

103
Disaster Recovery Controls

• All affected parties need to be involved in
  planning phase.
• The disaster recovery plan is a living document.
• It must be reviewed and updated on a recurrent
  basis.
• Everyone involved should be initially trained and
  required to attend periodic refresher sessions.
• Portions of the recovery plan should be tested on
  an unannounced basis.