Controlling Information Systems: IT Processes

Learning Objectives Controlling Information Systems: IT Processes Learn the major IT resources Appreciate the problems in providing adequate controls over IT resources Study major IT control processes and practices organization use to manage IT resources Understand how IT and personnel control plans can help an organization achieve its strategic vision for IT Overview the major steps in acquiring and implementing new IT resources Examine business continuity and security controls that help ensure continuous, reliable IT service Value the integral part played by the monitoring function in ensuring the overall effectiveness of a system of internal controls Controlling Information Systems: IT Processes

Internal Control Processes on AIS Wheel In this chapter, we continue our investigation of internal accounting controls, as indicated by the shaded areas on the AIS Wheel icon. Herein, you will learn how to control information technology resources and processes, which form the underpinning of accounting information systems. Importantly, you will be exposed to a fundamental control concept that must be incorporated into every aspect of an organization; that is, managers need to segregate four key functions: authorizing events executing events recording events safeguarding resources.

Control Objectives for Information Technology (COBIT) Developed by the Information Systems Audit and Control Foundation to provide guidance—to managers, users, and auditors—on the best practices for the management of information technology. According to COBIT IT resources must be managed by IT control processes to ensure that the organization has the information it needs to achieve its objectives. Exhibit 8.1 defines the IT resources that must be managed and Chapter 1 describes the qualities that this information must exhibit in order for it to be of value to the organization.

IT Resources Data: Objects in their widest sense (i.e., external and internal), structured and nonstructured, graphics, sound, etc. Application systems: Application systems are understood to be the sum of manual and programmed procedures reflecting business processes. Technology: Technology covers hardware, operating systems, database management systems, networking, multimedia, etc. Facilities: Facilities are all resources used to house and support information systems. People: People include staff skills; awareness; and productivity to plan, organize, acquire, deliver, support, and monitor information systems and services.

A Hypothetical Computer System The IT resources are typically configured with some or all of the elements shown in Figure 8.1 This computer system consists of one or more mainframe computers connected to several networked client computers (CCs) and PCs perhaps through an LAN and to PCs and CCs located in the organization’s other facilities, perhaps through a WAN Computer facilities operated by other organizations are connected, perhaps via the Internet and through a firewall to the mainframe, servers, and PCs.

Hypothetical Computer System: Figure 8.1

Questions for the IT Control Process How we can protect the computer from misuse, whether intentional or inadvertent, from within and outside the organization? How do we protect the computer room, and other rooms and buildings where connected facilities are located? Do we have disaster plans in place for continuing our operations? What policies and procedures should be established to provide for efficient, effective, and authorized use of the computer? What measures can we take to help ensure that the personnel who operate and use the computer are competent and honest?

Organization Structures Centralized: CIO is central leader of all information system functions Decentralized: Assigns personnel to non-central (e.g., departments) organizational units Functional organization: Assigns personnel to skills-based units (e.g., programming, systems analysis). Used by both decentralized and centralized organizations Matrix: Assembles work groups or teams, comprised of members from different functional areas, under the authority of a team leader Project: Establishes permanent systems development structures such as “Financial Systems Development”

Centralized Information System Organization

Summary of Information Systems Functions

Summary of Information Systems Functions (continued)

Summary of Information Systems Functions (continued)

COBIT COBIT organizes IT internal control into domains and process Domains include: Planning and organization Acquisition and implementation Delivery and support Monitoring Processes detail steps in each domain

IT Control Domains and Processes

IT Control Processes & Domains Planning & Organization Domain IT Process 1: Establish strategic vision IT Process 2: Develop tactics to realize strategic vision Acquisition & Implementation Domain IT Process 3: Identify automated solutions IT Process 4: Develop & acquire IT solutions IT Process 5: Integrate IT solutions into operations IT Process 6: Manage change to existing IT systems

IT Control Processes & Domains (cont.) Delivery & Support Domain IT Process 7: Deliver required IT services IT Process 8: Ensure security & continuous service IT Process 9: Provide support services Monitoring Domain IT Process 10: Monitor Operations

IT Process 1 Elements of Strategic IT Plan A summary of the organizational strategic plan’s goals and strategies, and how they are related to the information systems function. IT goals and strategies, and a statement of how each will support organizational goals and strategies. An information architecture model encompassing the corporate data model and the associated information systems. An inventory of current information systems capabilities.

IT Process 1: Elements of Strategic IT Plan Acquisition and development schedules for hardware, software, and application systems and for personnel and financial requirements. IT-related requirements to comply with industry, regulatory, legal, and contractual obligations, including safety, privacy, transborder data flows, e-Business, and insurance contracts. IT risks and risk action plan Process for modifying the plan to accommodate changes to the organization’s strategic plan and changes in information technology conditions.

IT Process 2 Organizational Control Plans Segregation of duties control plan Organizational Control Plans for the Information Systems Function Personnel Control Plans

Segregation of Duties

Segregation of Duties Applied to IS Function

IT Process 2: Organizational Control Plans Organizational Control Plans for the Information Systems Function The information systems function (ISF) normally acts in a service capacity for other operating units in the organization. In this role, it should be limited to carrying recording events and posting event summaries. Approving and executing events along with safeguarding resources should be carried out by departments other than IS.

IT Process 2: Organizational Control Plans Within the ISF we segregate duties Data librarian grants access to stored data and programs to authorized personnel to reduce the risk of unauthorized computer operation by programmers or unauthorized programming by operators. The security officer assigns passwords, monitors employees’ network access, grants security clearance for sensitive projects, and works with human resources on interview practices and background checks The information technology steering committee Coordinates the organizational and IT strategic planning processes Reviews and approves the strategic IT plan Helps the organization establish and meet user information requirements Help ensure effective and efficient use of IT resources. The committee should consist of about seven executives from major functional areas of the organization, including the information systems executive; report to senior management; and meet regularly.

IT Process 2: Personnel Control Plans Selection & Hiring Control Plans Qualified personnel including technical background Retention Control Plans Retaining may be harder than hiring Provide challenging work and opportunities for advancement Personnel Development Control Plans Training and development Personnel Management Control Plans Personnel Planning Control Plans Skills, Turnover, Filling Positions Job Description Control Plans Job descriptions written and updated Supervision Control Plans Approving, monitoring, and observing the work of others Personnel Security Control Plans Rotation of duties, Forced vacations, Bonding Personnel Termination Control Plans procedures when an employee voluntarily or involuntarily leaves an organization.

IT Process 3: Identify Automated Solutions To ensure selection of the best approach to satisfying users’ IT requirements, an organization’s systems development lifecycle must include procedures to: define information requirements formulate alternative courses of action perform technological, economic, and operational feasibility studies; assess risks Solutions should be consistent with the strategic information technology plan At completion of this process Organization must decide what approach will be taken to satisfy users’ requirements, and whether it will develop the IT solution in-house or will contract with third parties for all or part of the development

IT Process 4 Develop/Acquire IT Solutions Develop and Acquire Application Software Acquire Application Infrastructure Develop Service Level Requirements and Application Documentation which typically includes the following: Systems documentation Program documentation Operations run manuals User manuals Training materials

IT Process 5: Integrate IT Solutions Into Operational Processes To ensure that a new or significantly revised system is suitable, the organization’s SDLC should provide for a planned, tested, controlled, and approved conversion to the new system. After installation, the SDLC should call for a review to determine that the new system has met users’ needs in a cost-effective manner. When organizations implement enterprise systems, the successful integration of new information systems modules into existing information and operations processes becomes more difficult and more important. The challenges are the result of the interdependence of the business processes and the complexity of these processes and their connections. Any failure in a new system can have catastrophic results.

IT Process 6: Manage Changes to Existing IT Systems To ensure processing integrity between versions of systems and to ensure consistency of results from period to period, changes to the IT infrastructure (hardware, systems software, and applications) must be managed via change request, impact assessment, documentation, authorization, release and distribution policies, and procedures. Program change controls provide assurance that all modifications to programs are authorized, and ensure that the changes are completed, tested, and properly implemented. Changes in documentation should mirror the changes made to the related programs.

IT Process 7: Deliver Required IT Services Define service levels Manage Third-party services Manage IT Operations Manage data (backup) Identify and allocate costs

IT Process 8: Ensure Security & Continuous Service Ensure Continuous Service Disaster recovery planning; Contingency planning; Business interruption planning; Business continuity planning. Restricting Access to Computing Resources Restrict physical access to computer facilities. Restrict logical access to stored programs, data, and documentation. Ensure Physical Security Smoke detectors, fire alarms, fire extinguishers, fire-resistant construction materials, insurance Waterproof ceilings, walls, and floors; adequate drainage; water and moisture detection alarms; insurance Regular cleaning of rooms and equipment, dust-collecting rugs at entrances, separate dust-generating activities from computer, good housekeeping Voltage regulators, backup batteries and generators

IT Process 8 (Cont.)

IT Process 9: Provide Support Services Identify the training needs of all personnel, internal and external, who make use of the organization’s information services, and should see that timely training sessions are conducted. Assistance through a “help desk” function

IT Process 10: Monitor Operations Gather data about processes Generate performance reports WebTrust - ISP

Web Trust Principles