Chapter Five MANAGING THE IT FUNCTION

Presentation transcript:

1 Chapter Five MANAGING THE IT FUNCTION

2 Organizing the IT Function
Locating the IT Function – to whom should the IT manager report?
Structuring the IT Function – often determined by cultural, political and economic forces inherent in each organization.

3 Internal control considerations within an IT function
Separate from one another:
–systems development
–computer operations
–computer security
Must vest in different people:
–Authorizing Transactions
–Recording Transactions
–Maintaining Custody of Assets

4 Systems Development
Staff has access to operating systems, business applications and other key software.
Systems developers are authorized to create and alter software logic; therefore, they should not be allowed to process information.
They should not maintain custody of corporate data and business applications.

5 Computer Operations
Operations staff are responsible for:
–Entering data (similar to the internal control concept of ‘authorizing transactions’)
–Processing information (similar to the internal control concept of ‘recording transactions’)
–Disseminating output (similar to the internal control concept of ‘maintaining custody’)
Must segregate duties.

6 Computer Security
Responsible for the safe-keeping of resources
–includes ensuring that business software applications are secure.
–responsible for the safety (‘custody’) of corporate information, communication networks and physical facilities
Systems analysts and programmers should not have access to the production library.
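The segregation rules on slides 3 to 6 can be checked mechanically against a duty roster. The following is an added example, not part of the slides: the roster, the duty names and the "production_library" resource name are constructed for illustration.

```python
"""Segregation-of-duties check for an IT function roster.

Added example, not from the slides. Given who holds which duties, it flags
the combinations the slides say must be vested in different people:
authorize / record / custody, and systems development / computer
operations / computer security, plus developers with production library
access. The roster at the bottom is constructed for illustration.
"""

# Duty groups that must not be held by one person (slides 3 and 6).
INCOMPATIBLE_GROUPS = [
    {"authorize", "record", "custody"},
    {"systems_development", "computer_operations", "computer_security"},
]

# Operations tasks mapped to the control concept they resemble (slide 5).
OPERATIONS_EQUIVALENTS = {
    "enter_data": "authorize",
    "process_information": "record",
    "disseminate_output": "custody",
}

# Resources a developer must not reach (slide 6). Resource name is hypothetical.
FORBIDDEN_FOR_DEVELOPERS = {"production_library"}


def normalize(duties):
    """Translate operations tasks into their control-concept equivalents."""
    return {OPERATIONS_EQUIVALENTS.get(d, d) for d in duties}


def find_violations(roster):
    """Return a sorted list of (person, reason) for every conflict found.

    roster maps a person to {"duties": set of duty names, "access": set of resources}.
    """
    violations = []
    for person, record in roster.items():
        duties = normalize(record.get("duties", set()))
        for group in INCOMPATIBLE_GROUPS:
            held = sorted(duties & group)
            if len(held) > 1:
                violations.append(
                    (person, "holds incompatible duties: " + ", ".join(held))
                )
        if "systems_development" in duties:
            for resource in sorted(record.get("access", set()) & FORBIDDEN_FOR_DEVELOPERS):
                violations.append((person, f"developer has access to {resource}"))
    return sorted(violations)


# Constructed sample roster: one developer with production access, one
# operator who both enters and processes data, and two clean assignments.
SAMPLE_ROSTER = {
    "alice": {"duties": {"systems_development"},
              "access": {"test_library", "production_library"}},
    "bob":   {"duties": {"enter_data", "process_information"}, "access": set()},
    "carol": {"duties": {"computer_security"}, "access": {"production_library"}},
    "dave":  {"duties": {"enter_data"}, "access": set()},
}

if __name__ == "__main__":
    for person, reason in find_violations(SAMPLE_ROSTER):
        print(f"{person}: {reason}")
```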

7 Funding the IT Function
Must be adequately funded to fulfill strategic objectives.
–Audit risk of under-funding: heavy workloads can lead to a culture of ‘working around’ the system of internal controls.
Two funding approaches
–Cost Center
–Profit Center
»Negative outcome: IT can build excessive expenses into billing rates until the rates exceed the costs of outside providers.
»The auditor should confirm that a reasonableness check is performed at least annually to ensure that billing rates are not excessive.

8 Staffing the IT Function
Business and audit risks can be effectively controlled via sound human resource procedures.
–Hiring
–Recruiting
–Verifying
–Testing
–Interviewing
–Reviewing
–Rewarding
–Evaluating
–Compensating
–Promoting
–Training
–Terminating

9 Compensation Issues: Compression and Inversion
Compression: the compensation of newly hired employees gets very close to that of experienced employees in similar positions, or the compensation of subordinates is nearly the same as that of their superiors.
Inversion: the compensation of new hires is greater than that of more experienced employees in the same position, or the compensation of subordinates exceeds that of superiors.

10 Terminating
A disgruntled employee can disrupt the company’s systems and controls.
The IT function needs to design and implement countervailing controls:
–backup procedures
–checks-and-balances
–cross-training
–job rotations
–mandated vacations
–immediately separate terminated employees from the computing environment
–terminate all computer privileges

11 Directing the IT Function: Administering the Workflow
Effective capacity planning
Schedule and perform the work
–Have enough resources for peaks yet minimize idle time
Develop formal workload schedules
Monitor performance
Identify actual-to-planned workload variances
Continually adjust

12 Managing the Computing Environment
The IT manager must
–understand how the infrastructure elements work together:
»Computer hardware
»Network hardware
»Communication systems
»Operating systems
»Application software and data files
–establish policies for acquiring, disposing of, and accounting for inventory
–track rented equipment and software
–comply with licensing agreements

13 Managing the Computing Environment
The IT manager must ensure the physical environment is safe for humans and computers, with
–Fire suppression systems in place
–A tested fire evacuation plan
–A climate-controlled environment
–Facilities that are inconspicuous in location and design
–Compliance with appropriate safety and health regulations

14 Third Party Services
Examples:
–Internet service providers (ISP), ASP, MSP
–Communication companies
–Security firms
–Call centers
Policies must be established for purchase, use, and termination of 3rd party services.
–Must ensure the security and confidentiality of company information.
–Must have a plan for disruption of services.
–Must have a backup and recovery plan in place.

15 Assisting Users
Training and Education
–Identify training needs.
–Design curricula.
–Deliver programs.
–Use outside training programs.
Help Desk
–Design and monitor effective ways to assist users when they request help.
–Effective handling of problems and incidents requires a formal set of policies and procedures.

16 Controlling the IT Function
The major control categories involved in the IT function are
–Security
–Input
–Processing
–Output
–Databases
–Backup and recovery (continuity)
Each of these categories is intended to minimize business and audit risk via internal controls.

17 Security Controls
Secure the computing infrastructure from internal and external threats.
A compromise of the infrastructure can result in:
–business risk
»network downtime
»database corruption
–audit risk
»material misstatements in accounts due to incomplete or inaccurate data capture

18 Physical Security
Focuses on keeping facilities, computers, communication equipment and other tangible aspects of the computing infrastructure safe.
Access Restriction
–Authorized personnel only; visitors must be accompanied by authorized personnel at all times.
–Entry security: security guards, keys, card readers, etc.
Monitoring who is entering, roaming and leaving the facility.
–Security guards
–Video cameras
–Penetration alarms

19 Security Issues: Physical Controls vs. Logical Controls
Access Controls
–Physical: Security Guards; Locks & Keys; Biometric Devices
–Logical: ID and Passwords; Authorization Matrix; Firewalls & Encryption
Monitor Controls
–Physical: Security Guards; Video Cameras; Penetration Alarms
–Logical: Access Logs; Supervisory Oversight; Penetration Alarms
Review Controls
–Physical: Formal Reviews; Sign-in Logs; Violation Investigations
–Logical: Formal Reviews; Activity Logs; Violation Investigations
Penetration Tests
–Physical: Unauthorized attempts to enter IT facilities; attempts to break in through vulnerable points; as an authorized visitor, attempts to leave authorized personnel and wander around the facility without oversight
–Logical: Unauthorized attempts to enter servers and networks; attempts to override access controls (hacking); as an authorized user, attempts to use unauthorized applications and view unauthorized information

20 Physical Security
Communication & Power Lines
–monitor the primary communication and power lines
–install secondary (backup) lines in case the primary lines fail
–UPS (uninterruptible power supply)

21 Logical Security
Data and software are known as the ‘logical’ components of the infrastructure:
–Corporate data
–Computer software
»user applications
»network management software
»communication systems
»operating systems

22 Logical Security Points of Entry
Computer Terminal
–Supply authorized ID
–Password
Network/Internet
–Controls need to cover external access points
–Firewalls
–Track failed attempts to enter the system

23 Information Controls
Controls need to be in place and working effectively to ensure the integrity and accuracy of vital decision-making information.
–Input
–Processing
–Output
Must integrate sound backup controls.

24 Information Controls: Input Controls
The company must have and follow written procedures regarding the proper authorization, approval and input of accounting transactions.
These are incompatible functions.
–They should be carefully segregated, to the extent possible, and controlled.

25 Information Controls: Input Controls – 3 Scenarios – #1
A customer purchases goods at a store counter.
–Authorizing the sale
A cashier records the sale on the cash register.
–Approving the sale; balances the register; logs into the register with an ID
An accounting clerk later processes cash register sales in batches.
–Inputs sales transactions into the accounting system in batches

26 Process Controls
Validating
Error Handling
Updating

27 Output Controls
Only properly authorized parties can request certain output:
–computer screens
–printed reports
Must have record retention and destruction policies per regulatory and company rules.
–Permanent reports must be kept in a secured area.
–Temporary reports must be properly destroyed.

28 Output Controls: Computer Screens
Screens need to be physically secure when output is visible.
Output should be removed when the user leaves the terminal.
Return to the screen should require a password.

29 Database Controls: Roll-back and Recovery
When there is an interruption, the database management system (DBMS) begins to restore.
There are numerous technical processes depending on the DBMS in use.

30 Database Controls: Concurrency Control
Multiple users attempt to read/update the same data item simultaneously.
A common way to prevent concurrency problems is to lock a database object while it is in use.
–Coarse level – the database is locked during updates.
–Moderate level – the database locks at the tuple (record) level.
–Fine level – the database locks at the attribute (field) level.
–A finer level of locking granularity equates to slower computer performance.

31 Continuity Controls
Must develop and follow a sound backup strategy to prevent disruption of business activity.
–Two key considerations: downtime and cost.
–Shorter downtime requirements equate to higher backup costs.
Backup Types
–Normal (full), Copy*
–Incremental, Differential*
–Daily*
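The five backup types differ in which files they select and whether they reset the archive flag, which in turn decides how many backup sets a restore needs. The simulator below is an added example, not from the slides; it assumes the archive-flag semantics of the classic Windows Backup types the slide names, and its file names and schedules are constructed.

```python
"""Simulator for the backup types on the slide and the restore chain each one
implies.

Added example, not from the slides. It assumes the archive-flag semantics of
the classic Windows Backup types the slide lists: Normal (full) and
Incremental copy files and clear the flag; Copy and Differential copy files
but leave the flag set; Daily copies files modified on the given day and
leaves the flag. The file set and schedules are constructed.
"""
from datetime import date, timedelta


class BackupSet:
    """A tiny file system: {name: {"modified": date, "archive": bool}}."""

    def __init__(self, files):
        self.files = {name: dict(attrs) for name, attrs in files.items()}

    def modify(self, name, on):
        """A user changes (or creates) a file on date `on`; the flag is set."""
        self.files[name] = {"modified": on, "archive": True}

    def run(self, kind, today=None):
        """Perform one backup of the given kind and return the names copied."""
        kind = kind.lower()
        if kind in ("normal", "full", "copy"):
            selected = sorted(self.files)
        elif kind in ("incremental", "differential"):
            selected = sorted(n for n, f in self.files.items() if f["archive"])
        elif kind == "daily":
            selected = sorted(n for n, f in self.files.items() if f["modified"] == today)
        else:
            raise ValueError(f"unknown backup type: {kind}")
        if kind in ("normal", "full", "incremental"):   # only these clear the flag
            for name in selected:
                self.files[name]["archive"] = False
        return selected


def run_schedule(schedule, files, start=date(2024, 1, 1)):
    """Run one backup per day; a new file is modified each day after the first.

    Returns {day_index: files copied}, so incremental and differential
    schedules can be compared side by side.
    """
    fs = BackupSet(files)
    copied = {}
    for i, kind in enumerate(schedule):
        day = start + timedelta(days=i)
        if i > 0:
            fs.modify(f"day{i}.dat", day)
        copied[i] = fs.run(kind, today=day)
    return copied


def restore_chain(schedule):
    """Indices of the backups needed to restore the state after the last run.

    Every incremental since the last full is needed; a differential is needed
    only if no incremental has cleared the flags after it.
    """
    kinds = [k.lower() for k in schedule]
    last_full = max(i for i, k in enumerate(kinds) if k in ("normal", "full"))
    needed, pending_diff = [last_full], None
    for i in range(last_full + 1, len(kinds)):
        if kinds[i] == "incremental":
            needed.append(i)
            pending_diff = None      # its content is now inside the incremental
        elif kinds[i] == "differential":
            pending_diff = i         # the latest differential supersedes earlier ones
    if pending_diff is not None:
        needed.append(pending_diff)
    return needed


# Constructed starting file set: both files flagged as not yet backed up.
FILES = {"ledger.dat": {"modified": date(2023, 12, 31), "archive": True},
         "payroll.dat": {"modified": date(2023, 12, 31), "archive": True}}

if __name__ == "__main__":
    for sched in (["normal", "incremental", "incremental"],
                  ["normal", "differential", "differential"]):
        print(sched, run_schedule(sched, FILES), "restore from", restore_chain(sched))
```

The differential schedule copies more each day but restores from two sets; the incremental schedule copies less but needs every set since the last full backup, which is the downtime-versus-cost trade-off the slide describes.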

32 Continuity Controls: Backup Controls – Data Backup
Fast Company
–Must be back on computers within hours
–Needs daily full backup
–Hourly incremental backups
Lightning Company
–Must be back on computers within minutes
–Needs real-time backup
–Simultaneous updating on a remote computer

33 Continuity Controls: Storage Location & Hardware Redundancy
Physical Vaulting
–One backup on-site, one off-site
»On-site copy is readily accessible if there is no disaster
»Off-site copy is retrievable if there is a disaster
Electronic Vaulting
–Send backup data over a communications network (such as the Internet) to an off-site storage medium.
–This strategy involves more time and money.

34 Continuity Controls: Storage Location & Hardware Redundancy
Hardware backup is usually needed for component failures:
–Power supplies
–Anything with moving parts
There are 3 common configurations for redundant storage devices:
–Redundant Array of Independent Disks (RAID)
–Network Attached Storage (NAS)
–Server Area Network (SAN)

35 Continuity Controls: Redundant Array of Independent Disks (RAID)
Disk mirroring
–Data is simultaneously written to the primary disk and one or more redundant disks
Disk striping
–An array of at least three, but usually five, disks is established
–A scheme of parity checks is utilized
–If one disk drive in the array fails, the remaining drives can reconstruct the data on the failed drive and continue processing
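The parity scheme behind striping is ordinary XOR: the parity chunk of each stripe is the XOR of the data chunks, so any one missing chunk is the XOR of the rest. The following is an added example, not from the slides, modelling a fixed-parity-disk layout (RAID 4; RAID 5 rotates the parity chunk across disks without changing the arithmetic); the payload is constructed.

```python
"""Disk striping with parity, and rebuilding a failed drive.

Added example, not from the slides. Each stripe of data is split into equal
chunks across N-1 data disks, and one parity chunk (the XOR of those data
chunks) goes to the last disk. Losing any one disk, data or parity, is
recoverable by XOR-ing the survivors. The payload is constructed.
"""
from functools import reduce


def xor_bytes(chunks):
    """XOR equal-length byte strings together; the basis of the parity scheme."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*chunks))


def stripe(data, n_disks, chunk=4):
    """Spread `data` over `n_disks`; returns a list of per-disk chunk lists.

    The slide's minimum of three disks is enforced: two data disks plus parity.
    """
    if n_disks < 3:
        raise ValueError("a striped array needs at least three disks")
    data_disks = n_disks - 1
    stripe_len = chunk * data_disks
    padded = data + b"\x00" * (-len(data) % stripe_len)   # pad the last stripe
    disks = [[] for _ in range(n_disks)]
    for offset in range(0, len(padded), stripe_len):
        pieces = [padded[offset + i * chunk: offset + (i + 1) * chunk]
                  for i in range(data_disks)]
        for d, piece in enumerate(pieces):
            disks[d].append(piece)
        disks[-1].append(xor_bytes(pieces))                # parity chunk
    return disks


def rebuild(disks, failed):
    """Reconstruct the contents of disk `failed` from the surviving disks.

    Works for a data disk or the parity disk: the XOR of all other chunks in
    a stripe equals the missing chunk.
    """
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_bytes(stripe_chunks) for stripe_chunks in zip(*survivors)]


def read_back(disks, length):
    """Reassemble the original bytes from the data disks (parity excluded)."""
    n_stripes = len(disks[0])
    out = b"".join(disks[d][s] for s in range(n_stripes) for d in range(len(disks) - 1))
    return out[:length]


def survive_one_failure(data, n_disks, failed):
    """Stripe, lose one disk, rebuild it, and return the data read afterwards."""
    disks = stripe(data, n_disks)
    disks[failed] = None                       # simulate the drive failure
    disks[failed] = rebuild(disks, failed)     # rebuild onto a replacement drive
    return read_back(disks, len(data))


if __name__ == "__main__":
    payload = b"General ledger batch 0042: 17 transactions posted"   # constructed
    for lost in range(5):
        assert survive_one_failure(payload, 5, lost) == payload
    print("every single-disk failure in a 5-disk array was recovered")
```

A second simultaneous failure leaves two unknowns per stripe and a single parity equation, which is why the slide's scheme tolerates exactly one failed drive.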

36 Continuity Controls: Network Attached Storage (NAS)
Integrates one or more storage devices (NAS appliances) into the local area network (LAN).
Comprised of one or more disk drives and an internal controller.
Employs RAID technology to ensure hardware redundancy.
Can be shared by multiple users on the network.
Appliances are relatively affordable and scalable.

37 (Diagram: User #1, User #2, Printer, Scanner and Network Attached Storage (NAS) connected on the LAN)

38 Continuity Controls: Server Area Network (SAN)
Expands NAS to wide area networks (WAN).
A SAN is a dedicated network.
A SAN can be linked to multiple LANs.
Multiple SANs can be simultaneously utilized.
A SAN can be expensive and technically complicated.
Capable of handling very high volumes.
A SAN is a great solution for large companies.
A SAN is designed to be very fault tolerant.

39 (Diagram: an Input-Output Controller linking several Disk Storage units to the Wide Area Network)

40 Disaster Recovery Controls
IT managers and auditors should plan for what, who, when, where, how, which and why.
–What: determine what just happened
–Who: specify who to contact, in what order, and what they are expected to do
–When: when to enact the remainder of the contingency plan
–Where: where to transfer the lost computer processing load

41 Disaster Recovery Controls (where)
Three Levels:
1. Cold Site: includes building & basic infrastructure
»bring own computing equipment
»establish the necessary infrastructure
–telephone service, Internet connections
–specialized computer cooling systems (if needed)
–unique power requirements
2. Warm Site: provides basic computer needs
»Not the computers
3. Hot Site: Ready to go!
»Complete with computers
»Operating system

42 Disaster Recovery Controls
How is the company going to get the computer hardware, people, software and data to the alternate site?
Which applications are mission critical?
Why is one application or set of applications more time sensitive than another?
All affected parties need to be involved in the planning phase.
The plan must be reviewed and updated on a recurring basis.