Chapter 8 - Controlling Information Systems: Introduction to Pervasive Controls Accounting Information Systems 8e Ulric J. Gelinas and Richard Dull © 2010.


1 Chapter 8 - Controlling Information Systems: Introduction to Pervasive Controls
Accounting Information Systems 8e, Ulric J. Gelinas and Richard Dull
© 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.

2 Learning Objectives
– Describe the major pervasive controls that organizations employ as part of their internal control structure.
– Explain how pervasive controls help ensure continuous, reliable operational and IT processes.
– Appreciate how an organization must plan and organize all resources, including IT resources, to ensure achievement of its strategic vision.
– Overview the major controls used to manage the design and implementation of new processes, especially new IT processes.
– Appreciate the integral part played by the monitoring function in ensuring the overall effectiveness of a system of internal controls.

3 Summary of Organizational Control Plans

4 Illustration of Segregation of Duties

5 Personnel Policy Control Plans
Selection & Hiring Control Plans
– Qualified personnel, including technical background
Retention Control Plans
– Retaining may be harder than hiring
– Provide challenging work and opportunities for advancement
Personnel Development Control Plans
– Training and development

6 Personnel Policy Control Plans (cont'd.)
Personnel Management Control Plans
– Personnel Planning Control Plans: skills, turnover, filling positions
– Job Description Control Plans: job descriptions written and kept up to date
– Supervision Control Plans: approving, monitoring, and observing the work of others
– Personnel Security Control Plans: rotation of duties, forced vacations, bonding
Personnel Termination Control Plans
– Procedures for when an employee voluntarily or involuntarily leaves the organization.

7 Monitoring Control Plans
– Assessment to determine whether control plans continue to function over time.
– Timely communication of control weaknesses.
– Appropriate corrective action.
– Differ from normal control plans in that they verify the operation of the normal control plans.

8 Organizational Governance vs. IT Governance
– Organizational governance: the processes organizations employ to select objectives, establish processes to achieve those objectives, and monitor performance.
– IT governance: the process that ensures the enterprise's IT sustains and extends the organization's strategies and objectives.

9 Hypothetical Computer System

10 Hypothetical Computer System
– Consists of one or more servers clustered together and housed in a computer room within the organization's headquarters.
– Connected to printers, external storage devices, and PCs (clients) located within the building, and to PCs located in the organization's other facilities.
– Connections are via networks (LANs or WANs).
– Computer facilities operated by other organizations are connected, perhaps via the Internet and through firewalls, to the internal servers, PCs, and other equipment.

11 Information Systems Organization

12 Summary of IT Organization Functions

13 Summary of IT Organization Functions (cont'd.)

14 Summary of IT Organization Functions (cont’d.)

15 Control Objectives for Information and Related Technology (COBIT)
– Developed by the IT Governance Institute to provide guidance on best practices for the management of information technology.
– IT resources must be managed by IT control processes to ensure an organization has the information it needs to achieve its objectives.
– Provides a framework to ensure that IT:
  – is aligned with the business.
  – enables the business and maximizes benefits.
  – resources are used responsibly.
  – risks are managed appropriately.

16 IT Resources
– Applications: automated systems and manual procedures that process information.
– Information: data, in all their forms, that are input, processed, and output by information systems.
– Infrastructure: technology and facilities that enable the processing of the applications.
– People: personnel who plan, organize, acquire, deliver, support, monitor, and evaluate information systems and services.

17 Questions for the IT Control Process
– How can we protect the computer from misuse, whether intentional or inadvertent, from within and outside the organization?
– How do we protect the computer room, and the other rooms and buildings where connected facilities are located?
– Do we have disaster plans in place for continuing our operations?
– What policies and procedures should be established to provide for efficient, effective, and authorized use of the computer?
– What measures can we take to help ensure that the personnel who operate and use the computer are competent and honest?

18 IT Control Domains and Processes

19 IT Control Process Domains
COBIT groups IT processes into four broad domains:
– Plan and organize
– Acquire and implement
– Deliver and support
– Monitor and evaluate

20 IT Control Process Domains
Plan & Organize Domain
– IT Process 1: Establish Strategic Vision for Information Technology
– IT Process 2: Develop Tactics to Plan, Communicate, & Manage Realization of the Strategic Vision
Acquire & Implement Domain
– IT Process 3: Identify Automated Solutions
– IT Process 4: Develop & Acquire IT Solutions
– IT Process 5: Integrate IT Solutions into Operational Processes
– IT Process 6: Manage Changes to Existing IT Systems

21 IT Control Process Domains (cont'd.)
Deliver & Support Domain
– IT Process 7: Deliver Required IT Services
– IT Process 8: Ensure Security & Continuous Service
– IT Process 9: Provide Support Services
Monitor & Evaluate Domain
– IT Process 10: Monitor & Evaluate the Processes

22 IT Process 1: Establish Strategic Vision for Information Technology
– Summary of the organizational strategic plan's goals and strategies, and how they relate to IT.
– IT goals and strategies, and a statement of how each will support organizational goals and strategies.
– An information architecture model encompassing the corporate data model and associated information systems.
– An inventory of current IT capabilities.

23 IT Process 1: Establish Strategic Vision for Information Technology (cont'd.)
– Acquisition and development schedules for hardware, software, and application systems, and for personnel and financial requirements.
– IT-related requirements to comply with industry, regulatory, legal, and contractual obligations, including safety, privacy, transborder data flows, e-business, and insurance contracts.
– IT risks and the risk action plan.
– Process for modifying the plan to accommodate changes to the organization's strategic plan and changes in IT conditions.

24 IT Process 2: Develop Tactics to Plan, Communicate, and Manage Realization of the Strategic Vision
– Manage IT resources.
– Policies consistent with the control environment established by senior management.
– Project-management framework.
– Quality Assurance (QA) plan with activities to ensure the attainment of IT customer requirements.
– Organizational design principles and segregation of duties.

25 Segregation of Duties within the IT Department

26 IT Process 3: Identify Automated Solutions
The SDLC must include procedures to:
– define information requirements
– formulate alternative courses of action
– perform feasibility studies
– assess risks
Solutions should be consistent with the strategic IT plan.
The organization must decide what approach will be taken to satisfy users' requirements:
– whether it will develop the IT solution in-house, OR
– contract with third parties for all or part of the development.

27 IT Process 4: Develop and Acquire IT Solutions
– Develop and acquire application software.
– Acquire technology infrastructure.
– Develop service level requirements and application documentation, which typically includes:
  – Systems documentation
  – Program documentation
  – Operations run manual
  – User manual
  – Training materials

28 IT Process 5: Integrate IT Solutions into Operational Processes
– Provide for a planned, tested, controlled, and approved conversion to the new system.
– Conduct a post-installation review to determine that the new system has met users' needs in a cost-effective manner.

29 IT Process 6: Manage Changes to Existing IT Systems
– Changes to the IT infrastructure must be managed via change request, impact assessment, documentation, authorization, and release and distribution policies and procedures.
– Program change controls provide assurance that all modifications to programs are authorized, and that changes are completed, tested, and properly implemented.
– These controls take on a higher level of significance with enterprise systems because of the interdependence and complexity of the business processes and their connections.

30 Program Change Controls

31 IT Process 7: Deliver Required IT Services
– Define service levels
  – Minimum levels must be established so that quality of service can be evaluated
– Manage third-party services
– Manage IT operations
– Manage data (backup)
  – Pervasive and application controls must be established to protect data
– Identify and allocate costs

32 Delivering Required Services

33 IT Process 8: Ensure Security and Continuous Service
Ensure Continuous Service
– Business continuity planning identifies events that may threaten an organization and provides a framework to ensure operations will continue.
Secure IT Assets
– Restrict physical access to computer facilities.
– Restrict logical access to stored programs, data, and documentation.
Ensure Physical Security
– Fire: smoke detectors, fire alarms, fire extinguishers, fire-resistant construction materials, insurance.
– Water: waterproof ceilings, walls, and floors; adequate drainage; water and moisture detection alarms; insurance.
– Dust: regular cleaning of rooms and equipment, dust-collecting rugs at entrances, separating dust-generating activities from the computer, good housekeeping.
– Power: voltage regulators, backup batteries and generators.

34 Restricting Access to Computing Resources: Layers of Protection

35 Hacking Techniques

36 Environmental Controls

37 IT Process 9: Provide Support Services
– Identify training needs of all personnel, internal and external.
– Conduct timely training sessions.
– Provide assistance through a "help desk" function.

38 IT Process 10: Monitor and Evaluate the Processes
– Establish a system for defining service indicators
– Gather data about processes
– Generate performance reports
– Outside confirmation based on independent review: WebTrust - ISP

39 Trust Services Principles