MANAGING THE IT FUNCTION Chapter Five

Presentation transcript:

1 MANAGING THE IT FUNCTION Chapter Five

2 Organizing the IT Function The IT function must be organized and structured. The IT manager must define the role and articulate the value of the IT function. Its configuration within a company depends on external and internal organizational factors. Sound internal controls are essential to the structural framework.

3 Locating the IT Function: to whom should the IT manager report? The answer has important ramifications for the IT manager's ability to acquire needed resources and ability to prioritize workloads.

4 Locating the IT Function Consider segregation of incompatible duties. Authorizing transactions, recording transactions and maintaining custody of assets must be vested in different people. This can be accomplished with judicious choices about where the IT function is placed in the organization and by integrating programmed controls into computing infrastructures and applications.

5 Should the IT manager report to the accounting manager? Good idea: most IT applications deal with accounting transactions, so everyone would benefit from having the accounting manager involved from the start. Bad idea: most controllers already perform 2 of the 3 incompatible duties; this would make it 3 of the 3, and fraud would be difficult to detect.

6 Should the IT manager report to another operations or administrative manager? Good idea: many software applications deal with these areas. Bad idea: many managers can authorize transactions, so custody of computing assets would give them 2 of the 3 incompatible duties. Other managers would not likely have the expertise to guide and support an IT manager. Managers would likely give priority to their own IT needs and less to the rest of the company. The IT function may not have access to upper management for influencing decisions about placing priorities and setting strategies.

7 Should the IT manager report alongside other line managers? Good idea: the position is politically strong enough to compete for resources and to set priorities and strategies. The CEO has responsibility over the 3 incompatible duties but rarely performs them, so with sound internal controls this arrangement can be effectively managed.

8 Should the IT manager report above other line managers? In a vice-president position, the IT manager can coordinate strategies, set standards and establish priorities across the entire organization. This structure allows the IT managers who report to the vice president to focus on local issues and needs.

9 [Organization chart: the Chief Executive Officer (CEO) with three vice presidents (North American Operations, Foreign Operations, Information Technology); below them report the Sales & Marketing, Human Resources, Finance & Accounting, Information Technology and Research & Operations managers.]

10 [Figure: goals matrix of Profit, Growth, Control and Opportunity against Short-Term and Long-Term goals.]

11 Designing the IT Function Designing the ultimate structure of the IT function is often determined by cultural, political and economic forces inherent in each organization.

12 Internal control considerations within an IT function Keep separate from one another: systems development, computer operations and computer security.

13 Systems Development Staff have access to operating systems, business applications and other key software. Because systems developers are authorized to create and alter software logic, they should not be allowed to process information, and they should not maintain custody of corporate data and business applications.

14 Computer Operations Operations staff are responsible for entering data (similar to the internal control concept of 'authorizing transactions'), processing information (similar to 'recording transactions') and disseminating output (similar to 'maintaining custody'). These duties must be segregated.

15 Computer Security Responsible for the safe-keeping of resources, which includes ensuring that business software applications are secure, and for the safety ('custody') of corporate information, communication networks and physical facilities. Systems analysts and programmers should not have access to the production library.

16 [Organization chart of the IT function: the IT Function Manager has four reports, with the letters from the chart retained.
Systems Development Manager (a): Systems Analysis (a), Computer Programming (b), Quality Control.
Computer Operations Manager (b): Data Input (a), Information Output (c), Continuity of Operations, Database Administration (c), Information Processing (b).
Computer Security Manager (c): Software Security, Network Security, Physical Security, Information Security.
User Services Manager: Technical Support, User Training, Help Desk, Application Support.]

17 IT auditor's examination of the IT function Auditors should ensure that systems developers and computer operators are segregated. It is also advisable for the IT function to form a separate security specialization to maintain custody of software applications and corporate data.

18 Funding the IT Function The IT function must be adequately funded to fulfill strategic objectives. Business risk of under-funding: the needs and demands of customers, vendors, employees and other stakeholders will go unfulfilled, which can adversely impact the success of the company. Audit risk of under-funding: heavy workloads can lead to a culture of 'working around' the system of internal controls.

19 Two funding approaches 1. Cost Center Approach Submit a detailed budget to upper management and justify each line item. Use the IT function scorecard approach: operational performance, user satisfaction, adaptability and scalability, organizational contribution.

20 Two funding approaches 2. Profit Center Approach Submit a detailed budget to upper management and charge internal users for services through intra-company billing. Positive outcome: managers will not be overly demanding of IT services. Negative outcome: IT can build excessive expenses into billing rates until the rates exceed the costs of outside providers.

21 Billing Rates An independent party within the company should compare rates to outside services. The IT auditor should confirm that this reasonableness check is performed at least annually to ensure that billing rates are not excessive.

22 Acquiring IT Resources The IT manager should justify IT capital projects using a methodological approach: determine the net benefit (present value of benefits minus costs) and use the scorecard approach for non-quantifiable paybacks.

23 Example with Scorecard Approach Justify the in-house development of a web-based customer ordering system.
Scorecard / Action:
Operational Performance: estimate the increased number of sales the system will handle each day; determine the faster speed of each sale.
User Satisfaction: survey customers for what they need and how they would receive the proposed system.
Adaptability & Scalability: forecast increased sales; show how the new system integrates with existing accounting & inventory systems.
Organizational Contribution: perform net benefit analysis; estimate financial costs & benefits.

24 Staffing the IT Function Business and audit risks can be effectively controlled via sound human resource procedures in the areas of hiring, rewarding and terminating employees.

25 HIRING There should be formal procedures that are followed. Each job should have a substantive description of responsibilities and procedures.

26 Recruiting Carefully plan and execute each step in compliance with company policy. 1. Identify Needs 2. Write a job description 3. Obtain permissions 4. Advertise 5. Accept Applications 6. Review Applications

27 Verifying The extent depends on the position, but all candidates should have some checking: contact references, both personal and professional; conduct background checks; verify education; check for criminal or civil violations. Document everything!

28 Testing Written and/or oral tests can be administered to test skills. Company must be consistent in testing procedures.

29 Interviewing Follow sound procedures and company, regulatory & statutory rules. Steps of interviewing: select appropriate interviewers; develop an internal interview schedule; arrange interviews with interviewees; conduct the interviews.

30 REWARDING It is important to continually challenge and motivate employees. Improperly rewarding employees may result in business and audit risks:

31 Rewarding Business risks: employees might develop a 'bad attitude' toward the IT manager and the company, which leads to lower productivity, frustration and turnover. Audit risks: employees can become bored and disgruntled and engage in mischievous and criminal behaviors that can threaten the availability, accuracy, security and reliability of corporate information.

32 Evaluating Most common is the annual review. The evaluation process must have structure and reasonableness. Evaluator must be as fair as possible to prevent frustration and resentment.

33 Compensating The company should strive to compensate employees at least as well as peer organizations. Turnover: can cause productivity losses; replacement costs are high; it risks the availability and reliability of systems; employees take sensitive information to competitors.

34 Compensation Issues: Equal Pay for Equal Work The IT function must not discriminate, in appearance or substance, among employees. Test by comparing the compensation packages of employees holding similar positions.

35 Compensation Issues: Compression and Inversion Compression: the compensation of newly hired employees gets very close to that of experienced employees in similar positions, or the compensation of subordinates is nearly the same as that of their superiors. Inversion: the compensation of new hires is greater than that of more experienced employees in the same position, or the compensation of subordinates exceeds that of superiors.

36 Promoting Should be based on merit. Compensation should be commensurate with the new job's role and responsibilities. There must be formal written procedures that are consistently followed.

37 Learning Training benefits the employee, the employer and society as a whole. Failure to offer learning opportunities creates: Business risk: potential loss of competitive positioning due to an uneducated workforce; low employee morale. Audit risk: stagnant and frustrated employees; an attitude of complacency toward internal controls, or utter disregard for internal controls.

38 Terminating A disgruntled employee can disrupt the company's systems and controls. The IT function needs to design and implement countervailing controls: backup procedures, checks-and-balances, cross-training, job rotations, mandated vacations. When employees are terminated, immediately separate them from the computing environment and terminate all computer privileges.

39 Directing the IT Function: Administering the Workflow Effective capacity planning: schedule and perform the work; have enough resources for peaks yet minimize idle time; develop formal workload schedules; monitor performance; denote actual-to-planned workload variances; continually adjust.

40 Managing the Computing Environment Responsible for the computing infrastructure: computer hardware, network hardware, communication systems, operating systems, application software and data files.

41 Managing the Computing Environment The IT manager must understand how the infrastructure elements work together, establish policies for acquiring, disposing of and accounting for inventory, track rented equipment and software, and comply with licensing agreements.

42 Managing the Computing Environment The IT manager must ensure the physical environment is safe for humans and computers, with: fire suppression systems in place; a tested fire evacuation plan; a climate-controlled environment; facilities that are inconspicuous in location and design; compliance with appropriate safety and health regulations.

43 Third Party Services Examples: Internet service providers (ISPs), communication companies, security firms, call centers. They offer economies of scale, and the use of 3rd-party services is increasing.

44 Third Party Services Key Issues Policies must be established for the purchase, use and termination of 3rd-party services. Must have legally binding contracts. Must ensure the security and confidentiality of company information. Must have a plan for disruption of services. Must have a backup and recovery plan in place.

45 Assisting Users Training and Education Identify training needs; design curricula; deliver programs; use outside training programs.

46 Assisting Users Help Desk

47 The IT manager needs to design and monitor effective ways to assist users when they request help. Must create an atmosphere of mutual trust and respect between the IT function and the user community. Effective handling of problems and incidents requires a formal set of policies and procedures.

48 Assisting Users Help Desk Requests for help generally arise from users' lack of understanding about how applications work. Problems and incidents reflect improperly functioning elements of the computing infrastructure and require the intervention of experienced technicians and programmers.

49 Controlling the IT Function The major control categories involved in the IT function are security, input, processing, output, databases, and backup and recovery. Each of these categories is intended to minimize business and audit risk via internal controls.

50 Security Controls Secure the computing infrastructure from internal and external threats. A compromise of the infrastructure can result in business risk (network downtime, database corruption) and audit risk (material misstatements in accounts due to incomplete or inaccurate data capture).

51 Physical Security Focuses on keeping facilities, computers, communication equipment and other tangible aspects of the computing infrastructure safe from harm.

52 Physical Security Access Restriction Only authorized personnel should be allowed into the facility. Visitors should be accompanied by authorized personnel at all times. Use controls at all ingress and egress points: security guards, keys & locks, card readers, biometric devices. Penetration points should be adequately secured.

53 Physical Security Monitor Access Monitor who is entering, roaming and leaving the facility: security guards, video cameras, penetration alarms. Review access evidence: a sign-in log, paper or electronic, with formal review procedures in place.

54 Security Issue: physical controls and logical controls compared
Access Controls. Physical: security guards; locks & keys; biometric devices. Logical: IDs and passwords; authorization matrix; firewalls & encryption.
Monitor Controls. Physical: security guards; video cameras; penetration alarms. Logical: access logs; supervisory oversight; penetration alarms.
Review Controls. Physical: formal reviews; sign-in logs; violation investigations. Logical: formal reviews; activity logs; violation investigations.
Penetration Tests. Physical: unauthorized attempts to enter IT facilities; attempts to break in through vulnerable points; as an authorized visitor, attempts to leave authorized personnel and wander around the facility without oversight. Logical: unauthorized attempts to enter servers and networks; attempts to override access controls (hacking); as an authorized user, attempts to use unauthorized applications and view unauthorized information.

55 Physical Security Communication & Power Lines The IT manager should monitor the primary communication and power lines via cameras and guards, and install secondary (backup) lines in case the primary lines fail. The contingency plan must address the possible failure of lines.

56 Physical Security Off-Site Equipment Equipment located in other places needs to be monitored in the same way. An effective backup plan must be in place.

57 Logical Security Data and software are known as the 'logical' components of the infrastructure: corporate data; computer software (user applications, network systems, communication systems, operating systems).

58 Sample Authorization Matrix [Table: rows are User #1, User #2 and User #3, each identified by an ID (XXXXX) and password (YYYYY). Columns are the information items under each application: A/R (Customers, Sales, Receipts) and A/P (Vendors, Purchasing, Payments). Each cell lists the actions Add, Edit, Read and Delete, with an x marking each action that user is authorized to perform on that item.]

59 Logical Security Physical controls: most corporate data and software are located on computers, servers and storage devices, so computer-controlled access, monitor and review systems apply to them.

60 Logical Security Points of Entry Computer terminal: the user must supply an authorized ID and password. Internet: controls need to control external access points (firewalls) and track failed attempts to enter the system.

61 Logical Security Access and Monitor Systems Supervisory oversight, penetration alarms, tracking of usage patterns, reporting of failed attempts, and a formal review procedure.

62 Information Controls Controls need to be in place and working effectively to ensure the integrity and accuracy of vital decision-making information. They must integrate sound backup controls.

63 Information Controls Input Controls The company must have and follow written procedures regarding the proper authorization, approval and input of accounting transactions. These are incompatible functions; they should be carefully segregated, to the extent possible, and controlled.

64 Information Controls Input Controls – 3 Scenarios – #1 A customer purchases goods at a store counter (authorizing the sale). A cashier records the sale on the cash register (approving the sale); the cashier balances the register and logs into the register with an ID. An accounting clerk later processes cash register sales in batches, inputting the sales transactions into the accounting system in batches.

65 Information Controls Input Controls – 3 Scenarios – #2 Same as #1, except that the cash register automatically records the sale into the accounting system.
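The authorization matrix of slide 58 and the incompatible-function rule of slide 63, as an added example that is not part of the deck: a small Python model in which each user row is authenticated by ID and password, each cell is denied unless explicitly granted, and the matrix is then scanned for users who hold both halves of an incompatible pair of rights. The user names, passwords, grants and the incompatible pair (adding vendor records together with adding payments) are constructed assumptions, not values from the slides.

```python
import hashlib
import hmac
import secrets

# Actions in each cell of the matrix (slide 58).
ACTIONS = ("add", "edit", "read", "delete")
# Information items under the A/R and A/P applications (slide 58).
INFORMATION = {
    "A/R": ("Customers", "Sales", "Receipts"),
    "A/P": ("Vendors", "Purchasing", "Payments"),
}
ALL_ITEMS = {item for items in INFORMATION.values() for item in items}


def _hash_password(password, salt):
    # Salted, iterated hash so the stored matrix never holds clear-text passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthorizationMatrix:
    """Rows are users, columns are (information item, action) cells.
    A cell is authorized only if it was explicitly granted: deny by default."""

    def __init__(self):
        self._credentials = {}   # user id -> (salt, password hash)
        self._grants = {}        # user id -> set of (item, action)

    def add_user(self, user_id, password):
        salt = secrets.token_bytes(16)
        self._credentials[user_id] = (salt, _hash_password(password, salt))
        self._grants[user_id] = set()

    def grant(self, user_id, item, *actions):
        if item not in ALL_ITEMS:
            raise ValueError(f"unknown information item {item!r}")
        for action in actions:
            if action not in ACTIONS:
                raise ValueError(f"unknown action {action!r}")
            self._grants[user_id].add((item, action))

    def authenticate(self, user_id, password):
        if user_id not in self._credentials:
            return False
        salt, stored = self._credentials[user_id]
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def is_authorized(self, user_id, password, item, action):
        """The ID/password check and the matrix cell must both pass."""
        if not self.authenticate(user_id, password):
            return False
        return (item, action) in self._grants.get(user_id, set())

    def sod_violations(self, incompatible_pairs):
        """Users holding both halves of any incompatible pair of rights."""
        found = []
        for user_id, grants in self._grants.items():
            for first, second in incompatible_pairs:
                if first in grants and second in grants:
                    found.append((user_id, first, second))
        return found


# Constructed incompatible pair (assumption, not from the slides): the person
# who can create vendor master records must not also be able to enter payments.
INCOMPATIBLE = [(("Vendors", "add"), ("Payments", "add"))]


def build_sample_matrix():
    """Three constructed user rows; user3 holds the toxic combination on purpose."""
    m = AuthorizationMatrix()
    m.add_user("user1", "pw-one")      # constructed credentials
    m.add_user("user2", "pw-two")
    m.add_user("user3", "pw-three")
    m.grant("user1", "Customers", "add", "edit", "read")
    m.grant("user1", "Sales", "add", "read")
    m.grant("user2", "Vendors", "read")
    m.grant("user2", "Payments", "add", "read")
    m.grant("user3", "Vendors", "add", "edit", "read")
    m.grant("user3", "Payments", "add")
    return m


if __name__ == "__main__":
    matrix = build_sample_matrix()
    print(matrix.is_authorized("user1", "pw-one", "Customers", "read"))    # True
    print(matrix.is_authorized("user1", "pw-one", "Customers", "delete"))  # False
    print(matrix.is_authorized("user1", "wrong", "Customers", "read"))     # False
    print(matrix.sod_violations(INCOMPATIBLE))
```

The review control of slide 54 maps onto `sod_violations`: an auditor runs it over the whole matrix periodically, rather than trusting that each grant was reviewed when it was made.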

66 Process Controls Validating, error handling, updating.

67 Database Controls Database processing involves simultaneous updating of multiple tables. Multiple tables and data items can be instantaneously corrupted when an interruption occurs.

68 Database Controls Why corruption is so quick 1. Related tables are inextricably linked to one another. 2. Update routines often incorporate one or more of the following processing techniques: multi-tasking, where the computer executes more than one task [program] at a time; multi-processing, where multiple CPUs simultaneously execute interdependent tasks [programs]; multi-threading, where a computer executes multiple parts of a program [threads] at one time.

69 Database Controls Roll-back and Recovery Databases operate on a transaction principle: a logical unit of work is considered a transaction. Processing a transaction takes the database from an initial state, through an altered state, to a new initial state. Each step must be completed; a failure part-way through leaves the database corrupted.

70 Database Controls Roll-back and Recovery When there is an interruption, the database management system (DBMS) begins to restore. There are numerous technical processes depending on the DBMS in use.

71 Database Controls Roll-back and Recovery – Basic Recovery A unique identifier tags each transaction. An activity log tracks the transaction as it is processed. After an interruption, the DBMS identifies the transactions that were in process and performs the roll-back procedure: uncompleted transactions are placed back into the queue, and then recovery takes place.
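The basic recovery sequence of slides 69 to 71, as an added example that is not from the deck: a toy DBMS that tags each transaction with a unique identifier, records every write in an activity log together with the value it overwrote, and after a simulated interruption identifies the in-process transactions, undoes their writes and places them back in the queue before re-running them. The tables, the sale transaction and the crash point are constructed.

```python
import uuid
from collections import deque
from copy import deepcopy


class MiniDBMS:
    """Toy DBMS: an undo log records each write with its transaction id and the
    value it overwrote, so an interrupted transaction can be rolled back."""

    def __init__(self, tables):
        self.tables = tables      # {table name: {key: value}}
        self.log = []             # ("BEGIN", id) / ("WRITE", id, table, key, old, new) / ("COMMIT", id)
        self.queue = deque()      # write lists waiting to be (re)run
        self._work = {}           # id -> write list, kept until commit or re-queue

    def run(self, writes, crash_after=None):
        """Apply a list of (table, key, new_value) writes as one transaction.
        crash_after=n simulates an interruption just before the n-th write."""
        txn_id = uuid.uuid4().hex                 # unique identifier per transaction
        self._work[txn_id] = writes
        self.log.append(("BEGIN", txn_id))
        for i, (table, key, new) in enumerate(writes):
            if crash_after is not None and i == crash_after:
                raise InterruptedError(txn_id)    # power loss mid-transaction
            old = self.tables[table].get(key)
            self.log.append(("WRITE", txn_id, table, key, old, new))
            self.tables[table][key] = new
        self.log.append(("COMMIT", txn_id))
        del self._work[txn_id]
        return txn_id

    def in_process(self):
        """Transactions that began but never committed, found from the log."""
        begun = {e[1] for e in self.log if e[0] == "BEGIN"}
        committed = {e[1] for e in self.log if e[0] == "COMMIT"}
        return begun - committed

    def rollback(self):
        """Undo the writes of uncompleted transactions newest first, drop them
        from the log and place the transactions back in the queue."""
        pending = self.in_process()
        for entry in reversed(self.log):
            if entry[0] == "WRITE" and entry[1] in pending:
                _, _, table, key, old, _ = entry
                if old is None:
                    self.tables[table].pop(key, None)   # the row did not exist before
                else:
                    self.tables[table][key] = old
        self.log = [e for e in self.log if e[1] not in pending]
        for txn_id in pending:
            self.queue.append(self._work.pop(txn_id))
        return pending

    def recover(self):
        """Re-run the queued transactions now that the database is consistent."""
        return [self.run(self.queue.popleft()) for _ in range(len(self.queue))]


def demo():
    """Constructed scenario: a sale writes an order row and then the stock level,
    but the interruption hits between the two writes."""
    db = MiniDBMS({"orders": {}, "inventory": {"widget": 10}})
    sale = [("orders", "ord-1", {"item": "widget", "qty": 3}),
            ("inventory", "widget", 7)]
    try:
        db.run(sale, crash_after=1)
    except InterruptedError:
        pass
    after_crash = deepcopy(db.tables)        # order exists, stock not reduced: inconsistent
    rolled_back = len(db.rollback())
    after_rollback = deepcopy(db.tables)     # back to the initial state
    db.recover()                             # the sale is re-run to completion
    return after_crash, after_rollback, db.tables, rolled_back, db.in_process()


if __name__ == "__main__":
    for stage in demo():
        print(stage)
```

The inconsistent intermediate state captured in `after_crash` is exactly the "instantaneous corruption" of slide 67; the log is what makes it reversible.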

72 Database Controls Concurrency Control Problems arise when multiple users attempt to update the same data item simultaneously, or when one user is updating while another user is reading the same data item.

73 Database Controls Concurrency Control A common way to prevent concurrency problems is to lock a database object while it is in use and release the object upon completion. The DBMS can determine which operation to perform in what order, as it timestamps each transaction when the processing request is initiated.

74 Database Controls Concurrency Control – Levels of Granularity Coarse level: the database is locked during updates; no one can use the database until the update is complete. Moderate level: the database locks at the tuple (record) level; no one else can use the record until the update is finished. Fine level: the database locks at the attribute (field) level; only the field being updated is locked.

75 Database Controls Concurrency Control – Levels of Granularity Tradeoff: there is an inverse relationship between the granularity level and system performance. The finer the locking level, the slower the computer performance, because more locks must be managed.
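The three locking levels of slides 74 and 75, as an added example that is not from the deck: a lock manager whose granularity setting decides how much of the (table, record, field) path a lock object covers, with a timestamp issued at each request as slide 73 describes. The three constructed update requests show which ones block at each level and how many lock objects have to be managed.

```python
from itertools import count

# How much of the (table, record, field) path a lock covers at each level
# (slide 74): coarse = whole database, moderate = record, fine = field.
GRANULARITY = {"coarse": 0, "moderate": 2, "fine": 3}


class LockManager:
    def __init__(self, level):
        if level not in GRANULARITY:
            raise ValueError(f"unknown granularity {level!r}")
        self.level = level
        self.locks = {}             # lock object -> transaction holding it
        self._clock = count(1)      # timestamp issued when a request arrives (slide 73)

    def _lock_object(self, table, record, field):
        path = (table, record, field)
        return path[:GRANULARITY[self.level]] or ("database",)

    def request(self, txn, table, record, field):
        """Grant the lock if it is free (or already ours); otherwise the caller
        must wait until the holder releases it."""
        timestamp = next(self._clock)
        obj = self._lock_object(table, record, field)
        holder = self.locks.get(obj)
        if holder is None or holder == txn:
            self.locks[obj] = txn
            return "granted", timestamp, obj
        return "blocked", timestamp, obj

    def release(self, txn):
        """Release every object held by txn once its update completes."""
        for obj in [o for o, h in self.locks.items() if h == txn]:
            del self.locks[obj]


# Constructed workload: three users updating at the same moment.
WORKLOAD = [
    ("T1", "customers", 1, "balance"),   # record 1, field balance
    ("T2", "customers", 2, "address"),   # a different record
    ("T3", "customers", 1, "address"),   # same record as T1, different field
]


def simulate(level):
    """Outcome of each request before anyone releases, and how many lock
    objects the manager must track at this level."""
    lm = LockManager(level)
    outcome = {txn: lm.request(txn, t, r, f)[0] for txn, t, r, f in WORKLOAD}
    return outcome, len(lm.locks)


if __name__ == "__main__":
    for level in GRANULARITY:
        print(level, simulate(level))
```

At the coarse level only T1 proceeds and one lock exists; at the moderate level T2 also proceeds but T3 waits on record 1; at the fine level all three proceed and the manager is tracking three lock objects, which is the cost side of the tradeoff on slide 75.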

76 Output controls Only properly authorized parties can request certain output (computer screens, printed reports). Such logical access control is accomplished via the ID-password authorization matrix procedure.

77 Output controls Computer Screens Screens need to be physically secure when output is visible. Output should be removed when user leaves the terminal. Return to the screen should require a password.

78 Output controls Printed Reports Printer rooms need a trail of accountability: locks to prevent unauthorized access; logs to sign in anyone entering; logs to sign for reports. End-user report requests should be password protected. Network printers should be placed where unauthorized persons will not have access.

79 Output controls Printed Reports Must have record retention and destruction policies, whether mandated by a regulatory agency or dictated by company policy. Permanent reports must be kept in a secured area. Temporary reports must be properly destroyed.


81 Continuity Controls Must develop and follow a sound backup strategy to prevent disruption of business activity due to computer failures and disasters. Two key considerations: downtime and cost. Shorter downtime requirements equate to higher backup costs.

82 Impact Analysis Criteria
Level / Impact / Financial Criteria / Reputation
5 / Catastrophic / Over $10 million / National media coverage or major product withdrawal
4 / Intolerable / $5 to $10 million / Local media coverage and reduced professional reputation
3 / Major / $1 to $5 million / Media coverage in trade publications and customer complaints
2 / Significant / $50,000 to $1 million / Limited coverage in media and some customer complaints
1 / Minor / Less than $50,000 / Negligible impact on reputation
0 / No Impact

83 Continuity Controls Backup Controls – Data Backup Slow company: can survive for days without its computer system; would perform a full backup each week. Medium company: must be back on computers the same day; would perform weekly full backups and daily incremental backups.

84 Continuity Controls Backup Controls – Data Backup Fast company: must be back on computers within hours; needs daily full backups and hourly incremental backups. Lightning company: must be back on computers within minutes; needs real-time backup, with simultaneous updating on a remote computer.

85 Continuity Controls Storage location & hardware redundancy Physical Vaulting One backup on-site, one off-site. The on-site copy is readily accessible if there is no disaster; the off-site copy is retrievable if there is a disaster. This strategy involves more time and money.

86 Continuity Controls Storage location & hardware redundancy Electronic Vaulting Send backup data over a communications network (such as the Internet) to an off-site storage medium: to the home of an employee, to another company location, or to a purchased outside service. Costs and accessibility are considerations.

87 Continuity Controls Storage location & hardware redundancy Hardware Backup is usually needed for component failures: power supplies and anything with moving parts. There are 3 common configurations for redundant storage devices: Redundant Array of Independent Disks (RAID), Network Attached Storage (NAS), Server Area Network (SAN).

88 Continuity Controls Redundant Array of Independent Disks (RAID) Disk mirroring: data is simultaneously written to the primary disk and one or more redundant disks. Disk striping: an array of at least three, but usually five, disks is established and a scheme of parity checks is utilized; if one disk drive in the array fails, the remaining drives can reconstruct the data on the failed drive and continue processing.
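Disk striping with parity from slide 88, as an added example that is not from the deck: data is split into stripe units across four data disks, an XOR parity unit for each stripe is kept on a fifth disk, and when any one disk (data or parity) is lost its contents are rebuilt from the survivors. The payload, the disk count and the stripe unit size are constructed.

```python
def xor_units(units):
    """XOR equal-length byte strings together (the parity operation)."""
    out = bytearray(len(units[0]))
    for unit in units:
        for i, byte in enumerate(unit):
            out[i] ^= byte
    return bytes(out)


def stripe_with_parity(data, data_disks=4, unit_size=4):
    """Write data across data_disks in unit_size chunks; the last disk holds
    the XOR parity of each stripe. Returns one list of units per disk."""
    stripe_size = data_disks * unit_size
    padded = data + b"\x00" * (-len(data) % stripe_size)   # whole stripes only
    disks = [[] for _ in range(data_disks + 1)]
    for start in range(0, len(padded), stripe_size):
        units = [padded[start + i * unit_size: start + (i + 1) * unit_size]
                 for i in range(data_disks)]
        for disk, unit in zip(disks, units):
            disk.append(unit)
        disks[-1].append(xor_units(units))   # parity unit for this stripe
    return disks


def fail_and_rebuild(disks, failed):
    """Lose one disk entirely, then rebuild it from the surviving disks:
    XOR of all units in a stripe is zero, so the missing unit is the XOR of the rest."""
    degraded = list(disks)
    degraded[failed] = None                       # contents gone
    surviving = [d for d in degraded if d is not None]
    stripes = len(surviving[0])
    degraded[failed] = [xor_units([d[s] for d in surviving]) for s in range(stripes)]
    return degraded


def read_back(disks, length):
    """Reassemble the original bytes from the data disks (all but the parity disk)."""
    data_disks = disks[:-1]
    stripes = len(data_disks[0])
    raw = b"".join(d[s] for s in range(stripes) for d in data_disks)
    return raw[:length]


def demo():
    """True if every single-disk failure can be survived for the sample payload."""
    payload = b"MANAGING THE IT FUNCTION"   # constructed sample data
    disks = stripe_with_parity(payload)
    return all(
        read_back(fail_and_rebuild(disks, i), len(payload)) == payload
        and fail_and_rebuild(disks, i)[i] == disks[i]
        for i in range(len(disks))
    )


if __name__ == "__main__":
    print(demo())   # True
```

Note that the parity scheme tolerates exactly one failed disk per stripe; it is hardware redundancy, not a backup, since a corrupted write is faithfully striped and parity-protected too.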

89 [Figure: Disk Mirroring (RAID): duplicate recording on a single mirrored disk.]

90 [Figure: Disk Striping (RAID): duplicate recording on an array of disks.]

91 Continuity Controls Network Attached Storage (NAS) Integrates one or more storage devices (NAS appliances) into the local area network (LAN). Each appliance is comprised of one or more disk drives and an internal controller, employs RAID technology to ensure hardware redundancy, and can be shared by multiple users on the network. Appliances are relatively affordable and scalable.

92 [Figure: a NAS appliance on a LAN shared by User #1, User #2, a printer and a scanner.]

93 Continuity Controls Server Area Network (SAN) Expands NAS to wide area networks (WAN). A SAN is a dedicated network; it can be linked to multiple LANs, and multiple SANs can be simultaneously utilized. A SAN can be expensive and technically complicated, but it is capable of handling very high volumes and is designed to be very fault tolerant, which makes it a great solution for large companies.

94 [Figure: a SAN with an input-output controller connecting several disk storage units to a wide area network.]

95 Disaster Recovery Controls The first step is to plan for various disaster scenarios: a) a single server is damaged; b) an entire company site is demolished; c) multiple company locations are simultaneously struck by disaster; d) the entire company is destroyed.

96 Disaster Recovery Controls IT managers and auditors should plan for what, who, when, where, how, which and why: determine what just happened; specify who to contact, in what order, and what they are expected to do; decide when to enact the remainder of the contingency plan.

97 Disaster Recovery Controls Where to transfer the lost computer processing load: plan to shift to one or more alternate company locations; establish contractual relationships with peer companies in the same industry (affordable, but the company's needs may not be a priority, and there may be compatibility problems with operating systems); establish contractual relationships with third-party providers of alternate computing sites.

98 Disaster Recovery Backup Strategy 1. Fully mirrored recovery operations: requires buildings that have linkages between the live site and the backup facility. 2. Switchable hot site facility: an arrangement with a vendor who will guarantee to maintain an identical site with communications to enable the transfer of all data processing within an agreed time period. 3. Traditional hot site: have a contract with a disaster recovery vendor with a compatible site. 4. Cold site: includes building & basic infrastructure; establishes emergency site space to allow the enterprise to begin processing.

99 Disaster Recovery Backup Strategy 5. Relocate and restore: identification of a suitable location, hardware and peripherals, and the reinstallation of systems after an emergency has occurred. 6. No strategy: no backup and restore strategy.

100 Disaster Recovery Controls How is the company going to get the computer hardware, people, software and data to the alternate site? Which applications are mission critical? Why is one application or set of applications more time sensitive than another?

101 DRP plans Detailed descriptions of IT system components, including IT servers, storage resources and network connections; a summary of applications and key supporting data; detailed descriptions of the servers and other hardware; the communication network, such as telephone, radio, wireless and Internet linkages; external, third-party connections; IT infrastructure components, including logon services, software distribution and remote access services; all supporting information management systems, including file rooms and both electronic and manual document management systems.

102 Internal Audit DRP Review Points 1. Review the existing DRP with the responsible manager. 2. Examine the contents and format of the DRP. 3. Review the overall training and understanding of the DRP. 4. Review the results of recent DRP tests. 5. Review the DRP backup procedures. 6. Prepare IT internal audit documentation assessing the overall adequacy of the organization's DRP.

103 Disaster Recovery Controls All affected parties need to be involved in planning phase. The disaster recovery plan is a living document. It must be reviewed and updated on a recurrent basis. Everyone involved should be initially trained and required to attend periodic refresher sessions. Portions of the recovery plan should be tested on an unannounced basis.

