Chapter 8 by HC120808144835


Information Systems: IT Processes
                    Learning Objectives
•   Learn the major IT resources
•   Appreciate the problems in
    providing adequate controls over IT
•   Study major IT control processes
    and practices organizations use to
    manage IT resources
•   Understand how IT and personnel
    control plans can help an
    organization achieve its strategic
    vision for IT
•   Overview the major steps in
    acquiring and implementing new IT
•   Examine business continuity and
    security controls that help ensure
    continuous, reliable IT service
•   Value the integral part played by the
    monitoring function in ensuring the
    overall effectiveness of a system of
    internal controls

        Internal Control Processes on
                  AIS Wheel
• In this chapter, we continue our
  investigation of internal accounting
  controls, as indicated by the shaded
  areas on the AIS Wheel icon.
• Herein, you will learn how to control
  information technology resources and
  processes, which form the underpinning
  of accounting information systems.
• Importantly, you will be exposed to a
  fundamental control concept that must
  be incorporated into every aspect of an
  organization; that is, managers need to
  segregate four key functions:
   –   authorizing events
   –   executing events
   –   recording events
   –   safeguarding resources.

Control Objectives for Information
      Technology (COBIT)
• Developed by the Information Systems Audit and
  Control Foundation to provide guidance—to
  managers, users, and auditors—on the best practices
  for the management of information technology.
• According to COBIT
   – IT resources must be managed by IT control processes to
     ensure that the organization has the information it needs to
     achieve its objectives.
   – Exhibit 8.1 defines the IT resources that must be managed
     and Chapter 1 describes the qualities that this information
     must exhibit in order for it to be of value to the organization.

               IT Resources
• Data: Objects in their widest sense (i.e., external and
  internal), structured and nonstructured, graphics,
  sound, etc.
• Application systems: Application systems are
  understood to be the sum of manual and
  programmed procedures reflecting business
• Technology: Technology covers hardware,
  operating systems, database management systems,
  networking, multimedia, etc.
• Facilities: Facilities are all resources used to house
  and support information systems.
• People: People include staff skills; awareness; and
  productivity to plan, organize, acquire, deliver,
  support, and monitor information systems and

  A Hypothetical Computer System
• The IT resources are typically configured with some or
  all of the elements shown in Figure 8.1
• This computer system consists of one or more
  mainframe computers connected to several networked
  client computers (CCs) and PCs perhaps through a
  LAN and to PCs and CCs located in the organization’s
  other facilities, perhaps through a WAN
• Computer facilities operated by other organizations are
  connected, perhaps via the Internet and through a
  firewall to the mainframe, servers, and PCs.

Hypothetical Computer System: Figure 8.1

Questions for the IT Control Process
• How can we protect the computer from misuse,
  whether intentional or inadvertent, from within and
  outside the organization?
• How do we protect the computer room, and other
  rooms and buildings where connected facilities are
• Do we have disaster plans in place for continuing our
• What policies and procedures should be established
  to provide for efficient, effective, and authorized use
  of the computer?
• What measures can we take to help ensure that the
  personnel who operate and use the computer are
  competent and honest?

       Organization Structures
• Centralized: CIO is central leader of all information
  system functions
• Decentralized: Assigns personnel to non-central (e.g.,
  departments) organizational units
• Functional organization: Assigns personnel to skills-
  based units (e.g., programming, systems analysis).
  Used by both decentralized and centralized
• Matrix: Assembles work groups or teams, comprised of
  members from different functional areas, under the
  authority of a team leader
• Project: Establishes permanent systems development
  structures such as “Financial Systems Development”

Centralized Information System Organization




• COBIT organizes IT internal control into
  domains and processes
• Domains include:
  – Planning and organization
  – Acquisition and implementation
  – Delivery and support
  – Monitoring
• Processes detail steps in each domain

IT Control Domains and Processes

        IT Control Processes &
• Planning & Organization Domain
  – IT Process 1: Establish strategic vision
  – IT Process 2: Develop tactics to realize strategic
• Acquisition & Implementation Domain
  – IT Process 3: Identify automated solutions
  – IT Process 4: Develop & acquire IT solutions
  – IT Process 5: Integrate IT solutions into
  – IT Process 6: Manage change to existing IT
    systems

 IT Control Processes & Domains
• Delivery & Support Domain
  – IT Process 7: Deliver required IT services
  – IT Process 8: Ensure security &
    continuous service
  – IT Process 9: Provide support services
• Monitoring Domain
  – IT Process 10: Monitor Operations

         IT Process 1
  Elements of Strategic IT Plan
1. A summary of the organizational strategic plan’s
   goals and strategies, and how they are related
   to the information systems function.
2. IT goals and strategies, and a statement of how
   each will support organizational goals and
3. An information architecture model
   encompassing the corporate data model and the
   associated information systems.
4. An inventory of current information systems

 IT Process 1: Elements of Strategic IT Plan
5. Acquisition and development schedules for
   hardware, software, and application systems and
   for personnel and financial requirements.
6. IT-related requirements to comply with industry,
   regulatory, legal, and contractual obligations,
   including safety, privacy, transborder data flows,
   e-Business, and insurance contracts.
7. IT risks and risk action plan
8. Process for modifying the plan to accommodate
   changes to the organization’s strategic plan and
   changes in information technology conditions.

         IT Process 2
  Organizational Control Plans
• Segregation of duties control plan
• Organizational Control Plans for the
  Information Systems Function
• Personnel Control Plans

Segregation of Duties

Segregation of Duties Applied to
          IS Function

  IT Process 2: Organizational Control Plans
• Organizational Control Plans for the
  Information Systems Function
  – The information systems function (ISF) normally
    acts in a service capacity for other operating units
    in the organization. In this role, it should be
    limited to recording events and posting
    event summaries.
  – Approving and executing events along with
    safeguarding resources should be carried out by
    departments other than IS.
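
The segregation rule described above (four key functions kept apart, with the IS function limited to recording), expressed as an added Python check that is not part of the original chapter. The assignment records, user names, department names and the "one function per person" reading of the rule are assumptions made for illustration.

```python
from collections import defaultdict

# The four functions the chapter says must be segregated.
FUNCTIONS = {"authorize", "execute", "record", "safeguard"}
# Per the chapter, the IS function should only record events.
IS_ALLOWED = {"record"}

# Constructed sample assignments: (user, department, function).
ASSIGNMENTS = [
    ("alice", "purchasing", "authorize"),
    ("bob", "receiving", "execute"),
    ("carol", "IS", "record"),
    ("dave", "warehouse", "safeguard"),
    ("erin", "IS", "record"),
    ("erin", "IS", "authorize"),         # IS staff approving events
    ("frank", "treasury", "execute"),
    ("frank", "treasury", "safeguard"),  # one person, two functions
]

def find_violations(assignments, is_department="IS"):
    """Return sorted (user, rule, detail) findings for SoD conflicts."""
    held = defaultdict(set)   # user -> functions held
    dept = {}                 # user -> department (last one seen)
    for user, department, function in assignments:
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function: {function!r}")
        held[user].add(function)
        dept[user] = department
    findings = []
    for user, functions in held.items():
        # Assumed rule: no single person holds more than one function.
        if len(functions) > 1:
            findings.append(
                (user, "multiple-functions", ",".join(sorted(functions))))
        # Chapter rule: IS staff are limited to recording events.
        extra = functions - IS_ALLOWED
        if dept[user] == is_department and extra:
            findings.append(
                (user, "is-beyond-recording", ",".join(sorted(extra))))
    return sorted(findings)

if __name__ == "__main__":
    for user, rule, detail in find_violations(ASSIGNMENTS):
        print(f"{user}: {rule} ({detail})")
```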

   IT Process 2: Organizational Control Plans
• Within the ISF we segregate duties
   – Data librarian grants access to stored data and programs to
     authorized personnel to reduce the risk of unauthorized computer
     operation by programmers or unauthorized programming by
   – The security officer assigns passwords, monitors employees’
     network access, grants security clearance for sensitive projects, and
     works with human resources on interview practices and background
   – The information technology steering committee
       • Coordinates the organizational and IT strategic planning processes
       • Reviews and approves the strategic IT plan
       • Helps the organization establish and meet user information requirements
       • Helps ensure effective and efficient use of IT resources.
       • The committee should consist of about seven executives from major
         functional areas of the organization, including the information systems
         executive; report to senior management; and meet regularly.

     IT Process 2: Personnel Control Plans
• Selection & Hiring Control Plans
   – Qualified personnel including technical background
• Retention Control Plans
   – Retaining may be harder than hiring
   – Provide challenging work and opportunities for advancement
• Personnel Development Control Plans
   – Training and development
• Personnel Management Control Plans
   – Personnel Planning Control Plans
       • Skills, Turnover, Filling Positions
   – Job Description Control Plans
       • Job descriptions written and updated
   – Supervision Control Plans
       • Approving, monitoring, and observing the work of others
   – Personnel Security Control Plans
       • Rotation of duties, Forced vacations, Bonding
   – Personnel Termination Control Plans
       • Procedures when an employee voluntarily or involuntarily leaves an organization.

  IT Process 3: Identify Automated Solutions
• To ensure selection of the best approach to satisfying
  users’ IT requirements, an organization’s systems
  development lifecycle must include procedures to:
   – define information requirements
   – formulate alternative courses of action
   – perform technological, economic, and operational feasibility
   – assess risks
• Solutions should be consistent with the strategic
  information technology plan
• At completion of this process
   – Organization must decide what approach will be taken to satisfy
     users’ requirements, and whether it will develop the IT solution in-
     house or will contract with third parties for all or part of the

          IT Process 4
   Develop/Acquire IT Solutions
• Develop and Acquire Application Software
• Acquire Application Infrastructure
• Develop Service Level Requirements and Application
  Documentation which typically includes the following:
   – Systems documentation
   – Program documentation
   – Operations run manuals
   – User manuals
   – Training materials

 IT Process 5: Integrate IT Solutions Into
         Operational Processes
• To ensure that a new or significantly revised system is suitable,
  the organization’s SDLC should provide for a planned, tested,
  controlled, and approved conversion to the new system.
• After installation, the SDLC should call for a review to determine
  that the new system has met users’ needs in a cost-effective
• When organizations implement enterprise systems, the
  successful integration of new information systems modules into
  existing information and operations processes becomes more
  difficult and more important.
• The challenges are the result of the interdependence of the
  business processes and the complexity of these processes and
  their connections.
• Any failure in a new system can have catastrophic results.

        IT Process 6: Manage Changes to
               Existing IT Systems
• To ensure processing integrity between versions of
  systems and to ensure consistency of results from period to
  period, changes to the IT infrastructure (hardware, systems
  software, and applications) must be managed via change
  request, impact assessment, documentation, authorization,
  release and distribution policies, and procedures.
• Program change controls provide assurance that all
  modifications to programs are authorized, and ensure that
  the changes are completed, tested, and properly
• Changes in documentation should mirror the changes
  made to the related programs.

             IT Process 7:
     Deliver Required IT Services

1.   Define service levels
2.   Manage Third-party services
3.   Manage IT Operations
4.   Manage data (backup)
5.   Identify and allocate costs

                 IT Process 8:
      Ensure Security & Continuous Service
• Ensure Continuous Service
   – Disaster recovery planning; Contingency planning; Business
     interruption planning; Business continuity planning.
• Restricting Access to Computing Resources
   – Restrict physical access to computer facilities.
   – Restrict logical access to stored programs, data, and documentation.
• Ensure Physical Security
   – Smoke detectors, fire alarms, fire extinguishers, fire-resistant
     construction materials, insurance
   – Waterproof ceilings, walls, and floors; adequate drainage; water and
     moisture detection alarms; insurance
   – Regular cleaning of rooms and equipment, dust-collecting rugs at
     entrances, separate dust-generating activities from computer, good
   – Voltage regulators, backup batteries and generators

IT Process 8 (Cont.)

 IT Process 9: Provide Support Services
• Identify the training needs of all
  personnel, internal and external, who
  make use of the organization’s
  information services, and should see
  that timely training sessions are
• Assistance through a “help desk”

      IT Process 10: Monitor
• Gather data about processes
• Generate performance reports
• WebTrust - ISP

Web Trust Principles


