ch08 - mgt ctrl of it-gelinas
DESCRIPTION
management control of information system
TRANSCRIPT
Chapter 8 IT Governance: Management Control of Information Technology and Information Integrity
Learning Objectives
To explain why business organizations need to achieve an adequate level of internal control
To explain the importance of internal control to organizational and IT governance, and business ethics
To enumerate IT resources and explain how difficult it is to control them
To describe management fraud, computer fraud, and computer abuse
Learning Objectives
To describe the major IT control processes organizations use to manage their IT resources
To identify operations and information process control goals and categories of control plans
Why Controls?
To ensure attainment of objectives
Technological risks: computer fraud, security threats
Organizational risks: fraud by management / employees
Emergencies: natural / man-made disasters; contingency planning
Fraud and Control
Fraud: deliberate act or untruth intended to obtain unfair or unlawful gain.
Management has the responsibility to prevent and/or disclose fraud. Control systems enable management to meet this responsibility.
Agency Problem
Managers’ incentives are not the same as the firm’s incentives
Principal – firm; agent – manager
Control mechanisms are used to align the incentives of managers with those of the firm
Internal Control
A system of integrated elements—people, structure, processes, and procedures—acting together to provide reasonable assurance that an organization achieves its process goals.
The internal control system is the responsibility of top management and therefore should:
Reflect management’s careful assessment of risks.
Be based on management’s evaluation of costs versus benefits.
Be built on management’s strong sense of business ethics and personal integrity.
Ethics and Controls
COSO (Committee of Sponsoring Organizations of the National Commission on Fraudulent Financial Reporting) report stresses ethics as part of control environment
Ethics and integrity arise from corporate culture that includes standards for behavior, how they are communicated, how they are enforced.
Example – codes of conduct
Business Process Control Goals and Plans
Goals: objectives to be obtained
Operations process objectives
Information process objectives
Plans: policies and procedures that assist in accomplishing control goals
Control Goals of Operations Process
Effectiveness of operations: ensure the operations process is fulfilling its purpose. Is the goal reached?
Efficiency of operations: is the use of resources optimal?
Security of resources: protection from loss, disclosure, misuse. Example: lock the door, use access codes/passwords
Control Goals of the Information Process
For transaction data (temporary):
Input validity (only approved/authorized data)
Input completeness (all valid data captured/entered)
Input accuracy (correct data entered correctly)
For master data (permanent):
Update completeness (all data entered is reflected in the updated master)
Update accuracy (data entered is reflected accurately in the updated master)
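Worked example (added here, not from the Gelinas chapter) of how these five goals become checks in a batch-input program: the input goals are enforced record by record and then by batch control totals, and the update goals by run-to-run totals on the master file. The clerk whitelist, the mod-10 check digit on customer numbers, the cash-receipts batch and the opening master balances are all constructed assumptions for illustration.

```python
# Added example, not from the Gelinas text: batch input controls for
# transaction data and run-to-run controls for master data updates.
# The clerk whitelist, the Luhn check digit on customer numbers and all
# sample records are constructed assumptions.
from dataclasses import dataclass, field

AUTHORIZED_CLERKS = {"clerk01", "clerk02"}          # assumed authorized sources
REQUIRED_FIELDS = ("customer", "amount", "entered_by")


def luhn_ok(number: str) -> bool:
    """Mod-10 check digit: catches single-digit keying errors and most
    adjacent transpositions in an identifier (input accuracy)."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)    # (record, reason) pairs
    balanced: bool = False


def validate_batch(header: dict, records: list) -> BatchResult:
    """Input validity, completeness and accuracy for one batch.
    The header carries a record count and amount total computed independently
    when the batch was prepared, so a dropped or mis-keyed record shows up
    as an out-of-balance batch even if it passes field-level edits."""
    res = BatchResult()
    for rec in records:
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:                                       # input completeness
            res.rejected.append((rec, "missing fields: %s" % ",".join(missing)))
            continue
        if rec["entered_by"] not in AUTHORIZED_CLERKS:    # input validity
            res.rejected.append((rec, "unauthorized source"))
            continue
        if not luhn_ok(rec["customer"]):                  # input accuracy
            res.rejected.append((rec, "customer check digit"))
            continue
        try:
            amount = round(float(rec["amount"]), 2)
        except ValueError:
            res.rejected.append((rec, "amount not numeric"))
            continue
        if amount <= 0:
            res.rejected.append((rec, "non-positive amount"))
            continue
        res.accepted.append({**rec, "amount": amount})
    count_ok = len(res.accepted) == header["record_count"]
    total_ok = round(sum(r["amount"] for r in res.accepted), 2) == header["amount_total"]
    res.balanced = count_ok and total_ok
    return res


def post_batch(master: dict, res: BatchResult) -> dict:
    """Update completeness and accuracy for master data: post only a balanced
    batch, then prove that every accepted record reached the master and that
    the master total moved by exactly the batch total."""
    if not res.balanced:
        raise ValueError("batch out of balance: %d rejected" % len(res.rejected))
    before = round(sum(master.values()), 2)
    posted = 0
    for rec in res.accepted:                          # a receipt reduces the receivable
        master[rec["customer"]] = round(master.get(rec["customer"], 0.0) - rec["amount"], 2)
        posted += 1
    after = round(sum(master.values()), 2)
    batch_total = round(sum(r["amount"] for r in res.accepted), 2)
    if posted != len(res.accepted):                   # update completeness
        raise RuntimeError("update incomplete")
    if round(before - after, 2) != batch_total:       # update accuracy
        raise RuntimeError("update inaccurate")
    return master


# Constructed sample data: a cash-receipts batch with two keying errors.
SAMPLE_HEADER = {"record_count": 4, "amount_total": 1250.00}
SAMPLE_RECORDS = [
    {"customer": "10017", "amount": "500.00", "entered_by": "clerk01"},
    {"customer": "20024", "amount": "250.00", "entered_by": "clerk02"},
    {"customer": "30032", "amount": "300.00", "entered_by": "clerk01"},  # bad check digit
    {"customer": "30031", "amount": "200.00", "entered_by": "temp99"},   # not an authorized clerk
]
CORRECTED_RECORDS = [dict(r) for r in SAMPLE_RECORDS]
CORRECTED_RECORDS[2]["customer"] = "30031"
CORRECTED_RECORDS[3]["entered_by"] = "clerk02"
SAMPLE_MASTER = {"10017": 900.00, "20024": 250.00, "30031": 600.00}   # opening receivables

if __name__ == "__main__":
    first = validate_batch(SAMPLE_HEADER, SAMPLE_RECORDS)
    print("rejected:", [(r["customer"], why) for r, why in first.rejected], "balanced:", first.balanced)
    fixed = validate_batch(SAMPLE_HEADER, CORRECTED_RECORDS)
    print("posted master:", post_batch(dict(SAMPLE_MASTER), fixed))
```

The point of the two-stage design is that the field-level edits and the control totals catch different failures: an edit catches a record that is wrong, while the batch totals catch a record that is missing or was silently dropped by an earlier check, and the run-to-run comparison catches an update that posted the right records to the wrong place.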
Control Plans
Information processing policies and procedures that assist in accomplishing control goals
Control environment – awareness of and commitment to control
Pervasive control plans – broad application of controls (IT, financial, access controls)
Process control plans – specific procedures, process by process
The Control Environment
Overall policies and procedures that demonstrate an organization’s commitment to the importance of control
Pervasive Control Plans
Address multiple goals and apply to many processes
Process Control Plans
Relate to a specific business process or to the technology used to implement the process
A Control Hierarchy
Overall protection (the control environment, including corporate ethics): enhances the effectiveness of the pervasive and application control plans.
Second level of protection (pervasive control plans): a major subset of these controls, the IT processes (i.e., controls), are discussed in this chapter.
Third level of protection (process control plans): discussed and illustrated in Chapters 9–14.
Control Plans: Other Classifications
Preventive – prevent a problem
Detective – detect a problem
Corrective – correct a problem
Four Broad IT Control Process Domains (from COBIT)
FIGURE 8.2
Ten Important IT Control Processes
FIGURE 8.2
IT Control Processes and Domains
Planning and Organization
Process 1: Establish strategic vision
Process 2: Develop tactics to realize strategic vision
Acquisition and Implementation
Process 3: Identify automated solutions
Process 4: Develop and acquire IT solutions
Process 5: Integrate IT solutions into operations
Process 6: Manage change to existing IT systems
IT Control Processes and Domains (cont’d)
Delivery and Support
Process 7: Deliver required IT services
Process 8: Ensure security and continuous service
Process 9: Provide support services
Monitoring
Process 10: Monitor operations
Process 1: Strategic Plan for IT
Summary of the organization’s strategic goals and how they relate to the IT function.
Once strategic goals are established, they can be transformed into short-term tactical objectives.
Controls are about ensuring attainment of goals. Those goals and objectives are set starting from the strategic plan.
Process 2: Realization of Strategic Mission
Many techniques are used to reach strategic goals:
IT steering committee
Project management techniques
Quality assurance plan
Reviews, audits, inspections, monitoring
Control Plans
Segregation of duties control plan
Access control plans
Personnel control plans: rotation of duties, termination policies
Illustration of Segregation of Duties
TABLE 8.2a
Function 1, Authorizing events: approve steps of event processing.
Function 2, Executing events: physically move resources; complete source documents.
Function 3, Recording events: record events in the appropriate data store(s); post event summaries to the master data store.
Function 4, Safeguarding resources resulting from consummating events: physically protect resources; maintain accountability of physical resources.
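An added example, not part of the chapter, that turns the four-function table into a segregation-of-duties check over role assignments, in both the detective form (a periodic scan of who holds what) and the preventive form (refusing a provisioning request that would create a conflict). The role catalogue, the users and the "purchasing" and "payroll" event streams are constructed; a role is allowed to bundle several functions, because that is where conflicts usually hide in real systems.

```python
# Added example, not from the Gelinas text: segregation-of-duties analysis
# over role assignments using the four functions of Table 8.2a. Roles,
# users and event streams are constructed assumptions.
from itertools import combinations

AUTHORIZE, EXECUTE, RECORD, SAFEGUARD = "authorize", "execute", "record", "safeguard"

# Constructed role catalogue: role -> set of (event stream, function).
# A role may bundle several functions; erp_superuser conflicts on its own.
ROLE_FUNCTIONS = {
    "po_approver":      {("purchasing", AUTHORIZE)},
    "receiving_clerk":  {("purchasing", EXECUTE)},
    "ap_clerk":         {("purchasing", RECORD)},
    "warehouse_keeper": {("purchasing", SAFEGUARD)},
    "payroll_approver": {("payroll", AUTHORIZE)},
    "payroll_entry":    {("payroll", RECORD)},
    "erp_superuser":    {("purchasing", AUTHORIZE), ("purchasing", RECORD), ("payroll", RECORD)},
}

# Constructed assignments: user -> roles held.
ASSIGNMENTS = {
    "alice": {"po_approver", "payroll_entry"},       # two streams, no conflict
    "bob":   {"receiving_clerk", "warehouse_keeper"},  # execute + safeguard purchasing
    "carol": {"erp_superuser"},                       # one role bundling authorize + record
    "dave":  {"ap_clerk"},
}


def functions_held(roles) -> dict:
    """Collapse a user's roles into stream -> set of functions."""
    held = {}
    for role in roles:
        for stream, func in ROLE_FUNCTIONS[role]:
            held.setdefault(stream, set()).add(func)
    return held


def conflicts_for(user: str, roles) -> list:
    """Any two of the four functions held by one person within the same
    event stream let that person both commit and conceal an irregularity,
    so every pair is incompatible; pairs across streams are not flagged."""
    out = []
    for stream, funcs in sorted(functions_held(roles).items()):
        for f1, f2 in combinations(sorted(funcs), 2):
            out.append((user, stream, f1, f2))
    return out


def sod_conflicts(assignments: dict) -> list:
    """Detective control: scan existing assignments for conflicts."""
    found = []
    for user in sorted(assignments):
        found.extend(conflicts_for(user, assignments[user]))
    return found


def grant_role(assignments: dict, user: str, role: str):
    """Preventive control: refuse a grant that would create a conflict.
    Returns (granted, conflicts_that_blocked_it)."""
    proposed = set(assignments.get(user, set())) | {role}
    new = conflicts_for(user, proposed)
    if new:
        return False, new
    assignments.setdefault(user, set()).add(role)
    return True, []


if __name__ == "__main__":
    for c in sod_conflicts(ASSIGNMENTS):
        print("conflict:", c)
    live = {u: set(r) for u, r in ASSIGNMENTS.items()}
    print("grant dave po_approver ->", grant_role(live, "dave", "po_approver"))
    print("grant dave payroll_approver ->", grant_role(live, "dave", "payroll_approver"))
```

Running the scan shows that carol's conflict comes from a single bundled role, which a review of role names alone would never reveal; a real deployment would feed the same function-level catalogue from the application's permission export rather than a hand-written table.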
Illustration of Segregation of Duties (cont’d)
TABLE 8.2b
Process 3: Identify IT Solutions
Develop solutions consistent with the strategic IT plan; ensure the analysis stages of the SDLC are carried through
Process 4: Develop/Acquire IT Solutions
• Develop/acquire application software
• Acquire technology infrastructure
• Develop service-level requirements and application documentation
Process 5: Integrate IT Solutions Into Operational Processes
Planned, tested, and controlled conversion to the new system
Process 6: Manage Changes to Existing IT Systems
• Change request, impact assessment
• All changes are authorized, documented, and properly implemented
Process 7: Deliver Required IT Services
Define service levels
Manage third-party services
Manage IT operations
Manage data (backup)
Identify and allocate costs
Process 8: Ensure Security and Continuous Service
Disaster recovery: mirror site (copy of all data), hot site (fully equipped), cold site (equipped by customer)
Restrict access: physical access to facilities, logical access to data / programs
Restricting Access to Computing Resources—Layers of Protection
FIGURE 8.4a
Restricting Access to Computing Resources—Layers of Protection (cont’d)
FIGURE 8.4b
Process 9: Provide Support Services
Regular training sessions should be provided
Advice and assistance should be given
Very often a “help desk” is set up for these purposes
Process 10: Monitor Operations
• Gather data about processes
• Generate performance reports
• Internal and external monitoring