managing the it function_students.pdf

Upload: agape-joy-castillo

Post on 14-Apr-2018

TRANSCRIPT

  • 7/27/2019 Managing the IT Function_students.pdf

    1/38

    Managing the IT Function

    IT Managers

    Must establish sound policies and procedures aimed at controlling key risk associated with running the IT function

    I. Organizing the IT Function

    The IT manager must define the role and articulate the value of the IT function within the organization

    They must balance many influences (profit, opportunity, growth, control) against constant pressure to achieve short-term (ST) and long-term (LT) goals

    a. Locating the IT Function

    To whom should the IT manager report?

    a. Locating the IT Function

    Segregation of duties:

    recording transactions

    authorizing transactions

    maintaining custody of assets

    a. Locating the IT Function

    To whom should the IT manager report?

    Functional/Line Managers?

    Controllers who manage corporate accounting?

    CEOs/ Presidents?

    b. Designing the IT Function

    Separation of:

    systems development (systems analysis, computer programming, database administration, quality control)

    computer operations (data input, information processing, information output)

    computer security

    II. Financing the IT Function

    The IT function must be adequately funded, or else it will be unable to conduct day-to-day operations and fulfill strategic objectives.

    a. Funding IT Operations

    Cost Center

    IT manager prepares a budget, submits it to upper management and justifies the request for operating funds

    Profit Center

    Same budgeting process. Additionally, the IT function can charge internal users for IT services (intracompany funding)

    b. Acquiring IT Resources

    IT managers engage in LT planning, which includes developing, purchasing & implementing various components of the computing infrastructure (application software, computer hardware, communication systems)

    Net benefit = PV of benefits - costs

    III. Staffing the IT Function

    Human resources are the most valuable of all IT resources

    Business risk: lack of sufficient knowledge and experience; inefficient and ineffective use of human resources

    Audit risk: unaware of and unconcerned about internal controls

    Hiring

    Recruiting

    Verifying

    Testing

    Interviewing

    Terminating

    Voluntary

    Involuntary

    IV. Directing the IT Function

    IT Managers perform this responsibility to minimize business and audit risks

    a. Administering the Workflow

    Define levels of service that the IT function promises to deliver to users (Service Level Agreements or SLAs)

    Schedule and perform the work

    IT resources are efficiently and effectively used at a fairly steady rate

    b. Managing the Computing Environment

    Taking responsibility for the computing infrastructure

    Computer hardware, network, communication systems, operating systems, application software, data files

    Maintaining physical facilities safe for humans and computers

    c. Handling 3rd Party Services

    establish policies and procedures regarding the purchase, use and termination of 3rd party services

    defining the roles and responsibilities of each party

    ensure security and confidentiality

    dealing with unexpected disruption

    d. Assisting users

    environment of learning and growth through user training and education

    providing helpful advice when needed (i.e. helpdesk)

    V. Controlling the IT Function

    The IT Auditor must assess whether control risk is within a tolerable range; otherwise, (i) existing controls may have to be strengthened or (ii) compensating controls may have to be developed in order to lower control risk to an acceptable level.

    a. Security Controls

    Physical Security

    Access Security

    Security system for monitoring entering, roaming, leaving the facility

    Penetration alarms

    Periodic review of access evidence

    Backup lines (power and communication)

    a. Security Controls

    Logical Security

    Corporate data & computer software = most valuable portion of computing infrastructure

    Points of entry:

    Computer terminal

    Internet

    Periodic monitoring

    Penetration testing

    b. Information Controls

    Case 1: [Diagram; parties shown: Customer, Cashier, Accounting Clerk]

    b. Information Controls

    Case 2: [Diagram; parties shown: Customer, Cashier, Accounting Clerk]

    b. Information Controls

    Case 3: [Diagram; parties shown: Customer, Accounting Clerk]

    b. Information Controls

    Process Controls

    Validating

    Error handling

    Updating

    b. Information Controls

    [Diagram; labels shown: Customer, Accounting Clerk, Customer MF, Inventory MF, Journal, Ledger]

    b. Information Controls

    Database Controls

    Risk of corruption during glitches

    DBMS = roll-back and recovery (processing queue; initial state)

    Concurrency control (lock and release), timestamps, granular level (coarse, moderate, fine)

    b. Information Controls

    Output Controls

    Authorized persons can request and possess

    Printer proximity

    Reports disposal

    c. Continuity Controls

    Backup Controls

    Downtime

    Cost

    Data Backup

    Hardware Backup

    c. Continuity Controls

    Data Backup

    Weekly, incremental, hourly, real-time

    Key issues:

    a. Storage location

    b. Hardware redundancy

    Physical and Electronic Vaulting

    c. Continuity Controls

    Hardware Backup

    Power lines redundancy

    Extra disk drives

    Common configurations:

    a. Redundant Array of Independent Disks (RAID) = disk mirroring; disk striping

    b. Network Attached Storage (NAS)

    c. Server Area Network (SAN)

    d. Disaster Recovery Controls

    Proactive, not reactive

    What (scenario)

    Who (contacts)

    When (timing)

    d. Disaster Recovery Controls

    Where (to transfer comp. processing load)

    Peer company = same industry or 3PSP

    Cold site = bldg space and basic infrastructure

    Warm site = has basic computing infrastructure

    Hot site = complete infrastructure

    d. Disaster Recovery Controls

    How (logistics)

    Which (priorities) and Why

    periodic testing of plan
