TRANSCRIPT
1
Chapter Five
MANAGING THE IT FUNCTION
2
Organizing the IT Function
Locating the IT Function – to whom should the IT manager report?
Structuring the IT Function – often determined by cultural, political and economic forces inherent in each organization.
3
Internal control considerations within an IT function
Separate from one another:
– systems development
– computer operations
– computer security
Must vest in different people:
– authorizing transactions
– recording transactions
– maintaining custody of assets
4
Systems Development
Staff has access to operating systems, business applications and other key software.
Systems developers are authorized to create and alter software logic; therefore, they should not be allowed to process information.
They should not maintain custody of corporate data and business applications.
5
Computer Operations
Operations staff are responsible for:
– Entering data (similar to the internal control concept of ‘authorizing transactions’)
– Processing information (similar to the internal control concept of ‘recording transactions’)
– Disseminating output (similar to the internal control concept of ‘maintaining custody’)
Must segregate duties.
6
Computer Security
Responsible for the safe-keeping of resources
– includes ensuring that business software applications are secure.
– responsible for the safety (‘custody’) of corporate information, communication networks and physical facilities
Systems analysts and programmers should not have access to the production library.
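The separation rules on slides 3 to 6 (no two of authorize/record/custody in one pair of hands, no one person in two IT units, developers kept away from processing, custody and the production library) can be checked mechanically. The following is an added example and not code from the original slides; the label names, the people and the sample roster are constructed for illustration.

```python
"""Segregation-of-duties checker for the rules on slides 3 to 6.

Added example, not from the original slides. Label names, the people and the
sample assignments are constructed for illustration.
"""
from itertools import combinations

# Slide 3: functions that must vest in different people.
TRANSACTION_FUNCTIONS = {"authorize", "record", "custody"}
# Slide 3: IT units that must be kept separate from one another.
IT_UNITS = {"systems_development", "computer_operations", "computer_security"}
# Slides 4 and 6: developers may not process information (record) or keep
# custody of data and applications, and analysts/programmers may not touch
# the production library.
UNIT_FORBIDS = {
    "systems_development": {"record", "custody", "production_library"},
}


def sod_conflicts(assignments):
    """Return sorted (person, rule, frozenset(labels)) tuples for every breach.

    assignments maps a person to the set of labels they hold; labels come from
    TRANSACTION_FUNCTIONS, IT_UNITS and the UNIT_FORBIDS values.
    """
    conflicts = []
    for person, labels in sorted(assignments.items()):
        # Rule 1: no two of authorize / record / custody for one person.
        for a, b in combinations(sorted(labels & TRANSACTION_FUNCTIONS), 2):
            conflicts.append((person, "transaction", frozenset((a, b))))
        # Rule 2: no person sits in two IT units.
        for a, b in combinations(sorted(labels & IT_UNITS), 2):
            conflicts.append((person, "it_unit", frozenset((a, b))))
        # Rule 3: unit-specific prohibitions (development vs production).
        for unit, forbidden in UNIT_FORBIDS.items():
            if unit in labels:
                for label in sorted(labels & forbidden):
                    conflicts.append((person, "unit_forbids",
                                      frozenset((unit, label))))
    return conflicts


def can_grant(assignments, person, label):
    """Pre-grant check: True only if adding label creates no new conflict."""
    before = len(sod_conflicts(assignments))
    trial = {p: set(ls) for p, ls in assignments.items()}
    trial.setdefault(person, set()).add(label)
    return len(sod_conflicts(trial)) == before


# Constructed sample roster.
SAMPLE = {
    "dev_dana": {"systems_development"},
    "ops_omar": {"computer_operations", "record"},
    "sec_sam": {"computer_security", "custody"},
    "clerk_chris": {"authorize", "record"},                        # rule 1
    "admin_alex": {"systems_development", "computer_operations"},  # rule 2
    "prog_pat": {"systems_development", "production_library"},     # rule 3
}

if __name__ == "__main__":
    for conflict in sod_conflicts(SAMPLE):
        print(conflict)
```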
7
Funding the IT Function
Must be adequately funded to fulfill strategic objectives.
– Audit risk of under-funding – heavy workloads can lead to a culture of ‘working around’ the system of internal controls
Two funding approaches
– Cost center
– Profit center
» Negative outcome: IT can build excessive expenses into billing rates until the rates exceed costs of outside providers.
» Auditor should confirm that a reasonableness check is performed at least annually to ensure that billing rates are not excessive
8
Staffing the IT Function
Business and audit risks can be effectively controlled via sound human resource procedures.
Hiring: Recruiting, Verifying, Testing, Interviewing
Reviewing: Rewarding, Evaluating, Compensating, Promoting, Training, Terminating
9
Compensation Issues: Compression and Inversion
Compression: The compensation of newly hired employees gets very close to that of experienced employees in similar positions, or the compensation of subordinates is nearly the same as that of their superiors.
Inversion: The compensation of new hires is greater than that of more experienced employees in the same position, or the compensation of subordinates exceeds that of superiors.
10
Terminating
A disgruntled employee can disrupt the company’s systems and controls.
The IT function needs to design and implement countervailing controls:
– backup procedures
– checks-and-balances
– cross-training
– job rotations
– mandated vacations
– immediately separate them from the computing environment
– terminate all computer privileges
11
Directing the IT Function: Administering the Workflow
Effective capacity planning
Schedule and perform the work
– Have enough resources for peaks yet minimize idle time
Develop formal workload schedules
Monitor performance
Denote actual-to-planned workload variances
Continually adjust
12
Managing the Computing Environment
The IT manager must
– understand how the infrastructure elements work together.
» Computer hardware
» Network hardware
» Communication systems
» Operating systems
» Application software and data files
– establish policies for acquiring, disposing, and accounting for inventory
– track rented equipment and software
– comply with licensing agreements
13
Managing the Computing Environment
The IT manager must ensure the physical environment is safe for humans and computers with
– Fire suppression systems in place
– A tested fire evacuation plan
– A climate-controlled environment
– Facilities that are inconspicuous in location and design
– Compliance with appropriate safety and health regulations
14
Third Party Services
Examples:
– Internet service providers (ISP), ASP, MSP
– Communication companies
– Security firms
– Call centers
Policies must be established for purchase, use, and termination of 3rd party services.
– Must ensure the security and confidentiality of company information.
– Must have a plan for disruption of services.
– Must have a backup and recovery plan in place.
15
Assisting Users: Training and Education
Training and Education
– Identify training needs.
– Design curricula.
– Deliver programs.
– Use outside training programs.
Help Desk
– design and monitor effective ways to assist users when they request help.
– Effective handling of problems and incidents requires a formal set of policies and procedures.
16
Controlling the IT Function
The major control categories involved in the IT function are
– Security
– Input
– Processing
– Output
– Databases
– Backup and recovery (continuity)
Each of these categories is intended to minimize business and audit risk via internal controls.
17
Security Controls
Secure the computing infrastructure from internal and external threats.
A compromise of the infrastructure can result in:
– business risk
» network downtime
» database corruption
– audit risk
» material misstatements in accounts due to incomplete or inaccurate data capturing
18
Physical Security
Focuses on keeping facilities, computers, communication equipment and other tangible aspects of the computing infrastructure safe.
Access Restriction
– Authorized personnel only; visitors must be accompanied by authorized personnel at all times.
– Entry security – security guards, keys, card readers, etc.
Monitoring who is entering, roaming and leaving the facility.
– Security guards
– Video cameras
– Penetration alarms
19
Security Issue / Physical Controls / Logical Controls

Access Controls
– Physical: security guards; locks & keys; biometric devices
– Logical: ID and passwords; authorization matrix; firewalls & encryption

Monitor Controls
– Physical: security guards; video cameras; penetration alarms
– Logical: access logs; supervisory oversight; penetration alarms

Review Controls
– Physical: formal reviews; signage logs; violation investigations
– Logical: formal reviews; activity logs; violation investigations

Penetration Tests
– Physical: unauthorized attempts to enter IT facilities; attempts to break in through vulnerable points; as an authorized visitor, attempts to leave authorized personnel and wander around the facility without oversight
– Logical: unauthorized attempts to enter servers and networks; attempts to override access controls (hacking); as an authorized user, attempts to use unauthorized applications and view unauthorized information
20
Physical Security: Communication & Power Lines
Communication & Power Lines
– monitor the primary communication and power lines
– install secondary (backup) lines in case the primary lines fail.
– UPS
21
Logical Security
Data and software are known as the ‘logical’ components of the infrastructure:
– Corporate data
– Computer software
» user applications
» network management software
» communication systems
» operating systems
22
Logical Security: Points of Entry
Computer Terminal
– Supply authorized ID
– Password
Network/Internet
– Controls need to cover external access points
– Firewalls
– Track failed attempts to enter the system
23
Information Controls
Controls need to be in place and working effectively to ensure the integrity and accuracy of vital decision-making information.
– Input
– Processing
– Output
Must integrate sound backup controls.
24
Information Controls: Input Controls
The company must have and follow written procedures regarding the proper authorization, approval and input of accounting transactions.
These are incompatible functions.
– they should be carefully segregated, to the extent possible, and controlled.
25
Information Controls: Input Controls – 3 Scenarios – #1
A customer purchases goods at a store counter.
– Authorizing the sale
A cashier records the sale on the cash register
– Approving the sale; balances the register; logs into the register with ID
An accounting clerk later processes cash register sales in batches.
– Inputs sales transactions into the accounting system in batches
26
Process Controls
Validating
Error Handling
Updating
27
Output Controls
Only properly authorized parties can request certain output:
– computer screens
– printed reports
Must have record retention and destruction policies per regulatory and company rules.
– Permanent reports must be kept in a secured area.
– Temporary reports must be properly destroyed.
28
Output Controls: Computer Screens
Screens need to be physically secure when output is visible.
Output should be removed when the user leaves the terminal.
Return to the screen should require a password.
29
Database Controls: Roll-back and Recovery
When there is an interruption, the database management system (DBMS) begins to restore.
There are numerous technical processes depending on the DBMS in use.
30
Database Controls: Concurrency Control
Multiple users attempt to read/update the same data item simultaneously.
A common way to prevent concurrency problems is to lock a database object while it is in use
– Coarse level – database is locked during updates.
– Moderate level – database locks at tuple (record) level.
– Fine level – database locks at attribute (field) level.
– A finer level of granular locking equates to slower computer performance.
31
Continuity Controls
Must develop and follow a sound backup strategy to prevent disruption of business activity.
– Two key considerations: downtime and cost.
– Shorter downtime requirements equate to higher backup costs.
Backup Types
– Normal (full), Copy*
– Incremental, Differential*
– Daily*
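The practical difference between the backup types above is how many backup sets a restore needs. The following simulation is an added example, not code from the original slides; it assumes the usual archive-bit semantics (normal and incremental clear a file's archive bit after copying it, while copy, differential and daily leave it set), and its file names and schedule are constructed.

```python
"""Archive-bit simulation of the five backup types on the slide.

Added example, not from the original slides. Assumption (labelled): normal
(full) and incremental backups clear a file's archive bit after copying it,
while copy, differential and daily leave the bit set and so do not disturb
the chain of later backups. File names and the schedule are constructed.
"""
from dataclasses import dataclass

CLEARS_ARCHIVE_BIT = {
    "normal": True,         # every file, clears the bit
    "incremental": True,    # files changed since the last normal/incremental
    "copy": False,          # every file, bit left alone
    "differential": False,  # files changed since the last normal
    "daily": False,         # files modified on the backup day
}


@dataclass(frozen=True)
class BackupSet:
    day: int
    kind: str
    files: tuple  # (name, content) pairs captured in this set


class FileSystem:
    """Tiny file system tracking content, archive bit and modification day."""

    def __init__(self):
        self.content, self.archive_bit, self.mtime = {}, set(), {}

    def write(self, day, name, content):
        self.content[name] = content
        self.archive_bit.add(name)
        self.mtime[name] = day

    def backup(self, day, kind):
        if kind in ("normal", "copy"):
            names = set(self.content)
        elif kind == "daily":
            names = {n for n, d in self.mtime.items() if d == day}
        else:  # incremental or differential: the archive bit selects files
            names = set(self.archive_bit)
        if CLEARS_ARCHIVE_BIT[kind]:
            self.archive_bit -= names
        captured = tuple(sorted((n, self.content[n]) for n in names))
        return BackupSet(day, kind, captured)


def restore_plan(sets, target_day):
    """Smallest list of (day, kind) whose newest copies rebuild every file
    captured up to target_day (file deletions are not modelled)."""
    candidates = [s for s in sets if s.day <= target_day]
    needed = {n for s in candidates for n, _ in s.files}
    plan = []
    for s in reversed(candidates):  # newest first, so the latest version wins
        hit = {n for n, _ in s.files if n in needed}
        if hit:
            plan.append((s.day, s.kind))
            needed -= hit
        if not needed:
            break
    return plan[::-1]


def run_schedule(events, target_day):
    """events: ('write', day, name, content) or ('backup', day, kind)."""
    fs, sets = FileSystem(), []
    for ev in events:
        if ev[0] == "write":
            fs.write(*ev[1:])
        else:
            sets.append(fs.backup(*ev[1:]))
    return restore_plan(sets, target_day)


# Constructed edits: a day-0 normal backup, then one strategy on days 1 to 3.
EDITS = [("write", 0, "ledger.db", "v0"), ("write", 0, "payroll.csv", "v0"),
         ("write", 0, "config.ini", "v0"), ("write", 1, "ledger.db", "v1"),
         ("write", 2, "payroll.csv", "v2"), ("write", 3, "ledger.db", "v3")]


def schedule(kind):
    events = [e for e in EDITS if e[1] == 0] + [("backup", 0, "normal")]
    for day in (1, 2, 3):
        events += [e for e in EDITS if e[1] == day] + [("backup", day, kind)]
    return events
```

Running `run_schedule(schedule(kind), 3)` for each kind shows the trade-off the slide states: differential restores need the full plus one set, incremental and daily restores need the full plus every set that still holds a current file, and a copy needs only itself.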
32
Continuity Controls: Backup Controls – Data Backup
Fast Company
– Must be back on computers within hours
– Needs daily full backup
– Hourly incremental backups
Lightning Company
– Must be back on computers within minutes
– Needs real-time backup
– Simultaneous updating on remote computer
33
Continuity Controls: Storage Location & Hardware Redundancy
Physical Vaulting
One backup on-site, one off-site
– On-site copy is readily accessible if no disaster
– Off-site copy retrievable if disaster
Electronic Vaulting
Send backup data over a communications network (such as the Internet) to an off-site storage medium.
Strategy involves more time and money
34
Continuity Controls: Storage Location & Hardware Redundancy
Hardware backup usually needed for component failures:
– Power supplies
– Anything with moving parts
There are 3 common configurations for redundant storage devices:
– Redundant Array of Independent Disks (RAID)
– Network Attached Storage (NAS)
– Server Area Network (SAN)
35
Continuity Controls: Redundant Array of Independent Disks (RAID)
Disk mirroring
– Data is simultaneously written to the primary disk and one or more redundant disks
Disk striping
– An array of at least three, but usually five, disks is established
– a scheme of parity checks is utilized
– if one disk drive in the array fails, the remaining drives can reconstruct the data on the failed drive and continue processing
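The parity scheme behind disk striping is plain XOR: the parity chunk of a stripe is the XOR of its data chunks, so any one missing chunk equals the XOR of the others. The following is an added example, not code from the original slides; the disk count, chunk size and sample payload are constructed.

```python
"""Disk striping with parity, as an added example (not from the slides).

Models an array of five disks holding four data chunks plus one XOR parity
chunk per stripe, loses one disk, and rebuilds it from the survivors. The
disk count, chunk size and sample payload are constructed for illustration.
"""

DISKS = 5   # the slide's "at least three, but usually five"
CHUNK = 4   # bytes each disk contributes to one stripe


def xor_bytes(*blocks):
    """Byte-wise XOR of equal-length blocks; this is the parity check."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def stripe(data, disks=DISKS, chunk=CHUNK):
    """Spread data over disks-1 data chunks per stripe plus one parity chunk.

    Returns a list with one list of chunks per disk. The parity chunk rotates
    across disks so no single disk becomes a write hot spot.
    """
    per_stripe = (disks - 1) * chunk
    padded = data + b"\0" * (-len(data) % per_stripe)
    array = [[] for _ in range(disks)]
    for s in range(len(padded) // per_stripe):
        base = s * per_stripe
        chunks = [padded[base + i * chunk: base + (i + 1) * chunk]
                  for i in range(disks - 1)]
        parity, parity_disk = xor_bytes(*chunks), s % disks
        data_chunks = iter(chunks)
        for d in range(disks):
            array[d].append(parity if d == parity_disk else next(data_chunks))
    return array


def rebuild(array, failed):
    """Reconstruct the chunks of disk `failed` (array[failed] may be None).

    XOR over all chunks of a stripe is zero, so XOR of the survivors' chunks
    equals the missing chunk, whether it held data or parity.
    """
    survivors = [d for i, d in enumerate(array) if i != failed]
    return [xor_bytes(*(d[s] for d in survivors))
            for s in range(len(survivors[0]))]


def read_back(array, length, disks=DISKS):
    """Reassemble the original bytes from a complete (non-degraded) array."""
    out = bytearray()
    for s in range(len(array[0])):
        for d in range(disks):
            if d != s % disks:
                out += array[d][s]
    return bytes(out[:length])


def survives_single_failure(data, failed):
    """True if the array can lose disk `failed` and still serve `data`."""
    array = stripe(data)
    degraded = list(array)
    degraded[failed] = None            # the drive is gone
    degraded[failed] = rebuild(degraded, failed)
    return read_back(degraded, len(data)) == data
```

Losing a second disk before the rebuild finishes leaves two unknowns per stripe, which a single XOR parity cannot recover; that window is why the slide pairs striping with a backup strategy rather than treating it as one.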
36
Continuity Controls: Network Attached Storage (NAS)
Integrates one or more storage devices (NAS appliances) into the local area network (LAN).
Comprised of one or more disk drives and an internal controller.
Employs RAID technology to ensure hardware redundancy.
Can be shared by multiple users on the network.
Appliances are relatively affordable and scalable
37
[Figure: Network Attached Storage (NAS) appliance on a LAN shared by User #1, User #2, a printer and a scanner]
38
Continuity Controls: Server Area Network (SAN)
Expands NAS to wide area networks (WAN).
SAN is a dedicated network.
SAN can be linked to multiple LANs.
Multiple SANs can be simultaneously utilized.
SAN can be expensive and technically complicated
Capable of handling very high volumes
SAN is a great solution for large companies.
SAN is designed to be very fault tolerant.
39
[Figure: SAN – an input-output controller connecting four disk storage units to a wide area network]
40
Disaster Recovery Controls
IT managers and auditors should plan for what, who, when, where, how, which and why.
– determine what just happened
– specify who to contact, in what order, and what they are expected to do
– when to enact the remainder of the contingency plan
– where to transfer the lost computer processing load
41
Disaster Recovery Controls (where)
Three Levels:
1. Cold site: includes building & basic infrastructure
» bring own computing equipment
» establish the necessary infrastructure
– telephone service
– Internet connections
– specialized computer cooling systems (if needed)
– unique power requirements
2. Warm site: provides basic computer needs
» Not the computers
3. Hot site: Ready to go!
» Complete with computers
» Operating system
42
Disaster Recovery Controls
How is the company going to get the computer hardware, people, software and data to the alternate site?
Which applications are mission critical?
Why is one application or set of applications more time sensitive than another?
All affected parties need to be involved in the planning phase.
It must be reviewed and updated on a recurrent basis.