chapter four information technology deployment risks (week 5)


Upload: daisy-boyd

Post on 29-Dec-2015


Chapter Four

INFORMATION TECHNOLOGY DEPLOYMENT RISKS

(Week 5)

Lecture Outline

– Developing Strategic Plans
– Managing Development Projects
– Acquiring Software Applications
– Developing Software Applications
– Changing Software Applications
– Implementing Software Applications

Developing Strategic Plans

– Serves as the primary guideline for allocating resources throughout the firm.
– Keeps the organization headed in a profitable direction.
– Strategic planning begins with a vision and follows a clearly defined path: vision → mission → objectives → strategy → policies.

[Figure: the planning hierarchy Vision → Mission → Objectives → Strategy → Policies; Information Technology Plans Must Complement & Support Company Plans]

– The IT auditor should look for evidence of a prescribed, documented IT strategic planning process.
– The existence of an ongoing process of this nature indicates that the company is constantly and diligently seeking an optimal “fit” between the information technology infrastructure and the organization’s overall goals.
– The planning process increases the likelihood that the company is making the most efficient and effective use of IT throughout the organization.

Important Policy Areas for IT Functions

1. Planning Policies
   a. Responsibility (who is involved with planning?)
   b. Timing (when does planning take place?)
   c. Process (how should planning be conducted?)
   d. Deliverables (what planning documents are produced?)
   e. Priorities (what are the most to least critical planning issues?)

2. Organizational Policies
   a. Structure (what is the organizational form of the IT function?)
   b. Information Architecture (is the infrastructure aligned with the firm’s mission?)
   c. Communication (are the IT strategy and policies known by all affected parties?)
   d. Compliance (are all external regulations and laws being addressed?)
   e. Risk Assessment (are IT risks identified, measured and controlled?)

3. Human Resource Policies
   a. Training (what kind of training is provided and to whom?)
   b. Travel (what are the travel guidelines and priorities?)
   c. Hiring (who determines needs and who screens applicants?)
   d. Promotion (what are the guidelines and how does the process work?)
   e. Termination (what are the voluntary and involuntary termination guidelines?)

4. Software Policies
   a. Acquisition (how is software acquired from outside vendors?)
   b. Standards (what are the software compatibility standards?)
   c. Outside Contractors (should contractors be used for software development?)
   d. Changes (how to control and monitor the software change process?)
   e. Implementation (how to handle conversions, interfaces, and users?)

5. Hardware Policies
   a. Acquisition (how is hardware acquired from outside vendors?)
   b. Standards (what are the hardware compatibility standards?)
   c. Performance (how to test computing capabilities?)
   d. Configuration (where to use client-servers, personal computers, and so on?)
   e. Service Providers (should third-party service bureaus be used?)

6. Network Policies
   a. Acquisition (how is network technology acquired from outside vendors?)
   b. Standards (compatibility of local area networks, intranets, extranets, and so on?)
   c. Performance (how much bandwidth is needed and is the network fast enough?)
   d. Configuration (use of servers, firewalls, routers, hubs, and other technology?)
   e. Adaptability (capability to support emerging e-business models?)

7. Security Policies
   a. Testing (how is security tested?)
   b. Access (who can have access to what information and applications?)
   c. Monitoring (who monitors security?)
   d. Firewalls (are they effectively utilized?)
   e. Violations (what happens if an employee violates security?)

8. Operations Policies
   a. Structure (how is the operations function structured?)
   b. Responsibilities (who is responsible for transaction processing?)
   c. Input (how does data enter into the information system?)
   d. Processing (what processing modes are used?)
   e. Error Handling (who should correct erroneous input/processing items?)

9. Contingency Policies
   a. Backup (what are the backup procedures?)
   b. Recovery (what is the recovery process?)
   c. Disasters (who is in charge and what is the plan?)
   d. Alternate Sites (what types of sites are available for off-site processing?)

10. Financial and Accounting Policies
   a. Project Management (are IT projects prioritized, managed, and monitored?)
   b. Revenue Generation (should services be sold inside or outside the organization?)
   c. Technology Investments (are the investment returns being properly evaluated?)
   d. Funding Priorities (where to most effectively allocate resources?)
   e. Budgets (are budgets aligned with funding levels and priorities?)

“Red Flags” for IT Auditors

The following key planning risk indicators should trigger red flags for the IT auditor.

1. A strategic planning process is not used.
2. Information technology risks are not assessed.
3. Investment analyses are not performed.
4. Quality assurance reviews are not conducted.
5. Plans and goals are not communicated.
6. Information technology personnel are disgruntled.
7. Software applications do not support business processes.
8. The technology infrastructure is inadequate.
9. The user community is unhappy with the level of support.
10. Management’s information needs are not met.

CobiT Guidelines

– The guidelines suggest eleven processes that should be incorporated into IT strategic plans.
– Each process is integrated throughout the IT policy areas.
– The processes are designed to manage the key IT risks.

11 Processes

1. Develop a strategic IT plan.
2. Articulate the information architecture.
3. Find an optimal fit between IT and the company’s strategy.
4. Design the IT function to match the company’s needs.
5. Maximize the IT investment.
6. Communicate IT policies to the user community.
7. Manage the IT workforce.
8. Comply with external regulations, laws, and contracts.
9. Conduct IT risk assessments.
10. Maintain a high-quality systems development process.
11. Incorporate sound project management techniques.

Managing Development Projects

– Regardless of the type of project, there are project management techniques that apply to most situations.
– Using a structured methodology minimizes the risk of failure:
  – Late delivery
  – Cost overrun
  – Lack of functions
  – Poor quality
– The IT auditor should check that project management techniques are employed.

Project Manager

– The first step is to assign the project to a manager.
– Needs experience in the domain area.
– Needs skill at managing projects.
– Must work well with staff on planning and executing the project:
  – Senior management representatives
  – IT staff
  – Affected users

Generic Project Life Cycle

[Figure: generic project life cycle diagram. Activities 1 to 4, each with Resources, Parameters and a Deliverable, run from Beginning to End and produce the Project Outcome; the management functions shown are Planning, Scheduling, Monitoring, Controlling and Closing; Project Resources and the Boundary Conditions of Scope, Time and Cost frame the project.]

Project Life Cycle

Phase 1: Plan the Project
– Set the time, cost and scope
– Identify resources
– Articulate the project outcome
– Work with specialists, i.e., analysts, programmers, users
– Determine the WBS (Work Breakdown Structure)

Phase 2: Schedule the Project (create a timetable for each activity)
– Gantt charts
– Critical Path Analysis
– Critical Path Method
– Microsoft Project

Phase 3: Continuous Monitoring
– Use benchmarks, milestones and deliverables to track progress
– Monitoring frequency varies by project, depending on the sensitivity of the project to deviation
– Rule of thumb: determine the maximum percent deviation allowed and monitor activities at the half-way point

Phase 4: Controlling
– Aimed at keeping the project moving
– Adjust to unexpected issues, delays, and problems that arise
– Continually adjust the plan

Phase 5: Closing the Project
– Obtain client acceptance in writing
– Release and evaluate project personnel
– Identify and reassign remaining project assets
– Evaluate the project
– Chronicle the project history

Key Project Risk Indicators

1. Management does not use a formal project management methodology.
2. Project leaders are not adequately experienced at managing projects.
3. Project leaders have insufficient domain expertise.
4. Project teams are unqualified to handle the project size/complexity.
5. Project team members are dissatisfied and frustrated.
6. Projects do not have senior-level executive support.
7. Projects do not include input from all affected parties.
8. Project recipients are dissatisfied with project outcomes.
9. Projects are taking longer to develop than planned.
10. Projects are costing more than budgeted.

Acquiring Software Applications

– The IT auditor should determine if the new application would fit into the company’s strategic plan.
– There should be a formal software application acquisition policy.
– Needs must be identified and prioritized.
– Determine which applications can be developed in-house, and which to purchase.

Selection Process

– Assign a project manager
  – Must know the needs of users and include them in decisions
– Identify alternatives and compare:
  – Ease of use
  – Functionality
  – Reporting
  – Documentation
  – Security features
  – Internal controls
  – Integration with existing systems
  – Future scalability
  – Performance
  – Cost
– Total cost of software:
  – Price of acquisition
  – User training
  – Multiple licenses
  – Service and support
  – Future upgrades
  – Software modifications

Key Acquisition Risk Indicators

1. Software acquisitions are not mapped to the strategic plan.
2. There are no documented policies aimed at guiding software acquisitions.
3. There is no process for comparing the “develop versus purchase” option.
4. No one is assigned responsibility for the acquisition process.
5. Affected parties are not involved with assessing requirements and needs.
6. There is insufficient knowledge of software alternatives.
7. Security features and internal controls are not assessed.
8. Benchmarking and performance tests are not carried out.
9. Integration and scalability issues are not taken into account.
10. Total cost of ownership is not fully considered.