Information Technology - Governance


Community cloud

A cloud infrastructure that is shared by users in a specific community (e.g., municipal governments, an industry association, related to compliance requirements).

Hybrid cloud

A cloud that includes two or more of the above types of clouds, with partitions between the types of services.

Platform as a service (PaaS)

A development environment for creating cloud-based software and programs using cloud-based services. Example: Salesforce.com's Force.com.

Help desk personnel

Answer help-line calls and emails, resolve user problems, and obtain technical support and vendor support when necessary.

Hiring Practices

Applicants should complete detailed employment applications and formal, in-depth employment interviews before hiring. When appropriate, specific education and experience standards should be imposed and verified. All applicants should undergo thorough background checks and verification of academic degrees, work experience, and professional certifications, as well as searches for criminal records.

three main functional areas within most IT departments:

Applications development; systems administration and programming; computer operations.

Organizational Structure of the Information Technology (IT) Department

CEO -> VP (marketing, operations, finance), CIO -> systems administration and programming, applications development (new system development, system maintenance), computer operator (data control, data prep/entry clerk/conversion, computer operators, file librarian)

Competence

COSO requires that "Management ... [should] specify the competence levels for particular jobs and to translate those levels into requisite knowledge and skills. These actions help ensure that competent, but not over-qualified employees serve in appropriate roles with appropriate responsibilities."

Firing (Termination)

Clearly, procedures should guide employee departures, regardless of whether the departure is voluntary or involuntary; it is especially important to be careful and thorough when dealing with involuntary terminations of IT personnel who have access to sensitive or proprietary data. In involuntary terminations, the employee's username and keycard should be disabled before notifying the employee of the termination to prevent any attempt to destroy company property. Although this sounds heartless, after notification of an involuntary termination, the terminated employee should be accompanied at all times until escorted out of the building.

Outsourcing and economies of scale

Cloud-based systems allow organizations to outsource data storage and management to organizations with the capabilities and competencies to manage these facilities. By outsourcing to organizations who specialize in cloud services, economies of scale may be obtained, wherein the cloud provider realizes cost benefits, some of which are passed on to the organization who purchases cloud services. An additional benefit is therefore, obviously, cost savings due to a reduced need for internal IT personnel.

Scalability

Cloud-based systems are highly scalable, meaning that they grow with an organization. Specifically, organizations can buy only the capabilities and storage that they currently need but can contract for expansion as organizational needs evolve.

Enterprise-wide integration

Cloud-based systems can be integrated with enterprise-wide systems to allow the seamless integration of organizations across units and geography. Indeed, some argue that fully realizing the benefits of ERPs requires cloud-based systems.

How does the Potential for Increased Management Review differ in an automated, compared to a manual, accounting system?

Computer-based systems increase the availability of raw data and afford more opportunities to perform analytical reviews and produce management reports; however, the opportunities for increased reporting and review of processing statistics can mitigate the additional risks associated with computerized processing.

Roles that do/do not have access to computer operations "live data" #3

Do: computer operators (within computer operations); systems programmers (within system administration and programming). Do not: data entry (within computer operations); data control (within computer operations); file librarian (within computer operations); application programmer (within application development); system analyst (within application development); data administrator - ?

Roles that do/do not have access to application development "application planning" #1

Do: application programmer (within application development); system analyst (within application development); data administrator - ? Do not: data entry (within computer operations); data control (within computer operations); file librarian (within computer operations); computer operators (within computer operations); systems programmers (within system administration and programming).

Roles that do/do not have access to system admin and programming #2

Do: systems programmers (within system administration and programming). Do not: data entry (within computer operations); data control (within computer operations); file librarian (within computer operations); computer operators (within computer operations); application programmer (within application development); system analyst (within application development); data administrator - ?

What are the three major components of the COBIT model?

Domains and processes, information criteria, IT resources.

"Best practices"

ERP system processes are based on analysis of the most successful businesses in their industry; by adopting the ERP system, the organization automatically benefits from the implementation of these "best practices."

Enterprise-Wide or Enterprise Resource Planning (ERP) Systems

ERPs provide transaction processing, management support, and decision-making support in a single, integrated, organization-wide package. ERPs attempt to manage and eliminate the organizational problem of consolidating information across departments, regions, or divisions.

Information criteria—To have value to the organization, data must have the following properties or attributes - 7

Effectiveness; efficiency; confidentiality; integrity; availability; compliance; reliability.

Performance Evaluation

Employees should be evaluated regularly. The evaluation process should provide clear feedback on the employee's overall performance as well as specific strengths and weaknesses. To the extent that there are weaknesses, it is important to provide guidance on how performance can be improved.

Network managers

Ensure that all applicable devices link to the organization's networks and that the networks operate securely and continuously.

Security management

Ensures that all components of the system are secure and protected from all internal and external threats. Responsibilities include security of software and systems and granting appropriate access to systems via user authentication, password setup, and maintenance.

M1. Monitor and evaluate IT performance

Establish a monitoring approach, including metrics, a reporting process, and a means to identify and correct deficiencies.

M4. Provide IT guidance

Establish an IT governance framework that aligns with the organization's strategy and value delivery program.

File librarian

Files and data not online are usually stored in a secure environment called the file library; the file librarian is responsible for maintaining control over the files, checking them in and out only as necessary to support scheduled jobs. The file librarian should not have access to any of the operating equipment or data (unless it has been checked into the library).

Data entry clerk (data conversion operator)

For systems still using manual data entry (which is rare), this function keys (enters) handwritten or printed records to convert them into electronic media; the data entry clerk should not be responsible for reconciling batch totals, should not run programs, access system output, or have any involvement in application development and programming.

Goals of ERP systems:

Global visibility; cost reductions; employee empowerment; "best practices."

Employee empowerment

Global visibility of information improves lower-level communication and decision making by making all relevant data available to the employee; this empowers the employee and, in turn, makes the organization more agile and competitive in a volatile business environment.

Planning and organization - 10

How can IT best contribute to business objectives? Establish a strategic vision for IT. Develop tactics to plan, communicate, and realize the strategic vision. Processes: define strategic IT plan; define info architecture; determine tech direction; define IT process & relationships; manage IT investment; communicate management's aims; manage IT HR; manage quality; assess & manage risk; manage projects.

Acquisition and implementation - 7

How can we acquire, implement, or develop IT solutions that address business objectives and integrate with critical business processes? Processes: identify auto solutions; acquire & maintain applications; acquire & maintain infrastructure; enable operation & use; procure IT resources; manage change; install & accredit changes.

Delivery and support - 13

How can we best deliver required IT services including operations, security, and training? Processes: define and manage service levels; manage 3rd party services; manage performance & capacity; ensure continuous service; ensure system security; identify and allocate costs; educate and train users; manage incidents; manage configuration; manage problems; manage data; manage physical environment; manage operations.

Monitor and evaluate - 4

How can we best periodically assess IT quality and compliance with control requirements? Processes: monitor & eval IT performance; monitor & eval internal control; ensure regulatory compliance; provide IT guidance.

M3. Ensure regulatory compliance

Identify compliance requirements and evaluate, and report on, the extent of compliance with these requirements.

How does the audit trail differ in an automated, compared to a manual, accounting system?

In automated systems, audit trails are often in imaged or other electronic forms. In manual systems, they were paper.

Online analytical processing (OLAP) system

Incorporates data warehouse and data mining capabilities within the ERP.

Cloud Service Delivery Models

Infrastructure as a service (IaaS); Platform as a service (PaaS); Software as a service (SaaS).

Basic Processes in an Automated AIS

Input—Record or capture event data in system (input to storage). Process—Update data storage. Output—Retrieve master data from storage.

Basic Processes in a Manual AIS

Journalize—Record entries. Post—To general ledger. Summarize—Prepare a trial balance.

Cost reductions - ERP

Long-run systems maintenance costs are reduced by eliminating the costs associated with maintaining multiple systems.

Cost reductions - cloud based systems

Long-run systems maintenance costs are reduced by eliminating the costs associated with maintaining multiple systems.

System programmers

Maintain the various operating systems and related hardware. For example, they are responsible for updating the system for new software releases and installing new hardware. Because their jobs require that they be in direct contact with the production programs and data, it is imperative that they are not permitted to have access to information about application programs or data files.

How does the Computer-Initiated Transactions differ in an automated, compared to a manual, accounting system?

Many computerized systems gain efficiency by automatically generating transactions.

Components of an ERP System

Online transaction processing (OLTP) system; online analytical processing (OLAP) system.

Web administrators

Operate and maintain the web servers. (A web server is a software application that uses the hypertext transfer protocol (recognized as http://) to enable the organization's website.)

IT resources—Identify the physical resources that comprise the IT system - 5

People; applications; technology; facilities; data.

Domains and processes

Planning and organization; acquisition and implementation; delivery and support; monitoring.

Cloud Deployment Models

Private cloud; community cloud; public cloud; hybrid cloud.

Other Considerations

Recruiting and retaining highly qualified employees is an important determinant of organizational success. Ensuring that an organization has training and development plans, including training in security and controls, is essential both to employee retention, and to creating a system of internal control.

Risks in Computer-Based Systems - 6

Reliance on faulty systems or programs; unauthorized access to data leading to destruction or wrongful changes, inaccurate recording of transactions, or recording of false or unauthorized transactions; unauthorized changes in master files, systems, or programs; failure to make necessary changes in systems or programs; inappropriate manual intervention; loss of data.

Software as a service (SaaS)

Remote access to software. Office 365, a suite of office productivity programs, is an example of SaaS.

Systems analysts

Responsible for analyzing and designing computer systems; systems analysts generally lead a team of programmers who complete the actual coding for the system; they also work with end users to define the problem and identify the appropriate solution.

Computer operators

Responsible for operating the computer: loading program and data files, running the programs, and producing output. Computer operators should not enter data into the system or reconcile control totals for the data they process. (That job belongs to Data Control.)

How does segregation of duties differ in an automated, compared to a manual, accounting system?

Segregated functions are often combined in automated systems, with automated processes then used as a compensating control.

Comparison of Risks in Manual versus Computer-Based Transaction Processing Systems

Segregation of duties; disappearing audit trail; uniform transaction processing; computer-initiated transactions; potential for increased errors and irregularities; potential for increased management review.

AIS File Organization - 4

Source documents and other data capture records; data accumulation records (or journals); subsidiary ledgers (or registers); general ledger and financial statement records.

Universal access

System data is available at any site with Internet access.

Public cloud

The cloud infrastructure available to the public or a large industry group (e.g., Dropbox, Amazon Cloud services).

Private cloud

The cloud infrastructure exists solely for an individual organization.

System administrators

The database administrator, network administrator, and web administrators are responsible for management activities associated with the system they control. For example, they grant access to their system resources, usually with usernames and passwords. System administrators, by virtue of the influence they wield, must not be permitted to participate directly in these systems' operations.

Employee Handbook

The employee handbook, available to all employees, should state policies related to security and controls, unacceptable conduct, organizational rules and ethics, vacations, overtime, outside employment, emergency procedures, and disciplinary actions for misconduct.

Global visibility

The integration of all data maintained by the organization into a single database, which binds the whole organization together. Once the data are integrated into a single database, they are available to anyone with appropriate authorization.

Online transaction processing (OLTP) system

The modules comprising the core business functions: sales, production, purchasing, payroll, financial reporting, etc. These functions collect the operational data for the organization and provide the fundamental motivation for the purchase of an ERP.

Applications Development

This department is responsible for creating new end-user computer applications and for maintaining existing applications; this work is completed in a "test" or "sandbox" environment using copies of live data and existing programs rather than in the "live" system. The controls listed in this section are all general controls—controls over the IT department as a whole. The majority of the controls are also preventive controls. Roles: systems analysts; application programmers.

Computer Operations

This department is responsible for the day-to-day operations of the computer system, including receipt of batch input to the system, conversion of the data to electronic media, scheduling computer activities, running programs, etc. Roles: data control; data entry clerk (data conversion operator); computer operators; file librarian.

Systems Administration and Programming

This department maintains the computer hardware and computing infrastructure and grants access to system resources. Roles: system administrators; system programmers; network managers; security management; web administrators; help desk personnel.

M2. Monitor and evaluate internal control

This is required by the Sarbanes-Oxley Act (SOX) Section 404.

Data control

This position controls the flow of all documents into and out of computer operations; for batch processing, schedules batches through data entry and editing, monitors processing, and ensures that batch totals are reconciled; data control should not access the data, equipment, or programs. This position is called "quality assurance" in some organizations.

Deployment speed

Typically, CSPs can provide services much faster than organizations that attempt to duplicate these services using internal IT departments.

Benefits of Cloud-Based Systems:

Universal access Cost reductions Scalability Outsourcing and economies of scale Enterprise-wide integration Deployment speed

Infrastructure as a service (IaaS)

Use of the cloud to access a virtual data center of resources, including a network, computers, and storage. Examples: Amazon Web Services and Carbonite.

Cloud service providers (CSPs)

Vendors who provide cloud services (e.g., Amazon Cloud, Dropbox)

Application programmers

Work under the direction of the systems analyst to write the actual programs that process data and produce reports.

Cloud-Based Systems and Storage

Also called the cloud, cloud computing, cloud storage, and cloud services. A virtual data pool is created by contracting with a third-party data storage provider. When done well: gain the benefits of relying on a professionally managed data storage provider and provide a massive, universally accessible data store while minimizing the risks of unauthorized access by intruders, at a reasonable cost. When done poorly: provide a massive, universally accessible data store while minimizing the risks of unauthorized access by intruders, at a reasonable cost.

The Control Objectives for Information and Related Technology (COBIT) Framework

Bridges the gaps between strategic business requirements, accounting control needs, and the delivery of supporting IT. Focuses on IT controls and is intended for use by IT managers, IT professionals, and internal and external auditors.

ERP System Architecture

client/server three-tiered architectures

Personnel Policies and Procedures

Competence, loyalty, and integrity of employees are among an organization's most valuable assets. Topics: hiring practices; performance evaluation; employee handbook; competence; firing (termination); other considerations.

How does the Uniform Transaction Processing differ in an automated, compared to a manual, accounting system?

Consistency increases in a computerized environment. Consequently, "clerical" errors (e.g., human arithmetic errors, missed postings) are "virtually" eliminated. In a computerized environment, however, there is increased opportunity for "systemic" errors, such as errors in programming logic.

Risks of Cloud-Based Systems

Data loss and outages; system penetration by hackers, crackers, and terrorists; when all one's data is stored with one vendor, one must rely on the competence, professionalism, reliability, viability, and transparency of the CSP. Data stored in community and public clouds may be vulnerable to actions by other tenants of the CSP. This may create legal issues related to data privacy and data availability. Storing data with a high-profile CSP (e.g., Amazon Cloud) can make one a high-profile target for cyber-attackers.

Enterprise Architecture

effort to understand, manage, and plan for IT assets. An organization's IT security governance plan must articulate with, and be informed by, the organization's enterprise architecture plan.

virtual private network (VPN)

limit access to the system and encrypt sensitive information.

chief information officer (CIO)

oversees the IT department. In some organizations the CIO is called the vice president of information technology or the chief technology officer (CTO). The CIO generally reports to the chief executive officer (CEO). The CIO is responsible for efficient and effective functions of existing systems and for planning for the development and technical resources for future systems. The CIO is ultimately in control of hardware and software operations for the entire company.

How does the Potential for Increased Errors and Irregularities differ in an automated, compared to a manual, accounting system?

Remote access to data; concentration of information; decreased opportunities for observation; errors or fraud may occur in the design or maintenance of application programs.

Roles with all functions of IT departments - 12

System analysts; application programmers; system administrators; system programmers; network managers; security management; web administration; help desk personnel; data control; data entry clerk (data conversion operator, data prep); computer operators; file librarian.

