INFORMATION TECHNOLOGY MANAGEMENT, AUDIT AND CONTROL

Arranged by Nowsherwan Adil Niazi

Society Publishers

INFORMATION TECHNOLOGY MANAGEMENT, AUDIT AND CONTROL


Contents

THE INFORMATION SYSTEMS FUNCTION ORGANIZATIONAL ISSUES ....... 10
IS/IT DIRECTORS .................................................................................................... 10
IS/IT STEERING COMMITTEE .............................................................................. 10
FUNCTIONS OF STEERING COMMITTEE .......................................................... 11
POLICIES .................................................................................................................. 12
PROCEDURES.......................................................................................................... 13
OPERATIONS CONTROL ....................................................................................... 13
INFORMATION CENTRE ....................................................................................... 13
ROLES PERFORMED BY INFORMATION CENTRES (ICs) .............................. 14
CENTRALIZATION ................................................................................................. 16
DECENTRALIZATION: .......................................................................................... 16
ACCOUNTING ISSUES ........................................................................................... 17
1. IT as a Corporate Overhead ............................................................................. 18
2. IT charged at cost ............................................................................................ 18
3. IT charged at market ........................................................................................ 18
ESTABLISHING IT DEPARTMENT AS A SEPARATE COMPANY ...................... 19
LEGACY DATA MANAGEMENT ......................................................................... 19
OUT SOURCING ...................................................................................................... 20
TYPES OF OUTSOURCING.................................................................................... 20
LEVEL OF SERVICE PROVISION ......................................................................... 21
ORGANIZATION INVOLVED IN OUTSOURCING............................................. 21
CATEGORIES OF CONSULTING ACTIVITIES ................................................... 22
DEVELOPMENTS IN OUTSOURCING ................................................................. 23
MANAGEMENT OF OUTSOURCING ARRANGEMENT ................................... 23
SERVICE LEVEL AGREEMENT............................................................................ 24
ADVANTAGES OF OUTSOURCING .................................................................... 25
DISADVANTAGES OF OUTSOURCING .............................................................. 25
BUSINESS RISKS FROM OUTSOURCING .......................................................... 26
TERMINATION POLICIES ..................................................................................... 27
LOGGING SYSTEM................................................................................................. 27
INTRODUCTION TO STRATEGY & INFORMATION STRATEGIES ................... 29
CHARACTERISTICS OF STRATEGIC DECISIONS ............................................ 29
STRATEGY............................................................................................................... 29
STRATEGIC PLANNING ........................................................................................ 30
Guideline of when Strategic Planning should be done .............................................. 31
Guidelines for Preparing the Strategic Plan ............................................................... 31
Purpose of the Information System Strategy Planning .............................................. 32
GENERAL LEVELS OF STRATEGY ..................................................................... 32
STRATEGIC PLANNING COMPONENTS ............................................................ 35
ELEMENTS OF A IT STRATEGY .......................................................................... 35
CONSIDERATIONS FOR DEVELOPING IT STRATEGY ................................... 36
A DATABASE APPROACH IS CALLED FOR WHEN ......................................... 37
COMPONENTS OF INFORMATION SYSTEM STRATEGY PLAN ................... 37
STRATEGIC SYSTEMS .......................................................................................... 38
IMPACT OF IS/IT ON ORGANIZATION ............................................................... 41
WHY HAVE AN IS/IT STRATEGY ........................................................................ 43
INFORMATION SYSTEM PLAN ........................................................................... 43
METHODOLOGIES AND FRAMEWORKS for establishing the information requirements of an organization ................................................................................. 43
EARL'S THREE LEG ANALYSIS .......................................................................... 43
ENTERPRISE ANALYSIS ....................................................................................... 44
CRITICAL SUCCESS FACTORS ............................................................................ 45
PARSONS' SIX INFORMATION SYSTEMS STRATEGIES ................................ 47
STRATEGIC MANAGEMENT ................................................................................ 48
THE POLITICAL AND LEGAL ENVIRONMENT ................................................ 50
THE ECONOMIC ENVIRONMENT ....................................................................... 51
THE SOCIAL AND CULTURAL ENVIRONMENT .............................................. 52
DEMOGRAPHIC FACTORS ARE .......................................................................... 52
FUTUROLOGY ........................................................................................................ 53
DEVELOPING AN INFORMATION TECHNOLOGY PLAN ............................... 53
PHASES INVOLVED IN ESTABLISHING THE IT PLAN ................................... 53
IT PLAN .................................................................................................................... 55
KEY STAGES IN DEVELOPING AN INFORMATION STRATEGY PLANNING PROCESS .................................................................................................................. 55
MANAGING CHANGES TO AN INFORMATION STRATEGY ......................... 58
E-BUSINESS MODELS AND E-BUSINESS PRODUCTS ........................................ 59
E-COMMERCE ......................................................................................................... 59
BUSINESS TO CONSUMER (B-C) E-COMMERCE ............................................. 59
BUSINESS TO BUSINESS (B-B) E-COMMERCE ................................................ 60
BUSINESS TO EMPLOYEE (B-E) E-COMMERCE .............................................. 60
CONSUMER TO CONSUMER (C-C) E-COMMERCE .......................................... 60
GOVERNMENT TO CITIZEN (G-C) E-COMMERCE .......................................... 61
SECURE SOCKETS LAYER (SSL)......................................................................... 61
DIGITAL SIGNATURE:........................................................................................... 62
STEPS ON GETTING ON INTERNET.................................................................... 62
ELECTRONIC PAYMENT METHOD .................................................................... 63
THE INFORMATION SYSTEMS DEVELOPMENT PROCESS ............................... 64
INFORMATION SYSTEM ACQUISITION ............................................................ 64
TURNKEY SYSTEMS ............................................................................................. 64
LEGACY SYSTEM................................................................................................... 65
SYSTEM DEVELOPMENT LIFECYCLES ............................................................ 66
THE WATERFALL MODEL ................................................................................... 66
THE SPIRAL MODEL .............................................................................................. 67
STRUCTURED SYSTEM ANALYSIS & DEVELOPMENT METHODOLOGY (SSADM) ................................................................................................................... 67
THE STAGES OF SSADM ....................................................................................... 68
ADVANTAGES OF SSADM ................................................................................... 68
DISADVANTAGES OF SSADM ............................................................................. 69
PROTOTYPING ........................................................................................................ 69
STRUCTURED WALKTHROUGHS ...................................................................... 70
SIGNING OFF WORK.............................................................................................. 70
JOINT APPLICATION DEVELOPMENT ............................................................... 70
RAPID APPLICATION DEVELOPMENT .............................................................. 71
COMPUTER AIDED SOFTWARE ENGINEERING TOOLS (CASE) .................. 71
UPPER CASE TOOLS (ANALYSTS WORK BENCHES) .................................... 72
LOWER CASE TOOLS (PROGRAMMERS WORK BENCHES) ......................... 72
ADVANTAGES OF USING CASE TOOLS ............................................................ 72
QUALITY ASSURANCE AND TESTING .................................................................. 73
QUALITY ASSURANCE ......................................................................................... 73
APPROACHES TO QUALITY ................................................................................ 74
THE COST OF QUALITY ........................................................................................ 75
QUALITY ASSURANCE TEAM ............................................................................. 75
TOTAL QUALITY MANAGEMENT (TQM) ......................................................... 76
STAGES OF TESTING ............................................................................................. 77
TESTING SYSTEM LOGIC ..................................................................................... 77
PROGRAM TESTING .............................................................................................. 77
SYSTEM TESTING .................................................................................................. 78
USER ACCEPTANCE TESTING ............................................................................ 78
METHODS OF TESTING ........................................................................................ 79
(A) STATIC ANALYSIS TEST ............................................................................ 79
(B) DYNAMIC ANALYSIS TEST ....................................................................... 79
OPERATION AND MAINTENANCE TEST .......................................................... 80
COMPUTER AIDED SOFTWARE TESTING (CAST) .......................................... 80
BETA VERSION ....................................................................................................... 81
LIMITATION OF SOFTWARE TESTING .............................................................. 81
POST IMPLEMENTATION ISSUES ........................................................................... 82
THE POST IMPLEMENTATION REVIEW REPORT ........................................... 82
THE CAUSES OF SYSTEM MAINTENANCE ...................................................... 82
COMPONENTS OF A FORMAL SYSTEM CHANGE PROCEDURE ................. 83
IN HOUSE MAINTENANCE ................................................................................ 83
OFF THE SHELF SOFTWARE MAINTENANCE ................................................. 84
MAINTENANCE CONTRACTS ............................................................................. 84
HARDWARE MAINTENANCE .............................................................................. 84
END USER DEVELOPMENT............................................................................... 85
USER GROUPS......................................................................................................... 85
COST BENEFIT REVIEW ....................................................................................... 86
EFFICIENCY ............................................................................................................ 86
EFFECTIVENESS ..................................................................................................... 86
METRICS .................................................................................................................. 87
COMPUTER BASED MONITORING ..................................................................... 87
INDIRECT MEASURES TO EVALUATE SYSTEM PERFORMANCE .............. 89
PERFORMANCE REVIEWS ................................................................................... 89
COMPUTER SYSTEMS EFFICIENCY AUDITS ................................................... 90
ORGANIZING THE IT FUNCTION ............................................................................ 92
INVITATION TO TENDER (ITT) ........................................................................... 92
FINANCING METHODS ......................................................................................... 93
EVALUATION OF SUPPLIER PROPOSALS ........................................................ 93
BENCHMARK TESTS ............................................................................................. 94
SIMULATION TESTS .............................................................................................. 94
INFORMATION SYSTEM MANAGER AS LIAISON .......................................... 95
SUPPLY CHAIN MANAGEMENT & ENTERPRISE RESOURCE PLANNING ..... 96
SUPPLY CHAIN MANAGEMENT ......................................................................... 96
STRATEGIC GROWTH OPPORTUNITIES FOR SUCCESSFUL GROWTH COMPANIES ............................................................................................................. 96
PRE-REQUISITE FOR GROWTH ........................................................................... 97
MANAGEMENT CONCERNS IN SCM .................................................................. 98
ENTERPRISE RESOURCE PLANNING (ERP) ..................................................... 99
FEATURES OF ERP ................................................................................................. 99
COMPONENTS OF ERP ........................................................................................ 100
BUSINESS PROCESS RE-ENGINEERING .......................................................... 100
SELECTION OF ERP ............................................................................................. 101
IMPLEMENTATION OF ERP ............................................................................... 101
BENEFITS OF ERP ................................................................................................ 103
WHY DOES ERP MATTER FOR A CA .................................................................. 103
CUSTOMER RELATIONSHIP MANAGEMENT & ................................................ 105
CUSTOMER RELATIONSHIP MANAGEMENT ................................................ 105
BENEFITS OF CRM ............................................................................................... 105
CONSIDERATION FOR SELECTION OF CRM SOLUTION............................. 106
CUSTOMER RELATIONSHIP MANAGEMENT (CRM) .................................... 107
BENEFITS OF CRM Tools ..................................................................................... 107
BENEFITS FOR SMALL COMPANIES ............................................................... 108
COLLABORATION SOLUTIONS ........................................................................ 108
SALE FORCE AUTOMATION.............................................................................. 109
BENEFITS OF SALES AUTOMATION SYSTEM ............................................... 110
PRE-REQUISITE FOR SELECTING AND IMPLEMENTING SFA ................... 111
OTHER BENEFITS INCLUDE .............................................................................. 111
COBIT.......................................................................................................................... 112
Control Objectives for Information and Related Technology ..................................... 112
Benefits of implementing COBIT as a Governance Framework over IT ................ 113
IT Governance Maturity Model ............................................................................... 113
IFAC IT GUIDELINE .............................................................................................. 114
MANAGING SECURITY OF INFORMATION .................................................... 114
PLANNING IT PLANNING FOR BUSINESS IMPACT: ..................................... 115
ACQUISITION OF INFORMATION TECHNOLOGY ........................................ 115
THE IMPLEMENTATION OF IT .......................................................................... 116
IT SERVICE DELIVERY AND SUPPORT ........................................................... 117
IT MONITORING ................................................................................................... 119
WEB TRUST ........................................................................................................... 119
Summary IFAC Guidelines...................................................................................... 121
Management Operation & Controls .............................................................................. 123
CONTROLS: STRUCTURE, ASSESSMENT & MONITORING......................... 123
CONTROL STRUCTURE ...................................................................................... 124
RISK ASSESSMENT .............................................................................................. 126
MONITORING CONTROL SYSTEM ................................................................... 127
APPLICATION CONTROLS ................................................................................. 127
CODES .................................................................................................................... 127
INPUT CONTROL .................................................................................................. 128
INSTRUCTION INPUT .......................................................................................... 129
INSTRUCTION INPUT .......................................................................................... 130
REPORT PROGRAM EXECUTION CONTROLS ............................................... 132
STORAGE CONTROLS ......................................................................................... 132
REPORT DESIGN CONTROLS ............................................................................ 132
PROCESSING CONTROL ..................................................................................... 133
Effective Management of IS ........................................................................................ 134
OPERATIONS MANAGEMENT CONTROL ....................................................... 134
DOCUMENTING & PROGRAM LIBRARY FUNCTIONS ................................. 135
IS Organization Structure and Responsibilities ....................................................... 135
Line Management Structure ..................................................................................... 136
Functional Areas in Information Processing Environment ...................................... 137
Security Administrator's Functions ......................................................................... 137
Data Entry ................................................................................................................ 138
Tasks Performed in Data Entry ................................................................................ 138
Duties of System Administrator............................................................................... 138
Data Security............................................................................................................ 138
Processing Controls ................................................................................................. 139
Database Administration .......................................................................................... 139
DBA's Roles ............................................................................................................ 139
IS Deptt. Exercise Control over Database Administration Through ....................... 140
Reviewing Documentation in review of IT Planning / Strategy .............................. 140
Interviewing and Observing Personnel .................................................................... 141
Examples of IS vision and Mission Statements ....................................................... 141
Indicators of Potential Problems at IPE ................................................................... 142
CRITICAL CHARACTERISTICS OF INFORMATION........................................... 143
INFORMATION SECURITY POLICY, STANDARD & PRACTICES ............... 144
COMPUTER CRIME ISSUES AND EXPOSURES .............................................. 145
INTRUDERS OF COMPUTER CRIMES .............................................................. 145
PHYSICAL EXPOSURE AND CONTROLS ........................................................ 146
PHYSICAL ACCESS EXPOSURES AND CONTROL ........................................ 147
AREAS TO BE COVERED FOR PHYSICAL ACCESS CONTROL ................... 148
LOGICAL ACCESS CONTROLS .......................................................................... 149
LOGICAL THREATS ............................................................................................. 149
VIRUSES ................................................................................................................. 149
TROJANS ................................................................................................................ 150
WORMS .................................................................................................................. 150
TRAP DOOR ........................................................................................................... 150
LOGIC BOMBS ...................................................................................................... 150
TIME BOMBS ......................................................................................................... 150
SPAM....................................................................................................................... 150
SNIFFERS ............................................................................................................... 151
SPOOFING .............................................................................................................. 151
NON BLIND SPOOFING ....................................................................................... 151
MAN IN THE MIDDLE ATTACK ........................................................................ 151
ROUNDING DOWN (SALAMI TECHNIQUE) .................................................... 152
LOGICAL ACCESS CONTROL SOFTWARE ..................................................... 152
Identification and Authentication (Internal Audit System) ..................................... 152
SECURITY BYPASS FEATURES ......................................................................... 153
NETWORK INFRASTRUCTURE SECURITY ....................................................... 153
II. LAN (Client Server) Security .............................................................................. 153
i. Passive attacks ...................................................................................................... 154
ii. Active attacks....................................................................................................... 154
SUBVERSIVE THREATS can be active or passive ............................................ 155
IDS (INTRUSION DETECTION SYSTEM) .......................................................... 155
HR Termination policies .......................................................................................... 156
SECURITY PROGRAMME ................................................................................... 156
DISASTER RECOVERY PLAN ............................................................................ 157
BACKUP OPTIONS ............................................................................................... 159
BUSINESS CONTINUITY PLANNING (BCP) .................................................... 160
NETWORK INFRASTRUCTURE SECURITY ......................................................... 162
TCP/IP: THE LANGUAGE OF THE INTERNET ................................................. 162
NETWORK.............................................................................................................. 163
APPLICATION SERVICE PROVIDER (ASP) ...................................................... 164
IP SPOOFING ......................................................................................................... 165
DENIAL OF SERVICE ........................................................................................... 165
DESTRUCTIVE BEHAVIOUR .............................................................................. 166
ROUTER.................................................................................................................. 167
BRIDGE ................................................................................................................... 167
HUBS AND SWITCHES ........................................................................................ 167
DEMILITARIZED ZONE (DMZ) .......................................................................... 167
CRYPTO CAPABLE ROUTERS ........................................................................... 168
VIRTUAL PRIVATE NETWORKS (VPN) ........................................................... 168
NETWORK INFRASTRUCTURE SECURITY CHECKLIST .............................. 168
FIREWALLS ........................................................................................................... 169
FIREWALL ISSUES ............................................................................................... 170
DATABASE AND DATA RESOURCE MANAGEMENT ....................................... 171
MANAGEMENT OF DATA .................................................................................. 171
TASKS OF DATA ADMINISTRATOR ................................................................ 171
TASKS OF DATABASE ADMINISTRATOR ...................................................... 172
DATA ADMINISTRATOR .................................................................................... 172
DATABASE MANAGEMENT .............................................................................. 173
RECOVERY STRATEGY ...................................................................................... 173
GRANDFATHER, FATHER, SON BACKUP & RECOVERY STRATEGY ...... 174
DUMPING ............................................................................................................... 174
LOGGING ............................................................................................................... 174
RESIDUAL DUMPING .......................................................................................... 174
DIFFERENTIAL FILE/SHADOW PAGING BACKUP AND RECOVERY STRATEGY ............................................................................................................. 174
MAJOR TYPES OF DATABASE .......................................................................... 175
UPDATE AND REPORT PROTOCOLS ............................................................... 175
DEAD LOCK........................................................................................................... 176
POTENTIAL BENEFITS OF THE DATABASE APPROACH ............................ 176
COMPUTER AUDITING ........................................................................................... 178
INTERNAL AUDIT ................................................................................................ 178
RESPONSIBILITIES OF AN INTERNAL AUDITOR.......................................... 178
TYPES OF INTERNAL AUDITING WORK .......................................................... 178
WORKING PAPERS PACKAGES ........................................................................ 179
TYPES OF SOFTWARE WHICH THE AUDITOR COULD USE WITH A MICRO COMPUTER AS AN AID TO AUDIT WORK ...................................................... 179
USE OF MICRO COMPUTER AS AN AUDIT AID .............................................. 179
CONTROLS WHICH MUST BE IN PLACE OVER A MICRO-COMPUTER USED IN AN AUDIT .............................................................................................. 180
CONTROLS OVER MASTER FILE AND THE STANDING DATA CONTAINED THEREIN ................................................................................................................ 180
COMPUTER ASSISTED AUDIT TECHNIQUES (CAATS) .................................. 180
BENEFITS OF USING CAATS ............................................................................. 181
TEST PACK ............................................................................................................ 181
EMBEDDED AUDIT FACILITIES........................................................................ 182
AUDIT SOFTWARE............................................................................................... 183
OTHER TYPES OF CAATS:.................................................................................. 184
CONTROLS IN ONLINE AND REAL TIME SYSTEMS .................................... 184
CONTROLS IN DATABASE SYSTEM (DBMS) ................................................. 185
BUREAUX AND SOFTWARE HOUSES ............................................................. 186
REASONS FOR USING BUREAU ........................................................................ 186
ADVANTAGES OF BUREAU:.............................................................................. 187
DISADVANTAGES OF BUREAU ........................................................................ 187
Summary of the main control procedures over the in-house development: ............ 188

CHAPTER 01
THE INFORMATION SYSTEMS FUNCTION: ORGANIZATIONAL ISSUES
IS/IT DIRECTORS
At the head of the IS/IT function will be either an IS/IT manager or an IS/IT director.
This person will be responsible for:

i) IS/IT Strategy Development:
The IS/IT strategy must complement the overall strategy of the organization.
The strategy must also be achievable given budgetary constraints. Returns on
investments in IS/IT should be monitored.

ii) IS/IT Risk Management:
This is a wide-ranging area, including legal risks such as ensuring compliance
with relevant data protection legislation, and ensuring adequate IS/IT security
measures and disaster recovery arrangements.

iii) Steering Committee:
The IS/IT director should play a key role in a steering committee set up to
oversee the role of IS/IT within the organization.

iv) IS/IT Infrastructure:
Standards should be set for the purchase and use of hardware and software
within the organization.

v) Ensuring employees have the IS/IT support and tools they require:
Efficient lines of communication are required between IS/IT staff and the rest of
the organization. Technical assistance should be easily obtainable.

IS/IT STEERING COMMITTEE

The general purpose of the IS/IT steering committee is to make decisions relating to
the future use and development of IS/IT by the organization. An organization's senior
management should appoint a planning or steering committee to oversee information
systems department activities. The planning or steering committee should contain
representatives from all departments of the organization. Membership should include
representatives from senior management, the information systems department and
user department management.
A high level steering committee for IT is a mechanism to ensure that the IS
department is in harmony with the corporate mission and objectives. It is highly
desirable that a member of the board of directors (BOD) who understands the risks
and issues is responsible for IT and chairs this committee.
The committee's duties and responsibilities should be defined in a formal charter.
Members should know IS department policies, practices and procedures. Each
member should have the authority to make decisions within the group for his/her
respective area.
Common TASKS of such a committee could include:
a) Ensuring IS/IT activities comply with the IS/IT strategy.
b) Ensuring IS/IT activities complement the overall organizational strategy.
c) Ensuring resources committed to IS/IT are used effectively.
d) Monitoring IS/IT projects.
e) Providing leadership and guidance on IS/IT.

FUNCTIONS OF STEERING COMMITTEE

i) Review the long and short range plans of the IS division to ensure that
they are in accordance with the corporate objectives.
ii) Review and approve major acquisitions of hardware and software within
limits approved by the BOD.
iii) Approve and monitor major projects, establish priorities, approve
standards and procedures and monitor overall IS performance.
iv) Provide liaison between the IS department and user departments.
v) Approve and monitor the status of IS plans and annual budgets.
vi) Review the adequacy of resources and the allocation of resources in terms of
time, personnel and equipment.
vii) Make decisions regarding centralization versus decentralization and the
assignment of responsibility.
viii) Review and approve plans for the outsourcing of selected or all IS
activities. The committee should monitor performance and institute
appropriate action to achieve desired results. Formal minutes of the IS
steering committee meetings should be maintained to document the
committee's activities and decisions and to inform the BOD of IS activities.

Committee members should be chosen with the aim of ensuring the committee
contains the wide range of technical and business knowledge required. The
committee should liaise closely with those affected by the decisions it will make.

POLICIES
Policies are high level documents. They represent the corporate philosophy of an
organization. To be effective they must be clear and concise. Management must
create a positive control environment by assuming responsibility for formulating,
developing, documenting, promulgating and controlling policies covering general
goals and directives.
In addition to corporate policies that set the tone for the organization as a whole,
individual divisions and departments should define lower level policies. These would
apply to the employees and operations of those units and would focus at the
operational level.
A top-down approach to the development of lower level policies, in which they are
derived from corporate policies, is desirable, as it ensures consistency across
the organization. However, some organizations begin by defining operational level
policies as immediate priorities. These companies view this as the more cost
effective approach, since these policies are often derived and implemented as the
result of a risk assessment. This is a bottom-up approach, wherein corporate policies
are a subsequent development and a synthesis of existing operational policies.
Management should review all policies. Policies need to be updated to reflect
significant changes within the organization or department.

PROCEDURES
Procedures are detailed documents. They must be derived from the parent policy and
must implement the spirit (intent) of the policy statement. Procedures must be
written in a clear and unambiguous manner so that they may be easily and properly
understood by all who will be governed by them.
Procedures are generally more dynamic than their respective parent policies. They
must reflect the regular changes in business focus and environment. Hence, frequent
reviews and updates of procedures are essential if they are to remain relevant. An
auditor will find a divergence between practice and precept in organizations that
neglect the review process.
An independent review is necessary to ensure that policies and procedures have been
properly understood and executed. The reviewer should maintain independence at all
times and not be influenced by anyone in the group being reviewed. Evidence of the
review should be retained, providing a level of confidence that the work was
performed in compliance with established policies and procedures.

OPERATIONS CONTROL
Operations control is concerned with ensuring IS/IT systems are working and
available to users. Key tasks include:
a) Maintaining the IS/IT infrastructure.
b) Monitoring network usage and managing network resources.
c) Keeping employees informed, e.g. giving advance warning of service interruptions.
d) Virus protection measures, e.g. ensuring anti-virus software updates are loaded.
e) Fault fixing.

INFORMATION CENTRE
An information centre (IC) is a small unit of staff with a good technical awareness of
computer systems, whose task is to provide a support function to computer users
within the organization. Information centres, sometimes referred to as support
centres, are particularly useful in organizations which use distributed systems and so
are likely to have hardware, data and software scattered throughout the
organization. The IC provides a centralized source of support and co-ordination.

ROLES PERFORMED BY INFORMATION CENTRES (ICs)
The IC's help desk ensures that staff time is spent on customer service
rather than on IT problems:
a) It has sufficient staff and technical expertise to respond quickly to
problems with hardware or software. It maintains good contacts and
relationships with suppliers to ensure that they fulfil their maintenance
obligations and that their maintenance staff are quickly on site when needed.
b) It maintains a record of problems and identifies those that occur most
often. If the problem is that users do not know how to use the system,
training is provided. If the problem is with the system itself, a solution is
found either by modifying the system or by investment in appropriate
hardware or software.
c) It considers the viability of suggestions for improvements to the system
and brings these into effect, where possible, for all users who stand to
benefit.

The IC sets, and encourages users to conform to, common standards:
a) Hardware standards ensure that all of the equipment used in the
organization is compatible and can be put into use in different
departments as needed. The recent upgrade of the marketing department's
old Apple Mac computers to IBM-compatible Pentium PCs is an example of this.
b) Software standards ensure that the information generated by one department
can easily be shared with and worked upon by other departments.
c) Programming standards ensure that applications developed by individuals
to help them perform their jobs (e.g. word processing macros and
spreadsheets for data analysis) follow best practice, are easy to modify,
and are replicated to others in the organization where this is of benefit.
d) Data processing standards ensure that conventions such as the format of file
names are followed throughout the organization. This facilitates the sharing,
storage and retrieval of information by as many users as possible.

The IC helps to preserve security of data:
a) It has developed a utility program and recommended procedures for
company-wide use, to ensure that back-ups are made at regular intervals.
Second copies of back-up files are stored off site, and this system of
archiving is operated and maintained by the IC.
b) The IC helps to preserve the company's systems from attack by computer
viruses. The latest versions of anti-virus software are available to all users.
Users are regularly reminded about the dangers of viruses and IC staff
give training in the use of anti-virus software.

The IC can improve its services in a number of ways:
a) Training software can be developed or purchased and made available
over the network from a central server. Training applications often contain
analysis software, drawing attention to trainee progress and common
problems (e.g. a typing tutor), and the availability of such information will
enable the IC to identify and address specific training needs more closely.
b) Help could be made available directly through users' computers, using an
e-mail system for queries and responses. Common problems and their
solutions can be posted on a bulletin board for all to read. The network will
speed up the process of sorting out problems and sharing knowledge.
c) Remote diagnostic software is available which enables staff in the IC to
take control of a computer whose user is having a problem and sort out the
problem for them without leaving their desk, in the same way that they
would if they paid the user a visit. This speeds up the problem-solving
process.
d) The IC can take responsibility for protecting the system against possible
abuses now that it is linked to the internet. Anti-virus measures will
become even more important in this environment, but network software
should make it easier for the IC to control the problem centrally.
e) The internet link will also make control over access an important issue.
The IC can set up and operate firewalls, which restrict the two-way
communication that the internet link would otherwise allow: internal users
can go out onto the global network to retrieve information, but external
parties are denied access to sensitive parts of the company's systems.
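The following Python program is an added example, not part of the original text, showing the kind of firewall policy described above: a stateful filter that lets internal hosts open connections outwards on permitted ports and admits only the replies to those connections, while dropping any unsolicited inbound packet, in particular one aimed at a sensitive segment. The address ranges, the port list and the sample packets are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan (assumed for this example, not taken from the text).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # the company network
SENSITIVE = ipaddress.ip_network("10.0.5.0/24")     # e.g. finance servers
ALLOWED_EGRESS_PORTS = {80, 443}                    # web access only


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool  # True only for a bare SYN, i.e. an attempt to open a new connection


class StatefulFirewall:
    """Internal hosts may open sessions outwards on permitted ports; inbound
    packets are accepted only when they belong to such a session."""

    def __init__(self):
        # Sessions opened from inside: (internal ip, internal port, external ip, external port)
        self.sessions = set()

    def evaluate(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)

        # Outbound traffic: an internal host talking to the outside world.
        if src in INTERNAL and dst not in INTERNAL:
            if pkt.dport not in ALLOWED_EGRESS_PORTS:
                return "DROP", "egress port not permitted"
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT", "outbound"

        # Inbound traffic: accepted only as a reply to a session opened from inside.
        if dst in INTERNAL and src not in INTERNAL:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.sessions and not pkt.syn:
                return "ACCEPT", "reply to established session"
            if dst in SENSITIVE:
                return "DROP", "unsolicited inbound to sensitive segment"
            return "DROP", "unsolicited inbound"

        # Anything else (e.g. internal-to-internal) is outside this policy's scope.
        return "DROP", "not matched by policy"


# Constructed sample traffic, in the order it arrives at the firewall.
SAMPLE_TRAFFIC = [
    Packet("10.0.1.20", "203.0.113.10", 51000, 443, True),   # user opens HTTPS session
    Packet("203.0.113.10", "10.0.1.20", 443, 51000, False),  # server reply to that session
    Packet("198.51.100.7", "10.0.5.10", 40000, 445, True),   # outsider probes finance server
    Packet("198.51.100.7", "10.0.1.20", 40000, 3389, True),  # outsider probes a workstation
    Packet("10.0.1.20", "203.0.113.10", 51001, 23, True),    # user tries telnet outwards
]


def run_policy(packets):
    """Evaluate packets in sequence with a fresh connection table."""
    fw = StatefulFirewall()
    return [fw.evaluate(p) for p in packets]


if __name__ == "__main__":
    for pkt, (decision, reason) in zip(SAMPLE_TRAFFIC, run_policy(SAMPLE_TRAFFIC)):
        print(f"{decision:6} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  ({reason})")
```

The point the connection table makes is that the second packet is admitted only because the first one created a session; the same reply packet arriving on its own is dropped, even though it comes from a permitted web port.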

CENTRALIZATION
A centralized IS/IT department involves all IS/IT staff and functions being based
at a single central location, such as head office.
Advantages:
a) Assuming centralized processing is used, there is only one set of files.
Everyone uses the same data and information.
b) It gives better security and control over data and files. It is easier to enforce
standards.
c) Head office is in a better position to know what is going on.
d) There may be economies of scale available in purchasing computer equipment
and supplies.
e) Computer staff are in a single location, more expert staff are likely to be
employed, and career paths may be more clearly defined.

Disadvantages:
a) Local offices might have to wait for IS/IT services and assistance.
b) Reliance on head office: local offices are less self-sufficient.
c) A system fault at head office will impact across the organization.

DECENTRALIZATION:
A decentralized IS/IT department involves IS/IT staff and functions being spread out
throughout the organization.
Advantages:
a) Each office can introduce an information system specially tailored for its
specific needs. Local changes in business requirements can be taken into
account.
b) Each office is more self-sufficient.
c) Offices are likely to have quicker access to IS/IT support and advice.

d) A decentralized structure is more likely to facilitate accurate IS/IT cost and
overhead allocations.

Disadvantages:
a) Control may be more difficult; different and uncoordinated information systems
may be introduced.
b) Self-sufficiency may encourage a lack of coordination between departments.
c) Increased risk of data duplication, with different offices holding the same data
on their own separate files.

ACCOUNTING ISSUES
Providing and maintaining information systems to deliver good quality information
involves significant expenditure. There are three broad possibilities when accounting
for costs related to information systems:
a) IS costs are treated as an administrative overhead.
b) IS costs are charged out at cost.
c) IS costs are charged out at market rates.

The costs incurred are:
CAPITAL COST
Hardware purchase
Cabling
System installation

REVENUE COST (ONE OFF)
System development cost (programmer and analyst fees, testing cost,
conversion cost)
Initial training cost.
Any redundancy cost attributable to the new system.

REVENUE COST (ONGOING)
IS/IT staff cost.
Communication and transmission cost.
Power
Maintenance and support.
Consumables, e.g. paper, printer ink, floppy disks, CDs.

1. IT as a Corporate Overhead
This implies that all the expenses on IT are borne by head office. There is no cost
allocation.
Advantages:
No complexity in calculation.
Encourages innovation, because no one is being charged.
Good relations between IT and user departments.
Disadvantages:
No cost control.
Inefficiency.
Substandard services to user departments, because no one will complain about
inefficient working or systems.
No true performance picture.

2. IT charged at cost
IT cost is allocated to each user department on the basis of the services received by
each.
Advantages
Realistic.
Efficiency.
Good services to user departments.
True performance picture.
Disadvantages
Finding a cost unit, whether per page, per data entry or per print.
Poorer relations between IT and user departments.
Inefficiency may be passed on, e.g. pages wasted by the IS department may be
claimed as test pages.

3. IT charged at market
The IS department charges its services to other user departments at market rates.
(This charging is a book entry only; no cash changes hands.)
Advantages
Profit centre.
High standard of service, because it is being provided at market rates.
Cost cutting.
Efficiency.

Disadvantages
Administrative hassles.
No comparable services.

ESTABLISHING IT DEPARTMENT AS A SEPARATE COMPANY

The IT department is dealt with as an outside vendor.
Advantages
More skills, because outsiders may also hire it for different services.
The IT department becomes a profit centre.
Better career path for IT people.
Employees are retained.
Disadvantages
Administrative hassles.
Focus is lost (earlier the IT department was developing applications for the parent
bank only, but now also for other businesses).
No priority for the parent company.

LEGACY DATA MANAGEMENT

LDM involves identifying and converting historical information (paper-based and
archaic document formats) to current electronic standards.
Legacy data management (LDM) is the process and methodologies developed to
maintain, track, store and use the large volumes of data generated by businesses in
a cost-effective manner. Each new system had its own proprietary data formats and
thus the integration of various systems became an expensive and difficult aspect of
implementing computer technology. LDM can help companies do the same
effectively and efficiently.
Advantages:
Cost savings.
Occupies less storage space.
Enhanced data consistency.
Increased data availability.
Minimal data loss.
Improved responsiveness.

Implementing LDM involves:
Performing a system needs analysis.
Performing a cost benefit analysis.
Developing a conversion plan.

OUTSOURCING
Outsourcing is the contracting out of specified operations or services to an external
vendor.
There are various outsourcing options available, with different levels of control
maintained in-house. Outsourcing has advantages (e.g. use of highly skilled people)
and disadvantages (e.g. lack of control). Outsourcing is a contractual agreement
whereby an organization hands over control of part or all of the functions of the
information systems department to an external party. The organization pays a fee
and the contractor delivers a level of service that is defined in a contractually-binding
service level agreement. The contractor provides the resources and expertise
required to perform the agreed service. Outsourcing is becoming increasingly
important in many organizations. The IS auditor must be aware of the various forms
outsourcing can take and the associated risks. The objective of outsourcing is to
achieve lasting, meaningful improvement in IS, through corporate restructuring to
take advantage of a vendor's core competencies.
Reasons for Embarking on Outsourcing:
A desire to focus on core activities.
Pressure on profit margins.
Increasing competition that demands cost savings.
Flexibility with respect to both organization and structure.

TYPES OF OUTSOURCING
There are four broad classifications of outsourcing:
1. AD-HOC: The organization has a short term requirement for increased
IS/IT skills. An example would be employing programmers on a short term
contract to help with the programming of bespoke software.
2. PROJECT MANAGEMENT: The development and management of a particular
project is outsourced, for example a new accounting system. This approach is
sometimes referred to as system integration.
3. PARTIAL: Some IT/IS services are outsourced. Examples include
hardware management.

4. TOTAL: An external supplier provides the vast majority of an organization's
IT/IS services, e.g. the third party owns or is responsible for IT equipment,
software and staff.

LEVEL OF SERVICE PROVISION

The degree to which the provision and management of IS/IT services are transferred
to the third party varies according to the situation and skills of both organizations.
a. TIME SHARE: The vendor charges for access to a processing system
on a time-used basis. Software ownership may be with either the vendor or
the client organization.
b. SERVICE BUREAUS (USUALLY FOCUSED ON A SPECIFIC FUNCTION):
Traditionally bureaus would provide the same type of service to many
organizations, e.g. payroll processing. As organizations have developed their
own IT infrastructure, the use of bureaus has decreased.
c. FACILITIES MANAGEMENT (FM): Facilities management involves an
outside agency managing the organization's IS/IT facilities. All equipment
usually remains with the client, but the responsibility for providing and
managing the specified services rests with the FM company.
Facilities management traditionally involved contracts for premises-related services
such as cleaning or site security.

ORGANIZATIONS INVOLVED IN OUTSOURCING
Facilities management companies
Software houses
Consultancy firms
Hardware manufacturers and suppliers.

SOFTWARE HOUSE:
Software houses concentrate on the provision of software services. These
include: feasibility studies, system analysis and design, development of OS
software, provision of application program packages, tailor-made application
programming, specialist systems advice and so on. For example a software
house might be employed to write a computerized system for the London
Stock Exchange.

CONSULTANCY FIRMS:
Some consultancy firms work at a fairly high level, giving advice to
management on the general approach to solving problems and on the types of
system to use. Others specialize in giving more particular systems advice,
carrying out feasibility studies and recommending computer manufacturers or
software. When a consultancy firm is used, the terms of the contract should
be agreed at the outset.
The use of consultancy services enables management to learn directly or
indirectly from the experience of others. Many large consultancies are owned
by big international accountancy firms; smaller consultancies may consist of a
one- or two-person outfit with a high level of specialist experience in one area.

HARDWARE MANUFACTURERS AND SUPPLIERS:
Computer manufacturers or their designated suppliers will provide the
equipment necessary for a system. They will also provide, under a
maintenance contract, engineers who will deal with any routine servicing and
with any breakdown of the equipment.

CATEGORIES OF CONSULTING ACTIVITIES
a) Strategic studies, involving the development of a business strategy or
an IS strategy for an organization.
b) Specialist studies, where the consultant provides a high level of expertise
in one area, e.g. enterprise resource management software.
c) Project management, involving supervision of internal and external
parties in the completion of a particular project.
d) Body-shopping, where the necessary staff for a project, including consultants,
project management, systems analysts and programmers, are identified.
e) Recruitment, involving the supply of permanent or temporary staff.

DEVELOPMENTS IN OUTSOURCING
a) Multiple sourcing.
b) Incremental approach.
c) Joint-venture sourcing.
d) Application Service Provider (ASP).
ASPs are third parties that manage and distribute software services and
solutions to customers across a wide area network.

MANAGEMENT OF OUTSOURCING ARRANGEMENTS

Managing outsourcing arrangements involves deciding what will be outsourced,
choosing and negotiating with suppliers and managing the supplier relationship.
When considering whether to outsource a particular service the following questions
are relevant.
a) Is the system of strategic importance?
Strategic IS are generally not suited to outsourcing as they require a high
degree of specific business knowledge that a third-party IT specialist could not
be expected to possess.
b) Can the system be isolated?
Relatively isolated functions that have only limited interfaces are most easily
outsourced, e.g. payroll.
c) Do we know enough about the system to manage the outsourced service
agreement?
If an organization knows very little about a technology it may be difficult to
know what constitutes a good service, and it may be necessary to recruit
additional expertise to manage the relationship with the other party.
d) Are our requirements likely to change?
Organizations should avoid tying themselves into long-term outsourcing
agreements if requirements are likely to change.

THIRD PARTY SERVICES:
Data entry (mainly airlines follow this route).
Design and development of new systems, when the in-house staff do not
have the requisite skills or are otherwise occupied in higher priority tasks.
Maintenance of existing applications, to free in-house staff to develop new
applications.
Conversion of legacy applications to new platforms, e.g. a specialist company
may web-enable an old application.
Operating the help desk or the call centre.

SERVICE LEVEL AGREEMENT

The contract provides the framework for the relationship between the organization
and the service provider. A key factor when choosing and negotiating with external
vendors is the contract offered and subsequently negotiated with the supplier. The
contract is sometimes referred to as the service level contract (SLC) or service level
agreement (SLA).
KEY ELEMENTS OF THE CONTRACT
i) Time scale:
When does the contract expire? Is the timescale suitable for the organization's
needs or should it be negotiated?

ii) Service level:
The contract should clearly specify the minimum levels of service to be
provided; penalties should be specified for failure to meet those standards.
Relevant factors will vary depending on the nature of the services outsourced
but could include:
Response time to requests for assistance / information.
System uptime percentage.
Deadlines for performing relevant tasks.

iii) Exit routes:
Arrangements for an exit route, addressing how a transfer to another supplier, or
the move back in-house, would be conducted.

iv) Software ownership:
Relevant factors include:
Software licensing and security.
If the arrangement includes the development of new software, who
owns the copyright?

v) Dependencies:
If related services are outsourced, the level of service quality agreed should
group these activities together.

vi) Employment Issues:
If the arrangement includes provision for the organization's IT staff to move
to the third party, employer responsibilities must be specified clearly.

ADVANTAGES OF OUTSOURCING
a) Outsourcing can remove uncertainty about cost, as there is often a long-term
contract where services are specified in advance for a fixed price. If
computing services are inefficient, the costs will be borne by the FM company.
This is also an incentive to the third party to provide a high quality service.
b) Long-term contracts encourage planning for the future.
c) Outsourcing can bring the benefits of economies of scale, e.g. the FM company
may conduct research into new technologies that benefits a number of clients.
d) A specialist organization is able to retain skills and knowledge. Many
organizations would not have a sufficiently well-developed IT department to
offer IT staff opportunities for career development. Talented staff would leave
to pursue their careers elsewhere.
e) New skills and knowledge become available: a specialist company can share
staff with specific expertise between several clients. This allows the outsourcing
company to take advantage of new developments without the need to recruit
new people or re-train existing staff, and without the cost.
f) Flexibility: resources may be able to be scaled up or down depending upon
demand. For instance, during a major changeover from one system to another
the number of IT staff needed may be twice as large as it will be once the new
system is working satisfactorily.

An outsourcing organization is more able to arrange its work on a project basis,
whereby some staff will expect to move periodically from one project to the next.

DISADVANTAGES OF OUTSOURCING
a) It is arguable that information and its provision is an integral part of the
business and of management. Unlike office cleaning or catering, an
organization's IT services may be too important to be contracted out.
Information is at the heart of the organization.

b) A company may have highly confidential information and to let outsiders
handle it could be seen as risky in commercial and/or legal terms.
c) If a third party is handling IS/IT services there is no onus upon internal
management to keep up with new developments or to suggest new ideas.
Consequently, opportunities to gain competitive advantages may be missed.
Any new technology or application devised by the third party is likely to be
available to competitors.
d) An organization may find itself locked in to an unsatisfactory contract. The
decision may be very difficult to reverse. If the service provider supplies
unsatisfactory levels of service, the effort and expense the organization would
incur to rebuild its own computing function or to move to another provider
could be substantial.
e) The use of an outside organization does not encourage awareness of the
potential costs and benefits of IS/IT within the organization. If managers
cannot manage in-house IS/IT resources effectively, then it could be argued
that they will not be able to manage an arrangement with outsiders effectively
either.

Other summarized disadvantages
Costs exceeding customer expectations.
Loss of internal IS experience.
Loss of control over IS.
Vendor failure.
Limited product access.
Difficulty in reversing or changing outsourced arrangements.

BUSINESS RISKS FROM OUTSOURCING
Hidden costs.
Contract terms not being met.
Service costs not being competitive over the period of the entire contract.
Obsolescence of vendor IT systems.
Balance of power residing with the vendor.

Ways in which such risks can be reduced are:
Establishing measurable, partnership-enacted shared goals and rewards.
Utilization of multiple suppliers, or withholding a piece of business as an incentive.
Formation of a cross-functional contract management team.
Contract performance reviews and benchmarking/bench trending.
Implementation of short-term contracts.
Addressing data ownership in the contract.

TERMINATION POLICIES
Written termination policies should be established to provide clearly defined steps
for employee separation. It is important that policies be structured to provide
adequate protection for the organization's computer assets and data. Termination
practices should address both voluntary terminations and involuntary (immediate)
terminations. In either case, the following control procedures should be applied:
Return of all access keys, ID cards and badges to prevent easy physical
access.
Deletion of assigned logon IDs and passwords to prohibit system access.
Notification to other staff and facilities security to increase awareness of the
terminated employee's status.
Arrangement of the final pay routines to remove the employee from active
payroll files.
Performance of a termination interview to gather insight on the employee's
perception of management.
Return of all company property.
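
A test the IS auditor can run against the first two controls above (return of badges, deletion of logon IDs) is a reconciliation of the HR leavers list against extracts from the account directory and the physical access system. The Python program below is an added example, not part of the original text; the record layouts, the grace periods and the sample employees are all assumptions made for the illustration.

```python
from datetime import date, timedelta

# Constructed sample data (assumed record layouts, not from the text).
HR_LEAVERS = [
    {"emp": "E1001", "left": date(2024, 3, 1), "type": "voluntary"},
    {"emp": "E1002", "left": date(2024, 3, 5), "type": "involuntary"},
    {"emp": "E1003", "left": date(2024, 3, 9), "type": "voluntary"},
]
ACCOUNTS = [  # extract of logon IDs from the directory
    {"emp": "E1001", "logon": "akhan", "enabled": False},
    {"emp": "E1002", "logon": "braza", "enabled": True},
    {"emp": "E1003", "logon": "cali", "enabled": True},
    {"emp": "E2000", "logon": "dsmith", "enabled": True},  # still employed
]
BADGES = [  # extract from the physical access system
    {"emp": "E1002", "badge": "B-55", "active": True},
    {"emp": "E1003", "badge": "B-61", "active": False},
]

# Assumed policy: an involuntary (immediate) termination must be fully
# deprovisioned on the leaving date; a voluntary leaver gets one extra day.
GRACE_DAYS = {"voluntary": 1, "involuntary": 0}


def find_exceptions(leavers, accounts, badges, today):
    """Return (employee, control, identifier) for every access right that
    should have been removed by `today` but is still active."""
    exceptions = []
    for leaver in leavers:
        deadline = leaver["left"] + timedelta(days=GRACE_DAYS[leaver["type"]])
        if today <= deadline:
            continue  # still inside the permitted deprovisioning window
        for acct in accounts:
            if acct["emp"] == leaver["emp"] and acct["enabled"]:
                exceptions.append((leaver["emp"], "logon", acct["logon"]))
        for badge in badges:
            if badge["emp"] == leaver["emp"] and badge["active"]:
                exceptions.append((leaver["emp"], "badge", badge["badge"]))
    return exceptions


if __name__ == "__main__":
    review_date = date(2024, 3, 10)
    for emp, control, ident in find_exceptions(HR_LEAVERS, ACCOUNTS, BADGES, review_date):
        print(f"EXCEPTION {emp}: {control} {ident} still active on {review_date}")
```

Run on 10 March, the involuntary leaver E1002 is reported for both a live logon ID and a live badge, while E1003, who left the day before, is still inside the voluntary grace period; a day later E1003's logon ID is reported too. Extracts taken directly from the directory and the badge system, rather than from the IS department's own checklist, are what make this an independent test.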

LOGGING SYSTEM
The information system department should implement comprehensive logging
systems. These will include manual as well as automated logs. Logs allow managers
to monitor work and compare actual performance with the usual averages. They can
also serve as early warning systems for serious errors. An effective IS department
should have various logs that individuals examine regularly and take appropriate
action on when necessary.



Examples:
i)   Data entry staff should keep full details of each batch of work, with
     duration and errors.
ii)  Computer operators should maintain logs of all batch jobs and the time
     taken to complete them.
iii) Backup and storage of data off-site should be logged.
iv)  Any problems in the hardware or software infrastructure should be recorded
     in daily logs.
v)   Software application systems may generate their own logs of errors.
vi)  A security subsystem could maintain detailed logs of who did what and
     when, and also of any attempted security violations.
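Two of these logs, the operators' batch job log (ii) and the security subsystem log (vi), are worked through in the following added example, which is not part of the original text. It compares each job's latest run against the usual average and lists users with repeated denied actions; the log lines and their field layout are constructed for illustration.

```python
"""Examining operator batch logs and security subsystem logs (added
example, not from the page). The log lines below are constructed and use
a hypothetical key=value layout; a real system has its own format, so
only the two regular expressions would change.
"""
import re
from collections import defaultdict
from statistics import mean

# Operator batch log: one run per line, oldest first. The last line is a
# constructed truncated record to show how malformed lines are handled.
BATCH_LOG = """\
2024-03-04 22:00 job=payroll_run duration=610 errors=0
2024-03-04 23:10 job=gl_post duration=300 errors=0
2024-03-05 22:00 job=payroll_run duration=590 errors=0
2024-03-05 23:05 job=gl_post duration=310 errors=1
2024-03-06 22:00 job=payroll_run duration=1400 errors=0
2024-03-06 23:00 job=gl_post duration=305 errors=4
2024-03-06 23:30 job=ar_aging duration=
"""

# Security subsystem log: who did what, when, and whether it was allowed.
SECURITY_LOG = """\
2024-03-06 08:01 user=d.noor action=read object=GL_MASTER result=ok
2024-03-06 08:02 user=a.khan action=login object=erp result=denied
2024-03-06 08:02 user=a.khan action=login object=erp result=denied
2024-03-06 08:03 user=a.khan action=login object=erp result=denied
2024-03-06 09:15 user=d.noor action=update object=PAYROLL result=denied
2024-03-06 09:40 user=e.sami action=read object=GL_MASTER result=ok
"""

BATCH_RE = re.compile(
    r"^(?P<ts>\S+ \S+) job=(?P<job>\S+) duration=(?P<dur>\d+) errors=(?P<err>\d+)$")
SEC_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<obj>\S+) result=(?P<result>\S+)$")


def parse(text, pattern):
    """Parse one record per line. Malformed lines are returned separately
    rather than dropped silently: a log that cannot be read is itself an
    exception worth a manager's attention."""
    records, bad = [], []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            records.append(m.groupdict())
        else:
            bad.append(line)
    return records, bad


def slow_or_failing_jobs(records, factor=1.5):
    """Flag the latest run of each job if it took more than `factor` times
    the mean of its earlier runs, or if it finished with errors."""
    by_job = defaultdict(list)
    for r in records:  # records are in log order, so the last one is latest
        by_job[r["job"]].append(r)
    flags = {}
    for job, runs in by_job.items():
        *history, last = runs
        reasons = []
        if history:
            baseline = mean(int(r["dur"]) for r in history)
            if int(last["dur"]) > factor * baseline:
                reasons.append(f"duration {last['dur']}s vs usual {baseline:.0f}s")
        if int(last["err"]) > 0:
            reasons.append(f"{last['err']} errors")
        if reasons:
            flags[job] = reasons
    return flags


def attempted_violations(events, threshold=3):
    """Count denied actions per user; users at or above `threshold`
    are returned for follow-up as attempted security violations."""
    denied = defaultdict(int)
    for e in events:
        if e["result"] == "denied":
            denied[e["user"]] += 1
    return {u: n for u, n in denied.items() if n >= threshold}


if __name__ == "__main__":
    batch, bad = parse(BATCH_LOG, BATCH_RE)
    print("unreadable batch lines:", bad)
    print("batch flags:", slow_or_failing_jobs(batch))
    events, _ = parse(SECURITY_LOG, SEC_RE)
    print("repeated denials:", attempted_violations(events))
```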


CHAPTER 02

INTRODUCTION TO STRATEGY & INFORMATION STRATEGIES
CHARACTERISTICS OF STRATEGIC DECISIONS
1. Strategic decisions will be concerned with the scope of the organization's
   activities.
2. Strategy involves the matching of an organization's activities to the
   environment in which it operates.
3. Strategy involves the matching of an organization's activities to its resource
   capability.
4. Strategic decisions therefore involve major decisions about the allocation or
   re-allocation of resources.
5. Strategic decisions will affect operational decisions, because they will set off a
   chain of lesser decisions and operational activities, involving the use of
   resources.
6. Strategic decisions will be affected by the values and expectations of the
   people in power within the organization.
7. Strategic decisions are likely to affect the long term direction that the
   organization takes.
8. Strategic decisions have implications for change throughout the organization,
   and so are likely to be complex in nature.

STRATEGY
Strategy is a pattern of activities that seeks to achieve the objectives of an
organization and adapt its scope, resources and operations to environmental changes
in the long term.
All organizations carry out some form of strategic management. As the
organization grows larger and more complex, there is a greater need for
involvement in the strategy process at all levels of the organization.



STRATEGIC PLANNING
Strategic planning is the formulation, evaluation and selection of strategies for the
purpose of preparing a long term plan of action to attain objectives. Strategic
information systems are systems at any level of an organization that change goals,
processes, products, services or environmental relationships with the aim of gaining
competitive advantage. Strategic level systems are systems used by senior managers
for long term decision making.
Strategic planning is a disciplined effort to produce fundamental decisions and
actions that shape and guide what an organization is, what it does, and why it does
it, with a focus on the future. Being strategic means being clear about the
organization's objectives, being aware of the organization's resources, and
incorporating both into being consciously responsive to a dynamic environment.


A strategic plan can provide the foundation and framework for a business plan. The
strategic plan:

Provides a framework for decisions or for securing support / approval.

Provides a basis for more detailed planning.

Explains the business to others in order to inform, motivate & involve.

Assists performance monitoring.

Stimulates change and becomes the building block for the next plan.

Planning Stage              Component of Plan   Question answered
Strategic analysis          Mission             What business are we in?
                            Goals               Where are we going?
Strategic choice            Strategies          Which routes have we selected?
Strategic implementation    Policies            What sort of frameworks are needed?
                            Decisions           What choices do we have?
                            Actions             How shall we do it?

Levels of Planning:
Strategic:   Deciding on the objectives of the organization, on changes in these
             objectives, on the resources used to attain these objectives and on the
             policies that are to govern the acquisition, use and disposition of these
             resources.

Tactical:    Ensuring that the resources are obtained and used effectively and
             efficiently in the accomplishment of the organization's objectives.

Operational: Ensuring that specific tasks are carried out effectively and efficiently.

Guidelines for when Strategic Planning should be done

The strategic planning scheduling process depends on the nature and needs of the
organization and its immediate external environment.
i)   Strategic planning should be done when an organization is just getting
     started. It is usually part of an overall business plan, along with a financial
     plan, marketing plan, operational plan and management plan.
ii)  Strategic planning should also be done for a major new venture, e.g. developing
     a new department, division, major new product or line of products, etc.
iii) Strategic planning should be conducted at least once a year in order to be
     ready for the coming fiscal year, with a full planning exercise conducted at
     least once every three years.
iv)  Each year, action plans should be amended and updated.
v)   During implementation of the plan, the progress of the implementation should
     be reviewed at least on a quarterly basis by the board. Frequency of review
     depends on the extent of the rate of change in and around the organization.

Guidelines for Preparing the Strategic Plan

The following guidelines will help ensure that the plan is developed and successfully
implemented.
i)    When conducting the planning process, involve the people who will be
      responsible for implementing the plan. Use a cross-functional team to ensure
      the plan is realistic and collaborative.
ii)   Ensure the plan is realistic (can we really do this?).
iii)  Organize the overall strategic plan into smaller action plans, often including an
      action plan for each committee on the board.
iv)   In the overall planning document, specify who is doing what and by when.
v)    In an implementation section of the plan, specify and clarify the plan's
      implementation roles and responsibilities. Build in regular reviews of the status
      of the implementation of the plan.
vi)   Translate the strategic plan's actions into job descriptions and personnel
      performance reviews.
vii)  Communicate the role of follow-ups to the plan. If people know the action
      plans will be regularly reviewed, implementers tend to do their jobs before
      they are checked on.
viii) Be sure to document & distribute the plan, including inviting review input from
      all.
ix)   Be sure that one internal person has ultimate responsibility that the plan is
      enacted in a timely fashion.
x)    The chief executive's support of the plan is a major driver of the plan's
      implementation. Integrate the plan's goals and objectives into the chief
      executive's performance reviews.
xi)   Place huge emphasis on feedback to the board's executive committee from
      the planning participants.
xii)  Have designated rotating checkers to verify, e.g. every quarter, whether each
      implementer completed their assigned tasks.

Purpose of the Information System Strategy Planning

i)   Effective management of expensive and critical assets of the organization.
ii)  Improving communication between the business and the information systems
     organization.
iii) Linking the information systems direction to the business direction.
iv)  Planning the flow of information and processes.
v)   Efficiently and effectively allocating information systems resources.
vi)  Information systems life cycle.

GENERAL LEVELS OF STRATEGY

Corporate, business and functional / operational.

CORPORATE STRATEGY
Corporate strategy is the most general level of strategy in an organization. Corporate
strategy is concerned with what types of business the company as a whole should be
in and is therefore concerned with decisions of scope.

Corporate strategy is concerned with the scope of an organization's activities and the
matching of these to the organization's environment, its resource capabilities and the
values and expectations of its various stakeholders.



Corporate strategy involves issues such as:
(i)   Diversifying or limiting the activities of the business.
(ii)  Investing in existing units, or buying new businesses.
(iii) Surviving.

This is a sense of direction for the entire corporate group. It is primarily concerned
with the determination of ends, e.g. what business or businesses the firm is in or
should be in and how integrated these businesses should be with one another. It
covers a longer time period and has a wider scope than the other levels of corporate
planning. At this level the global objectives, e.g. growth, stability or retrenchment, and
the general orientation to achieve them are defined.
BUSINESS STRATEGY
Business strategy or competitive strategy is concerned with how each strategic
business unit (SBU) attempts to achieve its mission within its chosen area of activity.
Here strategy is about which products or services should be developed and offered to
which markets and the extent to which the customer needs are met whilst achieving
the objectives of the organization.
These strategies are either cost leadership or differentiation of products and may
encompass an entire market or be focused on a particular segment of it. Business
strategy relates to how an organization approaches a particular market, or the
activity of a particular business unit. For example, this can involve decisions as to
whether, in principle, a company should:
(i)  Segment the market and specialize in particularly profitable areas;
(ii) Compete by offering a wide range of products.

An example of a business strategy is the recent decision by Mercedes-Benz to expand
its product range to include four wheel drive vehicles.

Strategic Business Unit (SBU): It is a unit within the overall corporate entity,
which should have an identifiable and definable product or service range, market
segment and competitor set.

OPERATIONAL AND FUNCTIONAL STRATEGIES

These involve decisions of strategic importance, but which are made or determined
at operational levels. These decisions include product pricing, investment in plant,
personnel policy and so forth. The contributions of these different functions
determine the success of the strategy, as effectively a strategy is only implemented at
this level.
Functional or operational strategies are concerned with how the various functions of
the organization (marketing, administration, production and so on) contribute to the
corporate and competitive strategies. To improve performance in the organization,
functional strategies harness the activities, skills and resources available.
Functional / operational strategies deal with specialized areas of activity, e.g. information
system strategy. They include:

Information system strategies

Marketing strategies

Production strategies

Finance strategies

Human resources strategies

R&D strategies

INFORMATION SYSTEM (IS) includes all systems and procedures involved in the
collection, storage, production and distribution of information.
VS.
INFORMATION TECHNOLOGY (IT) describes the equipment used to capture,
store, transmit or present information. IT provides a large part of the information
systems infrastructure.

Information System Strategy: IS strategy indicates what features and
performance the organization will need from the systems. It demonstrates how the
resources will be used and provides policy guidelines for information resources
management and perhaps policies for communication networks, hardware
architectures, software infrastructures and management issues such as security,
development methods, organization and allocation of responsibilities.
VS.
Information Technology Strategy: IT strategy defines the policies for software and
hardware, for example any standards to be used, any stand on preferred suppliers,
what is to be invested, and selection of vendors. It also describes the activities and
resources required for the development of new application technology.



INFORMATION MANAGEMENT refers to the approach an organization takes
towards the management of its information systems, including:

Planning IS/IT development

Organizational environments of IS

Control

Technology

STRATEGIC PLANNING COMPONENTS

i)   Identification of where we are today:
     Look internally and externally at the business as well as information systems.
     Thoroughly understand the business objectives and challenges in addition to
     where information systems are currently.
ii)  Identification of where we want to be in the future:
     Develop the vision and strategy from a business perspective as well as an
     information systems perspective. The future business direction must be the main
     determinant of the information systems direction.
iii) Identification of the information systems gap between where we are and where
     we want to be in the future.
iv)  Identification of how to get information systems to where we want to be in the
     future. Develop a plan that begins with understanding the future business
     operating vision. This vision then becomes the basis for the IS mission, objectives,
     strategies and technical computing architecture. Assess the current systems by
     comparing them to the future business operating vision and the desired
     information systems computing architecture.

ELEMENTS OF AN IT STRATEGY
i)    Executive Summary: A statement containing the main points of the
      scheme. The document should have a section on the goals, specific and
      general, of information processing in the organization.
ii)   Goals: A general goal might be to provide a different customer service,
      whilst a specific goal could be to completely update the database enquiry
      system.
iii)  Assumptions: The plan will be based on certain assumptions about the
      organization and the current business strategy. It is essential that this
      plan is linked to the organization's strategic plan.
iv)   Scenario: It is helpful to draw up a scenario of the information processing
      environment that will result from executing the plan.
v)    Application Areas: The plan should outline and set priorities for new
      application areas being planned and for those applications which are in the
      process of development. A report on the progress and status should be
      produced. For major new applications there should be a break-down of
      costs and schedules. The plan should outline and set priorities for the
      application areas.
vi)   Operations: The current systems will be continuing and the plan should
      identify the existing systems and the cost of maintaining them.
vii)  Maintenance: The plan should incorporate the budget for the
      maintenance of, and enhancements to, the existing systems.
viii) Organizational Structure: The plan should describe the existing and
      future organizational structure for the technology, in terms of location, and
      human and financial resources.
ix)   Impact of the plan: Management is interested in the impact of a plan on
      the organization, particularly its financial impact.

CONSIDERATIONS FOR DEVELOPING IT STRATEGY

i)   What are the key business areas that could benefit most from an investment in
     IT, what form should the investment take and how such strategically important
     units could be encouraged to effectively use such technology.
ii)  How much the system will cost in terms of software, hardware, management
     commitment and time, education and training, conversion, documentation,
     operational manning and maintenance. The importance of lifetime application
     costs must be stressed.
iii) What performance criteria should be set for IT systems.
iv)  What are the implications for the existing work force (training issues,
     redundancy issues etc.).
v)   Whether such a strategy should be based on a database approach will depend on
     a number of factors.

A DATABASE APPROACH IS CALLED FOR WHEN

a) Application needs are constantly changing, with considerable uncertainty as to
   the important data elements, expected update or processing functions, and
   expected volumes to be handled.
b) Rapid access is frequently required to answer ad hoc questions.
c) There is a need to reduce long lead times and high development costs in
   developing new application systems.
d) Many data elements must be shared by users throughout the organization.
e) There is a need to communicate and relate data across functional and
   departmental boundaries.
f) There is a need to improve the quality and consistency of the database and to
   control access to that resource.
g) Substantial dedicated programming assistance is not normally available.

COMPONENTS OF INFORMATION SYSTEM STRATEGY PLAN

i)   Business Information Strategy:
     This indicates how information will be used to support the business. Priorities
     that the organization has for systems developments are defined at a general
     level, perhaps by suggesting a portfolio of current and required systems. It
     may outline information requirements via blueprints for future application
     developments.
ii)  IS Functionality Strategy:
     This indicates what features and performance the organization will need from
     the systems. It demonstrates how the resources will be used, and provides
     policy guidelines for information resources management and perhaps
     policies for communication networks, hardware architectures, software
     infrastructures and management issues such as security, development
     approaches, organization and the allocation of responsibility.
iii) IS Strategy:
     This defines the policies for software and hardware, for example any standards
     to be used and any stand on preferred suppliers. This also defines the
     organization's stand on the IS organization, e.g. whether it is to be centralized or
     distributed, what are to be the investment, vendor and human impact policies
     and IS accounting techniques.

STRATEGIC SYSTEMS
The following items provide a good starting point for organizations planning to use
information systems as a strategic weapon against competition, for the betterment of
products and services, and for overall growth of the company.
i)    Develop a partnership relationship with suppliers and vendors, e.g. working
      with suppliers to provide production forecasting information based on POS
      data for a retail company, and having retail clerks use hand-held wireless
      scanners to automate inventory records and pricing data.
ii)   Support and shape changes in traditional business operations, e.g. TQM
      principles in computer operations, software development & maintenance.
      Provide information to low level employees for better decision making.
iii)  Connect various business functions and users together, regardless of their
      location. This means integrating telecommunication networks and system
      architecture through open-systems technology so that employees work
      together & share information across business units and divisions
      (cross-functional systems).
iv)   Allow almost every employee to access computer systems so that decision
      making is done at the end user level with the information readily available.
v)    Search external databases to obtain data on competitors' products and
      services, general economic data, and political information to help executive
      management prepare well in advance for possible moves & counter moves.
      (This information helps in applying ESS & DSS.)
vi)   Revisit the information flow between the home office and field offices, and
      between headquarters and manufacturing plants or warehouses. The goal is to
      move required data to field offices so that it can be acted upon more quickly and
      managed more efficiently in order to serve the customer faster & better (e.g.
      workflow systems).
vii)  Have representatives of functional and user groups present on the
      information steering committee. These representatives ensure that software
      requirements are defined and that new systems are implemented, whether the
      system is developed in-house or acquired from third-party vendors. The
      goal is to place the decision making in the hands of end-users instead of a few
      high-level managers.
viii) Re-engineer the IS organization. This requires reorganizing, dispersing,
      and aligning the IS department with business units. The goal is to better reflect
      the company strategy and link the information system structure to lines of
      business. This may require the use of distributed or client / server technology
      in business.
ix)   Put more focus on lowering the cost of doing business, improving customer
      service, and cutting the time-to-market of new products and services. New
      tools such as information engineering and computer aided software
      engineering (CASE) products can be used to cut time-to-market of new
      products.
x)    Help re-engineer business processes. This requires a focus on achieving
      productivity improvement by providing the functional users with the right
      information at the right time. This responsibility puts pressure on IS
      management to retrain existing staff to learn new tools & techniques.
      In some cases, existing staff may have to be replaced.
xi)   Develop a new class of application systems that use existing production data
      to improve business decisions and, ultimately, customer service. This includes
      building decision support application systems that query huge production
      databases.

Critical Success Factors

Three factors can summarize all of them: people, process and tools.
People and process need to be related to each other to improve quality and increase
productivity. A process is a sequence of steps or operations used to accomplish a
certain goal. People perform operations. E.g. all processes need to be changed where
needed, and applications, methodologies and tools need to be evaluated. In all these
activities, people are an integral part.

Top management support.

Long-term commitment.

High quality staffing.

Substantial customer input.

Co-ordination between organizations.

Appropriate use of technology.

Good up-front planning.

Need to change corporate culture.

Strategic Planning:
Strategic planning is the process of deciding organizational direction. Managers apply
analytic techniques, creativity and sound judgment to anticipate the requirements of
the future. When properly executed, IS strategic planning helps an organization to
efficiently and effectively carry out its mission. Managers can better position their
organization to meet tomorrow's challenges; strategic planning is a key tool for moving
from where one is to where one wants to be.
An IS strategic plan should be a part of the organization's strategic plan. Due to their
long-term nature, strategic plans are not updated frequently. External or internal
changes within an organization are often the catalyst for organizational strategic
planning.
Key Components of IS Strategic Plan
i)   A mission statement that defines the organization's purpose.
ii)  A vision to support the mission.
iii) Goals to achieve the vision and mission.
iv)  An environmental analysis to identify internal strengths and weaknesses and
     external challenges & opportunities.
v)   Strategies to meet vision & goals.
vi)  A risk assessment that contrasts the impacts of change versus those of no
     change.
vii) CSFs that highlight key elements for achieving organizational goals.



Success Factors for Strategic Planning
i)   Managers must commit to and participate in the planning process.
ii)  Managers must nurture strategic thinking.
iii) Managers must communicate with all parties affected by the plan.
iv)  Managers must gain staff and customer / client support for the plan.
v)   Managers must develop operational plans to guide the implementation of the
     strategic vision.

_____________________________________________________________

INFORMATION SYSTEM STRATEGY refers to the long term plan concerned with
exploiting IS and IT either to support business strategies or to create new strategic
options. It should be developed with the aim of ensuring IS/IT is utilized as efficiently
and effectively as possible in the pursuit of organizational goals and objectives.
Information systems should support corporate and business strategy. In some
circumstances an IS may have a greater influence and actually help determine
corporate / business strategy.
(a) IS/IT may provide a possible source of competitive advantage. This could
    involve new technology not yet available to others or simply using existing
    technology in a different way.
(b) The IS may help in formulating business strategy by providing information
    from internal and external sources.
(c) Developments in IT may provide new channels for distributing and collecting
    information, and / or for conducting transactions, e.g. the internet.

IMPACT OF IS/IT ON ORGANIZATION

(a) The type of products or services that are made or sold
    Consumer markets have seen the emergence of PCs, CDs, USBs and satellite
    dishes for receiving channels; industrial markets have seen the emergence of
    custom built microchips, robots and LANs for office IS; technological change
    such as the introduction of tennis and squash rackets with graphite frames and
    turbo-powered engines.

(b) The way in which products are made
    There is a continuing trend towards the use of automation and computer aided
    design and manufacture. The manufacturing environment is undergoing rapid
    changes with the growth of advanced manufacturing technology. These are
    changes in both apparatus and technique.

(c) The way in which services are provided
    High street banks encourage customers to use hole-in-the-wall cash
    dispensers, or telephone or internet banking, and POS terminals at stores. Many
    organizations use e-commerce: selling products and services over the
    internet.

(d) The way in which markets are identified
    Database systems make it much easier to analyze the market place.

(e) The way in which employees are mobilized
    Computerization encourages delayering of organizational hierarchies, but
    requires greater workforce skills. Using technology often requires changes in
    working methods.

(f) The way in which firms are managed
    Computerization encourages delayering of organizational hierarchies but
    requires greater workforce skills. Using technology often requires changes in
    working methods.

(g) The means and extent of communications with customers

BENEFITS OF TECHNOLOGICAL CHANGE TO ORGANIZATION

1. To cut production costs and so probably to reduce sale prices to the customer.
2. To develop better quality products and services.
3. To develop products and services that did not exist before.
4. To provide products or services to customers more quickly or effectively.
5. To free staff from repetitive work and to tap their creativity.



WHY HAVE AN IS/IT STRATEGY
1. IT/IS is a high cost activity.
2. IS/IT is critical to the success of many organizations.
3. IS is now used as a part of commercial strategy in the battle for competitive
   advantage.
4. IT can impact significantly on the business context.
5. IT affects all levels of management.
6. IT has an effect on management information (the way management
   information is created and presented).
7. IT requires effective management to obtain the maximum benefits.
8. IT involves many stakeholders inside and outside the organization.

INFORMATION SYSTEM PLAN

Organizations should develop an information systems plan that supports their overall
business plan.
The IS plan should contain the following:
1. Overall organization goals.
2. How information systems and information technology contribute to attaining
   these goals.
3. Key management decisions regarding hardware, software, data and
   telecommunications.
4. Specific dates and milestones relating to IS/IT projects.
5. Financial information such as budget and cost benefit analysis.

METHODOLOGIES AND FRAMEWORKS for establishing the
information requirements of an organization

Earl's three-leg analysis

Enterprise analysis

Critical success factors (CSFs)

EARL'S THREE-LEG ANALYSIS

Business led (top down emphasis, focus on business plans & goals)

Infrastructure led (bottom up emphasis, focus on current systems)

Mixed (inside out emphasis, focus on IT/IS opportunities)



BUSINESS LED (TOP DOWN)
The overall objectives of an organization are identified and then IS/IT systems are
implemented to enable these objectives to be met. This approach relies on the ability
to break down the organization and its objectives into a series of business objectives
and processes and to be able to identify the information needs of these. This is an
analytical approach. The people usually involved are senior management and
specialist teams.
INFRASTRUCTURE LED (BOTTOM UP)
Computer based transaction systems are critical to business operations. The
organization focuses on systems that facilitate transactions and other basic operations.
This is an evaluative approach. The people usually involved are system users and
specialists.
MIXED (INSIDE OUT)
The organization encourages ideas that will exploit existing IT and IS resources.
Information may come from entrepreneurial managers or individuals outside the
formal planning process.
This is an innovative / creative approach. The people involved are entrepreneurs and
/ or visionaries.

ENTERPRISE ANALYSIS
Enterprise analysis involves examining the entire organization in terms of structure,
processes, functions and data elements to identify the key elements and attributes of
organizational data and information.
Enterprise analysis is sometimes referred to as business systems planning. This
approach involves the following steps.
Step 1
Ask a large sample of managers about:

How they use information.

Where they get information.

What their objectives are.

What their data requirements are.

How they make decisions.

The influence of the environment.

Step 2
Aggregate the findings from step 1 into sub-units, functions, processes and data
matrices. Compile a process / data class matrix to show:

What data classes are required to support particular organizational
processes.

Which processes are the creators and users of data.

Step 3
Use the matrix to identify areas that IS should focus on, e.g. on processes that create
data.
The enterprise analysis approach gives a comprehensive view of the organization and
its use of data and systems. However, it results in a mountain of data that is
expensive to collect and difficult to analyze.
Survey questions tend to focus on how systems and information are currently used,
rather than on what information is needed. This tends to result in existing systems
being automated rather than looking at the wider picture.

CRITICAL SUCCESS FACTORS
Critical success factors (CSFs) are a small number of key operational goals vital to
the success of an organization.
The use of CSFs can help to determine the information requirements of an
organization. CSFs are operational goals: if the operational goals are achieved, the
organization should be successful. Progress towards achieving critical success factors
must be monitored. This is done through the use of key performance indicators
(KPIs). KPIs are measures designed to track a critical performance variable over time.
The CSF approach is sometimes referred to as the strategic approach. Managers
should focus on a small number of objectives, and information systems should be
focused on providing the information that enables managers to monitor these
objectives.
TYPES OF CSFs
- A monitoring CSF is one that, if achieved, will contribute towards the success of
  existing activities and operations. Monitoring CSFs are important for maintaining
  the business.
- A building CSF helps to measure the progress of new initiatives. Building CSFs
  are important for expanding the business.

USING THE CSF APPROACH
The approach involves three steps:
1) List the organization's corporate objectives and goals.
2) Determine which factors are critical for accomplishing the objectives.
3) Determine a small number of key performance indicators for each CSF.
Where KPIs are measured using quantitative data, performance can be measured in a
number of ways:
- in physical quantities, for example units produced or units sold;
- in money terms, for example profit, revenues, costs or variances;
- in ratios and percentages.
The determination of key performance indicators for CSFs is not necessarily straight
forward. Some measures might use factual, objectively verifiable data while others
might make use of softer concepts, such as opinions, perceptions and hunches.
Example
The reliability of stock records can be measured by means of physical stock
counts, either at discrete intervals or on a rolling basis. Forecasting of demand
variations will be much harder to measure.
GENERAL SOURCES OF CSFs
- The industry that the business is in.
- The company itself and its situation within the industry.
- The environment, for example consumer trends, the economy, and political
  factors of the country in which the company operates.
- Temporal organizational factors, which are areas of corporate activity which are
  currently unacceptable and represent a cause of concern, for example high stock
  levels.

POSSIBLE SPECIFIC SOURCES OF CSFs & KPIs
(a) The existing system: the existing system can be used to generate reports
    showing failure to meet CSFs.
(b) Customer service department: this department will maintain details of
    complaints received, refunds handled, customer enquiries etc. These should be
    reviewed to ensure all failure types have been identified.
(c) Customers: a survey of customers, provided that it is properly designed and
    introduced, would reveal (or confirm) those areas where satisfaction is high or
    low.
(d) Competitors: competitors' operations, pricing structures and publicity should
    be closely monitored.
(e) Accounting system: the profitability of various aspects of the operation is
    probably a key factor in any review of CSFs.
(f) Consultants: a specialist consultancy might be able to perform a detailed
    review of the system in order to identify ways of satisfying CSFs.

PARSONS' SIX INFORMATION SYSTEMS STRATEGIES
i) Centrally planned: the logic of this approach is that those planning IS
   development should have an understanding of the overall strategy. Business
   and IS strategy are viewed as being closely linked.
ii) Leading edge: there is a belief that innovative technology use can create
   competitive advantage, and therefore that risky investment in unproven
   technologies may generate large returns. The organization may have the
   motivation and ability to commit large amounts of money and other
   resources. Users must be enthusiastic and willing to support new initiatives.
iii) Free market: this strategy is based on the belief that the market makes the
   best decisions. The IS function is a competitive business unit, which must be
   prepared to achieve a return on its resources. The department may have to
   compete with outside providers.
iv) Monopoly: the direct opposite of the free market strategy. This strategy is
   based upon the belief that information is an organizational asset that should
   be controlled by a single service provider.
v) Scarce resource: this strategy is based on the premise that IS uses limited
   resources, and therefore all IS development requires a clear justification.
   Budgetary controls are in place and should be adhered to. New projects
   should be subject to cost benefit analysis (CBA).
vi) Necessary evil: IS/IT is seen as a necessary evil of modern business. IS/IT
   is allocated enough resources only to meet basic needs. This strategy is
   usually adopted in organizations that believe that information is not important
   to the business.

STRATEGIC MANAGEMENT
It is a distinct mode of management which proceeds from analysis to
implementation and shares the same functions (planning, organizing, directing
and controlling) as operations management.

A) STRATEGIC ANALYSIS
The first step in the process involves analysis of the situation in which the
organization finds itself. This means identifying the conditions prevailing in
both the internal and external environment and the effects of these conditions
on the organization. The following matters are to be addressed.
(i) SWOT ANALYSIS (internal strengths and weaknesses, external opportunities
    and threats).
(ii) COMPETITOR ANALYSIS: the organization must analyse who its competitors
    are, how and why they are competing, and whether and how competition will
    increase. The nature of the industry's competitive forces should be addressed.
(iii) MARKET ANALYSIS: in many markets the needs / demands of customers
    are becoming increasingly sophisticated and complex.
(iv) CULTURAL ANALYSIS: the culture or feel of an organization is seen as
    being of critical strategic importance. An organization which has an
    enterprising, innovative and unique culture will be attractive to investors,
    customers and employees. Culture must therefore be analysed to see what
    kind of message it is giving out about the organization.
(v) SOCIAL ANALYSIS: identify how the complexity of modern society impacts
    on the organization and its customers. It will take into account demographic
    and economic changes, changes in attitudes in society (such as towards
    environmental issues) and changes in political attitudes (e.g. the favorable
    light in which the Govt. views initiative).

B) STRATEGIC CHOICE
(a) STRATEGIC OPTIONS GENERATION: a variety of alternatives can be
    considered:
    (i) increase market share
    (ii) internal growth
    (iii) concentration on core competencies
    (iv) acquisition
(b) STRATEGIC OPTIONS EVALUATION: each option is then examined on its
    merits. A variety of techniques are used to assess and value strategies. Some
    will be assessed on financial criteria (such as net present value). Where this
    is not possible, or where the uncertainty in the environment is too great, more
    sophisticated models are used. Scenario building postulates a number of
    possible futures (e.g. worldwide economic growth, interest rates,
    competition).
(c) STRATEGY SELECTION: a strategy is chosen, according to the evaluation
    above. Remember, however, that this process is strongly influenced by the
    values of the managers selecting it. The outcome is a set of strategies by
    which the organization's objectives may be met.

C) STRATEGIC IMPLEMENTATION
Having formulated strategies and plans it only remains to implement them.
This will almost certainly involve changes to the way things are done. If the
process of strategic management has been followed through from first
principles, areas in which the implementation of strategies is likely to cause
changes are:
(i) the organization's culture (there may have to be a move from bureaucracy
    towards a task culture if it has been identified that the organization is in
    an unstable environment);
(ii) the quality of all outputs, which may well have to improve;
(iii) attitudes towards innovation, entrepreneurship and individualism;
(iv) the degree of control exercised over subordinates, given the new emphasis
    on innovation;
(v) personnel: the organization needs to acquire the services of the right
    personnel to put strategies into practice.

THE POLITICAL AND LEGAL ENVIRONMENT
The political environment affects an organization in a number of ways.
(a) Laws and legislation provide a legal framework.
(b) Government policy may directly impact upon a business or industry.
(c) The government's overall conduct of its economic policy is relevant.
Some legal factors that may impact upon organizations are as follows:
General legal framework (contract, tort, agency): basic ways of doing business,
negligence proceedings, copyright laws, software licences.
Criminal law: theft, insider dealing, bribery, deception.
Company law: directors and their duties, reporting requirements, takeover
proceedings, shareholders' rights, insolvency.
Employment law: trade union recognition, social chapter provisions, minimum
wage, unfair dismissal, redundancy, maternity, equal opportunities.
Health & safety: fire precautions, safety procedures, workstation design.
Data protection: use of information about employees and customers, e.g. the Data
Protection Act 1998 (UK), privacy.
Marketing and sales: laws to protect consumers (e.g. refunds and replacement,
cooling off period after credit agreements), what is or isn't allowed in advertising.
Environment: pollution control, waste disposal.
Tax law: corporation tax payment, collection of income tax (PAYE) and national
insurance contributions, VAT.
The political environment is not simply limited to legal factors. Governments are
responsible for creating and enforcing a stable framework in which business can be
done. The quality of government policy is important in providing the right:
a) physical infrastructure (e.g. transport, communication);
b) social infrastructure (education, a welfare safety net, law enforcement);
c) market infrastructure (enforceable contracts, policing corruption).

THE ECONOMIC ENVIRONMENT
OVERALL GROWTH OR FALL IN GDP: increased / decreased demand for goods
and services.
LOCAL ECONOMIC TRENDS: type of industry in the area, office / factory rents,
labour rates, house prices.
INFLATION: low in most countries; disrupts business decisions; wage inflation
compensates for price inflation.
TAX LEVELS: corporation tax affects how much firms can invest or return to
shareholders. Income tax and VAT (sales tax) affect how much consumers have to
spend, hence demand.
GOVERNMENT SPENDING: suppliers to the government (e.g. construction firms)
are affected by spending.
THE BUSINESS CYCLE: economic activity may fluctuate between periods of growth
followed by decline. Govt. policy can cause, exacerbate or mitigate such trends.
EXCHANGE RATES: cost of imports, selling prices and value of exports, cost of
hedging against fluctuations.
CHARACTERISTICS OF OVERSEAS MARKETS: desirable overseas markets
(demand) or sources of supply; with the advent of the www even the smallest
organization can have an international presence.
CAPITAL FLOWS AND TRADE: investment opportunities, free trade, cost of
exporting.
INTEREST RATES
a) A rise might increase the cost of any borrowing, thereby reducing profitability. It
   also raises the cost of capital. An investment project (e.g. a new information
   system) therefore has a higher hurdle to overcome to be accepted.
b) Interest rates also have a general effect on consumer confidence and liquidity,
   and hence demand.
INFLATION
a) Inflation reduces the value of financial assets and the income of those on fixed
   incomes.
b) Inflation makes it hard for businesses to plan, owing to the uncertainty of future
   financial returns. Inflation, and expectations of it, encourages organizations to
   focus on the short term (short termism).
c) Inflation requires high nominal interest rates to offer investors a real return.

THE SOCIAL AND CULTURAL ENVIRONMENT
Social change involves changes in the nature, attitudes and habits of society. Social
changes occur continually, and trends can be identified which may or may not be
relevant to an organization.
Demography is the analysis of statistics on birth and death rates, age structures of
populations, ethnic groups within communities etc. It is important because:
a) labour is a factor of production;
b) people create demand for goods, services and resources;
c) it has a long term impact on government policies;
d) there is a relationship between population growth and living standards.
DEMOGRAPHIC FACTORS ARE
Growth: the rate of growth or decline in a national population and in regional
populations.
Age: changes in the age of the population; certain age groups may have a greater or
lesser aptitude for technological developments such as the internet.
Geography: the concentration of population into certain geographical areas.
Household and family structure: a household is the basic unit and its size might
be determined by the number of children, whether elderly parents live at home etc.
Social structure: the population of the society can be broken down into a number
of subgroups, with different attitudes and access to economic resources. Social class,
however, is hard to measure (as people's subjective perceptions vary).
Employment: this is related to changes in the workplace. There has been some
movement towards a more flexible workforce with greater numbers of workers on
part time or temporary contracts. However, despite some claims, most employees
are in permanent full time employment.
Wealth: rising standards of living lead to increased demand for many goods and
services.
Culture: the culture of a society can affect an organization in a number of ways:
a) marketers can adapt their products to suit cultural traits (e.g. should a
   website be tailored for individual national markets?);
b) human resource managers may need to tackle cultural differences in
   recruitment and employment policies.

FUTUROLOGY
Futurology is the science and study of sociological and technological developments,
values and trends with a view to planning for the future.
The approach involves a panel of experts providing views on various events to be
forecast, such as inventions and breakthroughs, or even regulations or changes over
a time period into the future. In some cases, instead of technical developments being
used to predict future technologies, future social developments can be predicted, in
order to predict future customer needs.

DEVELOPING AN INFORMATION TECHNOLOGY PLAN
a) Alignment
b) Scope
c) Time frame
d) Cost benefit justification
e) Achievability
f) Monitoring and control
g) Reassessment
h) Awareness
i) Accountability
j) Commitment

PHASES INVOLVED IN ESTABLISHING THE IT PLAN
Organizations develop IT plans specific to their needs. However, the planning process
used to develop the IT plan will be similar across a wide range of organizations. The
process can be broken down into four phases.
a) Orientation
b) Assessment
c) Strategic
d) Tactical

ORIENTATION
The first phase establishes the scope of the IT planning process and the methodology
and techniques to be applied, and identifies the planning team and reporting lines for
the planning process. The planning process may have been initiated in response to a
major change in the business strategy or as a reaction to changes in the business or
IT assumptions of the existing plan.
ACTIVITIES
1) Establish scope
2) Establish techniques and mobilize resources

ASSESSMENT
In the second phase, data is collected and analyzed to describe the existing usage and
management of IT and the extent to which they are unable, or may become unable, to
support business objectives.
This phase also provides an opportunity to identify other potential uses of
information technology which may assist in meeting objectives.
ACTIVITIES
3) Confirm business direction and drivers, to ensure that the key driver for the IT
   plan is the business direction of the organization
4) Review technology trends
5) Outline future requirements
6) Inventory existing information systems
7) Develop an assessment

STRATEGIC PLAN
In the third phase of the IT planning process, appropriate strategies are formulated.
These strategies are founded on the assessment of the business needs and priorities,
IT direction and other related issues considered in the assessment phase.
ACTIVITIES
8) Develop a vision
9) Conduct option analysis
10) Develop a strategic plan

TACTICAL PLAN
In the last phase of the planning process, the tactical or implementation plan is
developed. In the tactical plan, the focus is on the projects that need to be
undertaken to implement each of the strategies.
ACTIVITIES
11) Identify and specify projects
12) Prioritize projects
13) Develop the tactical plan
14) Establish monitoring and control mechanisms

IT PLAN
a) Demonstrate to the organization how it can gain business benefits from IT.
b) Act as a yardstick by which to measure performance.
c) Provide a framework for offering incentives to managers.
d) Provide a framework for justifying

REQUIREMENTS OF A SUCCESSFUL INFORMATION STRATEGY PLAN
a) Continuous sponsorship and involvement from top management.
b) Adequate resources.
c) Formulating the first strategy is only the starting point. It needs to be
   continuously updated and improved.
d) Strategies often remain on shelves. An organization needs resources,
   infrastructure and incentive schemes to implement the strategy.

KEY STAGES IN DEVELOPING AN INFORMATION STRATEGY PLANNING PROCESS
a) Initiate the information strategy planning project
b) Identify your business position
c) Examine capabilities and technologies
d) Develop system and technology roadmap
e) Prioritize solutions

INITIATE THE INFORMATION STRATEGY PLANNING PROJECT
i) Gain senior management approval and sponsorship
ii) Appoint a champion
iii) Appoint team and schedule activities
iv) Involve business managers and employees

IDENTIFY YOUR BUSINESS POSITION
i) Assess your current business position
ii) Examine your future business direction
iii) Identify critical external systems and technologies (video conferencing,
   visualization, internet and web, intranet/extranet)

DEVELOP SYSTEM AND TECHNOLOGY ROAD MAP
i) Map your project lifecycle process
ii) Examine your information sharing requirements
iii) Explore the relevance of the internet/e-business to your organization
iv) Decide which major systems you will need
v) Plan your infrastructure requirements
vi) Standardize your systems and technologies
vii) Plan your people and training requirements

PRIORITIZE SOLUTIONS
i) Prioritize critical software systems
ii) Indicate resources and timeframes
iii) Plan how you will manage changes to the document
iv) Communicate and seek feedback
v) Get authorizations

VIDEO CONFERENCING
Improves communication between project teams and between site offices, hence
eliminating unnecessary travel.
VISUALIZATION
Improves design visualization and communication with clients. This allows clients to
see exactly what a design will look like, giving them increased confidence in the
design.

INTERNET AND WEB
Email and a company web site give instant worldwide communication together
with a platform for companies to showcase their services.
INTRANET / EXTRANET
Intranets aid internal company collaboration. Extranets promote project
collaboration, team working and e-commerce. Both help standardization and improve
data flows.

INFORMATION ABOUT TECHNOLOGIES CAN BE FOUND
a) In the IT press
b) By talking to major suppliers
c) By visiting trade shows
d) Through organizations, such as the Computer Society of Pakistan, which keep
   databases of local industry
e) From Govt. sponsored initiatives, such as the e-Government projects

ISSUES INVOLVED IN SUCCESSFULLY IMPLEMENTING THE INFORMATION
STRATEGY PLAN
i) Specification of user requirements: determining detailed user requirements
   for software selection.
ii) Software selection: deciding whether software should be package software
   bought off the shelf, bespoke software developed by an external IT supplier,
   or software developed internally.
iii) Integration and interface: how will new systems integrate and interface
   with existing systems?
iv) Sequence of implementation: what is the logical order for implementing the
   different systems?
v) Legacy systems: what are the major issues when replacing expensive
   legacy systems?
vi) Time scales and resources: what is the overall time scale for the plan?
vii) Managing expectations: maintaining user expectations and keeping users
   informed.

ADVANTAGES OF IMPLEMENTATION AS PILOT PROJECTS
i) Reduced risk of time and cost over runs.
ii) Reduced risk of selecting the wrong system.
iii) Benefits are achieved earlier, thus increasing management and user
   confidence.
iv) The organization is able to revise its requirements.
v) The level of training required can be assessed.
vi) The approach fits well with the construction industry's tendency to fund IT
   systems on a project basis.
vii) An organization can develop its IT skills and experience, assisting it to
   successfully select and implement larger, more complex systems across the
   organization at a later stage.

MANAGING CHANGES TO AN INFORMATION STRATEGY
Many strategies have ended as shelfware. But information strategy planning is an
ongoing process, not a document. An organization needs to be capable of
implementing its strategies, then maintaining and updating them. It needs to
manage innovation on an ongoing basis. In particular, ongoing strategic planning will
require:
a) Continuous support and involvement from senior management.
b) In house skills to develop and maintain the strategy.
c) Time and tools, which should be planned for in advance.
d) Appropriate incentive schemes, so that, in competition with other
   organization activities, it receives appropriate priority.
e) A change management plan, setting out who will manage the changes
   and what procedures they will use to do so. This plan should be included in
   your initial strategy document.

CHAPTER 03

E-BUSINESS MODELS AND E-BUSINESS PRODUCTS

E-COMMERCE
E-business can be defined as commerce conducted via any electronic medium, such as
TV, fax or the internet. E-commerce is the ability to buy and sell goods and services
over the internet.
E-commerce is the paperless exchange of routine business information using
electronic data interchange (EDI) and other technologies, including electronic mail
(e-mail), electronic bulletin boards (EBBs), facsimile machines (faxes) and electronic
funds transfer (EFT). E-commerce is about web-enabling your core business
processes to improve customer service, reduce cycle time, get more results from
limited resources, and actually sell things.

BUSINESS TO CONSUMER (B2C) E-COMMERCE
In this form of electronic commerce, businesses must develop attractive electronic
marketplaces to entice and sell products and services to consumers, e.g. many
companies offer e-commerce websites that provide virtual storefronts and
multimedia catalogs, interactive order processing, secure electronic payment systems,
and online customer support.
FEATURES:
- In this model, everything is done electronically and remotely through the internet,
  without you having to leave the comfort of your house or office.
- Customer and supplier can be 10,000 miles apart, in different cities or
  countries, or even different continents, and yet do business as if they were
  located in the same city or on the same street.
- Since the internet never sleeps or closes, customers can do business 24 hours a
  day, 365 days a year (weather and strikes are not problems).

BUSINESS TO BUSINESS (B2B) E-COMMERCE
This involves both electronic business markets and direct market links between
businesses, e.g. many companies offer secure internet or extranet e-commerce
websites for their business customers and suppliers.
Others may rely on electronic data interchange (EDI) via the internet or extranets for
computer to computer exchange of e-commerce documents with their larger business
customers and suppliers. Also very important are B2B e-commerce portals that
provide auction and exchange markets for businesses.
FEATURES:
- Using industry standards such as EDI for transmitting data related to
  commercial transactions, the manufacturer and the supplier are easily and
  quickly able to complete a business transaction.

BUSINESS TO EMPLOYEE (B2E) E-COMMERCE
Sometimes called intra-business e-commerce, this refers to the use of internet
technology to handle activities that take place within a business. An intranet is an
internal network that uses internet technologies.
B2E e-commerce does not generate revenue like the previously discussed types of
e-commerce business models. Instead, it increases profits by reducing expenses
within a company, e.g. using B2E e-commerce employees collaborate with each other,
exchange data and information, and access in-house databases, sales information,
market news and competitive analysis. By having instantaneous access to this type
of technology, employees do not spend time manually looking up information.
Many professional firms in the west, with central offices in big cities and project
offices or client offices in smaller cities, use B2E to receive and process
employee time sheets and expense claims, and are prepared to invest in secure
connections for employees to safely access company intranets.

CONSUMER TO CONSUMER (C2C) E-COMMERCE
The huge success of online auctions like eBay, where consumers (as well as
businesses) can buy and sell with each other in an auction process at an auction
website, makes this e-commerce model an important e-commerce business strategy.
Thus, participating in or sponsoring consumer or business auctions is an important
e-commerce activity. Electronic personal advertising of products or services to buy or
sell by consumers at electronic newspaper sites, consumer e-commerce portals, or
personal websites is also an important form of C2C e-commerce.
Examples:
- e-auction sites, chat rooms, forums

GOVERNMENT TO CITIZEN (G2C) E-COMMERCE
Government to citizen (G2C) e-commerce refers to the use of e-commerce
technologies by the govt. to handle electronically all or the major activities in which
govt. is involved. It can be an internet portal available for citizens to interact with
government or to access different govt. information / records, for example related to
property and land details. It can be a helpful electronic way for the collection and
management of taxes / duties by the govt. It can also be used by govt. to provide
public health related information to its public. Even government procurement can
be handled through such e-commerce systems.
Example:
- CBR / FBR website, SECP website.
CHALLENGES:
- Availability of cheap and secure access to govt. sites.
- Govt. must be cognizant of the fact that such access must be made widely
  available to all classes of its citizenry.

SECURE SOCKETS LAYER (SSL)
SSL is a layered protocol; its successor is TLS (Transport Layer Security). The
primary goal of the SSL protocol is to provide privacy and reliability between two
communicating applications. The secure server holds a key pair: a private key known
only to itself and a public key that it sends to your browser inside its certificate. Your
browser checks that certificate against the certificate authorities it trusts, generates a
random secret for your connection and encrypts it with the server's public key. Only
the secure server, holding the matching private key, can decrypt that secret, so if the
handshake continues it is understood that you are talking to the holder of the
certificate. Both sides then derive the same symmetric session key from the secret.
Once that is done, a secure connection has been established and all further traffic
through it is encrypted using the session key. (Current TLS versions agree the secret
with an ephemeral Diffie-Hellman exchange instead and use the server's private key
only to sign the handshake, so a later compromise of that key does not expose past
sessions.)

The SSL protocol provides connection security that has three basic properties.
i) The connection is private. After an initial handshake defines a secret key,
   symmetric cryptography is used for data encryption.
ii) The peer's identity can be authenticated, using the public key in the
   server's certificate as described above.
iii) The connection is reliable. Each message carries an integrity check (a keyed
   message authentication code), so tampering in transit is detected.
SSL was originally created by Netscape as a program layer for managing the security
of message transmissions in a network.
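The handshake described above can be watched end to end with the following Go example. It is illustrative code written for this page, not part of the original text or of any product the page describes. It starts a TLS server on the loopback interface with a self-signed certificate for the hypothetical host name example.test, then connects a client twice: once trusting that certificate, so the handshake completes and a message travels over the encrypted channel, and once with only the system root CAs, so the client rejects the certificate inside the handshake and no session key is ever established. The host name, the echoed message and the P-256 key type are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSignedCert makes a throwaway P-256 key pair and a self-signed certificate for
// the hypothetical host "example.test" (an assumption of this example), plus a pool
// that trusts only that certificate. A real server presents a CA-issued certificate.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"},
		DNSNames:              []string{"example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// Connect runs a one-shot TLS echo server on loopback and connects a client to it.
// It returns the negotiated connection state (version, cipher suite, verified peer
// certificate) and the echoed reply. With trustServer=false the client has only the
// system root CAs, so certificate verification fails inside the handshake and no
// application data is ever sent.
func Connect(trustServer bool) (tls.ConnectionState, string, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return tls.ConnectionState{}, "", err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return tls.ConnectionState{}, "", err
	}
	defer ln.Close()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		tc := tls.Server(conn, srvCfg)
		io.Copy(tc, tc) // first Read runs the server side of the handshake, then echo
	}()
	cliCfg := &tls.Config{ServerName: "example.test", MinVersion: tls.VersionTLS12}
	if trustServer {
		cliCfg.RootCAs = pool // otherwise only the system roots are trusted
	}
	tc, err := tls.Dial("tcp", ln.Addr().String(), cliCfg) // runs the client handshake
	if err != nil {
		return tls.ConnectionState{}, "", err
	}
	defer tc.Close()
	if _, err := tc.Write([]byte("hello")); err != nil { // encrypted with the session key
		return tls.ConnectionState{}, "", err
	}
	buf := make([]byte, 256)
	n, err := tc.Read(buf)
	if err != nil {
		return tls.ConnectionState{}, "", err
	}
	return tc.ConnectionState(), string(buf[:n]), nil
}

func main() {
	st, reply, err := Connect(true)
	fmt.Printf("trusted:   version=%#x suite=%s reply=%q err=%v\n",
		st.Version, tls.CipherSuiteName(st.CipherSuite), reply, err)
	_, _, err = Connect(false)
	fmt.Printf("untrusted: err=%v\n", err)
}
```

Run it with go run on a single file. The second line of output is the point of the example: the error comes from x509 certificate verification, before any session key exists, which is what stops an impostor server from ever seeing the browser's secret. In a real deployment the client side is your browser's built-in root store, and the check is only as good as that store and the host name comparison against the certificate.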

DIGITAL SIGNATURE:
The purpose of a digital signature is to authenticate both the sender and the
message, i.e. to provide proof to the recipient that the message stems from the
sender and that the message's contents have not been altered since leaving the
signatory. Digital signatures are the basis for the security of smart card systems.
A digital signature is based on the actual contents of the message itself. It is a
small amount of data that is recorded on an electronic medium. The sender produces
it by applying certain calculations to the message using a private key that only the
sender holds. This process is called the signature function. The resulting signature,
which looks like random data, has meaning only when read in conjunction with the
message used to create it.
The recipient of the message checks the digital signature by performing another set
of calculations on the signature and the message, using the sender's public key. This
is called the verification function. The result of these calculations reveals whether or
not the signature is a genuine authenticator of both sender and message.
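As an added example (not from the original page), here are the signature function and the verification function described above, using Ed25519 from Go's standard library. The payment instruction and its reference number are constructed sample data. The corrupted variants show what the verification function actually protects against: changing one byte of the message after signing, checking the signature against somebody else's public key, or truncating the signature in transit all make it return false.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Signer is a sender's key pair. The private half never leaves the sender; the
// public half is distributed to anyone who needs to verify the sender's messages.
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

// Sign is the signature function: it binds the whole message to the sender's
// private key and yields 64 bytes that look random on their own.
func (s *Signer) Sign(msg []byte) []byte {
	return ed25519.Sign(s.private, msg)
}

// Verify is the verification function. Given the message, the signature and the
// claimed sender's public key it answers whether the signature is a genuine
// authenticator of both. The length checks matter: ed25519.Verify panics on a
// malformed public key, and the key may arrive from an untrusted party.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

// Outcome records the verification results for the scenarios Demo runs.
type Outcome struct {
	Genuine   bool // original message, original signature, sender's key
	Tampered  bool // the amount in the message was changed after signing
	WrongKey  bool // signature checked against someone else's public key
	Truncated bool // signature cut short in transit
	SigLen    int
}

// Demo signs a constructed payment instruction and then runs the verification
// function over the genuine message and three corrupted variants.
func Demo() (Outcome, []byte, error) {
	sender, err := NewSigner()
	if err != nil {
		return Outcome{}, nil, err
	}
	other, err := NewSigner() // an unrelated party, used for the wrong-key case
	if err != nil {
		return Outcome{}, nil, err
	}
	msg := []byte("PAY 1000.00 PKR TO ACCOUNT 0012345 REF 7781") // constructed sample
	sig := sender.Sign(msg)
	altered := bytes.Replace(msg, []byte("1000.00"), []byte("9000.00"), 1)
	return Outcome{
		Genuine:   Verify(sender.Public, msg, sig),
		Tampered:  Verify(sender.Public, altered, sig),
		WrongKey:  Verify(other.Public, msg, sig),
		Truncated: Verify(sender.Public, msg, sig[:len(sig)-1]),
		SigLen:    len(sig),
	}, sig, nil
}

func main() {
	out, sig, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("signature: %s\n", hex.EncodeToString(sig))
	fmt.Printf("%+v\n", out)
}
```

Only Genuine should come back true. Note that the verifier needs the sender's public key from a source it already trusts (a certificate, a directory, or a key exchanged out of band); a public key delivered alongside the message it is meant to vouch for proves nothing, since the forger can supply a matching pair.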

STEPS ON GETTING ON THE INTERNET
1. Upgrade customer interaction:
   - start doing emails
   - make a web site
2. Understand the customer segments:
   - wealthy
   - youngsters
   - educated
3. Understand the service process:
   - how many processes do we have?
   - are they all computerized or manual?
4. Define the role of live interaction. Some products are bought through live
   interaction, e.g. perfumes, cars, clothes etc.
5. Decide the technology:
   - zero touch (no human interaction)
   - low touch (some human interaction)
6. Deal with tidal waves.
7. Create incentives and disincentives (e.g. online shopping vs. cash transactions).
8. Decide on channel choice.
9. Exploit the internet (offer them something).
10. Implement (execute the plan made).

ELECTRONIC PAYMENT METHODS

a) Smart cards
b) Credit / charge / debit cards
c) Online banking
d) DigiCash / e-cash
e) E-cheques
f) E-wallets
g) Financial Electronic Data Interchange (FEDI)


CHAPTER 04

THE INFORMATION SYSTEMS DEVELOPMENT PROCESS

INFORMATION SYSTEM ACQUISITION
Organizations usually acquire information systems in two ways:
(i) They develop customized systems in-house through formal systems development activities, and
(ii) They purchase commercial systems from software vendors.

In-House Development
Many organizations require systems that are highly tuned to their unique operations. These firms design their own information systems through in-house systems development activities. In-house development requires maintaining a full-time systems staff of analysts and programmers who identify user information needs and satisfy them with custom systems.

Purchase of Commercial Systems
A growing number of systems are purchased from software vendors. Faced with many competing packages, each with unique features and attributes, management must choose the system and the vendor that best serve the needs of the organization. Making the optimal choice requires that this be an informed decision.

TURNKEY SYSTEMS
Turnkey systems are completely finished and tested systems that are ready for implementation. They are often general purpose systems or systems customized to a specific industry. Turnkey systems are usually sold only as compiled program modules, and users have limited ability to customize them to their specific needs. Some turnkey systems have software options that allow the user to customize input, output and some processing through menu choices. Other turnkey system vendors will sell their customers the source code if program changes are desired. For a fee, the user or the vendor can then customize the system by reprogramming the original source code.



Examples
(a) General accounting systems.
(b) Special purpose systems (e.g. for the medical field or the banking industry).
(c) Office automation systems (word processing, spreadsheets, desktop publishing). These are computer systems that improve the productivity of office workers.
(d) Backbone systems (e.g. SAP). Backbone systems provide a basic system structure on which to build. They come with all the primary processing modules programmed. The vendor designs and programs the user interface to suit the client's needs.
(e) Vendor-supported systems. Vendor-supported systems are hybrids of custom systems and commercial software. Under this approach, the vendor develops custom systems for its clients. The systems themselves are custom products, but the system development service is commercially provided.

Advantages of Commercial Software
Implementation time (shorter than bespoke development)
Cost (lower than bespoke development)
Reliability (the package has already been tested in use)

Disadvantages of Commercial Software
Independence (the organization becomes dependent on the vendor)
The need for customized systems
Maintenance & flexibility

LEGACY SYSTEM
A legacy system is an old, outdated system which continues to be used because it is difficult to replace.
The main reasons legacy systems continue to be used include the cost of replacing them and the significant time and effort involved in introducing a new system.
Legacy systems often require specialized knowledge to maintain them in a condition suitable for operation. This may leave an organization exposed should certain staff leave. Legacy systems may also require data to be in a specific, possibly unusual, format. This can cause compatibility problems if other systems are replaced throughout an organization.
File conversion issues are common when replacing legacy systems, for example:
a) Establishing the formats of data files held on the legacy system.
b) Assessing the data held for accuracy and completeness.
c) Automated file conversion procedures may not be applicable, due to system compatibility and data issues.
d) Ensuring transferred data is available in the required format for all applications that access it.
Compatibility problems include:
a) Hardware supplied by different manufacturers that cannot interact.
b) Data duplicated in different areas of the business because separate systems cannot use the same source.
c) Software that is unable to interact with other packages.
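An added Python example (not from the textbook) covering conversion issues (a) to (d) above: it establishes the legacy format by slicing fixed-width records, assesses each field for accuracy, converts the survivors into a typed target structure and proves completeness by reconciling the converted set against a trailer record's count and hash total. The record layout, the trailer convention and the sample data are constructed for illustration.

```python
"""Legacy file conversion with accuracy and completeness checks.

Added example, not from the textbook. The fixed-width record layout, the
trailer record and the sample data are all constructed for illustration."""
from dataclasses import dataclass
from datetime import date, datetime
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed legacy layout (column offsets are an assumption):
#   type 1 char ('D' detail, 'T' trailer); account 8 digits (trailer: record count);
#   name 20 chars space padded; balance 11 chars sign + pence, '+0000012345' = 123.45
#   (trailer: hash total); opened 6 chars DDMMYY; status 1 char A/C/S.
FIELDS = [("type", 0, 1), ("account", 1, 9), ("name", 9, 29),
          ("balance", 29, 40), ("opened", 40, 46), ("status", 46, 47)]
RECORD_LEN = 47
VALID_STATUS = {"A", "C", "S"}


@dataclass
class Converted:
    account: str
    name: str
    balance: Decimal      # pounds, two decimal places
    opened: date
    status: str


def parse_record(line: str) -> Dict[str, str]:
    """Establish the format: slice one fixed-width record into raw fields."""
    if len(line) != RECORD_LEN:
        raise ValueError(f"bad record length {len(line)}, expected {RECORD_LEN}")
    return {name: line[start:end] for name, start, end in FIELDS}


def pence_to_pounds(field: str) -> Decimal:
    if field[0] not in "+-" or not field[1:].isdigit():
        raise ValueError(f"balance {field!r} malformed")
    return Decimal(field).scaleb(-2)


def convert_detail(raw: Dict[str, str]) -> Converted:
    """Assess each field for accuracy and move it into the target format."""
    if not raw["account"].isdigit():
        raise ValueError(f"account {raw['account']!r} is not numeric")
    name = raw["name"].strip()
    if not name:
        raise ValueError("name is blank")
    balance = pence_to_pounds(raw["balance"])
    try:
        # %y pivots two-digit years at 69 (69-99 -> 19xx, 00-68 -> 20xx); the
        # legacy system's own century rule must be confirmed before relying on it.
        opened = datetime.strptime(raw["opened"], "%d%m%y").date()
    except ValueError as exc:
        raise ValueError(f"opened date {raw['opened']!r}: {exc}") from exc
    if opened > date.today():
        raise ValueError(f"opened date {opened} is in the future")
    if raw["status"] not in VALID_STATUS:
        raise ValueError(f"status {raw['status']!r} not one of {sorted(VALID_STATUS)}")
    return Converted(raw["account"], name, balance, opened, raw["status"])


def convert_file(lines: List[str]) -> Tuple[List[Converted], List[Tuple[int, str]]]:
    """Convert every detail record, reject the ones that fail, then prove
    completeness by reconciling the converted set against the trailer."""
    converted: List[Converted] = []
    rejected: List[Tuple[int, str]] = []     # (line number, reason); 0 = whole file
    trailer = None
    for lineno, line in enumerate(lines, 1):
        try:
            raw = parse_record(line)
            if raw["type"] == "T":
                trailer = (int(raw["account"]), pence_to_pounds(raw["balance"]))
            elif raw["type"] == "D":
                converted.append(convert_detail(raw))
            else:
                raise ValueError(f"unknown record type {raw['type']!r}")
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
    if trailer is None:
        rejected.append((0, "trailer missing: completeness cannot be proven"))
    else:
        total = sum((c.balance for c in converted), Decimal(0))
        if (len(converted), total) != trailer:
            rejected.append((0, f"control totals differ: converted {len(converted)} "
                                f"records totalling {total}, trailer says "
                                f"{trailer[0]} totalling {trailer[1]}"))
    return converted, rejected


def make_record(rtype, account, name, balance_pence, opened, status) -> str:
    """Build a record in the legacy layout (used here to construct sample data)."""
    return f"{rtype}{account:>8}{name:<20}{balance_pence:+011d}{opened}{status}"


# Constructed sample file: two good records, four faulty ones, one trailer.
SAMPLE_LINES = [
    make_record("D", "00012345", "ACME TRADING LTD", 1234567, "150399", "A"),
    make_record("D", "00012346", "J SMITH", -5000, "310112", "C"),
    make_record("D", "0001234X", "BAD ACCOUNT", 100, "010100", "A"),   # non-numeric account
    make_record("D", "00012348", "", 100, "010100", "A"),              # blank name
    make_record("D", "00012349", "LEAP CO", 100, "300299", "A"),       # 30 February
    make_record("D", "00012350", "STATUS CO", 100, "010100", "Z"),     # unknown status
    make_record("T", "00000006", "", 1234567 - 5000 + 300, "000000", " "),
]

if __name__ == "__main__":
    good, bad = convert_file(SAMPLE_LINES)
    print(f"{len(good)} converted, {len(bad)} rejected:", *bad, sep="\n")
```

The four faulty records are rejected individually with a reason, and because they are missing from the converted set the control totals no longer agree with the trailer, which is reported as a fifth, file-level rejection; a file in which every record converts reconciles cleanly.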

SYSTEM DEVELOPMENT LIFECYCLES


SDLC describes the stages a system moves through from inception until it is
discarded or replaced.

Feasibility study

Systems investigation

Systems analysis

Systems design

Systems implementation

Review and maintenance

THE WATERFALL MODEL

This model breaks the systems development process into sequential stages, with the output from a stage forming the input to the following stage.
Each stage is divided into two parts: the actual work associated with the stage, followed by a procedure to check what has been done. Verification in this context is concerned with ensuring that the required specifications have been met. Validation is concerned with ensuring that the system is fit for its operational role.



THE SPIRAL MODEL
The spiral model approach involves carrying out the same activities over a number of cycles in order to clarify requirements and solutions.
The development process starts at the centre of the spiral, where requirements are not well defined. System requirements are refined with each rotation around the spiral; the further the spiral has travelled, the more complex the system and the greater the cost.
The model is divided into four quadrants.
(a) Top left
(i) Objectives determined
(ii) Alternatives and constraints identified
(b) Top right
(i) Alternatives evaluated
(ii) Risks identified and resolved
(c) Bottom right
(i) System development
(ii) Covers the activities described in the waterfall model (including implementation)
(d) Bottom left
(i) The next phase in the development process is planned
The spiral approach aims to avoid the problems of the waterfall model (lack of user involvement, long delays). It is usually used in conjunction with prototyping.

STRUCTURED SYSTEMS ANALYSIS & DESIGN METHODOLOGY (SSADM)
A systems development methodology is a collection of procedures, techniques, tools and documentation aids which help systems developers in their efforts to implement a new information system.
Characteristics of Methodologies
(a) Separation of logical and physical design
(b) User involvement
(c) Diagrammatic documentation
(d) Data driven
(e) Defined structure



THE STAGES OF SSADM
SSADM covers five stages from the early and middle stages of the systems development process. SSADM refers to stages as modules.
(i) Feasibility Study
If the feasibility study is conducted under SSADM, it focuses on investigating system requirements and conducting a cost benefit analysis.
(ii) Requirements Analysis
An analysis of current operations is followed by the development and presentation of options for the new system.
(iii) Requirements Specification
This stage involves defining the data and processes that will be used in the new system. The systems specification document is produced.
(iv) Logical System Specification
This focuses initially on technical options for hardware and communications technology. Then the user interface and associated dialogue are designed. Logical rules for processing are established.
(v) Physical Design
The logical data structure is converted to actual physical data specifications.

ADVANTAGES OF SSADM
Detailed documentation is produced.
Standard methods allow less qualified staff to carry out some of the analysis work, thus cutting the cost of the exercise.
Using a standard development process leads to improved system specifications.
Systems developed in this way are easier to maintain and improve.
Users are involved with development work from an early stage and are required to sign off each stage.
The emphasis on diagramming makes it easier for relevant parties, including users, to understand the system than if purely narrative descriptions were used.
The structured framework of a methodology helps with planning. This allows control by reference to actual achievements rather than to estimates of progress.
A logical design is produced that is independent of hardware and software.



DISADVANTAGES OF SSADM
It is inappropriate for information of a strategic nature that is collected on an ad-hoc basis.
Its scope is limited: it does not address the impact on actual work processes or the social context of the system.
It encourages excessive documentation and bureaucracy.

PROTOTYPING
A prototype is a model of all or part of a system, built to show users early in the design process how it is envisaged the completed system will appear.
Prototyping enables programmers to write programs more quickly and allows the user to see a preview of the system that is envisaged.
ADVANTAGES OF PROTOTYPING
It makes it possible for programmers to present a mock-up version of an envisaged system to users before a substantial amount of time and money has been committed.
The process facilitates the production of custom-built application software rather than off-the-shelf packages which may or may not suit user needs.
Prototyping may speed up the design stage of the systems development lifecycle.
A prototype does not necessarily have to be written in the language of the system it is prototyping, so prototyping is not only a tool but also a design technique.
DISADVANTAGES OF PROTOTYPING
Some prototyping tools are tied to a particular make of hardware or a particular database system.
It is sometimes argued that prototyping tools are inefficient in the program code they produce, so that programs are bigger and require more memory than a more efficiently coded program.
Prototyping may lead users to steer the development of a new system towards an existing system.
Prototyping tools encourage programmers to produce programs quickly, but to neglect program quality. A prototype that goes live without proper testing carries its shortcuts in input validation and error handling into production.



STRUCTURED WALKTHROUGHS
Structured walkthroughs are a technique used by those responsible for the design of some aspect of a system (particularly analysts and programmers) to present their design to interested user groups, in other words to walk them through the design. Structured walkthroughs are formal meetings in which the documentation produced during development is reviewed and checked for errors or omissions.
Users are involved in structured walkthroughs because their knowledge of the desired system is more extensive than that of the systems development personnel. Walkthroughs are sometimes referred to as user validation.

SIGNING OFF WORK

At the end of each stage of development, the resulting output is presented to users for their approval. There must be a formal sign-off of each completed stage before work on the next stage begins. This clarifies responsibilities and leaves little room for later disputes.
(a) If the system developers fail to deliver something that both parties formally agreed to, it is the developers' responsibility to put it right, at their own expense, and to compensate the user for the delay.
(b) If users ask for something extra or different that was not formally agreed to, the developers cannot be blamed, and the user must pay for further amendments and be prepared to accept some delay.

JOINT APPLICATION DEVELOPMENT

Joint application development (JAD) describes the partnership between users and system developers. The potential value to an organization may be as follows:
(i) It creates a pool of expertise comprised of interested parties from all relevant functions.
(ii) It reduces the risk of systems being imposed by systems personnel.
(iii) It increases user ownership of, and responsibility for, systems solutions.
(iv) It emphasizes the information needs of users and their relationship to business needs and decision making.



DISADVANTAGES
(i) The relative inexperience of many users may lead to misunderstandings and possibly unreasonable demands on, or expectations of, system performance.
(ii) There is a danger that lack of coordination leads to fragmented, individual and possibly esoteric information systems.

RAPID APPLICATION DEVELOPMENT

Rapid application development (RAD) combines a less structured approach to systems development with the use of modern software tools such as prototyping. RAD also involves the end users heavily in the development process. To develop systems that provide competitive advantage it is often necessary to build and implement the system quickly.

COMPUTER AIDED SOFTWARE ENGINEERING TOOLS (CASE)

CASE tools are software tools used to automate some tasks in the development of information systems, e.g. generating documentation and diagrams. The more sophisticated tools facilitate software prototyping and code generation.
The range of facilities offered by CASE tools is:
(i) Project initiation: generate project schedules in various formats.
(ii) Analysis and design: produce diagrams (flowcharts, DFDs, ERMs) and generate the data dictionary.
(iii) Design (logical & physical): produce system model diagrams and data structures.
(iv) Implementation: installation schedules, program code generation.
(v) Maintenance: version control, change specification and tracking.


UPPER CASE TOOLS (ANALYSTS' WORKBENCHES)

Upper CASE tools are geared towards automating tasks associated with systems analysis. They include:
(a) Diagramming tools that automate the production of diagrams using a range of modeling techniques.
(b) Analysis tools that check the logic, consistency and completeness of system diagrams, forms and reports.
(c) A CASE repository that holds all data and information relating to the system. The data dictionary records all data items held in the system and controls access to the repository. The dictionary lists all data entities, data flows, data stores, processes, external entities and individual data items.

LOWER CASE TOOLS (PROGRAMMERS' WORKBENCHES)

Lower CASE tools are geared towards automating tasks later in the development process (after analysis and design). They include:
(a) Document generators that automate the production of documents using a range of modeling techniques.
(b) Screen and report layout generators that allow prototypes of the user interface to be produced and amended quickly.
(c) Code generators that automate the production of code based on the processing logic input to the generator.

ADVANTAGES OF USING CASE TOOLS

(a) Document / diagram preparation and amendment is quicker and more efficient.
(b) Accuracy of diagrams is improved. Diagramming tools can ensure consistency of terminology and maintain certain standards of documentation.
(c) Prototyping is made easier, as re-design can be effected very quickly.
(d) Blocks of code can be re-used. Many applications incorporate similar functions and processes; blocks of software can be retained in a library and used (or modified) as appropriate.


CHAPTER 05

QUALITY ASSURANCE AND TESTING

QUALITY ASSURANCE
The concept of quality is concerned with fitness for purpose. Quality may be defined as conformance to customer (user) needs.

High quality software should possess the following characteristics.

No major bugs
Whilst it is unrealistic to expect completely bug-free software, any bugs that significantly impact upon system effectiveness / efficiency should be fixed before a package is released.

Produced within budget
As with any purchase, software should be cost effective. A realistic budget for good quality software that will satisfy user requirements should be set, and then kept to.

Produced on time
Software impacts upon organizational activities. It is important therefore that plans can be made for the introduction of new software. Delays to this schedule will cause disruption.

Meets user needs and specification
Quality software must meet the requirements of users. It is vital therefore that user requirements are stated clearly and accurately early in the development process. It should also be user friendly.

Competitive & compatible with other products
Software production is a competitive market; a product that ignores trends in development is likely to become obsolete in a short period of time and may not be compatible with other software packages.

Produced according to best practices
There are widely accepted practices and procedures for producing software (e.g. documented program design). There are also internationally recognized standards (issued by the International Organization for Standardization, ISO) relating to software development. Using procedures that satisfy these standards should result in quality software.

APPROACHES TO QUALITY
(a) Quality management
(b) Quality assurance
(c) Quality control

QUALITY MANAGEMENT
Quality management is concerned with controlling activities with the aim of ensuring that products or services are fit for their purpose and meet specifications. Quality management encompasses quality assurance and quality control. The essence of quality management is that quality should be built in to all processes and materials used within an organization, with the ultimate aim of no substandard output.
Holmes proposes an eight stage model for implementing quality management.
1) Find out the problems (e.g. from customers and employees).
2) Select action targets from the number of improvement projects identified, on the basis of costs, safety, importance and feasibility (with current resources).
3) Collect data about the problem.
4) Analyse the data by a variety of techniques to assess common factors behind the data and to tease out any hidden messages the data might contain.
5) Identify possible causes (e.g. using brainstorming sessions); no ideas are ruled out of order.
6) Plan improvement action. Significant help might be required.
7) Monitor the effects of the improvement.
8) Communicate the results.

QUALITY ASSURANCE
Quality assurance schemes involve a supplier guaranteeing the quality of goods or services supplied. Procedures and standards are devised with the aim of ensuring defects are eliminated. As quality has been built in, routine inspection of goods after production should not be required.



QUALITY CONTROL
Quality control is concerned with checking and reviewing work that has been done. Quality control therefore has a narrower focus than quality assurance. Quality control focuses on the product or service produced, rather than the production procedures.
Quality control involves establishing standards of quality for a product or service, implementing procedures that are expected to produce products of the required standard in most cases, and monitoring output to ensure substandard output is rejected or corrected.

THE COST OF QUALITY

Quality involves four types of cost:
(a) Prevention costs are costs incurred to ensure the work is done correctly, for example ensuring the system design is correct before beginning production. Prevention costs are the cost of avoiding poor quality.
(b) Appraisal costs are the costs of inspecting and testing, for example design reviews, structured walkthroughs and program testing.
(c) Internal failure costs are the costs of correcting defects discovered before the system is delivered.
(d) External failure costs are the costs of fixing defects discovered after the system has been delivered.

QUALITY ASSURANCE TEAM

Quality assurance teams work independently of the development team. This structure assures the independence of the work of the QA team. The manager of the QA function should report directly to executive management.
FUNCTIONS OF QA TEAM
1. To develop quality goals for the information systems function overall and to assist in the development of quality goals for specific information systems.
2. To develop, promulgate and maintain IS standards.
3. To monitor compliance with standards.
4. To identify areas for improvement.
5. To report to management: regular reports on compliance with general standards and specific standards must be prepared.
6. To train all other IS personnel in QA standards and procedures.



TOTAL QUALITY MANAGEMENT (TQM)
TQM involves and empowers the entire workforce to improve the quality of goods and services actively and continuously.

TQM is a system of continuous improvement employing participative management and centred on the needs of customers. TQM is a strategic, integrated management system for achieving customer satisfaction. It is a comprehensive, customer focused system that many organizations are adopting to improve the quality of their products and services.
KEY ELEMENTS OF TQM
1. Process focus
Reduce process variation and achieve continuous process improvement.
2. Customer focus
Studying customers' needs and managing customer satisfaction.
3. Measurement and analysis
A goal oriented measurement system.
4. Human side of quality
Create a companywide quality culture through leadership, total participation, employee empowerment and other social, psychological and human factors.

Quality management is the means by which IS department based processes are controlled, measured and improved.
Areas of control for quality management include:
i) Software development and maintenance.
ii) Acquisition of hardware and software.
iii) Day-to-day operations.
iv) Security.
v) Human resource management.
vi) General administration.

Insistence on observance of processes and procedures is key to the effectiveness and efficiency of the IS organization. Various standards have emerged to assist IS organizations in achieving an operational environment that is predictable, measurable and repeatable.

Examples:
The ISO 9000 series, which governs software development processes.
The ISO 9126 standard, which focuses on the end result of good software processes, i.e. the quality of the actual software product.
The Capability Maturity Model developed by the Software Engineering Institute at Carnegie Mellon University.

STAGES OF TESTING
A system must be thoroughly tested before implementation. A system that is not thoroughly tested may go live with faults that cause disruption and prove costly. The scope of tests and trials will vary depending on the size and purpose of the system.
Four basic stages of testing can be identified:
system logic,
program testing,
system testing and
user acceptance testing.

TESTING SYSTEM LOGIC

Before any programs are written, the logic devised by the systems analyst should be checked. This process involves the use of flow charts or structure diagrams such as data flow diagrams.
The paths of different types of data and transactions are manually plotted through the system, to ensure all possibilities have been catered for and that the processing logic is correct. When all results are as expected, programs can be written.

PROGRAM TESTING
Program testing involves processing test data through all programs. Test data should be of the type that the program will be required to process and should include invalid/exceptional items to test whether the program reacts as it should. Program testing should cover the following areas:
a) Input validity checks
b) Program logic and functioning
c) Interfaces with related modules / systems
d) Output format and validity

The testing process should be fully documented, recording the data used, expected results, actual results and action taken. Two types of program testing are unit testing and unit integration testing.

UNIT TESTING

Unit testing means testing one function or part of a program to ensure it operates as intended.

UNIT INTEGRATION TESTING

Unit integration testing involves testing two or more software units to ensure they work together as intended. The output from unit integration testing is a debugged module.
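An added Python example (not the textbook's own) of program testing as described above: unit tests for one function with both valid and invalid/exceptional test data, an integration test of two units through their interface, and a test record that documents the data used, the expected result, the actual result and whether action is needed. The payment-posting functions and the test cases are constructed for illustration.

```python
"""Program testing with documented test data: unit tests for one function,
then an integration test of two units working together.

Added example, not from the textbook. The payment-posting module and the
test cases are constructed for illustration."""
from dataclasses import dataclass
from typing import Any, Callable, List


# --- units under test (constructed) -----------------------------------------

def parse_amount(text: str) -> int:
    """Unit 1: turn an amount such as '12.50' into whole pence.

    Rejects blanks, negatives, more than two decimals and anything that is
    not a number, so invalid input never reaches the posting logic."""
    text = text.strip()
    if not text:
        raise ValueError("amount is blank")
    if text.startswith("-"):
        raise ValueError("amount must not be negative")
    pounds, _, pence = text.partition(".")
    if not pounds.isdigit() or (pence and (not pence.isdigit() or len(pence) > 2)):
        raise ValueError(f"malformed amount {text!r}")
    return int(pounds) * 100 + int(pence.ljust(2, "0") or 0)


def apply_payment(balance_pence: int, payment_pence: int) -> int:
    """Unit 2: reduce an outstanding balance, never below zero."""
    if payment_pence < 0:
        raise ValueError("payment must be positive")
    return max(balance_pence - payment_pence, 0)


def post_payment(balance_pence: int, amount_text: str) -> int:
    """The two units working together: the interface under integration test."""
    return apply_payment(balance_pence, parse_amount(amount_text))


# --- documented test harness --------------------------------------------------

@dataclass
class TestRecord:
    name: str
    data: Any        # data used
    expected: Any    # expected result (a value, or an exception class for negative cases)
    actual: Any      # actual result (a value, or the exception raised)
    passed: bool     # False means action is needed: fix and re-test


def run_case(name: str, func: Callable, data, expected) -> TestRecord:
    try:
        actual: Any = func(*data)
    except Exception as exc:        # record whatever the unit raised
        actual = exc
    if isinstance(expected, type) and issubclass(expected, BaseException):
        passed = isinstance(actual, expected)
    else:
        passed = not isinstance(actual, BaseException) and actual == expected
    return TestRecord(name, data, expected, actual, passed)


UNIT_CASES = [
    # valid data (positive tests)
    ("whole pounds",      parse_amount, ("12",),        1200),
    ("pounds and pence",  parse_amount, ("12.5",),      1250),
    ("two decimals",      parse_amount, ("0.99",),      99),
    ("surrounding space", parse_amount, (" 7.00 ",),    700),
    # invalid and exceptional data (negative tests)
    ("blank",             parse_amount, ("",),          ValueError),
    ("negative",          parse_amount, ("-1.00",),     ValueError),
    ("three decimals",    parse_amount, ("1.005",),     ValueError),
    ("letters",           parse_amount, ("12a",),       ValueError),
    ("exact payoff",      apply_payment, (1000, 1000),  0),
    ("overpayment",       apply_payment, (1000, 1500),  0),
    ("partial payment",   apply_payment, (1000, 250),   750),
]

INTEGRATION_CASES = [
    ("parse then post",   post_payment, (5000, "12.50"), 3750),
    ("bad text rejected", post_payment, (5000, "12,50"), ValueError),
]


def run_suite(cases) -> List[TestRecord]:
    return [run_case(name, func, data, expected) for name, func, data, expected in cases]


def failures(records: List[TestRecord]) -> List[TestRecord]:
    """Everything listed here needs action and a re-test before sign-off."""
    return [r for r in records if not r.passed]


if __name__ == "__main__":
    for rec in run_suite(UNIT_CASES) + run_suite(INTEGRATION_CASES):
        print(f"{'PASS' if rec.passed else 'FA IL'} {rec.name:<18} data={rec.data} "
              f"expected={rec.expected!r} actual={rec.actual!r}")
```

Each record keeps the four columns the text asks for, so the printed run doubles as the test documentation; a case whose expectation is wrong, or a unit that starts raising where it used to return, shows up as a failure with the actual value beside the expected one.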

SYSTEM TESTING
When it has been established that individual programs and interfaces are operating as intended, overall system testing should begin. System testing should extend beyond areas already tested, to cover:
a) Input documentation and the practicalities of input, e.g. time taken.
b) Flexibility of the system to allow amendments to the normal processing cycle.
c) Ability to produce information on time.
d) Ability to cope with peak system resource requirements, e.g. transaction volumes, staffing levels.
e) Viability of operating procedures.

System testing will involve testing both before installation (known as off-line testing) and after implementation (on-line testing).

USER ACCEPTANCE TESTING

User acceptance testing is carried out by those who will use the system to determine whether the system meets their needs. These needs should have previously been stated as acceptance criteria. The aim is for the customer to determine whether or not to accept the system.
Users process test data, system performance is closely monitored and users report how well they feel the system meets their needs. Test data may include some historical data, because it is then possible to check results against the actual output from the old system.

METHODS OF TESTING
(a) Static analysis test
(b) Dynamic analysis test

(A) STATIC ANALYSIS TEST

This test evaluates the quality of a module through a direct inspection of the source code, without executing it. Some important types of static analysis check follow:
(i) Desk checking
Desk checking involves the programmer examining the source code to verify it is free of errors or irregularities; e.g. the programmer might look for syntax errors, logical errors or variations from coding standards.
(ii) Structured walkthrough
A structured walkthrough is a type of checking in which the programmer responsible for the development of the module leads other programmers through the module in order to detect errors. The review group is comprised of independent programmers.
(iii) Design and code inspections
For design and code inspections a special team, led by an experienced moderator, is composed to review the program module. A proper checklist is used to conduct the review, and the results are documented. This is followed by correction of the module to ensure correctness of the program.
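An added Python example (not from the textbook) of a static analysis check: it parses a module into a syntax tree and reports departures from a small constructed coding standard (bare except clauses, eval/exec, mutable default arguments, subprocess calls with shell=True) without executing the code. The rules and the sample module are assumptions for illustration; a real desk check or inspection would apply the team's own standards, usually with a linter doing this part of the work.

```python
"""Static analysis check: inspecting source code without running it.

Added example, not from the textbook. The four coding-standard rules and the
sample module are constructed for illustration."""
import ast
from typing import List, Tuple

Finding = Tuple[int, str, str]      # (line number, rule, message)


class StandardsChecker(ast.NodeVisitor):
    """Walks the syntax tree and records departures from the coding standard."""

    def __init__(self):
        self.findings: List[Finding] = []

    def visit_ExceptHandler(self, node):
        if node.type is None:
            self.findings.append((node.lineno, "bare-except",
                                  "bare 'except:' swallows every error, including KeyboardInterrupt"))
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", "")
        if name in ("eval", "exec"):
            self.findings.append((node.lineno, "dynamic-code",
                                  f"{name}() executes data as code"))
        if name in ("call", "run", "Popen") and any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                for kw in node.keywords):
            self.findings.append((node.lineno, "shell-true",
                                  "subprocess with shell=True is prone to command injection"))
        self.generic_visit(node)

    def visit_FunctionDef(self, node):
        for default in node.args.defaults + node.args.kw_defaults:
            if isinstance(default, (ast.List, ast.Dict, ast.Set)):
                self.findings.append((default.lineno, "mutable-default",
                                      f"mutable default argument in {node.name}() is shared between calls"))
        self.generic_visit(node)


def check_source(source: str) -> List[Finding]:
    """Parse the module and return its findings sorted by line number."""
    checker = StandardsChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings)


# Constructed sample module with four departures from the standard.
SAMPLE_SOURCE = '''\
import subprocess

def load(path, cache=[]):
    try:
        data = open(path).read()
    except:
        data = ""
    cache.append(data)
    return data

def run_report(name):
    subprocess.run("report " + name, shell=True)
    return eval(name)
'''

if __name__ == "__main__":
    for line, rule, message in check_source(SAMPLE_SOURCE):
        print(f"line {line}: [{rule}] {message}")
```

Because the check works on the syntax tree, it finds the problems before the module is ever executed, which is the point of the static methods above; it also shows their limit, since a rule only catches the patterns someone thought to write down.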

(B) DYNAMIC ANALYSIS TEST

This type of test requires modules to be executed on the machine and can be classified into the following two types:
(i) Black box test
In this type of test, test cases are designed based on the requirements specification of the module, without reference to its internal structure. These test cases are executed to establish any divergence from requirements.
(ii) White box test
In this kind of test, test cases are designed and conducted after examining the internal logic of the module, so that paths and branches the requirements do not mention are also exercised.
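An added Python example (not from the textbook) contrasting the two dynamic tests: black-box cases written from a constructed specification alone, and a white-box case added after reading the code. Line coverage is measured with the standard library's sys.settrace hook so that the branch the black-box cases never reach becomes visible. The function, its specification and the cases are assumptions for illustration, and a real project would use a coverage tool rather than this hand-rolled tracer.

```python
"""Black-box cases derived from the specification versus white-box coverage.

Added example, not from the textbook. The risk-banding function, its
'specification' and the test cases are constructed for illustration."""
import dis
import sys
from typing import Callable, List, Set, Tuple

# Constructed specification: "Payments over 10,000 are HIGH risk. Payments to a
# sanctioned country are HIGH risk. All other payments are LOW risk."
SANCTIONED = {"XX", "YY"}


def risk_band(amount: int, country: str, override: bool = False) -> str:
    if amount > 10_000:
        return "HIGH"
    if country in SANCTIONED:
        if override:          # not in the specification: only code inspection reveals it
            return "LOW"
        return "HIGH"
    return "LOW"


# Black-box cases: written from the specification alone, without reading the code.
BLACK_BOX_CASES = [((15_000, "GB"), "HIGH"), ((500, "XX"), "HIGH"), ((500, "GB"), "LOW")]
# White-box case: added after inspecting the internal logic, to exercise the override branch.
WHITE_BOX_CASES = [((500, "XX", True), "LOW")]


def run_with_coverage(func: Callable, cases) -> Tuple[List[bool], Set[int]]:
    """Execute each (args, expected) case and record which lines of `func` ran."""
    executed: Set[int] = set()
    target = func.__code__

    def tracer(frame, event, arg):
        if frame.f_code is not target:
            return None                     # ignore every other frame
        if event == "line":
            executed.add(frame.f_lineno)
        return tracer

    results = []
    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for args, expected in cases:
            results.append(func(*args) == expected)
    finally:
        sys.settrace(previous)
    return results, executed


def uncovered_lines(func: Callable, executed: Set[int]) -> List[int]:
    """Statement lines of `func` that never ran (the 'def' line itself is excluded)."""
    statement_lines = {line for _, line in dis.findlinestarts(func.__code__) if line is not None}
    statement_lines.discard(func.__code__.co_firstlineno)
    return sorted(statement_lines - executed)


def coverage_report(cases) -> Tuple[bool, List[int]]:
    """Return (all cases passed, source lines of risk_band left uncovered)."""
    results, executed = run_with_coverage(risk_band, cases)
    return all(results), uncovered_lines(risk_band, executed)


if __name__ == "__main__":
    passed, missed = coverage_report(BLACK_BOX_CASES)
    print("black-box cases pass:", passed, "| uncovered lines:", missed)
    passed, missed = coverage_report(BLACK_BOX_CASES + WHITE_BOX_CASES)
    print("with white-box case:", passed, "| uncovered lines:", missed)
```

All three black-box cases pass, yet one line of the module is never executed: the undocumented override that turns a sanctioned-country payment into LOW risk. Only the white-box case, written after examining the internal logic, reaches it, which is the reason the two methods are used together rather than either alone.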

OPERATION AND MAINTENANCE TEST

A system becomes operational when it is released for daily use by the organization. Monitoring the performance of the system is a continuous process. Over a period of time the system is required to be maintained to keep its functionality up to date with changing organizational requirements. Three types of maintenance are conducted.
(a) Repair maintenance
In which program errors are corrected which were overlooked in the earlier tests or which arise after the program is implemented and becomes operational.
(b) Adaptive maintenance
In which the program is modified to meet changing user requirements. These requirements might include business requirements or changes in technology.
(c) Perfective maintenance
In which the program is tuned to decrease resource consumption so that both the efficiency and the effectiveness of the program can be improved.

COMPUTER AIDED SOFTWARE TESTING (CAST)

Automated testing tools are sometimes referred to as computer aided software testing (CAST) tools. There are products available that can automate a variety of tasks, including:
(a) Executing various command combinations and recording the results.
(b) Testing software in a variety of operating environments and comparing results.
(c) The debugging of some obvious programming errors.
(d) Facilities to track and document all testing and quality assurance information.



BETA VERSION
Commercial software producers often carry out user acceptance testing through the use of beta versions of software. A beta version is an almost finalized package that has been tested in controlled conditions but has not been used in the field. Some users are prepared to use beta versions and report any remaining bugs.

LIMITATIONS OF SOFTWARE TESTING

Poor testing process
The test plan may not cover all areas of system functionality. Testers may not be adequately trained. The testing process may not be adequately documented.

Inadequate time
Software and systems are inevitably produced under significant time pressures. Testing time is often squeezed to compensate for project overruns in other areas.

Future requirements not anticipated
The test data used may have been fine at the time of testing, but future demands may be outside the range of values tested. Testing should allow for future expansion of the system.

Inadequate test data
Test data should test positively, checking that the software does what it should do, and test negatively, checking that it doesn't do what it shouldn't. It is difficult to include the complete range of possible input errors in test data.

Software changes inadequately tested
System / software changes made as a result of testing findings, or for other reasons, may not be adequately tested, as they were not in the original test plan.


Chapter 06

POST IMPLEMENTATION ISSUES

THE POST IMPLEMENTATION REVIEW REPORT
The findings of a post implementation review team should be formalized in a report.
a) A summary of their findings should be provided, emphasizing any areas where the system has been found to be unsatisfactory.
b) A review of system performance should be provided. This will address matters such as run time and error rates.
c) A cost benefit review should be included, comparing the forecast costs and benefits identified at the time of the feasibility study with actual costs and benefits.
d) Recommendations should be made as to any further action or steps which should be taken to improve performance.

THE CAUSES OF SYSTEM MAINTENANCE


Besides environmental changes, three factors contribute to the need for maintenance.

Error:
It is likely that bugs will exist in a newly implemented system. The effect of errors
can obviously vary enormously.

Constraints:
Cost constraints may have meant that certain requested features were not
incorporated. Time constraints may have meant that requirements suggested
during development were ignored in the interest of prompt completion.

Changes in requirements:
Although users should be consulted at all stages of system development, problems
may arise after a system is implemented because users may have found it
difficult to express their requirements, or may have been concerned about the
future of their jobs and not participated fully in development.


Poor Documentation:
If old systems are accompanied by poor documentation, or even a complete lack of
documentation, it may be very difficult to understand their programs. It will be
hard to update or maintain such programs.
Programmers may opt instead to patch up the system with new applications using
newer technology.

System Change Procedure

Systems should be built with a certain amount of flexibility that allows changes to
be made in the future to cope with different demands. Changing a system carries
the same risks as the initial system development, so system changes
should pass through a formal change procedure.

COMPONENTS OF A FORMAL SYSTEM CHANGE PROCEDURE


(a) Raise the change request.
(b) Evaluate the impact of the requested change.
(c) Specify the change request.
(d) Regression, system and acceptance testing.
(e) Implement the change.

IN HOUSE MAINTENANCE
With large computer systems, developed by the organization itself, in-house systems
analysts and programmers might be given the responsibility for software maintenance.
To ensure the maintenance is carried out efficiently, the principles of good
programming practice should be applied.
(a) Any change must be properly authorized by a manager in the user department.
(b) The new program requirement must be specified in full and in writing. These
specifications will be prepared by a systems analyst. A programmer should use
them as the basis of the program.
(c) In developing a new program version, a programmer should keep working
papers. He can refer back to these papers later, or check them in the event that
there is an error in the new program or the user of the program asks for a further
change in the program.


(d) The new program version should be tested when it has been written. A
programmer should prepare test data and establish whether the program will
process the data according to the specification given by the systems analyst.
(e) Provision should be made for further program amendments in the future.
One way of doing this is to leave space in the program instruction numbering
sequence for new instructions to be inserted later.
(f) A record should be kept of all program errors that are found during live
processing and of the corrections that are made to the program.
(g) Each version of a program should be separately identified, to avoid a mix-up
about which version of a program should be used for live operation.

OFF THE SHELF SOFTWARE MAINTENANCE


With ready-made software, the software house or supplier is likely to issue a new version
of the package if significant changes are required.

MAINTENANCE CONTRACTS
There is also likely to be an agreement between the supplier of software and the
customer for the provision of a software support service. A maintenance contract
typically includes the following services:
(a) Help (telephone calls or visits to office premises).
(b) Information (magazine to subscribers, case studies).
(c) Updates (free or discounted updates).
(d) Upgrades (heavy discounts to subscribers).
(e) Legal conditions (termination of contract, use of hardware, prohibitions on
making copies).

HARDWARE MAINTENANCE
Computer hardware should be kept serviced and maintained too. Maintenance
services are provided by:
(a) The computer manufacturers.
(b) Third party maintenance companies.

It may be obtained on a contract or an ad hoc basis.


END USER DEVELOPMENT
End user development is the direct, hands-on development of computer systems
by users. Accounts staff designing and using complex spreadsheet models is an
example of end user computing. While these programs may work, they will be very
difficult to modify and they will very often be the personal property of the individual
who developed the system, with no wider use.

DISADVANTAGES:
i) A great deal of time and energy goes into producing inefficient programs
which are unusable by anyone other than their developer.
ii) The risk from the elimination of the separation of the functions of user and
analyst.
iii) The risk from lack of user knowledge and acceptance of application quality
assurance procedures for development and operation.
iv) The risk from limits on user ability to identify correct and complete
requirements for an application.
v) The risk from unstable user systems.
vi) The risk from encouraging private information systems.
vii) The risk from permitting unstructured information systems development.

USER GROUPS
A user group is a forum for users of particular hardware or, more usually, software,
in which they can share ideas and experience.
Users of a particular package can meet, or perhaps exchange views over the internet,
to discuss solutions, ideas or shortcuts to improve productivity. An electronic
newsletter service might be appropriate, based on views exchanged by members, but also
incorporating ideas culled from the wider environment by IT specialists.
Interested parties, including at a minimum a representative from the IT department
and users who are familiar with different parts of the system, can attend monthly or
quarterly meetings to discuss the operation of the system, make suggestions for
improvements and raise any queries.


COST BENEFIT REVIEW
A cost benefit review is similar to a cost benefit analysis, except that actual data
can be used.
Categories of cost benefit review:

Direct Benefits
Might include reduced operating cost, for example lower overtime payments.

Indirect Benefits
Might include better decision making and the freeing of human brainpower from
routine tasks so that it can be used for more creative work.

Development Costs
Include systems analysts' costs and the cost of time spent by users in assisting
with fact finding.

Implementation Costs
Would include costs of site preparation and costs of training.

Running Costs
Include maintenance costs, software leasing costs and ongoing user support.

EFFICIENCY
Efficiency can be measured by considering the resource input into, and the output
from, a process or an activity.
An entity uses resources such as staff, money and materials. If the same activity can
be performed using fewer resources, for example fewer staff or less money, or if it
can be completed more quickly, the efficiency of the activity is improved. An
improvement in efficiency represents an improvement in productivity.

EFFECTIVENESS
Effectiveness is a measurement of how well the organization is achieving its
objective.
It focuses primarily on the relationship of the organization with its environment. For
example, automation might be pursued because it is expected that the company will
be more effective at increasing market share or at satisfying customer needs. Recent
trends are more towards the development of front office systems, for example to
improve an organization's decision making capability or to seek competitive
advantage. This approach seeks to improve the effectiveness of the organization.

METRICS
Metrics are quantified measurements used to measure system performance. The use
of metrics enables system quality to be measured and problems to be identified
early. Examples of metrics include system response time, the number of
transactions that can be processed per minute, the number of bugs per hundred lines
of code and the number of system crashes per week.
Many facets of system quality are not easy to measure statistically (e.g. user
friendliness). Indirect measurements such as the number of calls to the help desk
per month can be used as an indication of overall quality / performance.

COMPUTER BASED MONITORING


Systems evaluation may use computer based monitoring. Four methods used are:

HARDWARE MONITORS:

Hardware monitors are devices which measure the presence or absence of electrical
signals in selected circuits in the computer hardware. They might measure idle time
or levels of activity in the CPU, or peripheral activity. Data is sent from the sensors to
counters which periodically write it to disk or tape.
A program will then analyze the data and produce an analysis of findings as output.
It might identify, for example, inefficient co-ordination of processors and peripherals,
or excessive delays in writing data to backing storage.

SOFTWARE MONITORS:

Software monitors are computer programs which interrupt the application in use
and record data about it. They might identify, for example, excessive waiting time
during program execution. Unlike hardware monitors, they may slow down the
operation of the program being monitored.
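As an added illustration (not from the original text), the following Python script shows the software monitor pattern described above: a probe installed with sys.setprofile interrupts the program at every Python function call and return, records how often each function ran and how long it was active, and then compares a monitored run against an unmonitored one to show the slowdown the paragraph warns about. The workload (parse_record, validate, workload) and its record format are constructed for this example only.

```python
import sys
import time
from collections import defaultdict


class SoftwareMonitor:
    """A software monitor: hooks the interpreter so that every Python
    function call and return interrupts the program being measured, and
    records how many times each function ran and how long it was active.
    Because the probe runs inside the monitored process it slows the
    program down, unlike a hardware monitor wired to the circuits."""

    def __init__(self):
        self.calls = defaultdict(int)      # function name -> number of calls
        self.active = defaultdict(float)   # function name -> seconds spent inside
        self._stack = []                   # (name, entry timestamp) of open frames

    def _probe(self, frame, event, arg):
        # Only Python-level call/return events are recorded; events for
        # C functions ("c_call"/"c_return") are ignored in this example.
        if event == "call":
            self._stack.append((frame.f_code.co_name, time.perf_counter()))
        elif event == "return" and self._stack:
            name, started = self._stack.pop()
            self.calls[name] += 1
            self.active[name] += time.perf_counter() - started

    def run(self, func, *args):
        """Run func(*args) with the probe installed; returns (result, seconds)."""
        self._stack.clear()
        started = time.perf_counter()
        sys.setprofile(self._probe)
        try:
            result = func(*args)
        finally:
            sys.setprofile(None)   # always remove the probe, even on error
        return result, time.perf_counter() - started


# Constructed workload (not from the page): parse and validate n records.
def parse_record(line):
    ident, amount, note = line.split(",")
    return {"id": int(ident), "amount": float(amount), "note": note.strip()}


def validate(record):
    # Deliberately slow check so the monitor has waiting time to attribute.
    acc = 0
    for _ in range(300):
        acc += 1
    return record["amount"] if acc else 0.0


def workload(n):
    total = 0.0
    for i in range(n):
        total += validate(parse_record(f"{i},{i * 0.5},note {i}"))
    return total


def profile_workload(n):
    """Run workload(n) once unmonitored and once under the monitor.
    Returns (monitor, result, plain_seconds, monitored_seconds)."""
    started = time.perf_counter()
    expected = workload(n)
    plain = time.perf_counter() - started
    monitor = SoftwareMonitor()
    result, monitored = monitor.run(workload, n)
    assert result == expected   # instrumentation must not change the answer
    return monitor, result, plain, monitored


if __name__ == "__main__":
    mon, _, plain, monitored = profile_workload(2000)
    for name, secs in sorted(mon.active.items(), key=lambda kv: -kv[1]):
        print(f"{name:>14}: {mon.calls[name]:5d} calls, {secs * 1000:8.2f} ms active")
    print(f"unmonitored {plain * 1000:.1f} ms, monitored {monitored * 1000:.1f} ms "
          f"(slowdown x{monitored / plain:.1f})")
```

The active time of a caller includes the time of everything it calls, so workload always reports at least as much active time as validate; reading the per-function figures next to the call counts is what points at the function where waiting time accumulates.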


SYSTEM LOGS

Many computer systems provide automatic log details, for example job start and
finish times, or which employee has used which program and for how long. The
system log can therefore provide useful data for analysis.

a) Unexplained variations in job running times might be recorded.
b) Excessive machine down-time is sometimes a problem.
c) Mixed workloads of large and small jobs might be scheduled inefficiently.
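Added example, not part of the original text: the Python script below reads a constructed system log in an assumed format (job START/END records naming the user and program, plus machine DOWN/UP events), derives the first two points above from it, and adds the check an auditor would make of who ran which program. It flags job runs whose running time is out of line with that job's own history, totals machine down-time, lists runs that ended abnormally, and lists program use by users outside an assumed authorisation table.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (the record format is an assumption, not the page's):
# job start/finish records naming the user and program, plus machine down/up events.
SAMPLE_LOG = """\
2024-03-04 02:00:00 START job=PAYROLL run=1 user=jsmith prog=PAY01
2024-03-04 02:41:30 END   job=PAYROLL run=1 user=jsmith prog=PAY01 status=OK
2024-03-04 02:45:00 START job=STOCK run=2 user=kpatel prog=INV07
2024-03-04 02:52:10 END   job=STOCK run=2 user=kpatel prog=INV07 status=OK
2024-03-05 02:00:00 START job=PAYROLL run=3 user=jsmith prog=PAY01
2024-03-05 02:40:05 END   job=PAYROLL run=3 user=jsmith prog=PAY01 status=OK
2024-03-05 11:13:00 DOWN reason=disk
2024-03-05 12:02:00 UP
2024-03-06 02:00:00 START job=PAYROLL run=4 user=jsmith prog=PAY01
2024-03-06 05:55:00 END   job=PAYROLL run=4 user=jsmith prog=PAY01 status=OK
2024-03-06 22:10:00 START job=PAYROLL run=5 user=tmp01 prog=PAY01
2024-03-06 22:12:00 END   job=PAYROLL run=5 user=tmp01 prog=PAY01 status=ABEND
"""

# Who is authorised to run which program (assumed table, for the audit check).
AUTHORISED = {"PAY01": {"jsmith"}, "INV07": {"kpatel"}}

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (START|END|DOWN|UP)\s*(.*)$")


def parse(log):
    """Yield (timestamp, event, fields) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue   # malformed line: skipped here, but an auditor would count these too
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        fields = dict(p.split("=", 1) for p in m.group(3).split())
        yield ts, m.group(2), fields


def analyse(log, spread=2.0):
    """Return run-time outliers, failed runs, total down-time and unauthorised program use."""
    open_runs, runs, failed, unauthorised = {}, [], [], []
    down_since, downtime = None, 0.0
    for ts, event, f in parse(log):
        if event == "START":
            open_runs[f["run"]] = ts
            if f["user"] not in AUTHORISED.get(f["prog"], set()):
                unauthorised.append((f["user"], f["prog"], f["run"]))
        elif event == "END" and f["run"] in open_runs:
            secs = (ts - open_runs.pop(f["run"])).total_seconds()
            runs.append((f["job"], f["run"], secs))
            if f.get("status") != "OK":
                failed.append((f["job"], f["run"], f["status"]))
        elif event == "DOWN":
            down_since = ts
        elif event == "UP" and down_since is not None:
            downtime += (ts - down_since).total_seconds()
            down_since = None
    # A run is "unexplained" if it is more than `spread` times slower or faster
    # than the median running time recorded for that job.
    by_job = defaultdict(list)
    for job, _, secs in runs:
        by_job[job].append(secs)
    outliers = [(job, run, secs) for job, run, secs in runs
                if secs > spread * median(by_job[job]) or secs < median(by_job[job]) / spread]
    return {"runs": runs, "outliers": outliers, "failed": failed,
            "downtime_seconds": downtime, "unauthorised": unauthorised,
            "still_open": sorted(open_runs)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, run 4 (nearly four hours against a median of about forty minutes) and run 5 (two minutes, ending in ABEND, started by a user who is not authorised for PAY01) are both reported; the single down/up pair gives 49 minutes of down-time. A run that starts but never ends is kept in still_open so that an abandoned or crashed job is not silently lost.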

HYBRID MONITOR

A hybrid monitor has hardware, software and perhaps firmware components. These
components can be configured in many different ways. For example, software and
firmware probes can detect events and write them to a hardware interface. An
external device then reads, processes, stores and presents the data written to the
hardware interface. Thus, a hybrid monitor can detect both software and hardware
related events. They are sometimes difficult to use, however, because the
measurements taken by the software component and the measurements taken by the
hardware component must be coordinated.
Performance measurement data can be presented by either using tables or
charts. Two types of charts that are often used to present performance
measurement data are:
a) Gantt charts:
Gantt charts use the horizontal bar to show the percentage utilization of a
resource and the extent of overlap of resource utilization among a number of
resources.
b) Kiviat graphs:
Kiviat graphs present performance measurements results so the problem
with the performance can be recognized easily. They use radial axes in a
circle to plot performance measurement results. The shape of the resulting
plot can be used to determine the extent to which the system is balanced in
terms of its resource utilization.
Auditors should have two concerns about data integrity whenever performance
monitors are used:

a) First, they should determine whether the monitor has been installed correctly
in the target system. They must evaluate the integrity of the measurements
made by the monitor and the integrity of the target system processes after
instrumentation.
b) Second, auditors must try to determine whether a monitor has been used to
violate data integrity. They should evaluate whether there has been unauthorized use of the
monitor to breach data privacy. A monitor that can observe memory contents or I/O
traffic can also read the data passing through the system, so access to the monitor
and to its recorded output should itself be restricted and logged.

INDIRECT MEASURES TO EVALUATE SYSTEM PERFORMANCE


a) Significant task relevance attempts to observe the results of system use.
For example, document turnaround times might have improved following the
acquisition of a document image processing system, or minutes of meetings
might be made available and distributed faster following the addition of the company
secretarial function to a LAN.
b) The willingness of users to pay might give an indication of value. A charge-out
mechanism may provide an indication of how much users would be prepared to
pay in order to gain the benefits of a certain upgrade, e.g. availability of a
particular report.
c) System logs may give an indication of the value of the system if it is a voluntary
use system, such as an external database.
d) User information satisfaction is a concept which attempts to find out, by asking
users, how they rate their satisfaction with a system. They may be asked for their
views on timeliness, quality of output, response times, processing and their
overall confidence in the system.
e) The adequacy of system documentation may be measurable in terms of how
often manuals are actually used and the number of errors found or amendments
made.

PERFORMANCE REVIEWS
Performance reviews can be carried out to look at a wide range of system functions
and characteristics. Technological change often gives scope to improve the quality of
outputs or reduce the cost of inputs.

Performance reviews will vary in content from organization to organization, but the
matters which will probably be looked at are as follows:
a) The growth rates in file sizes and the number of transactions processed by the
system. Trends should be analyzed and projected to assess whether there are
likely to be problems with lengthy processing time or an inefficient file structure
due to the volume of processing.
b) The clerical manpower needs for the system, and deciding whether they are more
or less than estimated.
c) The identification of any delays in processing and an assessment of the
consequences of any such delays.
d) An assessment of the efficiency of security procedures, in terms of the number of
breaches and the number of viruses encountered.
e) A check of the error rates for input data. High error rates may indicate inefficient
preparation of input documents, an inappropriate method of data capture or poor
design of input media.
f) An examination of whether output from the computer is being used to good purpose.
(Is it used? Is it timely? Does it go to the right people?)
g) Operational running costs, examined to discover any inefficient programs or
processes. This examination may reveal excessive costs for certain items
although, in total, cost may be acceptable.

COMPUTER SYSTEMS EFFICIENCY AUDITS


Computer systems efficiency audits are concerned with improving outputs from the
system and their use and / or reducing the costs of system inputs. With falling costs
of computer hardware and software, and continual technological advance, there
should often be scope for improvements in computer systems.
a) Outputs from a computer system
(i) More output of some value could be produced by the same input resources,
e.g. process more transactions per minute, produce better quality management
information (sensitivity analysis), make information available to more people.
(ii) Outputs of little value could be eliminated from the system, thus making
savings in the cost of inputs, processing and handling, e.g. reports produced
too frequently should be produced less often, distribution lists should be shortened,
report size should be reduced.


(iii) The timing of outputs could be better. Computer systems could give managers
immediate access to the information they require, by means of file enquiry or
special software (such as databases, or spreadsheet modeling packages).
(iv) It might be found that outputs are not as satisfactory as they should be,
perhaps because access to information from the system is limited, and could
be improved by the use of a database and network system.

Available outputs are restricted because of the method of data processing used (e.g.
batch processing instead of real time processing) or the type of equipment used (e.g.
stand-alone PCs compared with client / server systems).
b) Inputs to a computer system
The efficiency of a computer system could be improved if the same volume and
frequency of output could be achieved with fewer input resources, and at less cost.
(i) Multi-user or network systems might be more efficient than stand-alone
systems. Multi-user systems allow several input operators to work on the same
file; if one operator has a heavy workload and another is temporarily short of work,
the person who has some free time can help his or her busy colleague, thus improving
operator efficiency.
(ii) Real time systems might be more efficient than batch processing.
(iii) Using more up to date software.
(iv) Using computers and external storage media with bigger storage capacity.
Waiting for data to be read from backing storage can be very long and tedious.
Computer systems with better backing storage facilities can reduce this operator
waiting time, and so be more efficient.

Management might also wish to consider whether time spent checking and correcting
input data can be eliminated. An alternative method of input might be chosen, e.g.
bar codes and scanners reduce input errors.


CHAPTER 07

ORGANIZING THE IT FUNCTION


INVITATION TO TENDER (ITT)
An invitation to tender (ITT) sets out the specification for the required system,
explaining how it is to be used and setting out the timescale for implementation. It
will set out the performance required of the new system.
An organization may issue an ITT to a range of suppliers. It would give some
background information about the company, together with an indication of the
purpose of the system and details of requirements such as:
a) The volume of data to be processed.
b) The complexity of processing requirements (including interfaces with other
systems).
c) The number of offices or individual people who will want to access the
computer system, and whether access needs to be instant or not.
d) The speed of processing required, e.g. response times.
e) Inputs and outputs desired.
f) The type of file processing needed.
g) Estimated life of the system.
h) Possible upgrades or expansion anticipated.

Details about the company should relate to its present organization structure, the
nature and size of its business and its plan for future expansion.
General Matters
a) Contact name within the company.
b) Any financial constraints.
c) The form that submissions are to take.
d) The closing date for submission of tenders.
e) The address to which tenders should be sent.



Responses to ITT

Sending of standard brochures and price lists.

Offers to visit the organization's site and provide a free demonstration of
equipment and its capabilities.

FINANCING METHODS
The financing decision can be an important consideration in the choice of hardware or
software. Failure to make the right choice can lead to serious consequence financially
and operationally.
There are various financing options.
a) Purchasing
b) Leasing
c) Renting / Rental
d) Outsourcing / Facilities management

An outright purchase may be funded from one of three sources:
a) Cash or working capital from within the organization.
b) A new loan or other borrowing.
c) Credit from a finance house, in the form of a hire-purchase agreement.

EVALUATION OF SUPPLIER PROPOSALS


Once supplier proposals have been obtained, they must be evaluated. Evaluation
becomes very complicated if there is any doubt about system performance, as this
may necessitate a test of the system. The variety of responses may make a direct
comparison of different tenders difficult.
The supplier will usually try to match the customer's profile with that of an existing
customer to demonstrate that the system can handle such a workload. However, if
the application is unusual or new, this will not be possible, and so a formal evaluation
using benchmarking or simulation tests will be necessary.


BENCHMARK TESTS
Benchmark tests test how long it takes a machine to run through a particular set of
programs.

One way of comparing computing power is to conduct benchmark tests. A more powerful
machine will do the processing more quickly. There is some concern that some benchmark
tests created by manufacturers are designed to give the most favorable result to
their products. Also, it may be hard to say that one computer performs better than
another, as it may depend on the application used.
These tests are carried out to compare the performance of a piece of hardware or
software against pre-set criteria. Typical criteria which may be used as benchmarks
include:

Speed of performance of a particular operation;

Acceptable volumes before a degradation in response times is apparent;

General user-friendliness of equipment.

These do not have to be objective, though clearly with subjective tests, such as
user-friendliness, it may be harder to reach definitive conclusions.
Software can also be benchmarked. An organization might try out a series of different
packages on its own existing hardware to see which performs best in speed of
response, ability to process different volumes of transactions, reporting capabilities
and so on.
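Added example, not from the page: a small Python benchmark harness built around the criteria above. It measures the per-item cost of a workload at increasing volumes, using a discarded warm-up run and the median of repeated runs so that a single noisy measurement does not decide the result, and reports the first volume at which response time degrades beyond a tolerance. The two workloads (dedupe_with_set, dedupe_with_list) are constructed stand-ins for the organization's own programs; running the organization's own workload rather than a supplier-chosen benchmark is exactly the point the text makes about manufacturer-designed tests.

```python
import time
from statistics import median


def seconds_per_item(workload, volume, repeats=5):
    """Median wall-clock seconds per item for workload(volume).
    One unmeasured warm-up run absorbs one-off costs (caches, lazy imports)."""
    workload(volume)
    samples = []
    for _ in range(repeats):
        started = time.perf_counter()
        workload(volume)
        samples.append((time.perf_counter() - started) / volume)
    return median(samples)


def benchmark(workload, volumes, repeats=5):
    """[(volume, seconds_per_item)] for each volume, in the order given."""
    return [(v, seconds_per_item(workload, v, repeats)) for v in volumes]


def degradation_point(results, tolerance=0.5):
    """First volume whose per-item cost exceeds the smallest-volume baseline
    by more than `tolerance` (0.5 = 50 %), or None if response time holds up.
    `results` must be ordered by increasing volume."""
    baseline = results[0][1]
    for volume, per_item in results[1:]:
        if per_item > baseline * (1 + tolerance):
            return volume
    return None


# Two constructed workloads standing in for the organization's own programs.
def dedupe_with_set(n):
    """Linear: per-item cost should stay flat as volume grows."""
    seen = set()
    for i in range(n):
        seen.add(i)
    return len(seen)


def dedupe_with_list(n):
    """Quadratic: per-item cost grows with volume, so a degradation point appears."""
    seen = []
    for i in range(n):
        if i not in seen:
            seen.append(i)
    return len(seen)


if __name__ == "__main__":
    volumes = [500, 1000, 4000]
    for name, workload in [("set", dedupe_with_set), ("list", dedupe_with_list)]:
        results = benchmark(workload, volumes, repeats=3)
        for volume, per_item in results:
            print(f"{name:>4} n={volume:5d}: {per_item * 1e6:8.3f} us/item")
        print(f"{name:>4} degrades at volume: {degradation_point(results)}")
```

Per-item cost rather than total time is the figure compared, because total time grows with volume for any workload; what the "acceptable volumes" criterion asks is whether the cost of each extra transaction stays constant. Timing numbers differ from machine to machine, so the degradation check is kept in a separate function that can be exercised on recorded measurements.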

SIMULATION TESTS
Simulation testing uses synthetic programs written specifically for testing purposes
and incorporating routines designed to test a variety of situations. Such programs are
particularly appropriate for testing PCs, which generally execute one program step at
a time. However, carrying out simulation tests on larger computers is more complex,
as multiple jobs are usually processed at the same time and realistic operating
conditions must be created.


Consideration of other features of the proposal
i) Supplier reliability
ii) Cost
iii) Utility software
iv) Warranty and maintenance
v) Software support
vi) Training
vii) Keeping the package up-to-date

INFORMATION SYSTEM MANAGER AS LIAISON


Liaison between information systems professionals and the rest of the organization is a
key role. Such a function includes the following:
i) Provision of technical assistance.
ii) Informal discussion with users as to their needs before detailed feasibility
studies are carried out, which can also include discussions as to the payoffs of
a particular IS investment.
iii) Advice on the impact of information systems on organizational structure,
working environment and so forth.


CHAPTER 08

SUPPLY CHAIN MANAGEMENT &
ENTERPRISE RESOURCE PLANNING
SUPPLY CHAIN MANAGEMENT
Supply chain management is concerned with the total management of the supply
chain. Without the right companies up and down the supply chain to work with, a
company will never achieve true competitive advantage.
Typically, SCM will attempt to centrally control or link the production, shipment and
distribution of a product. By managing the supply chain, companies are able to cut
excess fat and provide products faster. This is done by keeping control of internal
inventories, internal production, distribution, sales and the inventories of the
company's product purchasers.

STRATEGIC GROWTH OPPORTUNITIES FOR SUCCESSFUL GROWTH COMPANIES

Customer Franchise Management
Growth companies focus selectively and aggressively on developing and
managing the most profitable customers. They constantly strive to know
everything about those customers and their needs and serve those needs with
intense dedication. They realize that growth flows from the acquisition,
development and retention of profitable customers.

New products / services development strategy


Growth companies become exceptionally effective at rapidly developing new
products and services that offer superior value to customers. Companies
that consistently bring the best new products to market can fuel significant
growth. Frequent and rapid introduction of new products would be impractical
without agile supply chains.


Channel Management
Growth companies find, develop and continually review the most effective ways
to connect customer segments with their products and service. Some companies
have grown by creatively using alternative distribution channels, and in many
instances developing multi-channel strategies. The exploitation of e-commerce
opportunities has in many cases resulted in significant growth opportunities.

PRE-REQUISITE FOR GROWTH


VALUE
Comparatively superior value as defined by your customer.
A product or service is competitively superior if it provides the highest value as
defined by the customer at the right price. Growth champions invest vast resources in
identifying how to create and increase value.

Expand your customer service research to comprehensively understand how your
customers define, achieve, and measure success, including growth.

Assess all customer service offerings in terms of how they contribute to customer
business and growth plans.

Measure the effectiveness and efficiency of your customer service programs on


the basis of your customers success.

Communicate the success principles to your customers, and make it the basis of
your relationship. Explain how your service benefits them.

Become indispensable to your customer. Provide so much value that there would
be virtually no advantage in bringing in a new supplier.

ECONOMICS
Comparatively superior economics across value chain
Supply chain must be aligned with the customers and the organizations growth
strategy. Tradeoffs among the logistics cost components exist along to supply chain
e.g. higher service levels vs higher inventory holding costs.

Define companys supply chain as broadly as possible.

Understand the economic levers (drivers).

Be more agile in order to adapt to the changing market place.

Requirements are faster information flows, reduced cycle times, flexible production,
minimal inventories and an integrated inter-company supply chain.


EXECUTION
Consistently superior strategy execution via organization alignment

Through process re-definition and a horizontal management structure, supply chain
management can integrate interdependent processes and their supporting internal
specializations (such as sales and production) with external customers and suppliers.

Companies must serve the customer through horizontal processes. Horizontal
processes cross traditional functional disciplines within organizations and even go
beyond formal organizational boundaries to include customers, suppliers and
other stakeholders.

Process owners, teams and individuals are driven by customer accountability.


They must be given the responsibility need to be designed to support the efficient
management of processes.

People must have the attitude, skills and behaviours required to sustain
horizontal processes. Human performance systems and organizational culture
become critical enablers. Key goals include attracting, developing, leveraging,
and retaining top talent across the organization and fostering a culture to process
excellence.

Information enables horizontal integration and adaptive learning. Real time
access to information enables the effective and efficient management of processes.

RESISTANCE TO CHANGE

Clear vision communicated to all levels.

Participation: support is available if people take part in creating the change.

Alignment of performance measures and reward systems with the growth strategy.

MANAGEMENT CONCERNS IN SCM

Logistic strategy development and implementation

Logistic network optimization

Logistic performance measurement

Sales forecasting

Logistic support for marketing activities

Purchasing and procurement strategies

Inventory levels and development

Ware house / facility location


Transport cost

Fleet size

Vehicle scheduling

Logistic MIS

Universal logistic success factors

Market driven customer service strategy

Optimum logistic cost and investment

Logistic management information systems

Logistic organization structure

Customer service elements

Product availability (order fill)

Length of order cycle time

Consistency of order cycle time

Invoice / billing procedure /accuracy

Information request responsiveness

Distance to supplier warehouse

Special customer requests

Frequency of damaged goods

Quality of order department

Emergency coverage

On time delivery

ENTERPRISE RESOURCE PLANNING (ERP)


Enterprise resource planning (ERP) is an industry term for integrated, multi-module
application software packages that are designed to serve and support multiple
business functions.

FEATURES OF ERP

ERP facilitates a company-wide integrated information system covering all functional
areas, such as manufacturing, selling and distribution, payables, receivables, inventory,
accounts, human resources, purchases etc.


ERP performs core corporate activities and increases customer service, and
thereby augments the corporate image.

ERP bridges the information gap across the organization.

ERP provides for complete integration of systems not only across the departments
in a company but also across the companies under the same management.

ERP is the only solution for better project management.

ERP allows automatic introduction of the latest technologies like EFT, EDI, Internet,
video conferencing, e-commerce etc.

ERP eliminates most of the business problems like material shortages,
productivity enhancements, customer service, cash management, inventory
problems and quality problems.

ERP not only addresses the current requirements of the company but also
provides the opportunity of continually improving and refining business processes.

ERP provides business intelligence tools like decision support systems (DSS),
executive information systems (EIS), reporting, data mining and early warning
systems (robots) for enabling people to make better decisions and thus improve
their business processes.

COMPONENTS OF ERP

Sales and marketing

Master scheduling

Material requirement planning

Capacity requirement planning

Bill of materials

Purchasing

Shop floor control

Account payable

Account receivable logistics

Asset management

Financial accounting

BUSINESS PROCESS RE-ENGINEERING


Business process re-engineering is a pre-requisite for going ahead with a powerful
planning tool, ERP. An in-depth BPR study has to be done before taking up ERP.
Business process re-engineering brings out deficiencies of the existing system and
attempts to maximize productivity through restructuring and reorganizing the human
resources as well as divisions and departments in the organization.
STEPS OF BUSINESS PROCESS RE-ENGINEERING

Study the current system

Design and develop new systems

Define process, organization structure and procedure

Develop / customize the software

Train people

Implement new system

The principle followed for BPR may be defined as the USA principle (understand, simplify,
automate), i.e. understanding the existing practices, simplifying the processes and
automating them. The tools used at each step of this principle are:

Understand: diagramming, story boarding, brain storming

Simplify: eliminating, combining, rearranging

Automate: EDI, ERP

SELECTION OF ERP
Evaluation and selection involves:

Checking whether all functional aspects of the business are duly covered

Checking whether all the business functions and processes are fully integrated.

Checking whether all the latest IT trends are covered

Checking whether the vendor has customizing and implementing capabilities

Checking whether the business can absorb the cost

Checking whether the ROI is optimum

IMPLEMENTATION OF ERP
Implementing an ERP package has to be done in a phased manner. A step-by-step
method of implementation will yield a better result than a big-bang introduction. The
total time required for successfully implementing an ERP package will be anything
between 18 and 24 months. The normal steps involved in the implementation of an ERP
are as follows:



i. DETAILED DISCUSSION PHASE
Task

Project initiation

Evaluation of current processes

Business practices

Setup project organization

Deliverables

Accepted norms and conditions

Project organization chart

Identify work teams

ii. DESIGN AND CUSTOMIZATION PHASE


Task

Map organization

Map business process

Define functions and process

ERP software configuration

Build ERP system modification

Deliverables

Organization structure

Design specification

Process flow diagrams

Function model

Configuration recording and system modification

iii. IMPLEMENTATION PHASE


Task

Create go live plan and documentation

Integrate application

Test the ERP customization

Train users

Deliverables

Testing environment report

Customization test report

Implementation report

Conversion plan execution



iv. PRODUCTION PHASE
Task

Execute trial production

Maintain systems

Deliverables

Reconciliation reports

BENEFITS OF ERP

Gives accounts payable personnel increased control over invoicing and payment
processing, thereby boosting their productivity and eliminating their reliance
on computer personnel for these functions.

Reduces paper documents by providing online forms for quickly entering and
retrieving information.

Improves timeliness of information by permitting daily instead of monthly posting.

Greater accuracy of information, with detailed content, better presentation and
full satisfaction for the auditors.

Improved cost control

Faster response and follow up on customers

More efficient cash collection, i.e. a material reduction in payment delays by
customers.

Better monitoring and quicker resolution of queries.

Enables quick response to change in business operations and market conditions.

Helps to achieve competitive advantage by improving business processes.

Improve supply demand linkage with remote locations and branches in different
countries.

Provides a unified customer database usable by all applications

Improves information access and management throughout the organization.

Improves international operations by supporting a variety of tax structures,
invoicing schemes, multiple currencies, multiple-period accounting and languages.

WHY DOES ERP MATTER FOR A CA

CA as a consultant (ERP role in consultancy business)

CA as an auditor
Assume a situation where the client has implemented an ERP solution. If the
auditor is aware of ERP, he can make use of the features of ERP and thereby:


Ensure that the internal controls and checks are consistently maintained.

Ensure that the provisions of income tax or other fiscal laws are not
ignored.

Ensure that the accounting standards are consistently followed across the
company.

Improve the quality of the reporting.

CA as a liaison

CA as a manager (accounts, timely information for taking appropriate business
decisions)


CHAPTER 09

CUSTOMER RELATIONSHIP
MANAGEMENT &
SALES FORCE AUTOMATION
CUSTOMER RELATIONSHIP MANAGEMENT
Customer relationship management (CRM) puts the customer at the center of any
and all activities within an enterprise. A CRM solution helps an enterprise learn more
about the customers' needs and makes any knowledge gained through interaction
with the customer accessible at all levels of the organization. The value of CRM
software grows considerably when CRM is highly integrated with solid enterprise
resource planning (ERP) and supply chain management (SCM) functionality. This
total solution enables you to support and streamline the entire business process from
original customer contact through post sales service.

BENEFITS OF CRM
CRM tools can help your business track opportunities and close sales quickly, but their
capabilities go beyond these areas. The real power lies in their ability to help you
build smart customer relationships that will grow into long term success.
Examples

(i) Track orders
At their most basic level, CRM tools automate the process of tracking
customers' order histories. You can find out which products they order and
how many, so you can easily identify your best customers, not only in terms
of volume but also in terms of profitability. You can use this information to
give these bread-and-butter clients special discounts for volume buying and
other incentives that will encourage loyalty and send the message that you
value their business.


(ii) Pinpoint buying behaviour
The information CRM tools track allows you to identify customer buying
patterns. You can determine the time of year or the situations that prompt
purchases, and use this information to raise your level of customer service.

(iii) Build compelling promotions
CRM tools take the guesswork out of designing effective promotions. Because
they help you identify customer needs, challenges and buying habits, you
have insight into whether your market will respond to two-for-one promotions,
free-product-with-purchase offers or other outreach programmes.

(iv) Locate cross-selling and up-selling opportunities
By creating an accurate picture of customer buying details, CRM tools can help
you highlight opportunities to increase sales to a particular customer. For
example, since you know a client has purchased a particular product model, you
can design follow-up marketing outreach to promote model accessories,
complementary products or available upgrades.


(v) Build customer care from inside your company
Since CRM tools allow employees to share information easily, they can enhance
team productivity and morale. Employees develop collaborative habits across
your organization, which raises job satisfaction and a sense of empowerment.
This, in turn, translates to better service for your customers. A productive,
satisfied team provides better care than a disjointed and disorganized one.

CONSIDERATION FOR SELECTION OF CRM SOLUTION


(i) Who are your customers?
Because CRM is customer-centric, it is important to design a solution with a
clear understanding of who your customers are. You want to know their
preferred ways of doing business, how they usually come in contact with your
business and why they select you over another vendor.

(ii) How many people need to work with your CRM tools?
The solution you design will need to be powerful enough to accommodate
peak staff usage without performance suffering. Be sure to consider future
growth plans in your analysis as well.

(iii) What roles do they have in the company?
When defining the number of users you want to support with CRM tools, also
define their job functions and the way in which they will use the tools, e.g. will
travelling sales reps rely on it? If so, you will want to make it easily accessible
from the road.

(iv) How does your business receive orders?
If your company takes orders through many channels, such as telephone order
centres, a web site and sales reps, you will want to make sure your
solution can accommodate information from each source.

(v) Does your inventory allow for significant cross-sell and/or up-sell?
If your business sells a deep range of related products and services, it is
especially well suited to CRM tools. You will want to look for a solution that
can help you make the most of cross-sell and up-sell opportunities, with the
flexibility to handle multiple layers of data sorting. This will allow you to
customize outreach efforts to a high degree.

CUSTOMER RELATIONSHIP MANAGEMENT (CRM)


Customer relationship management (CRM) tools help businesses better understand and
respond to customer needs, boosting satisfaction and loyalty levels. These solutions,
using a combination of hardware, software and web-based capabilities, provide
companies with insight into daily interactions with individual customers. This allows
them to be more proactive in meeting each purchaser's highly specific needs.
CRM tools aggregate and maintain customer information so it is easy for sales staff,
service representatives and support teams to access. The goal is to have the same
set of up-to-the-minute information available across an organization so every client
need can be met quickly.

BENEFITS OF CRM TOOLS

Faster response time: CRM tools allow your business to respond quickly to
customer requests. This means you can provide better service while handling
more business in less time.

Increased efficiency: By automating information sharing, CRM tools allow
employees to stay focused on business-building activities, rather than the
paperwork associated with tracking customer data.

Increased marketing opportunities: CRM tools make it easy to identify
your most profitable customers and their needs, giving you the information
you need to make marketing efforts as targeted and effective as possible.

Insight into customers: By making it easy to track customer buying habits,
requests and complaints, these tools give you the information you need to
enhance products and services, and raise your overall level of customer
service.

BENEFITS FOR SMALL COMPANIES

Increased efficiency: Online documents can be shared more quickly in a
virtual workspace. Large documents or graphics-rich files, for instance, can be
posted and worked on online instead of having to be uploaded and downloaded
via e-mail.

Boost turnaround time: Companies can meet with clients online to
exchange comments and revisions, and post edited documents for instant
approval. This can often cut down on the volume of meetings necessary to
reach a final version.

Lower costs: Virtual work can reduce or eliminate the need for travel, phone
calls, faxes and overnight mail. This decreased overhead can provide a
needed boost to a firm's bottom line.

Streamlined project management: Timelines, budgets and other documents
can be uploaded to project-specific sites, keeping everyone on target with a
project's overall goals.

Ensure client confidentiality: Collaborative software and services let
companies restrict access to files and various workflow routines. This ensures
that only those people authorized to view and work on specific projects can do
so.

COLLABORATION SOLUTIONS

Remote network access:
Using your network management solution, you can create specific customer
accounts that provide limited, secure access to the information on your
server. Customers can log on to download files they are authorized to view,
collaborate on server-based documents, or transfer files on the fly. Some
companies set up client-only servers for this purpose, posting files to these
servers as needed, to reduce the impact on their corporate network.
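
The "limited, secure access" described above only holds if every download request is checked against the customer the account belongs to, and if the requested file name cannot be used to step outside that customer's folder. The following Python example is added here as an illustration; it is not from the original text and does not describe any particular product. It models a client-only server with one folder per customer, shows the weak check (trusting the requested name, so a `../` path reads another customer's file) beside the hardened check (resolve the path, then refuse anything outside the account's own folder). The account names, folder layout and file contents are constructed for the example.

```python
"""Per-customer download authorization for a client-only file server.

Added example (not from the original text). Account names, folder layout and
file contents below are constructed for the demonstration.
"""
from pathlib import Path
import tempfile


class AccessDenied(Exception):
    """Raised when an account asks for a file outside its own customer folder."""


# Constructed sample: each customer account is tied to exactly one customer folder.
ACCOUNT_TO_CUSTOMER = {
    "acme_user": "acme",
    "globex_user": "globex",
}


def naive_path(root: Path, customer: str, requested: str) -> Path:
    """The weak version: trusts the requested name as given.

    '../globex/secret.txt' escapes the customer's folder because the OS
    collapses the '..' when the file is opened.
    """
    return root / customer / requested


def resolve_customer_file(root: Path, account: str, requested: str) -> Path:
    """The hardened version: map account -> customer folder, then refuse
    anything that resolves outside that folder (traversal, absolute paths,
    symlinks pointing elsewhere)."""
    customer = ACCOUNT_TO_CUSTOMER.get(account)
    if customer is None:
        raise AccessDenied(f"unknown account {account!r}")

    customer_dir = (root / customer).resolve()
    # resolve() collapses '..' and follows symlinks; an absolute 'requested'
    # simply replaces customer_dir, so it is caught by the containment check.
    target = (customer_dir / requested).resolve()
    try:
        target.relative_to(customer_dir)
    except ValueError:
        raise AccessDenied(f"{requested!r} is outside {customer}'s folder") from None

    if not target.is_file():
        raise FileNotFoundError(requested)
    return target


def build_demo_tree() -> Path:
    """Constructed client-only server: one folder per customer."""
    root = Path(tempfile.mkdtemp(prefix="client_server_"))
    (root / "acme").mkdir()
    (root / "globex").mkdir()
    (root / "acme" / "report.txt").write_text("acme quarterly report")
    (root / "globex" / "secret.txt").write_text("globex pricing")
    return root


def try_download(root: Path, account: str, requested: str) -> str:
    """Return the file contents, or a short verdict string on refusal."""
    try:
        return resolve_customer_file(root, account, requested).read_text()
    except AccessDenied:
        return "DENIED"
    except FileNotFoundError:
        return "NOT FOUND"


def demo() -> dict:
    """Run the same requests through the weak and the hardened check."""
    root = build_demo_tree()
    return {
        # acme reading its own file: allowed
        "own_file": try_download(root, "acme_user", "report.txt"),
        # acme trying to reach globex's file via '..': refused
        "traversal": try_download(root, "acme_user", "../globex/secret.txt"),
        # absolute path outside the server root: refused
        "absolute": try_download(root, "acme_user", "/etc/hostname"),
        # account that was never provisioned: refused
        "unknown_account": try_download(root, "mallory", "report.txt"),
        # file that does not exist inside acme's own folder
        "missing": try_download(root, "acme_user", "nope.txt"),
        # the naive check leaks globex's data to acme
        "naive_traversal": naive_path(root, "acme", "../globex/secret.txt").read_text(),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} -> {result}")
```

The containment check is deliberately done on the fully resolved path rather than on the string the customer supplied, because string filters on `..` miss encoded or symlinked variants; the existence check comes after the authorization check so that a denied request reveals nothing about what files exist.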

Collaborative workspace:
These solutions take remote network access a step further by creating virtual
conference rooms where companies can meet and exchange documents and
information with clients. These collaborative solutions can be housed on your
own network, or are available as hosted solutions from a number of
Internet-based suppliers. The workspaces are accessed via a standard web
browser, and only authorized users can get in. Companies use these solutions
to streamline the process of posting, editing and exchanging documents with
clients.

Messaging solutions
Instant messaging and real-time chat features, which are common elements
of collaborative workspaces, allow companies to converse online with clients
instead of having to pick up the phone. Some solutions also utilize VoIP
technology, allowing members to conduct real-time, web-based voice
conferences. Message boards permit companies and their clients to keep a
running record of comments regarding specific projects, boosting overall
knowledge management. Paging solutions can be used to invite users to a
workspace when specific documents have been posted.

Calendaring / Scheduling
Companies such as medical practices, salons or restaurants can use Internet-
based scheduling solutions to help customers set up appointments. These
solutions act as virtual appointment books, allowing customers to go online to
schedule, view, move or even cancel appointments at any time of the day or
night. This can make it easier for a company to manage its schedule, while
providing it with another way to reach customers with its message.

SALES FORCE AUTOMATION


SFA is the fastest growing component of CRM. The interaction of the sales force with
the prospect, turning the prospect into a customer and then maintaining a loyal
relationship, is a core business concern for the enterprise's success. The sales
process must be managed across many domains, interfacing with other business
units.
By automating a company's sales efforts, management can efficiently forecast, track
and fulfil orders and customer interactions, analyse sales forecasts and competitor
trends, manage sales cycles and communicate with sales representatives both in the
office and on the road. These services, known collectively as sales force automation
(SFA), use technology to reduce administrative work and increase sales team
productivity.



BENEFITS OF SALES AUTOMATION SYSTEM

Streamline sales processes
Sales automation tools handle repetitive and time-consuming activities such as
capturing web-site leads, qualifying buyers and triggering follow-up. They also
make data re-keying unnecessary by automatically disseminating information to
the appropriate departments, which reduces errors and saves time.

Boost salesperson knowledge
Online product catalogues can be updated the moment a new product or service is
available, so sales people have product specifications and configuration information
at their fingertips.

Enhance collaborative selling
All users of your sales automation system share access to a single data source,
which facilitates collaborative selling, marketing efforts and customer support. In
addition, these capabilities can be extended to include third-party sales
representatives and distribution partners.

Improve customer relationships
SFA systems can target data to customers based on their specific needs and keep
existing clients abreast of product updates. They also support online customer
service, including automated help and access to information 24 hours a day, 7
days a week.

Reduce quote time
Online product configuration allows customers to configure complex solutions in
minutes instead of days. A salesperson can use this tool to determine customer
requirements and immediately provide a professional and complete proposal after
a single meeting, cutting days or even weeks from the selling cycle.

Increase sales with other company data
Sales automation tools can communicate with financial and enterprise resource
planning (ERP) systems, establishing an open data flow among departments such
as accounting, sales and fulfilment.

Increase sales force morale
Sales automation applications reduce the time your staff spends on low-level
business functions. They create a more flexible work environment by allowing
employees to use the Internet to access information when and where they need it,
whether working from home, on the road or in your corporate offices.



PRE-REQUISITE FOR SELECTING AND IMPLEMENTING SFA

The sales process should be well defined in the beginning phase.

Select a sales automation tool that is compatible with the business.

Involve a cross-functional team that thoroughly understands what salespeople go
through on a day-to-day basis, and make sure the SFA system is customized
appropriately in the pilot phase of the project. During this phase the sales
process is painstakingly mapped to the SFA tool. Focusing on the process itself
is the most critical success factor.

Clear articulation of the value proposition around the tool.

Executive commitment from all executives.

Win-win-win advantages for the sales force, the delivery teams and management.

To gain rapid acceptance, SFA should be designed to help salespeople get much more
organized around managing their own business in their own territories, allowing
them to spend more time with customers.

It should also help delivery teams gain visibility into pending opportunities,
so they can plan when their services will be needed.

Provide easy-to-create, self-serve management reports that can be detailed and
summarized in many ways, allowing much better business predictability and what-if
planning.

OTHER BENEFITS INCLUDE

Unexpected new knowledge, because information can be presented in many
ways to reveal new insights.

Validation of how well service offerings are selling, for marketing purposes.

The ability for individuals to bring up a list of sales opportunities and search and
sort them in a number of different ways.

Improved account planning by attaching account plans, so the entire selling team
can see the broader context of the account.


Chapter 10

COBIT
Control Objectives for Information and
Related Technology
For IT to be successful in delivering against business requirements, management
should put an internal control system or framework in place. The COBIT control
framework contributes to these needs by:
a) Making a link to the business requirements;
b) Organizing IT activities into a generally accepted process model;
c) Identifying the major IT resources to be leveraged;
d) Defining the management control objectives to be considered.

The business orientation of COBIT consists of linking business goals to IT goals,
providing metrics and maturity models to measure their achievement, and identifying
the associated responsibilities of business and IT process owners.
COBIT thus supports IT governance by providing a framework to ensure that:
a) IT is aligned with the business;
b) IT enables the business and maximizes benefits;
c) IT resources are used responsibly;
d) IT risks are managed appropriately.

Strategic Alignment
Focuses on ensuring the linkage of business and IT plans; on defining,
maintaining and validating the IT value proposition; and on aligning IT operations
with enterprise operations.

Value Delivery
Is about executing the value proposition throughout the delivery cycle, ensuring
that IT delivers the promised benefits against the strategy, concentrating on
optimizing costs and proving the intrinsic value of IT.


Resource Management
Is about the optimal investment in, and the proper management of, critical IT
resources: applications, information, infrastructure and people. Key issues relate
to the optimization of knowledge and infrastructure.

Risk Management
Requires risk awareness by senior corporate officers, a clear understanding of the
enterprise's appetite for risk, understanding of compliance requirements,
transparency about the significant risks to the enterprise, and embedding of risk
management responsibilities into the organization.

Performance Management
Tracks and monitors strategy implementation, project completion, resource usage,
process performance and service delivery, using, for example, balanced scorecards
that translate strategy into action to achieve goals measurable beyond conventional
accounting.

The COBIT process model has been mapped to the IT governance focus areas,
providing a bridge between what operational managers need to execute and what
executives wish to govern. To achieve effective governance, executives expect
controls to be implemented by operational managers within a defined control
framework for all IT processes.

Benefits of implementing COBIT as a governance framework over IT

Better alignment, based on a business focus.

A view, understandable to management, of what IT does.

Clear ownership and responsibilities, based on process orientation.

General acceptability with third parties and regulators.

Shared understanding amongst all stakeholders, based on a common language.

Fulfilment of the COSO requirements for the IT control environment.

IT Governance Maturity Model


Value, risk and control constitute the core of IT governance: governance over
information technology and its processes with the business goal of adding value,
while balancing risk versus return.

The maturity levels are:


Non-existent (complete lack of IT governance processes)

Initial / ad hoc (recognition that IT governance exists, but no standard process)

Repeatable but intuitive

Defined process

Managed and measurable

Optimized
(Detail from PBP book)

IFAC IT GUIDELINE
MANAGING SECURITY OF INFORMATION
The security objective is supported by eight core principles:
Accountability:
Responsibility and accountability must be explicit.
Awareness:
Awareness of risks and security initiatives must be disseminated.
Multidisciplinary:
Security must be addressed taking into consideration both technological and
non-technological issues.
Cost Effectiveness:
Security must be cost effective.
Integration:
Security must be coordinated and integrated.
Reassessment:
Security must be reassessed periodically.
Timeliness:
Security procedures must provide for monitoring and timely response.
Social Factors:
Ethics must be promoted by respecting the rights and interests of others.



IT PLANNING FOR BUSINESS IMPACT:
The objective of the IT plan is to provide a road-map of the information technology
required to support the business direction of an organization, outlining the resources
that are required and the benefits that will be realized on implementation of the plan.
Alignment:
The plan should support and complement the business direction of an organization.
Relevant Scope:
The scope of the plan should be established to facilitate formulation of effective
strategies.
Relevant Timeframe:
A planning horizon should be formulated that provides long-term direction and short-
to-medium term deliverables in a manner consistent with the business strategy.
Benefit Realization:
Cost of implementation should be justified through tangible & intangible benefits that
can be realized.
Achievability:
The planning process should recognize the capability & capacity of the organization to
deliver solutions within the stated planning timeframe.
Measurable Performance:
The plan should provide a basis for measuring and monitoring performance.
Reassessment:
The plan should be reassessed periodically.
Awareness:
The plan should be disseminated widely.
Accountability:
Responsibility for implementing the plan should be explicit.
Commitment:
Management commitment in implementing the plan should be exhibited.

ACQUISITION OF INFORMATION TECHNOLOGY


The objective of the IT acquisition process is to acquire the right solution, at the right
price and at the right time. Regardless of the nature of the acquisition, its size, cost
and complexity, the following generic core principles apply:



Alignment:
The objectives, scope and requirements of the acquisition should be clearly defined
and documented, including any integration issues that need to be addressed.
Obsolescence:
The impact of new and emerging technologies on the acquisition must be considered.
Accountability:
Responsibilities and accountability for the acquisition must be explicit.
Option analysis:
The available options must be identified and assessed.
Evaluation:
Selection criteria must be established and consistently applied across the alternatives
available.
Negotiation:
Effective negotiation must be conducted before any decision is made.
Transparency:
Good governance dictates that the IT acquisition process be fair, open and
consistent.

THE IMPLEMENTATION OF IT
An IT project may cover the acquisition and implementation of IT resources such as
data, application systems, technical components and facilities. Although each project
is particular to its own needs and circumstances and may vary considerably in
complexity, it is generally conducted according to the following principles:
Aligned Scope:
The scope of the implementation of an IT solution should be aligned with the
objectives first developed during the acquisition phase, including any issues of
integration and implementation timing.
Project Management & Commitment:
An IT project must be properly managed. To achieve this goal, the human resources
allocated to the project need to have experience in project management, technical
competence and knowledge of the organization's business processes.
Managing Changes, Awareness and Communication:
When preparing an organization for the implementation of new systems, the issue of
change management must be specifically addressed and a communication plan must
be established to ensure that all relevant parties are kept informed about the
progress of the project.
Selection of the relevant implementation methods:
There are several methods for implementation of a new IT system. The method
chosen will depend on the type of IT development selected. To ensure the successful
implementation of the solution developed, it may be necessary to follow elements of
several different methods.
Implementation Phasing:
Depending on the method chosen, the phasing of an IT project may either be strict
and detailed or more iterative. It is essential, however, to include the following five
major project phases: general design, specification, development, completion and
deployment.
Integration:
The final product of an IT project will generally be either a new application system or
new technical facilities, which must be integrated into the existing information
system.
Risk Management & Monitoring:
The project risks must be continuously evaluated during the project and alternative
contingency solutions identified. To ensure effective project management, performance
indicators must be established and reviewed regularly; regular management reporting
is also essential.

Iterative approach:
A prototype is built and enhanced until all needs are dealt with and users are
satisfied. Some phases of this type of project are more or less linked. This
approach is usually applied to the implementation of a software package or the
development of a system using a rapid application development method.

Linear approach:
A project follows a step-by-step method, with a strict validation of each
phase before proceeding to the next. This approach typically applies to
large, specific development projects.

IT SERVICE DELIVERY AND SUPPORT


Although the information technology infrastructure and reliance on information
systems varies from one organization to another, there are broad fundamentals that
can be applied to all IT environments and that should be considered in the delivery of
IT services and support.



The core principles are:
Accuracy:
Information delivered to the business must be accurate and timely;
Awareness:
Training, education and support services are provided to all IT staff and IT
customers.
Cost Effectiveness:
Systems and facilities should be aligned with business needs and not put undue
financial burdens on the organization.
Customer Focused:
The organizations systems should be easy to operate and supportive of its business
operations.
Disciplined Approach:
IT should have adequate controls, a well defined structure and consistent policies
and procedures.
Flexibility:
Systems and facilities should exhibit a degree of flexibility to cater for fluctuations
in business volumes and staffing levels and, wherever possible, be capable of being
easily modified to handle changes in business practices.
Meeting Performance Expectations:
The delivery of, and support for, IT services must meet the expectations of IT
customers, be available at agreed-on times, and be measurable and measured.
Protected Environment:
Business data and the facilities and IS used to process them should be safe and
secure. The environment should also offer a safe working environment for IT
customers and staff.
Relevance:
The system and facilities should be appropriate and aligned with the organizations
business needs. They should also be fit for purpose and conform to the user
requirements.
Reliability:
Information systems should be robust and reliable.



IT MONITORING
Monitoring of IT is enabled by the definition of relevant performance indicators, the
systematic and timely reporting of performance and prompt acting on any deviations
identified. IT monitoring is especially important because of the complexity and risk
involved in IT activities. It has the business goals of ensuring the delivery of
information to help the organization achieve its objectives and ensuring the
achievement of performance objectives for the IT function.
Core principles are:
Comprehensiveness:
Any monitoring activity has to be comprehensive based on simple and consolidated
measures focusing on exceptions.
Relevance:
Any monitoring activity has to be relevant to the mission, vision, goals and strategy
of the enterprise.
Acceptability:
An effective monitoring approach has to be acceptable to those being monitored. This
means not invading their privacy and not intruding into their day to day
responsibilities.
Timeliness:
To make correct and expedient decisions, monitoring data must be available to
detect deviations that need to be reported immediately.
Verifiability:
Information obtained by the monitoring process should be verifiable by other means
thus, it should be accurate, and whenever possible, it should be based on fact.
Action Oriented:
Any form of monitoring must enable expedient corrective action.
Flexibility Adaptability:
The monitoring system should be easily adaptable to provide accurate, changing
environment.

WEB TRUST
The WebTrust standards have been developed by experts in auditing, accounting and
risk management. These standards also incorporate, whenever possible, prevailing
international best practices and guidelines for conducting business over the
internet.


(a) Online Privacy: Prove you keep your privacy promise
The enterprise ensures that personally identifiable information obtained as a result of
electronic commerce is protected as stated in its online privacy statement.
Examples:
(i) Information on the sources of private information being collected.
(ii) How that information will be used and distributed, as well as corrected when
necessary.
(iii) How cookies are used.
(iv) How customers can opt out of translations.

(b) Confidentiality: Assure customers about their confidential information
The enterprise ensures that access to the information obtained as a result of electronic
commerce and designated as confidential is restricted to authorized individuals in
conformity with its disclosed confidentiality practices.
Examples:
(i) Assurance that the security surrounding the transmission, collection and
distribution of confidential information is adequate.
(ii) Proper procedures for confidentiality breaches.
(iii) Choices provided to customers, including opting out.
(iv) Safeguards against transmission to unintended recipients and against
unauthorized access; secure storage of backup media.

(c) Security: Ease concerns about your commitment to security
The enterprise ensures that access to the electronic commerce system and data is
restricted only to authorized individuals in conformity with its disclosed security
policies.
Examples:
(i) The existence of a functioning disaster recovery plan.
(ii) Procedures to handle security breaches.


(iii) The use of proper encryption technology.
(iv) The use of routine system backups.

(d) Business Practices / Transaction Integrity:
The enterprise's electronic commerce transactions are processed completely,
accurately and in conformity with its disclosed business procedures.
Examples:
(i) Assurance that services or products are provided to customers as requested.
(ii) Information on the condition of goods.
(iii) Time frame for transactions.
(iv) Payment & delivery terms.
(v) How to cancel orders and receive customer support & service.

(e) Availability: Show you keep your promises
The enterprise ensures that e-commerce systems and data are available as
disclosed.
Examples of areas evaluated are:
(i) Access terms and conditions.
(ii) Availability policies that conform with legal, contractual and other
requirements.
(iii) Procedures to handle availability problems and security incidents.
(iv) A functioning disaster recovery plan.
(v) Assurance that hardware and software have properly tested and documented
availability objectives.

Summary of IFAC Guidelines

Managing security of information:
(a) Awareness
(b) Accountability
(c) Multidisciplinary
(d) Cost effectiveness
(e) Integration
(f) Reassessment
(g) Social factors


Planning IT for business impact:
(a) Alignment
(b) Awareness
(c) Achievability
(d) Relevant scope
(e) Relevant
(f) Commitment
(g) Benefit realization
(h) Measurable performance

Acquiring of information technology:
(a) Alignment
(b) Accountability
(c) Vegetation
(d) Relevant requirements
(e) Transparency
(f) Obsolescence

Implementation of IT:
(a) Aligned scope
(b) Project management & commitment
(c) Managing changes, awareness and communication
(d) Selection of relevant information methods
(e) Implementation phasing
(f) Integration
(g) Risk management & monitoring

IT Monitoring:
(a) Comprehensiveness
(b) Relevance
(c) Acceptability
(d) Timeliness
(e) Verifiability
(f) Action oriented
(g) Flexibility


Chapter 11

Management Operation & Controls

(These provide prevention from access to the network of the Co.)

CONTROLS: STRUCTURE, ASSESSMENT & MONITORING

Internal Control:
The whole system of controls, financial and otherwise, established in order to provide
reasonable assurance of:
- Effective and efficient operation.
- Internal financial control.
- Compliance with laws and regulations.

Internal Control System:
An internal control system consists of all the policies and procedures adopted by
the management of an entity to assist in achieving management's objective of ensuring,
as far as practicable, the orderly and efficient conduct of its business, including
adherence to management policies, the safeguarding of assets, the prevention and
detection of fraud and error, the accuracy and completeness of the accounting
records, and the timely preparation of reliable financial information.
Management Control:
Management controls consist of the processes used by managers to ensure that
organizational goals are achieved, that procedures are adhered to, and that the
organization responds appropriately to changes in its environment.
It has the following features:
(a) It is an integral part of management responsibility.
(b) It is always designed to achieve organizational goals.
(c) It seeks to help the employees in attaining the company goals by following
organizational policies.



Administrative Controls:
Administrative controls are designed to ensure operational efficiency and
adherence to managerial policies.
Accounting Controls:
Accounting controls are designed to ensure that assets are safeguarded and that
financial data and records are reliable.
General Controls:
The controls which are used to ensure that an organization's control environment is
sound and is properly managed to enhance the effectiveness of application controls
are referred to as general controls.
Application Controls:
Application controls are the controls which are used to prevent, detect and
correct errors and irregularities in various transactions during their processing.
Input Controls:
Input controls are designed to ensure that only accurate, valid and properly authorized
data are processed and entered into the system.
Processing Controls:
The controls that ensure the correct and complete processing of all transactions and
the proper maintenance of records are termed processing controls.
Output Controls:
Output controls are designed to ensure that system output is properly controlled and
protected.

CONTROL STRUCTURE
The policies and procedures which have been established to ensure that the
organization's specific objectives are achieved are termed the internal control
structure.
Following are the elements of the internal control structure:
- Control environment


- Information and communication
- Control procedures/activities

Control Environment:
The control environment consists of the attitude of management and employees towards
the various policies and objectives of the organization. A positive attitude increases the
wealth of the organization.
The factors which affect the establishment, enhancement or working of the various
policies and procedures adopted by the management are as follows:
(a) Working style of the management.
(b) Integrity and ethical values followed by employees and the management.
(c) The structure of the organization.
(d) The working style of the BOD.
(e) Assigning of authority and responsibility to various managers.
(f) Behavior of management in dealing with performance deviations.
(g) Commitment of the organization to competence.
(h) Monitoring of the controls.

The Accounting Information System (Information and Communication):
The accounting information system consists of the methods and records used to
identify, assemble, classify, record and report the business transactions.
The methods and records established should perform the following functions:
(a) Identify and record all valid transactions.
(b) Determine the time period of occurrence of transactions for their recording in
the proper accounting period.
(c) Describe each transaction in sufficient detail to facilitate the proper
classification of transactions for financial reporting.
(d) Measure the value of transactions for recording in the financial statements.
(e) Present properly the transactions and related disclosures in the financial
statements.



Control Procedures/Activities:
Control procedures or activities refer to the various steps provided in the operating
procedures intended to avert threats to the objectives and policies of the organization.
These may be categorized as procedures pertaining to the following:
(a) Proper authorization of transactions and activities.
(b) Segregation of duties that reduces the opportunities for fraud.
(c) Design and use of adequate documents and records to help ensure the proper
recording of transactions and events.
(d) Adequate safeguards over access to and use of assets and records.
(e) Independent checks on performance and proper valuation of recorded amounts.

RISK ASSESSMENT
Risk refers to a possible loss in the future which could be the result of a threat if it
comes true.
Its assessment is necessary to ensure that the control system adopted is a
comprehensive one. The following steps may facilitate the proper assessment of risk.
(a) Identification of threats:
The threats which could be faced by the organization must be identified to avoid
possible losses, e.g. the threat involved in constructing in an area of frequent
earthquakes.
(b) Estimating the risk:
The more likely the occurrence of a threat, the greater the risk involved.
(c) Identification of controls:
The identification of controls which could protect an organization from a threat
is a must. Protective controls are much superior as compared to detective
controls, which involve additional costs.
(d) Estimating costs and benefits:
A control system involves certain costs for protecting an organization from
threats. Protection from threats is in fact the benefit of the control system.
The benefits of a control procedure should be greater than its costs.



(e) Determining cost-benefit effectiveness:
The benefits of a control system should be greater than its cost. For determining
cost-benefit effectiveness, good judgment must be applied and all factors must
be considered to arrive at the correct decision. Documenting the existing
internal control system and evaluating its quality, costs and benefits are the basic
steps in this exercise.

MONITORING CONTROL SYSTEM
An internal control system, if not reviewed periodically, will become ineffective with the
passage of time; as such, the quality of internal control performance must be
assessed on a timely basis. Monitoring of the control system is important to keep it
updated and to meet the changing environment.
Methods for monitoring the internal control system are:
- Effective supervision
- Responsibility accounting
- Internal auditing

APPLICATION CONTROLS

CODES
Data codes are used to identify an entity uniquely. Poorly designed data codes cause
recording and keying errors.
Four types of coding systems are used:
(a) Serial codes:
Which assign consecutive numbers or alphabetic characters to an entity.
(b) Block sequence codes:
Which assign blocks of numbers to particular categories of an entity.
(c) Hierarchical codes:
Which assign codes on the basis of an assigned order of importance of the
attributes of an entity.
(d) Association codes:
Which are concatenations of codes assigned to different attributes of an
entity.



INPUT CONTROL
1. VALIDATION CHECKS
Validation of input data is ensured by putting in place the following checks:
(a) Field check
(b) Record check
(c) Batch check
(d) File check

(a) Field Check:
Field checks are used to ensure the completeness and correctness of independent fields
in the records. The following types of field checks are used:
(i) Completeness:
Items should be of a specific length, e.g. 17 digits for an A/C #.
(ii) Format:
Format should be of a standard form, e.g. the postal code in the address comes
after the city, or a date field as mm/dd/yyyy.
(iii) Range:
Only data within a specified range is acceptable, e.g. codes range b/w 0000 and
9999.
(iv) Check Digit:
A check digit is a redundant digit added to a code that enables the accuracy
of the other characters in the code to be checked, e.g. customer or product #.
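The four field checks above, worked through in code. This is an added example and not part of the notes: the record layout, the 17-digit account number, the 5-digit postal code, the mm/dd/yyyy date and the use of a Luhn (mod-10) check digit for the product code are all assumptions chosen for the illustration. The sample records are constructed; the second one carries a transposed product code and an impossible date, the two keying errors a check digit and a format check exist to catch.

```python
"""Field checks on one input record: completeness, format, range and check digit.

Added example (not from the notes). Record layout, the 17-digit account number,
the 5-digit postal code and the Luhn (mod-10) check digit are assumptions.
"""
import re
from datetime import datetime


def completeness_check(value, length):
    """Completeness: the item must be present and of exactly the required length."""
    return isinstance(value, str) and len(value) == length


def format_check(value, pattern):
    """Format: the item must match a standard form, expressed here as a regular expression."""
    return isinstance(value, str) and re.fullmatch(pattern, value) is not None


def date_format_check(value):
    """Format check for a date in mm/dd/yyyy; strptime also rejects impossible dates."""
    try:
        datetime.strptime(value, "%m/%d/%Y")
    except (TypeError, ValueError):
        return False
    return True


def range_check(value, low, high):
    """Range: a numeric code must lie within the permitted interval (inclusive)."""
    if not isinstance(value, str) or not value.isdigit():
        return False
    return low <= int(value) <= high


def luhn_check_digit(body):
    """Compute the mod-10 (Luhn) check digit for a string of digits.

    Digits are weighted from the right: every second digit is doubled and, if the
    result exceeds 9, reduced by 9. The check digit brings the total to a multiple of 10,
    so a mis-keyed digit or an adjacent transposition changes the total and is detected.
    """
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def check_digit_check(code):
    """Check digit: recompute the trailing digit from the rest of the code and compare."""
    if not isinstance(code, str) or not code.isdigit() or len(code) < 2:
        return False
    return luhn_check_digit(code[:-1]) == code[-1]


def validate_customer_record(rec):
    """Run every field check and return a list of error messages (empty means valid)."""
    errors = []
    if not (completeness_check(rec.get("account_no"), 17) and rec["account_no"].isdigit()):
        errors.append("account_no: must be exactly 17 digits")
    if not format_check(rec.get("postal_code"), r"\d{5}"):
        errors.append("postal_code: must be 5 digits")
    if not date_format_check(rec.get("order_date")):
        errors.append("order_date: must be a valid date in mm/dd/yyyy")
    if not range_check(rec.get("region_code"), 0, 9999):
        errors.append("region_code: must lie between 0000 and 9999")
    if not check_digit_check(rec.get("product_code")):
        errors.append("product_code: check digit does not verify (keying error?)")
    return errors


# Constructed sample records: one clean, one with a transposed product code and an impossible date.
GOOD_RECORD = {
    "account_no": "12345678901234567",
    "postal_code": "44000",
    "order_date": "03/15/2024",
    "region_code": "0042",
    "product_code": "79927398713",   # body 7992739871, Luhn check digit 3
}
BAD_RECORD = dict(GOOD_RECORD, product_code="79927398731", order_date="02/30/2024")

if __name__ == "__main__":
    print(validate_customer_record(GOOD_RECORD))   # []
    for err in validate_customer_record(BAD_RECORD):
        print("reject:", err)
```

The check digit is the only one of the four that guards against errors inside an otherwise well-formed value: "79927398731" has the right length, is all digits and lies in range, yet fails because the last two digits were swapped.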

(b) Record Check:
With record checks, a relationship amongst the fields in a record is checked logically
to ensure the data integrity rules of the database. The following types of record checks
are applied in an input system:
(i) Reasonableness:
Even though a field is checked with a range check, the content of another field
in the record may be used to ensure the correctness of the dependent field, e.g.
the range of valid salaries depends upon the organizational position.
(ii) Valid Sign of Numbers:
The contents of one field might establish which sign is valid for a numeric
field.



(iii) Size:
If variable length records are used, the size of the record is a function of the
sizes of the variable length fields or the sizes of the fields whose values may be
omitted from the record.
(iv) Sequence check:
A logical record might contain more than one physical record, e.g. invoice
data will have more than one occurrence of details such as items and their
quantities. The input program might check the sequence of the physical
records it receives.
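The four record checks above, as an added example that is not part of the notes. The salary bands per position, the table mapping transaction type to permitted sign, and the header/line/trailer layout of an invoice spread over several physical records are all assumptions made up for the illustration; the sample invoices are constructed, and the second one is missing its line 2.

```python
"""Record checks: reasonableness, valid sign, size and sequence.

Added example (not from the notes). Salary bands, the transaction-type sign table
and the 'H|..', 'L|..', 'T|..' physical record layout are assumptions.
"""

# Assumed salary bands per position: the valid range for `salary` depends on `position`.
SALARY_BANDS = {
    "clerk": (20_000, 45_000),
    "manager": (45_000, 120_000),
    "director": (120_000, 400_000),
}

# Assumed rule: the transaction type decides which sign the amount may carry.
VALID_SIGN = {"payment": -1, "refund": +1, "charge": +1}


def reasonableness_check(rec):
    """Reasonableness: the salary must be plausible for the position in the same record."""
    band = SALARY_BANDS.get(rec.get("position"))
    if band is None:
        return False
    return band[0] <= rec.get("salary", -1) <= band[1]


def sign_check(rec):
    """Valid sign: the `type` field establishes whether `amount` must be positive or negative."""
    expected = VALID_SIGN.get(rec.get("type"))
    amount = rec.get("amount", 0)
    if expected is None or amount == 0:
        return False
    return (amount > 0) == (expected > 0)


def size_check(raw, fixed_len, item_len):
    """Size: a variable-length record is a fixed part plus a whole number of repeating items."""
    extra = len(raw) - fixed_len
    return extra >= 0 and extra % item_len == 0


def sequence_check(physical_records):
    """Sequence: one logical invoice is a header 'H|<no>', line records 'L|<seq>|<item>|<qty>'
    numbered 1..n without gaps, and a trailer 'T|<n>' whose count must match.
    Returns a list of error messages (empty means the physical records arrived in order)."""
    if not physical_records or not physical_records[0].startswith("H|"):
        return ["missing header record"]
    errors = []
    expected = 1
    for rec in physical_records[1:-1]:
        parts = rec.split("|")
        if parts[0] != "L":
            errors.append(f"unexpected record type {parts[0]!r} inside invoice")
            continue
        if int(parts[1]) != expected:
            errors.append(f"line {parts[1]} out of sequence, expected {expected}")
        expected += 1
    trailer = physical_records[-1].split("|")
    if trailer[0] != "T":
        errors.append("missing trailer record")
    elif int(trailer[1]) != expected - 1:
        errors.append(f"trailer count {trailer[1]} does not match {expected - 1} line records")
    return errors


# Constructed sample input: a complete invoice and one that lost its second line record.
GOOD_INVOICE = ["H|INV001", "L|1|ITEM-A|2", "L|2|ITEM-B|5", "T|2"]
BAD_INVOICE = ["H|INV002", "L|1|ITEM-A|2", "L|3|ITEM-B|5", "T|2"]

if __name__ == "__main__":
    print(reasonableness_check({"position": "clerk", "salary": 30_000}))   # True
    print(sign_check({"type": "payment", "amount": 250}))                   # False
    print(size_check("HDR" + "AAAAA" * 2, fixed_len=3, item_len=5))         # True
    print(sequence_check(BAD_INVOICE))
```

Note that the sequence check only reports the gap between lines 1 and 3; the trailer count of 2 still agrees with the two line records that did arrive, which is exactly why a sequence check is needed in addition to a record count.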

(c) Batch Checks:
Batching is the process of grouping together transactions that bear some type of
relationship to each other. Two types of batches are used:
Physical Batches:
Groups of transactions that constitute a physical unit, e.g. a batch of
source documents.
Logical Batches:
Groups of transactions bound together on some logical basis, e.g.
transactions entered directly into a terminal during some time period.

(d) File Checks:
With file checks, the validation tests examine whether the characteristics of the file used
during data entry are consistent with the stated characteristics of the file. The input
program must ensure that the file being used is the correct file; for this very purpose an
internal label is used. It is also important for input programs to validate that the file
being used is not an older file with an expired date. Control totals can be calculated
for a file on the basis of its contents, and the input validation program checks to see
that it is using a file with accurate control totals.
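The batch control totals and the three file checks (internal label, expiry date, control totals), as an added example that is not from the notes. The label layout "LABEL|name|generation|expiry|count|total" and the "account|amount" detail layout are invented for this illustration; the sample file is constructed, and the tampered copy has one amount altered after the batch was totalled.

```python
"""Batch control totals and file checks (internal label, expiry date, control totals).

Added example (not from the notes). The 'LABEL|name|generation|expiry|count|total'
header and the 'account|amount' detail layout are assumptions for this illustration.
"""
from datetime import date


def batch_control_totals(transactions):
    """Three classic batch totals: record count, financial total and hash total.
    The hash total adds a non-financial field (account numbers) so that a record
    replaced by another of equal amount is still detected."""
    return {
        "record_count": len(transactions),
        "financial_total": sum(t["amount"] for t in transactions),
        "hash_total": sum(int(t["account"]) for t in transactions),
    }


def verify_batch(transactions, expected):
    """Return the names of the control totals that do not agree with the batch header."""
    actual = batch_control_totals(transactions)
    return [name for name, value in expected.items() if actual.get(name) != value]


def validate_input_file(file_text, expected_name, today):
    """File check: the internal label names the right file and has not expired, and the
    control totals carried in the label agree with the records actually present.
    `today` may be a datetime.date or an ISO 'YYYY-MM-DD' string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    lines = [ln for ln in file_text.strip().splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("LABEL|"):
        return ["missing internal label"]
    _, name, generation, expiry, count, total = lines[0].split("|")
    errors = []
    if name != expected_name:
        errors.append(f"wrong file: label says {name}, expected {expected_name}")
    if date.fromisoformat(expiry) < today:
        errors.append(f"file {name} {generation} expired on {expiry}")
    txns = []
    for ln in lines[1:]:
        account, amount = ln.split("|")
        txns.append({"account": account, "amount": int(amount)})
    expected = {"record_count": int(count), "financial_total": int(total)}
    errors += [f"control total mismatch: {n}" for n in verify_batch(txns, expected)]
    return errors


# Constructed sample file: label says 3 records totalling 6500, usable until 2025-01-31.
SAMPLE_FILE = """LABEL|PAYROLL_TXN|G0042|2025-01-31|3|6500
1001|2500
1002|3000
1003|1000
"""
# Same file with one amount altered after batching: the financial total no longer agrees.
TAMPERED_FILE = SAMPLE_FILE.replace("1003|1000", "1003|1500")

if __name__ == "__main__":
    print(validate_input_file(SAMPLE_FILE, "PAYROLL_TXN", "2025-01-15"))    # []
    print(validate_input_file(SAMPLE_FILE, "PAYROLL_TXN", "2025-03-01"))    # expired
    print(validate_input_file(TAMPERED_FILE, "PAYROLL_TXN", "2025-01-15"))  # mismatch
```

The record count and financial total are carried in the label by whoever prepared the batch, so an altered, dropped or duplicated detail record shows up as a disagreement between the label and the file's actual contents; the label check, run first, stops an input program from ever reaching that stage with the wrong or an out-of-date file.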

INSTRUCTION INPUT
There are six major ways in which instructions can be entered into an IS:
(a) Menu driven languages,
which ask users to select from a list of options with which they are presented.
(b) Question-answer dialogs,
which ask users to respond to questions presented by the application system.



(c) Command languages,
which require users to recall and initiate instructions for the application
system.
(d) Form based languages,
which require users to specify commands in the context of some input or
output form.
(e) Natural languages,
which allow users to instruct an application system via free-form input.
(f) Direct manipulation interfaces,
which allow users to enter instructions to an application system via direct
manipulation of objects on a screen.

INSTRUCTION INPUT
Ensuring the quality of instruction input to an application system is a more difficult
objective to achieve. During instruction input, users often attempt to
communicate complex actions that they want the system to undertake. Following are
the methods used to communicate instructions to an application system.
1. Menu driven languages
A menu is the simplest way to provide instructions to an application system. The
system presents users with a list of options. Users then choose an option. The
following guidelines should reduce the number of errors that are likely to occur using
menu input:
i) Menu items should be grouped logically so they are meaningful and
memorable.
ii) Menu items should follow any natural order, ordered by frequency of
occurrence, and long menus by alphabetical order.
iii) Menu items should be fully spelled out, clear and concise.
iv) The basis for selecting a menu item should be clear, e.g. numbers or a
mnemonic abbreviation.
v) Where other output is displayed on the screen, the menu should be clearly
differentiated.
2. Question-answer dialog
Used primarily to obtain data input. For finding the NPV, the system asks questions
about the discount rate, initial investment, number of periods, cash flow per period, etc.
and the user responds. A well designed question-answer dialog makes clear the set of
answers that are valid. In those cases in which the required answers are
not obvious, a help facility can be used to assist inexperienced users.



3. Command languages require users to specify commands to invoke some
process and a set of arguments that specify precisely how the process should be
executed. For example, SQL is a database interrogation language that uses a
command-language format.
- To facilitate recall of commands, command names should be meaningful.
- To reduce typing effort, it should be possible to truncate (shorten,
abbreviate) commands.
4. Forms based languages - Forms-based languages can be successful if users
solve problems in the context of input and output forms. In these cases the syntax of
the language corresponds to the ways users think about the problem. As a result,
input errors are reduced, and the language tends to be used effectively and
efficiently.
5. Natural languages are the subject of substantial research and development
efforts. Their goal is to enable relatively free-form natural language interaction to
occur b/w users and an application system, perhaps via a speech
production/recognition device. Current natural languages have the following
limitations:
i) They do not always cope with the ambiguity and redundancy present in
natural language, e.g. the meaning
ii) Substantial effort sometimes must be expended to establish the lexicon
(glossary, word list) for the natural language interface. Users must define all
possible words they could use.
iii) Even minor deviations outside the lexicon established for the application
domain can cause problems.
iv) Users still need some training when they employ natural language interfaces.
6. Direct manipulation languages
Some user interface application systems employ direct manipulation to enter
commands and data, e.g. spreadsheets. Three attributes identify a
direct manipulation interface:
(1) visibility of the object of interest,
(2) rapid, reversible, incremental actions, and
(3) use of direct manipulation devices, e.g. a mouse. Examples are:
i) Electronic spreadsheets: users see a visual image of the spreadsheet and its
associated cell values. They can alter values by using a mouse to move the
cursor to the cell to be altered and keying in the new value.
ii) Electronic desktops: users see an image of a desktop with an in-basket, an
out-basket, a trash basket, a set of files and so on. They can manipulate
these objects using a mouse. For example, files to be deleted can be moved to the
trash basket.
Direct manipulation often provides a more error-free, effective and efficient interface
than traditional menu or command-oriented interfaces.

Three types of validation checks can be exercised over instruction input:
(a) Lexical validation,
which evaluates whether commands contain valid command words;



(b) Syntactic validation,
which evaluates whether commands contain a valid string of operations;
(c) Semantic validation,
which evaluates whether the actions to be invoked by a command are
meaningful.
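The three validation layers applied to a command language, as an added example that is not from the notes. The tiny report language (PRINT, DELETE and COPY), its grammar, the report catalogue with its owners and the list of output devices are all assumptions invented for the illustration. Each layer answers a different question: is the word a command at all (lexical), is the command well formed (syntactic), and would carrying it out make sense and be permitted against the real catalogue (semantic).

```python
"""Lexical, syntactic and semantic validation of instruction input.

Added example (not from the notes). The PRINT/DELETE/COPY report language,
its grammar, the report catalogue and the device list are assumptions.
"""

# Grammar: each command maps to its argument slots. Upper-case slots are literal keywords.
GRAMMAR = {
    "PRINT": ["report", "TO", "device"],
    "DELETE": ["report"],
    "COPY": ["report", "TO", "report"],
}
# Constructed catalogue: report name -> owner, plus the output devices that exist.
REPORTS = {"SALES_Q1": "alice", "PAYROLL": "bob"}
DEVICES = {"LPT1", "PDF"}


def lexical_validation(tokens):
    """Lexical: is the first word a command the system knows at all?"""
    if not tokens:
        return "empty command"
    if tokens[0].upper() not in GRAMMAR:
        return f"unknown command {tokens[0]!r}"
    return None


def syntactic_validation(tokens):
    """Syntactic: does the command carry the right number of arguments in the right shape?"""
    slots = GRAMMAR[tokens[0].upper()]
    if len(tokens) - 1 != len(slots):
        return f"{tokens[0].upper()} takes {len(slots)} argument(s), got {len(tokens) - 1}"
    for tok, slot in zip(tokens[1:], slots):
        if slot.isupper() and tok.upper() != slot:
            return f"expected keyword {slot}, got {tok!r}"
    return None


def semantic_validation(tokens, user):
    """Semantic: would the action be meaningful, and permitted, against the real catalogue?
    Assumes the tokens have already passed the syntactic check."""
    cmd = tokens[0].upper()
    report = tokens[1]
    if report not in REPORTS:
        return f"report {report!r} does not exist"
    if cmd == "PRINT" and tokens[3] not in DEVICES:
        return f"device {tokens[3]!r} does not exist"
    if cmd == "DELETE" and REPORTS[report] != user:
        return f"{user} is not the owner of {report}"
    if cmd == "COPY" and tokens[3] == report:
        return f"copying {report} onto itself is meaningless"
    return None


def validate_instruction(line, user):
    """Run the three layers in order; return (stage, message) for the first failure, or ('ok', '')."""
    tokens = line.split()
    for stage, check in (
        ("lexical", lambda: lexical_validation(tokens)),
        ("syntactic", lambda: syntactic_validation(tokens)),
        ("semantic", lambda: semantic_validation(tokens, user)),
    ):
        msg = check()
        if msg:
            return stage, msg
    return "ok", ""


if __name__ == "__main__":
    for cmd in ("PRINT SALES_Q1 TO LPT1", "PRNT SALES_Q1 TO LPT1",
                "PRINT SALES_Q1 LPT1", "DELETE PAYROLL", "COPY SALES_Q1 TO SALES_Q1"):
        print(f"{cmd!r:32} -> {validate_instruction(cmd, 'alice')}")
```

The ownership test inside the semantic layer is where the report program execution controls described further on (only authorized persons may run a program, and only with appropriate action privileges) would be enforced: the command can be lexically and syntactically perfect and still be rejected.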

REPORT PROGRAM EXECUTION CONTROLS
Auditors should have three concerns in relation to the execution of report programs:
(a) Only authorized persons should be able to execute the programs.
Otherwise, confidential data could be revealed.
(b) The action privileges assigned to the authorized users of report
programs should be appropriate to their needs.
(c) Report programs that produce a large amount of output should include
checkpoint/restart facilities.

STORAGE CONTROLS
Three major controls should exist in relation to the storage of output:
(a) Output should be stored in an environment that will allow it to be
preserved for the period it is required.
(b) Output must be stored securely.
(c) Appropriate inventory controls must be kept over stored output.

REPORT DESIGN CONTROLS
The following information may be included in a well-designed batch report:
(a) Time and date of production
(b) Distribution list
(c) Processing period covered
(d) Contact person
(e) Retention date
(f) Page heading
(g) Page numbers
(h) End of job tag



PROCESSING CONTROL
Processing refers to computing, sorting, classifying and summarizing data. The main
components involved in processing are:
(a) Central processing unit for execution of programs.
(b) Main or virtual memory for storage of data and programs.
(c) Operating system for system management.
(d) Application programs to execute specific user requirements.
Four types of controls are used to minimize expected losses from errors &
irregularities associated with central processors:
(a) Errors in the processor can be detected via parity checks or instruction
validity checks. Temporary errors can be corrected by attempting to
execute the failed instruction again.
(b) Privileged instructions can only be executed if the processor is in a
special state.
(c) Timing controls can be used to prevent the processor from idling in an
endless loop.
(d) Processor components can be replicated to allow processing to continue
if any component fails.

Two types of controls are used to reduce expected losses from errors and
irregularities associated with real memory:
(a) Memory errors can be detected via parity checks and Hamming codes, the
latter of which also allow the errors to be corrected.
(b) Access controls, which are implemented via boundary registers, are
used to ensure that one process does not gain unauthorized access to
real memory assigned to another process.
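Why the notes distinguish parity checks from Hamming codes, shown in code as an added example that is not from the notes. A parity bit reveals that an odd number of bits in a stored word flipped but cannot say which one; a Hamming(7,4) code computes a syndrome that is the position of a single flipped bit, so the word can be repaired before the data are used. Bits are modelled as Python lists of 0/1 and the 4-bit data word and the simulated memory fault are constructed.

```python
"""Parity check and Hamming(7,4) code on memory words.

Added example (not from the notes). Bits are lists of 0/1; the 4-bit data word
and the injected single-bit fault are constructed for the illustration.
"""


def add_parity(data_bits):
    """Even parity: append a bit that makes the total number of 1s even."""
    return list(data_bits) + [sum(data_bits) % 2]


def parity_ok(stored):
    """Parity check on a stored word (data + parity bit); False means an odd number of flips.
    Detection only: nothing here says which bit is wrong."""
    return sum(stored) % 2 == 0


def hamming_encode(data_bits):
    """Encode 4 data bits as the 7-bit Hamming codeword [p1, p2, d1, p3, d2, d3, d4].
    Parity bit p_k sits at position 2^(k-1) and covers every position whose binary
    index has bit k set."""
    d1, d2, d3, d4 = data_bits
    p1 = d1 ^ d2 ^ d4      # covers positions 1,3,5,7
    p2 = d1 ^ d3 ^ d4      # covers positions 2,3,6,7
    p3 = d2 ^ d3 ^ d4      # covers positions 4,5,6,7
    return [p1, p2, d1, p3, d2, d3, d4]


def hamming_decode(codeword):
    """Return (data_bits, error_position). The syndrome is the 1-based position of a
    single flipped bit (0 = no error); that bit is corrected before the data are extracted."""
    p1, p2, d1, p3, d2, d3, d4 = codeword
    s1 = p1 ^ d1 ^ d2 ^ d4
    s2 = p2 ^ d1 ^ d3 ^ d4
    s3 = p3 ^ d2 ^ d3 ^ d4
    syndrome = s1 + 2 * s2 + 4 * s3
    fixed = list(codeword)
    if syndrome:
        fixed[syndrome - 1] ^= 1
    return [fixed[2], fixed[4], fixed[5], fixed[6]], syndrome


def flip_bit(word, position):
    """Simulate a memory fault by flipping the bit at a 1-based position."""
    corrupted = list(word)
    corrupted[position - 1] ^= 1
    return corrupted


if __name__ == "__main__":
    data = [1, 0, 1, 1]                                       # constructed 4-bit word
    stored = flip_bit(add_parity(data), 2)
    print("parity detects fault:", not parity_ok(stored))     # True, but no location
    faulty = flip_bit(hamming_encode(data), 5)
    print("hamming recovers:", hamming_decode(faulty))        # ([1, 0, 1, 1], 5)
```

A flip in a parity bit itself is handled the same way as a flip in a data bit: the syndrome points at positions 1, 2 or 4 and the decoder corrects it, which is what makes the scheme usable on the whole stored word rather than only the data portion.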

There are several threats to the integrity of the computer system; these may
include, but are not limited to:
(a) Privileged personnel misuse their powers.
(b) Penetrators deceive privileged personnel into giving them special
powers.
(c) Special devices are used to detect electromagnetic radiation, emit
electromagnetic radiation or wiretap communication lines.
(d) Penetrators interact with the system to determine & exploit any flaw in the
system.


Chapter 13

Effective Management of IS
OPERATIONS MANAGEMENT CONTROL
Operations management is responsible for the daily running of hardware and
software facilities so that:
(a) Production application systems can accomplish their work, and
(b) Development staff can design, implement and maintain application
systems.
Operations management typically exercises controls over the following functions:
(a) Computer operations
(b) Communication network control
(c) Data preparation and entry
(d) File library
(e) Documentation & program library
(f) Help desk/technical support
(g) Capacity planning & performance monitoring
(h) Outsourced operations
The production control section under operations management performs five major
functions:
(a) Receipt and dispatch of input & output
(b) Job scheduling
(c) Management of SLAs with users
(d) Transfer pricing/charge-out control
(e) Acquisition of computer consumables
The file library function within the operations area takes responsibility for the
management of an organization's machine readable storage media. Four functions
must be undertaken:



(a) Ensuring that removable storage media are used only for authorized
purposes.
(b) Maintaining storage media in good working order, and
(c) Locating storage media appropriately at either on-site or off-site
facilities.

DOCUMENTATION & PROGRAM LIBRARY FUNCTIONS
(a) Maintenance of documentation.
(b) Management of the inventory of acquired or licensed software.
(c) Documentation should be kept up to date.
(d) Illegal copies of software are not made.
(e) Compliance with terms and conditions of licensing agreements.
(f) Suitable backup for the software.
Operations management often has responsibility for managing the day-to-day activities
associated with an outsourcing contract. Four types of control must be exercised:
(a) Ongoing evaluation of the financial viability of the outsourcing vendor,
(b) Ensuring compliance with the outsourcing contract's terms and
conditions,
(c) Monitoring the outsourcing vendor's ongoing operations, and
(d) Maintaining procedures for disaster recovery with the outsourcing
vendor.

IS Organization Structure and Responsibilities
Organization and management controls include those controls that provide protection
for the actual or tangible physical environment, as well as for the staffing and
operation of the information processing facility (IPF). Organizational and
management controls provide effective and efficient operations staffed with qualified
and dependable personnel. Proper levels of responsibility should be clearly defined and
provide for an adequate separation of duties.
Organization and management controls within the IPF encompass the following:
- Sound human resource policies and management practices.
- Separation of duties among the information processing environment and
other organizational environments or functions.


- Separation of duties within the information processing environment.
- Methods to assess effective and efficient operations.

Line Management Structure
The following persons may report to the IS director:
i) Control Group: Members of the operations area that are responsible for
the collection, logging and submission of input for the various user groups.
ii) System Development Manager: Responsible for programmers and analysts who
implement new systems & maintain existing systems.
iii) Help Desk: Responsible for assisting end users to employ end-user hardware
& software and providing technical support for production systems by assisting
with problem resolution.
iv) End User: Responsible for operations related to business application
services; used to distinguish the person for whom the product was designed
from the person who programs, services or installs applications.
v) End User Support Manager: Responsible as liaison b/w the IS deptt and the
end user.
vi) Data Management: Responsible for the data architecture in larger IT
environments and tasked with managing data as a corporate asset.
vii) Database Administrator: Responsible for maintenance and integrity of the
organization's database systems.
viii) Technical Support Manager: Responsible for system programmers who
maintain the system software.
ix) Security Administrator: Responsible for implementing information security
policy and providing assurance that adequate physical and logical security for
IS programs, data and equipment is carried out.
x) System Administrator: Responsible for maintaining major multi-user
computer systems, including local area networks.
xi) Operations Manager: Responsible for computer operations personnel,
including computer operators, librarians, schedulers and data control
personnel.



xii) Network Manager/Administrator: Responsible for planning, implementing &
maintaining the telecommunications infrastructure, and may also be responsible
for voice networks.
xiii) Quality Assurance Manager: Responsible for negotiating and facilitating
quality activities in all areas of information technology, although most
frequently quality initiatives are focused on systems development activities.

Job descriptions and organizational structure charts are important items for all
employees to have, as they provide a clear definition of their job responsibilities and
authority. Given the dynamic nature of information technology, job descriptions and
organization structure can change frequently. Therefore, it is important that
procedures be in place to maintain them.

Functional Areas in Information Processing Environment
- Operations (From book)
- Systems analysis
- Data entry
- Application programming
- Control group
- Librarian
- Network management
- Security administration
- Help desk administration
- Quality assurance
- System programming
- Database administration

Security Administrator's Functions
- Maintaining security and confidentiality over the issuance and maintenance of
authorized user IDs and passwords.
- Monitoring security violations and taking corrective action to ensure that
adequate security is provided.
- Periodically reviewing and evaluating the security policy and suggesting
necessary changes to management.
- Preparing and monitoring the security awareness program for all employees.
- Testing the security architecture to evaluate the security strengths & detect
possible threats.
- Maintaining access rules to data & other IT resources.



Data Entry
- Batch entry
- Online entry

Tasks Performed in Data Entry
- Receives source documents from various departments and ensures proper
safekeeping of such until processing is complete and source documents and
output are returned.
- Prepares batches of source documents with accurate control totals.
- Schedules and sets up the jobs to process input.
- Verifies, logs and distributes output to the appropriate department, with
special care for confidential information.

A supervisor should be assigned to ensure that the work is properly prepared and
submitted for processing. This individual should also ensure that all exception and
rejected inputs are brought to the attention of the originating department and
resubmitted in a timely fashion, and must ensure that the entry staff maintains
confidentiality and does not tamper with sensitive data.

Duties of System Administrator
- Adding and configuring new workstations.
- Setting up user accounts.
- Installing system-wide software.
- Performing procedures to prevent the spread of viruses.
- Allocating mass storage space.

Data Security
It includes the standards and procedures designed to protect data against accidental
or intentional unauthorized disclosure, modification or destruction. A critical part of
the management control exercised by the IPF is providing an adequate level of data
security. Data security covers many aspects of security and must be continually
modified and expanded to cover IS technological advances.
A data security program must effectively integrate:



i) Physical Security: such as safeguarding the hardware used during the processing of data and the media on which data are stored.
ii) Employee Education: this encompasses the need for data security and privacy; employees also must understand that disciplinary action will be taken against anyone who violates corporate guidelines in this area.
iii) Logical Security: such as software or hardware controls built into the system to prevent and detect unauthorized access to data.

Processing Controls
These include the items necessary to ensure that the organization receives timely, complete, accurate and secure processing of data. These controls are particularly pertinent to the work performed by the computer operations group, which includes:

Data control is often responsible for all the data necessary to run the various systems and for checking to ensure that the output information received is complete. Adequate, up-to-date control manuals are essential for each system. Manuals should state the source of the various forms of input and when such input should be available.

Production control is often responsible for job scheduling, job submission and media management. Job scheduling may be done manually or with scheduling software, and is essential if the computer resources are to be used at optimum efficiency.

Database Administration
The DBA defines and maintains the data structures in the corporate database systems. He is responsible for the actual design, definition and proper maintenance of the corporate databases. The DBA has the tools to establish control over the database and the ability to override these controls. The DBA also has the capability of gaining access to all data, including production data. It is usually not practical to prohibit or completely prevent access by the DBA to production data.

DBA's Roles
i) Specifying physical (computer oriented) data definitions.
ii) Changing physical data definitions to improve performance.
iii) Selecting and implementing database optimization tools.
iv) Testing and evaluating programmer and optimization tools.
v) Answering programmer queries and educating programmers in the database structures.



vi) Implementing database definition controls, access controls, update controls and concurrency controls.
vii) Monitoring database usage, collecting performance statistics and tuning the database.
viii) Defining and initiating backup and recovery procedures.

IS Department Exercises Control over Database Administration Through

i) Segregation of duties.
ii) Management approval of DBA activities.
iii) Supervisory review of access logs.
iv) Detective controls over the use of database tools.

Reviewing Documentation in review of IT Planning / Strategy

Information technology strategies, plans & budget.

Organization / functional charts.

Security policy documentation.

Job descriptions.

Steering committee report.

System development and program change procedures.

Operations procedures.

Human resource manuals.

Information technology strategies, plans and budgets provide evidence of planning and management's control of the information system environment.

Security policy documentation provides the standard for compliance. It should state the position of the organization with regard to any and all security risks. It should identify who is responsible for safeguarding the company's assets, including programs and data. It should state the preventive measures to be taken to provide adequate protection and the actions to be taken against violations. For this reason it should be treated as a confidential document.

Organization / functional charts provide the IS auditor with an understanding of the reporting lines within a particular department or organization. They illustrate the division of responsibility and give an indication of the degree of segregation of duties within the organization.


Job descriptions define the functions and responsibilities of positions throughout the organization. They provide an organization with the ability to group similar jobs in different grade levels to ensure fair compensation of the workforce. Job descriptions should identify the position that the personnel report to.

Steering committee reports provide documented information regarding new system projects. These reports are reviewed by upper management and disseminated among the various business units.

System development and program change procedures provide a framework within which to undertake system development or program change.

Operations procedures describe the responsibilities of the operations staff.

Human resource manuals provide the rules and regulations determined by an organization for how it expects its employees to conduct themselves.

Interviewing and Observing Personnel

Observing personnel in the performance of their duties assists an IS Auditor in identifying:

Actual Functions:
Observation is the best test to ensure that the individual who is assigned and authorized to perform a particular function is the person who is actually doing the job. It allows the IS Auditor an opportunity to witness how policies and procedures are understood and practiced.

Security Awareness:
Security awareness should be observed to verify an individual's understanding and practice of good preventive and detective security measures to safeguard the company's assets and data.

Reporting Relationships:
Reporting relationships should be observed to ensure that assigned responsibilities and adequate separation of duties are being practiced.

Examples of IS Vision and Mission Statements

The mission / goal is to provide world class computer systems and to deliver quality computer services to users.

Put a viable information system planning process in place and ensure its continuity.


Install system planning mechanisms challenged and supported by IS management.

Provide relevant, reliable, useful, timely and meaningful data and information to a user located anywhere at any time, in a form that delivers the value and benefits to be received from the system.

Establish partnership relations with functional users, auditors, hardware and software vendors, business suppliers and customers in sharing data and system services.

Cultivate a mind-set among IS employees and develop a working environment in which the functional user is treated as a business client or customer.

Identify and analyze the drivers of IT and computing cost structures and reduce such costs where possible.

Achieve a balance between productivity and quality with the available resources.

Indicators of Potential Problems at the IPF

Unfavorable end-user attitudes
Excessive costs
Budget overruns
Late projects
High staff turnover
Inexperienced staff
Frequent hardware / software errors
Excessive backlog of user requests
Exception reports which were not followed up on
Slow computer response time
Numerous aborted / suspended projects
Unsupported / unauthorized purchases
Frequent hardware / software upgrades
Extensive exception reports
Poor motivation
Lack of succession plans
Reliance on one or two key personnel


CHAPTER 14

CRITICAL CHARACTERISTICS OF
INFORMATION
The value of information comes from the characteristic it possesses.

Availability
Availability enables users who need to access information to do so without
interference or obstruction, and to receive it in required format.

Accuracy
Information is accurate when it is free from mistakes or errors and it has the
value that the end users expect.

Authenticity
Authenticity of information is the quality or state of being genuine or original,
rather than a reproduction or fabrication. Information is authentic when it is
the information that was originally created, placed, stored, or transferred.

Confidentiality
The confidentiality of information is the quality or state of preventing disclosure or exposure to unauthorized individuals or systems. Confidentiality of information means ensuring that only those with the rights and privileges to access a particular set of information are able to do so, and that those who are not authorized are prevented from obtaining access.

Integrity
The quality or state of being whole, complete and uncorrupted is the integrity of information. The integrity of information is threatened when the information is exposed to corruption, damage, destruction or other disruption of its authentic state. The threat of corruption can occur while information is being stored or transmitted.

Utility
The utility of information is the quality or state of having value for some purpose; information has value when it serves a particular purpose. This means that if information is available but not in a format meaningful to the end user, it is not useful.


Possession:
The possession of information is the quality or state of having ownership or control of some object or item. Information is said to be in the possession of one who obtains it, independent of format or other characteristics. Encryption protects the confidentiality of information, but possession may still change.

Components of an Information System


Software

People

Hardware

Procedure

Data

Network

INFORMATION SECURITY POLICY, STANDARD & PRACTICES


(IT security Policy should provide following responsibilities)

Organization
The information security policy should provide general guidance on the
allocation of security roles and responsibilities in the organization. All
responsibilities regarding information security management must be well
defined which includes information security management personnel and
management. Following responsibilities could be assigned to different levels of
management in the organization.

Executive Management
Executive management in the organization is responsible for overall information system asset protection. Executive management has to show commitment to information security management by providing budgets and following up on information security management policies and plans.

Security Committee
In order to implement the security policies and procedures in the organization, a security committee may be formed. Formal terms of reference may also be formulated for this committee, and its recommendations adopted by the organization.


Data Owners:
Data owners have the responsibility of maintaining the accuracy, completeness and integrity of data within business processes.

Process Owners:
Process owners have to ensure that the processes running on computer systems are secure and are in line with the procedures defined in the scope of the security policies of the organization.

IT Developers:
IT developers are responsible for implementing the security policy in the organization.

Security Specialists / Advisers
An organization may hire security specialists / advisers in order to disseminate the organizational security policy, standards and procedures and to assist management and IT developers in designing and implementing them.

Users:
IT / IS users of the organization are responsible for having full knowledge of all policies and procedures developed within the organization. Users also have a heavy responsibility for protecting the organization's information assets.

IS Auditors
IS Auditors are responsible for providing independent assurance to management regarding the aptness and effectiveness of information security objectives and their implementation in the organization.

COMPUTER CRIME ISSUES AND EXPOSURES

INTRUDERS OF COMPUTER CRIMES

(a) Hackers
A hacker is a person who attempts to invade the privacy of a computer system. Hackers are normally skilled programmers and have been known to crack system passwords with consummate ease.



(b) Employees
Unauthorized employees within the organization intentionally attempt to break the security implementations and try to gain access to organizational information assets, while authorized employees may cause loss to assets intentionally or by mistake.

(c) IS Personnel
These have the easiest access to organizational information, since they are the custodians of information assets. Good segregation of duties, apart from checks like logical access controls, will ensure a reduction in attacks on assets from this category of personnel.

(d) Outsiders
This may include organized criminals like hackers, competitors or crackers (paid hackers).

PHYSICAL EXPOSURE AND CONTROLS


FIRE DAMAGE
Fire is often the most serious threat to the physical security of information system assets. A well designed fire-protection plan should be made in the organization. Such a plan may include:
(a) Both automatic and manual fire alarms are placed in computer rooms etc.
(b) Automatic fire extinguishers are placed at strategic places in the organization.
(c) When a fire alarm is activated, a signal is sent automatically to a control station that is always staffed.
(d) To minimize the risk of extensive damage from electrical fires, electrical wiring should be placed in fire resistant panels and conduit.
Security administrators should arrange regular inspections and tests of all fire protection systems and ensure that they are properly serviced. Periodic training of staff in the use of such equipment should also be arranged.

WATER DAMAGE
Water damage to IS assets might result from fire, or could also happen due to other natural disasters like floods or torrential rains. To protect against it, the following measures may be taken:
(a) Installation of water proof ceilings and walls
(b) Proper drainage system existence in premises



(c) Installation of alarms in important places
(d) All material information systems assets be placed above water levels in flood-prone areas
(e) Cover hardware devices with protective covers when not in use.

ENERGY VARIATIONS
Energy variations occur from an increase in power (surges or spikes), a decrease in power (sags or brownouts), or loss of power (blackouts). Voltage regulators and circuit breakers may be used to avoid such instances. A UPS may also be used, or two different sources of power, to avoid blackouts.

TERRORIST ACTIVITIES
Political terrorism is the main risk, but there are also threats from individuals with grudges. In some cases there is very little that an organization can do: its buildings may just happen to be in the wrong place and bear the brunt of an attack aimed at another organization or intended to cause general disruption.
There are some avoidance measures that should be taken, however:
(a) Physical access to buildings should be controlled.

ACCIDENTAL DAMAGE
People are a physical threat to computer installations and a cause of accidental damage to them.
Combating accidental damage is a matter of:
(a) A sensible attitude to office behavior.
(b) Good office layout.
(c) Checking new software with antivirus software before it is installed.
(d) Educating users about the dangers of viruses and the ways to prevent infection.

PHYSICAL ACCESS EXPOSURES AND CONTROL


PHYSICAL ACCESS ISSUES AND EXPOSURES

Unauthorized entry
Damage
Vandalism/Sabotage (Strikes)


Theft
Copying or viewing of sensitive data
Alteration of sensitive equipment and information
Public disclosure of sensitive information
Abuse of data processing
Blackmailing
Embezzlement

PHYSICAL ACCESS CONTROLS

Security guards
Bolting/secure door locks
Combination door locks (multiple kinds of locks)
Electronic doors
Deadman doors (e.g. bank lockers: only one person can enter at one time)
Controlled single entry point
Alarm system
Manual logging
Electronic logging
Identification
Video cameras
Secured report distribution carts
Bonded personnel (a fixed set of people allowed to enter)
No advertising of sensitive locations
Computer workstation

PERSONAL COMPUTER /LAPTOPS PHYSICAL AND LOGICAL SECURITY

Engraving the company name
Logging of serial numbers
Physical locking (e.g. IBM steel hangers)
Theft response team
Backup of data
Passwords on files
Data encryption

AREAS TO BE COVERED FOR PHYSICAL ACCESS CONTROL

Physical access controls are designed to prevent intruders from getting access to the physical assets of the company, like computer equipment and storage media etc. The following are the areas which should be physically protected from intruders:

Programming areas
Computer rooms
Office back up facilities
Operator console
Power sources
Tape library, tape disks
Telecommunication
Storage rooms & supplies
Printing facilities
Door locks
Access logging
Card entry system
Biometric access
Micro computers


LOGICAL ACCESS CONTROLS

Logon IDs and passwords

Password policies

Biometric devices

Single Sign-on (SSO)

LOGICAL THREATS
VIRUSES
A virus is a piece of software which infects programs and data and which replicates itself. Viruses need an opportunity to spread. Virus programmers therefore place viruses in the kind of software which is most likely to be copied. This includes:
(a) Free software
(b) Pirated software
(c) Games software

PROTECTION AGAINST VIRUS ACTIVITIES:

To reduce expected losses from viruses, security administration can implement the following types of controls.

Preventive:
(a) Use only clean, certified copies of software files.
(b) Do not use public domain / shareware software or files unless they have been checked for viruses.
(c) Use individual login IDs and passwords to ensure the security of assets, and also maintain the physical security of assets.
Detective:
(a) Regularly run antivirus software to detect infections. Carry out file size comparisons to check whether the size of programs has changed.
(b) Undertake date/time stamp comparisons to determine whether unauthorized modifications have been made to software.
Corrective:
(a) Ensure a clean backup is maintained.
(b) Have a documented plan for recovery from virus infection.
(c) Run antivirus software to remove infections.
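The detective controls above (file size and date/time stamp comparisons) can be automated against a baseline recorded while the software is known to be clean. The following Python script is an added example and not part of the original notes; the directory, file names and contents are constructed, and it adds a SHA-256 hash alongside the two checks the notes describe, because a same-size edit with its timestamp put back passes size and timestamp comparisons alone.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def fingerprint(path):
    """The attributes a detective control compares: size, modification time and a content hash."""
    st = path.stat()
    return {
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
    }


def build_baseline(root):
    """Fingerprint every regular file under root while it is known to be clean."""
    root = Path(root)
    return {str(p.relative_to(root)): fingerprint(p) for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(baseline, root):
    """Return {relative_path: [reasons]} for every file that differs from the baseline."""
    current = build_baseline(root)
    findings = {}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings[rel] = ["missing"]
            continue
        reasons = []
        if new["size"] != old["size"]:
            reasons.append("size changed")          # the notes' file size comparison
        if new["mtime_ns"] != old["mtime_ns"]:
            reasons.append("timestamp changed")     # the notes' date/time stamp comparison
        if new["sha256"] != old["sha256"]:
            reasons.append("content changed")       # catches edits that keep size and timestamp intact
        if reasons:
            findings[rel] = reasons
    for rel in sorted(current.keys() - baseline.keys()):
        findings[rel] = ["unexpected new file"]
    return findings


def demo():
    """Constructed scenario: baseline a clean program directory, then simulate three kinds of tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payroll.exe").write_bytes(b"constructed program image")
        (root / "report.bat").write_bytes(b"@echo off\r\nrun report\r\n")
        (root / "config.ini").write_bytes(b"[main]\ndebug=0\n")
        # The baseline would be kept offline; round-trip it through JSON as it would be on disk.
        baseline = json.loads(json.dumps(build_baseline(root)))

        # 1. Code appended to a program: size, timestamp and hash all change.
        with open(root / "payroll.exe", "ab") as fh:
            fh.write(b" appended bytes")
        # 2. Same-size edit with the original timestamp put back: only the hash reveals it.
        cfg = root / "config.ini"
        st = cfg.stat()
        cfg.write_bytes(b"[main]\ndebug=1\n")
        os.utime(cfg, ns=(st.st_atime_ns, st.st_mtime_ns))
        # 3. A file dropped into the directory that the baseline never contained.
        (root / "update.exe").write_bytes(b"unknown")

        return compare_to_baseline(baseline, root)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", ", ".join(reasons))
```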



TROJANS
A Trojan is a program that, while visibly performing one function, secretly carries out another. For example, a program could be running a game while simultaneously destroying a data file or another program. A Trojan's work is immediate and obvious. They are easy to avoid as they do not copy themselves onto the target disk.

WORMS
Whereas a Trojan attacks from without, a worm, which is a type of virus, attacks from within. A worm is a program that survives by copying and replicating itself inside the computer system it has entered, without necessarily altering that system. Other viruses attach themselves to a program.

TRAP DOOR
A trap door is an undocumented entry point into a computer system. It is not to be found in the design specification but may be put in by software developers to enable them to bypass access controls while working on a new piece of software. Because it is not documented, it may be forgotten and rediscovered, by a hacker perhaps, at a later date.

LOGIC BOMBS
A logic bomb is a piece of code triggered by certain events. A program will behave normally until a certain event occurs, for example when disk utilization reaches a certain percentage. A logic bomb, by responding to set conditions, maximizes damage.

TIME BOMBS
A time bomb is similar to a logic bomb, except that it is triggered at a certain date.
Companies have experienced virus attacks on April Fools Day and on Friday 13th.
These were released by time bombs.

SPAM
Spam is flooding the internet with many copies of the same message in an attempt to force the message on people who would not otherwise choose to receive it. Most spam is commercial advertising, often for dubious products, get-rich-quick schemes or quasi-legal services. Spam costs the sender very little to send; most of the costs are paid by the recipient or the carriers rather than by the sender.

Cancellable spam
Email spam

SNIFFERS
A sniffer is a program or device that can monitor data traveling over a network. Sniffers can be used both for legitimate network management functions and for stealing information from a network. Unauthorized sniffers can be extremely dangerous to a network's security, because they are virtually impossible to detect. They often work on TCP/IP networks, where they are sometimes called packet sniffers.

SPOOFING
IP spoofing is one of the most common forms of online camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by spoofing the IP address of that machine.

NON BLIND SPOOFING

This type of attack takes place when the attacker is on the same subnet as the victim. The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately. The biggest threat of spoofing in this instance would be session hijacking. This is accomplished by corrupting the data stream of an established connection, then re-establishing it based on correct sequence and acknowledgement numbers with the attack machine. Using this technique, an attacker could effectively bypass any authentication measures taken to build the connection.

MAN IN THE MIDDLE ATTACK

In these attacks, a malicious party intercepts a legitimate communication between two friendly parties. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by spoofing a source presumably trusted by the recipient.

ROUNDING DOWN (SALAMI TECHNIQUE)

Rounding down involves drawing small amounts of money from a computerized transaction or account and rerouting these amounts to the operator's account. The term rounding down refers to rounding small fractions of a denomination down and transferring these small fractions into the unauthorized account. Since the amounts are so small, they are rarely noticed.
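Two audit checks catch this technique even though each individual amount is too small to notice: a sign test on the rounding residuals of a posting run (an honest rounding rule rounds up as often as down) and a reconciliation of where the shaved fractions were booked. The Python script below is an added example, not part of the original notes; the interest amounts, customer accounts and the "SUSPENSE-9999" sink account are constructed.

```python
from decimal import Decimal, ROUND_HALF_EVEN, ROUND_DOWN

CENT = Decimal("0.01")

# Constructed interest run: exact amounts computed to four places before being posted to two.
EXACT_AMOUNTS = [Decimal(x) for x in (
    "12.3456", "7.8912", "150.0049", "33.3333", "0.9999",
    "42.4250", "88.8888", "5.5555", "19.9901", "61.2377",
)]


def honest_posting(exact):
    """What a correctly built system does: round to the nearest cent (ties to even)."""
    return exact.quantize(CENT, rounding=ROUND_HALF_EVEN)


def skimming_posting(exact):
    """What the salami scheme does: always round the customer down; the fractions go elsewhere."""
    return exact.quantize(CENT, rounding=ROUND_DOWN)


def build_batch(exact_amounts, posting_rule):
    """Rows of (account, exact, posted), as an auditor would pull them from the run's logs."""
    return [(f"CUST{i:03d}", e, posting_rule(e)) for i, e in enumerate(exact_amounts, start=1)]


def detect_rounding_bias(batch, min_rows=8):
    """Residuals (exact - posted) of an honest run carry both signs and sum near zero.
    A run in which no row was ever rounded up is the tell-tale of systematic rounding down.
    A system that legitimately truncates also shows this bias, so the sink check below is
    what separates fraud from a design choice. Returns (flagged, total_residual, rows_rounded_down)."""
    residuals = [exact - posted for _acct, exact, posted in batch]
    rounded_down = sum(1 for r in residuals if r > 0)
    rounded_up = sum(1 for r in residuals if r < 0)
    total = sum(residuals, Decimal(0))
    flagged = len(residuals) >= min_rows and rounded_up == 0 and rounded_down > 0
    return flagged, total, rounded_down


def find_sink_accounts(batch, other_postings):
    """The shaved fractions must be booked somewhere for the operator to collect them.
    Given the batch and every other posting in the same run ({account: amount}), return the
    accounts whose posting equals the total residual; a clean run leaves nothing to match."""
    _flag, total, _n = detect_rounding_bias(batch)
    return {acct: str(amt) for acct, amt in other_postings.items() if amt == total and total != 0}


def demo():
    """Run both posting rules over the same exact amounts and summarise the control results."""
    honest = build_batch(EXACT_AMOUNTS, honest_posting)
    skimmed = build_batch(EXACT_AMOUNTS, skimming_posting)
    h_flag, h_total, _ = detect_rounding_bias(honest)
    s_flag, s_total, s_down = detect_rounding_bias(skimmed)
    # Constructed other postings from the same run: a legitimate fee entry and the operator's sink.
    other = {"FEE-INCOME": Decimal("3.00"), "SUSPENSE-9999": Decimal("0.0520")}
    return {
        "honest_flagged": h_flag, "honest_total": str(h_total),
        "skimmed_flagged": s_flag, "skimmed_total": str(s_total), "skimmed_rows_down": s_down,
        "honest_sinks": find_sink_accounts(honest, other),
        "skimmed_sinks": find_sink_accounts(skimmed, other),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```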

LOGICAL ACCESS CONTROL SOFTWARE

It operates in the operating system.
It may also be in databases / programs.

Functions:
User identification (logon IDs) and authentication (passwords)
Apply restrictions
Create or change user profiles / settings
Create accountability (record each and every thing) and auditability (audit of the record)
Log events
Log user activities
Reporting capabilities (e.g. the "don't send" error report message in Windows XP)

Identification and Authentication (Internal Audit System)

The process of proving one's identity; it is the first line of accountability.

Identification and Authentication systems are based on three things:

a) Something you know (logon IDs and passwords)
b) Something you have (ID card)
c) Something you are (biometrics)

Identification and Authentication system examples:
a) Logon IDs and passwords
b) Token devices (video games)
c) One time passwords
d) Biometrics:
Thumb prints
Finger prints
Palm readers
Hand geometry
Iris checking
Retinal imaging
Facial imaging
Signature recognition
Voice recognition
e) Single Sign On (SSO)
Instead of a separate password for every server, one password gives access to every server; this is the most dangerous arrangement (e.g. MSN Messenger).

SECURITY BYPASS FEATURES

Physical example: entry is blocked, but bypassed due to influence, position or special privilege.

Bypass should be disabled for everyone.

Features to be considered
a) Label processing: bypass off; label processing on.
b) Special system logon IDs
Every system has logon IDs: when you install Windows there is an administrator account, and then other IDs such as guest users; these are called special system logon IDs and should be disabled.
c) System exits
These should not be available to users; they exist for complex maintenance tasks / tailoring. There are things which cannot be recorded by the system, e.g. in a cell phone, removing the battery or SIM cannot be recorded by the system.

NETWORK INFRASTRUCTURE SECURITY

I. Controls in a network environment
a) Qualified people are hired for networking
b) Segregation of duties
c) Restrictions on important functions
d) Terminal identification file (when you log on/off)
e) Encrypted transmission: data has to be encoded

II. LAN (Client Server) Security

i. Risks associated with LAN
Loss of data and program integrity
Viruses
License issues
External access (outsiders may access the LAN)



Illegal access (hackers may access the LAN)
Destruction of auditing and logging data
ii. Controls of LAN
Dial/call back modems
Turn off call forwarding (first goes to a specific number) or divert on terminal (goes directly to another number)
III. Internet threats and security
a) Threats
Viruses
Hackers
b) Security
Antivirus
Dial back mechanism, firewall
IV. Types of network attacks

i. Passive attacks
Get knowledge before going for an active attack.
Three methods of passive attack:
a) Network analysis
Scan operating system, services and ports / software ports (monitoring the operating system); ports (software ports) e.g. the http port
b) Eavesdropping (wiretapping)
c) Traffic analysis
Look at the nature of the traffic flow: audio, video, graphic, session length (data packets), message length and frequency of packets.

ii. Active attacks

Five methods of active attack:
1. Brute force attack (try out all possible combinations of passwords; a deadly attack)
2. Impersonation / spoofing / masquerading
3. Packet replay (copy a packet, replay it, join it with your own packets and gain access to the system)
4. Email bombing
5. DOS - DDOS (Denial of service - Distributed DOS)
DOS: e.g. one student asks all the questions; huge email
DDOS: e.g. distribute the questions among the students
Engaging the server (huge email; server busy)
Bouncing back all requests (requests do not reach the server)
Blocking a specific user (block one specific user)



SUBVERSIVE THREATS can be active or passive
In a passive attack the intruders attempt:
to learn the characteristics of the data being transmitted, so the privacy of data is violated
to read and analyze the clear text source and destination identifiers attached to a message for routing purposes, while the content of the data remains the same
to examine the length and frequency of messages
Examples are traffic analysis, release of message content, invasive tap.

In an active attack, intruders could:
insert a message in the message stream being transmitted
delete the message being transmitted
modify the contents of a message
duplicate messages
alter the order of messages
deny message services between sender and receiver by corrupting, discarding or delaying messages

IDS (INTRUSION DETECTION SYSTEM)

An IDS inspects all inbound and outbound network activity and identifies suspicious patterns. There are several types of IDS.
Types of IDS
a) Misuse detection system
The IDS analyses the information it gathers and compares it to large databases of attack signatures.
b) Anomaly detection (abnormal detection)
The system administrator defines the baseline / normal state of the network's traffic load, breakdown, protocols and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and looks for anomalies.
c) Network based system
Detects individual malicious packets flowing through the network that are designed to be overlooked by a firewall.
d) Host based system
Examines activities on each individual computer or host.
e) Passive system
Detects a potential security breach, logs the information and signals an alert.
f) Reactive system
Responds to the suspicious activities by logging off a user or re-programming the firewall.
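The misuse and anomaly detectors described above, as an added Python example that is not part of the original notes: the flow records, addresses and thresholds are constructed, a single "port sweep" rule stands in for a real signature database, and the anomaly detector learns the protocol mix and packet-size distribution from a constructed baseline capture, as the administrator-defined baseline in (b) would be.

```python
import statistics
from collections import defaultdict

# Constructed flow records: (time_s, src, dst, dport, proto, bytes).
# BASELINE_FLOWS stands for traffic captured while the administrator declared the network normal.
BASELINE_FLOWS = [
    (0, "10.0.0.5", "10.0.1.10", 80, "tcp", 400),
    (1, "10.0.0.5", "10.0.1.10", 443, "tcp", 600),
    (2, "10.0.0.7", "10.0.1.53", 53, "udp", 500),
    (3, "10.0.0.8", "10.0.1.10", 80, "tcp", 500),
    (4, "10.0.0.7", "10.0.1.10", 443, "tcp", 300),
    (5, "10.0.0.9", "10.0.1.25", 25, "tcp", 700),
    (6, "10.0.0.5", "10.0.1.53", 53, "udp", 450),
    (7, "10.0.0.8", "10.0.1.10", 443, "tcp", 550),
]

# Live traffic to inspect: normal browsing plus three things the IDS should raise.
LIVE_FLOWS = [
    (100, "10.0.0.5", "10.0.1.10", 80, "tcp", 420),
    (100, "10.0.0.66", "10.0.1.10", 21, "tcp", 60),    # one source touching many ports...
    (101, "10.0.0.66", "10.0.1.10", 22, "tcp", 60),
    (101, "10.0.0.66", "10.0.1.10", 23, "tcp", 60),
    (102, "10.0.0.66", "10.0.1.10", 25, "tcp", 60),
    (102, "10.0.0.66", "10.0.1.10", 80, "tcp", 60),
    (103, "10.0.0.66", "10.0.1.10", 443, "tcp", 60),   # ...six distinct ports in four seconds
    (104, "10.0.0.23", "10.0.1.10", 443, "tcp", 9000), # far outside the baseline packet sizes
    (105, "10.0.0.77", "10.0.1.10", 0, "icmp", 64),    # a protocol never seen in the baseline
    (106, "10.0.0.5", "10.0.1.53", 53, "udp", 480),
]


def learn_baseline(flows):
    """Anomaly detection, step one: summarise what 'normal' looks like (protocol mix, packet size)."""
    sizes = [f[5] for f in flows]
    return {
        "protocols": {f[4] for f in flows},
        "mean_bytes": statistics.mean(sizes),
        "stdev_bytes": statistics.pstdev(sizes),
    }


def misuse_detect(flows, distinct_ports=5, window_s=10):
    """Misuse detection: match a known signature, here a port sweep (one source contacting
    at least distinct_ports different destination ports within window_s seconds)."""
    by_src = defaultdict(list)
    for t, src, _dst, dport, _proto, _size in flows:
        by_src[src].append((t, dport))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        for t0, _ in events:
            ports = {p for t, p in events if t0 <= t < t0 + window_s}
            if len(ports) >= distinct_ports:
                alerts.append(("port-scan", src, len(ports)))
                break  # one alert per offending source
    return alerts


def anomaly_detect(flows, baseline, k=3):
    """Anomaly detection, step two: flag packets far larger than the learned size distribution
    (mean + k standard deviations) and protocols the baseline never contained."""
    upper = baseline["mean_bytes"] + k * baseline["stdev_bytes"]
    alerts = []
    for _t, src, _dst, _dport, proto, size in flows:
        if proto not in baseline["protocols"]:
            alerts.append(("unknown-protocol", src, proto))
        if size > upper:
            alerts.append(("oversized-packet", src, size))
    return alerts


if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    for alert in misuse_detect(LIVE_FLOWS) + anomaly_detect(LIVE_FLOWS, base):
        print(alert)
```

Run against the baseline capture itself, neither detector raises an alert, which is the sanity check to perform before trusting either on live traffic.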



The Difference between IDS and Firewall

Firewall: installed at the meeting point; checks both inbound and outbound activities.
IDS: installed in your server; checks only outbound activities.

HR Termination Policies
There should be clearly defined steps of the termination policy in writing. The policy should address both types of termination:

Voluntary
Involuntary (may be dangerous)

Control Procedures
Return all access keys.
Delete logon IDs and passwords.
Notify other staff about the terminated employee.
Arrange final pay.
Termination / exit interview.
Return all company property.
Escort the person to the main gate.

SECURITY PROGRAMME
A security programme is a series of on-going, regular, periodic reviews conducted to ensure that assets associated with the information systems function are safeguarded adequately. A security programme must have six features:
(a) Alignment:
The programme must be aligned with the organizational goals.
(b) Enterprise Wide:
Everyone in the organization must become part of the security programme.
(c) Continuity:
The programme must be operational continuously without any disruption.
(d) Validation:
The security programme must be tested and validated to ensure its operability.



(e) Proactive:
The organization should not wait for something to happen; rather it must use innovative, preventive and protective measures.
(f) Formal:
It must be a formal programme with authority, responsibility and accountability.

DISASTER RECOVERY PLAN

The purpose of a disaster recovery plan or contingency plan is to enable the information systems function to restore operations in the event of some types of disaster.
A comprehensive DRP comprises four parts:
(a) An emergency plan
(b) A backup plan
(c) A recovery plan
(d) A test plan

(a) An Emergency Plan

The emergency plan specifies the actions to be taken immediately when a disaster occurs. Management must identify those situations that require the plan to be invoked. When the situations that invoke the plan have been identified, four aspects of the emergency plan must be articulated.
(i) The plan must show who is to be notified immediately when the disaster occurs: management, police or fire department.
(ii) The plan must show any actions to be undertaken, such as shutdown of equipment, removal of files, and termination of power.
(iii) Any evacuation procedures required must be specified.
(iv) Return procedures (e.g. conditions that must be met before the site is considered safe) must be designated.

(b) Backup Plan
The backup plan specifies:
The type of backup to be kept.
The frequency with which backup is to be undertaken.

The procedures for making backup.
The location of backup resources.
The site where these resources can be assembled and operations restarted.
The personnel who are responsible for gathering backup resources and restarting operations.
The priorities to be assigned to recovering the various systems, and
A time frame in which recovery of each system must be effected.
The following resources must be considered:
Personnel (training and rotation of duties)
Hardware (outsourcing for provision)
Facilities (outsourcing for provision)
Documentation (inventory stored offsite and on site)
Supplies (inventory stored offsite and on site)
Data / information (inventory of files offsite and on site)
Application software (inventory of files offsite and on site)
System software (inventory of files offsite and on site)

(c) Recovery Plan
Whereas the backup plan is intended to restore operations quickly so that the information
systems function can continue to service an organization, recovery plans set out
procedures to restore full information system capabilities. Recovery plans depend on
the circumstances of a disaster. For example, they will depend on whether the disaster is
global or localized and, if localized, the nature of the machine, the applications, and
the data to be recovered. The plan should specify the responsibilities of the
committee and provide guidelines or priorities to be followed. The plan might also include
which applications are to be recovered first.

(d) Test Plan
The final component of a DRP is a test plan. The purpose of a test plan is to identify
deficiencies in the emergency, backup or recovery plans or in the preparedness of an
organization and its personnel in the event of a disaster. It must enable a range of
disasters to be simulated and specify the criteria by which emergency, backup and
recovery plans can be deemed satisfactory.



To facilitate testing, a phased approach can be adopted. First, the DRP can be tested
by desk checking, inspection and walk-through, much like the validation procedures
adopted for programs. Next, a disaster can be simulated at a convenient time. Finally,
a disaster could be simulated without warning at any time. These are the acid tests of
the organization's ability to recover from a real disaster.

BACKUP OPTIONS
Following are some viable backup options security administrators should consider:
(a) Cold Site
If an organization can tolerate some downtime, cold site backup might be
appropriate. A cold site has all the facilities needed to install a mainframe
system: raised floors, air conditioning, power, communication lines, and so
on. The mainframe is not present, however, and it must be provided by the
organization wanting to use the cold site.

(b) Hot Site
If fast recovery is critical, an organization might need hot site backup. All
hardware and operations facilities will be available at the hot site. In some
cases, software, data and supplies might also be stored there. Hot sites are
expensive to maintain. They usually are shared with other organizations that
have hot site needs.

(c) Warm Site
A warm site provides an intermediate level of backup. It has cold site facilities
plus hardware that might be difficult to obtain or install, e.g. a warm site
might contain selected peripheral equipment plus a small mainframe with
sufficient power to handle critical applications in the short run.

(d) Reciprocal Agreement
Two or more organizations might agree to provide backup facilities to each
other in the event of one suffering from a disaster. This backup option is
relatively cheap, but each participant must maintain sufficient capacity to
operate another's critical systems. Reciprocal agreements are often informal in
nature.

If a third party site is to be used for backup and recovery purposes, security
administrators must ensure that a contract is written to cover such issues as:



(i) How soon the site will be made available subsequent to a disaster.
(ii) The number of organizations that will be allowed to use the site concurrently in the event of a disaster.
(iii) The priority to be given to concurrent users of the site in the event of a common disaster.
(iv) The period during which the site can be used.
(v) The conditions under which the site can be used.
(vi) The facilities and services the site provider agrees to make available.
(vii) What controls will be in place and working at the off-site facility.

BUSINESS CONTINUITY PLANNING (BCP)
BCP is the act of proactively working out a way to prevent and manage the
consequences of a disaster, limiting it to the extent that a business can afford. BCP
determines how a company will keep functioning until its normal facilities are
restored after a disruptive event.
There are two key performance indicators (KPIs) that measure across the business
continuity spectrum.
(a) Recovery point objective (RPO)
The pre-incident point in time that data must be recovered to in order to resume
business transactions (the acceptable transaction data loss).
(b) Recovery time objective (RTO)
The maximum elapsed time required to recover data and processing
capability.

1. Business impact analysis (BIA)
Business impact analysis is performed to determine the impacts associated
with disruptions to specific functions or assets in a firm. These include
operating impact, financial impact and legal or regulatory impact.
2. Risk Analysis
Risk analysis identifies important functions and assets that are critical to a
firm's operations, and then subsequently establishes the probability of a
disruption to those functions and assets. Once the risk is identified and
established, objectives and strategies to eliminate avoidable risks and
minimize impacts of unavoidable risks can be set. A list of critical business
functions and assets should first be compiled and prioritized.
3. Disaster Recovery Plan
DRP is an IT-focused plan designed to restore operability of the target
systems, applications, or computer facility at an alternate site after an
emergency. A DRP addresses major site disruptions that require site
relocation. The DRP applies to major, usually catastrophic, events that deny
access to the normal facility for an extended period.
4. Disaster tolerance
Disaster tolerance defines an environment's ability to withstand major
disruptions to systems and related business processes. Disaster tolerance at
various levels should be built into an environment and can take the form of
hardware redundancy, high availability/clustering solutions, multiple data
centers, eliminating single points of failure, and disaster solutions.

Bare Metal Recovery
A bare metal recovery describes the process of restoring a complete system,
including system and boot partitions, system settings, applications, and data, to their
original state at some point prior to a disaster.


CHAPTER 15

NETWORK INFRASTRUCTURE SECURITY
TCP/IP: THE LANGUAGE OF THE INTERNET
TCP/IP includes both network-communication and application-support protocols. The
TCP/IP protocols are defined as follows:

(a) Remote terminal control protocol (telnet)
This terminal-emulation protocol enables users to log on to remote systems and use
resources as if they were connected locally.

(b) File transfer protocol (FTP)
FTP enables users and systems to transfer files from one computer to another
on the internet. FTP allows for user and anonymous logins based on
configuration. FTP can be used to transfer a variety of file types and does not
provide secure communication (encryption) during login or file transfer.

(c) Simple mail transfer protocol (SMTP)
This protocol provides standard electronic mail (email) transfer services.

(d) Domain Name Service (DNS)
This protocol resolves hostnames to IP addresses and IP addresses to
hostnames. That is, www.google.com would resolve to IP address
66.33.202.245. DNS servers have hierarchical distributed database systems
that are queried for resolution; the service enables users to remember names
instead of having to remember IP addresses.

(e) Network File System (NFS)
This protocol allows a computer to access files over a network as if they were
on its local disk.



(f) Transmission Control Protocol (TCP)
This transport-layer protocol establishes a reliable, full-duplex data delivery
service that many TCP/IP applications use. TCP is a connection-oriented
protocol, which means that it guarantees the delivery of data and that the
packets will be delivered in the same order as they were sent.

(g) User Datagram Protocol (UDP)
This transport-layer protocol provides connectionless delivery of data on the
network. UDP does not provide error-recovery services and is primarily used
for broadcasting data on the network.

(h) Internet Protocol (IP)
This protocol specifies the format of packets (datagrams) that will be
transported on the network. IP only defines the format of packets, so it is
generally combined with a transport protocol such as TCP.

(i) Internet Control Message Protocol (ICMP)
This protocol is an extension of the Internet Protocol (IP). It supports packets
that contain error, control, and informational messages. The ping command,
used to test network connectivity, uses the ICMP protocol.

(j) Address Resolution Protocol (ARP)
This network-layer protocol is used to convert an IP address (logical address)
into a physical address. When a host on the network wants to obtain a
physical address, it broadcasts an ARP request. The host on the network that
has the IP address replies with its physical address.

(k) X.25
This is a data communications interface specification developed to describe
how data passes into and out of a packet-switched network. The X.25 protocol
suite defines protocol layers 1-3.

NETWORK
A network is a connection of autonomous processes. Two or more processes are said to
be autonomous if they can work independently of each other as well as
collectively.


The processes in our mobile phones do not form a network because they are not intelligent
enough to work independently. Similarly, if several I/O devices are attached to a
super, mainframe or minicomputer, it is not a network because the I/O devices are not
able to work independently if they are disconnected. However, if two or more micro
computers are connected with each other and they are able to work independently as
well as in a sharing network, then it is a NETWORK.
NETWARE (SOFTWARE NEEDED TO RUN THE NETWORK)
Client Server
One computer is the server and the other computer is the client. The biggest example might be
the internet, in which we are the clients of an internet ISP. Again, ISPs are clients of
internationally recognized networking bodies (Hyundai, AT & T, British Telecom).
Peer to Peer
No one is server, no one is client. Every machine is a server and every machine is a
client.
FOUR REASONS FOR FORMING A NETWORK
Sharing of data/information
Sharing of resources (e.g. printer, hard disk, CD drive)
Sharing of services (e.g. internet service, stock exchange service)
Security (You cannot take data away from the network hard disk. A lot of
restrictions are imposed even to access data.)

APPLICATION SERVICE PROVIDER (ASP)
(Outsourcing vendor on internet / WAN)

Functions
Own and operate the server
Own and operate the software application
Employ people who operate / run the system
Service anywhere and everywhere
Charge a nominal fee.

Advantages
Low or no setup cost
Pay as you go
No specialization
User has his own bandwidth
Flexibility

Disadvantages
Same as outsourcing

Serious points to consider
1. Customer access:
Browser for websites
Special browsers, e.g. at an airport terminal we can use the internet
2. Customer issues:
Training
Queries
3. Secure connection
4. Dedicated or shared application server (dedicated is recommended)
5. Problem resolution capacity
6. Level of redundancy / backup
7. Disaster recovery
8. Data ownership
9. Data security
10. Transfer of data between in-house application and ASP
11. How to switch to another ASP.

IP SPOOFING
This is where one host claims to have the IP address of another. Since many systems
(such as router access control lists) define which packets may and which packets may
not pass based on the sender's IP address, this is a useful technique to an attacker.
He can send packets to a host, perhaps causing it to take some sort of action.
Additionally, some applications allow login based on the IP address of the person
making the request. These are both good examples of how trusting untrustable layers
can provide security that is at best weak.

DENIAL OF SERVICE
The premise of a DoS attack is simple: send more requests to the machine than it can
handle. DoS attacks are probably the nastiest, and the most difficult to address.
These are the nastiest because they are very easy to launch, difficult to track, and it
is not easy to refuse the requests of the attacker without also refusing legitimate
requests for service.
There are tool kits available in the underground community that make this a simple
matter of running a program and telling it which host to blast with requests.



Some things that can be done to reduce the risk of being stung by a DoS attack
include:
(a) Not running your visible-to-the-world services at a level too close to capacity.
(b) Using packet filtering to prevent obviously forged packets from entering into
your network address space.
(c) Obviously forged packets would include those that claim to come from your
own hosts, addresses reserved for private networks, and the loopback
network (127.0.0.0).
(d) Keeping up to date on security-related patches for your hosts' operating
systems.

DESTRUCTIVE BEHAVIOUR
Among the destructive sorts of break-ins and attacks, there are two major
categories:
Data diddling
Data destruction

Data Diddling
Data diddling is likely the worst sort, since the fact of a break-in might not be
immediately obvious. Perhaps he's toying with the numbers in your spreadsheets, or
changing the dates in your projections and plans. Maybe he is changing the account
numbers for the auto-deposit of certain paychecks.
Data Destruction
Some of those who perpetrate attacks are simply twisted jerks who like to delete things.
In these cases, the impact on your computing capability, and consequently your
business, can be nothing less than if a fire or other disaster caused your computing
equipment to be completely destroyed.
Preventive Measures
1) Regular backups should be maintained.
2) Don't put data where it doesn't need to be.
3) Avoid systems with a single point of failure.
4) Stay current with relevant operating system patches.
5) Have someone on staff be familiar with security practices.



ROUTER
Routers are used to direct or route traffic on the network and work at the network
layer (layer 3) of the OSI model. Routers link two or more physically separate network
segments. Although they are linked via a router, they can function as independent
networks. Routers look at the headers in networking packets to determine source
addresses (logical addresses). Routers can be used as packet-filtering firewalls by
comparing header information in packets against their rules. The creation of rules
in packet filtering involves both permit and deny statements.

BRIDGE
A bridge works at the data link layer (layer 2) of the OSI model and connects
two separate networks to form a logical network. Bridges can store and forward frames. A
bridge examines the media access control (MAC) header of a data packet to
determine where to forward the packet; bridges are transparent to end users. A MAC
address is the physical address of the device on the network. As packets pass through
it, the bridge determines whether the MAC address resides on its local network; if
not, the bridge forwards the packets to the appropriate network segment. Bridges
can reduce collisions that result from segment congestion, but they do forward
broadcast frames. Bridges are good network devices if used for the right purpose.

HUBS AND SWITCHES
A hub operates at the physical layer (layer 1) of the OSI model and can serve as the
center of a star topology. Hubs can be considered concentrators because they
concentrate all network communications for the devices attached to them. A hub
contains several ports to which clients are directly connected.
A switch combines the functionality of a multi-port bridge and the signal amplification
of a repeater.

DEMILITARIZED ZONE (DMZ)
The DMZ is a critical part of a firewall. It is a network that is neither part of the
untrusted network nor part of the trusted network. Rather, it is a network that
connects the untrusted to the trusted. The importance of a DMZ is tremendous.
Someone who breaks into your network from the internet should have to get through
several layers in order to successfully do so. Those layers are provided by various
components within the DMZ.

CRYPTO CAPABLE ROUTERS
A feature that is being built into some routers is the ability to establish session encryption
between specified routers, because traffic traveling across the internet can be seen
by people in the middle who have the resources and time to snoop around. These are
advantageous for providing connectivity between two sites through secure routers.

VIRTUAL PRIVATE NETWORKS (VPN)
VPNs provide the ability for two offices to communicate with each other in such a way
that it looks like they are directly connected over a private leased line. The session
between them, although going over the internet, is private (because the link is
encrypted), and the link is convenient, because each can see the other's internal
resources without showing them off to the entire world.

NETWORK INFRASTRUCTURE SECURITY CHECKLIST
Check systems for zombie agent software.
Minimize external exposure by minimizing internet access and connectivity.
Consider using a web-content filter product to further limit your exposure to
breaches and legal liability.
Remove or limit internet access from those employees who may not need it for
business purposes.
Review security policies and ensure that they are current.
Ensure all current service levels and security patches have been installed on
operating systems and software, including antivirus updates.
Diligently review and monitor all critical system logs for suspect activity and
consider implementing a host intrusion detection system.
Revisit your firewall configuration and rules to ensure that unnecessary ports
and services are turned off and that access control is tightly managed.
Consider changing passwords for all super users or power IDs such as root, DB
admin, application manager ID etc.
Revisit access control lists on routers, firewalls, servers and applications to ensure
that access to critical functions and resources is limited to those with a need to
know.
Ensure all critical systems are regularly backed up and actual systems recovery
procedures have been tested.
Consider developing an incident response plan to address appropriate actions
should a debilitating cyber incident / event occur at your business.
Users working from home via high-speed broadband connections should be
required to have a firewall installed on their system.

FIREWALLS
A firewall is a device (hardware/software) that restricts access between networks.
Those networks might be a combination of internal and external networks
(the organization's LAN and the internet) or might be within internal networks. A firewall
is implemented to support the organizational security policy, in that specific
restrictions or rules are configured within the firewall to restrict access to services
and ports. If configured correctly, the firewall is the gateway through which all traffic
will flow. The network traffic (or packet) is then monitored as it comes into the
firewall and compared against a set of rules (filters); if the traffic does not meet the
requirements of the access control policy, it is not allowed access and might be
discarded or redirected.
A firewall can be considered a choke point on the network because all traffic must be
checked against the rules before gaining access. As a result, the rules that are
created for the network must take into account performance as well as security.
A firewall can filter traffic based on a variety of parameters within the packet:
(a) Source and Destination Addresses
The firewall can look at the source or destination address in the packet.
(b) Source and Destination Ports
The firewall can look at the source or destination port identifier of the service
or application being accessed.
(c) Protocol Types
The firewall might not let certain protocol types access the network.
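As an added illustration of the three filter parameters just listed, and of the advice earlier in this chapter to use packet filtering against obviously forged packets, here is a small stateless packet filter in Python. It is not code from the book; the address plan (203.0.113.0/24 as the protected network), the rule set and the sample packets are constructed for the example.

```python
"""Packet-filter walk-through: rules on source/destination address, port and
protocol, plus the anti-spoofing check that drops obviously forged packets.
Constructed example; addresses, rule set and packet samples are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed address plan (constructed for the example, not from the book).
OUR_NET = ip_network("203.0.113.0/24")          # hosts behind the firewall
NEVER_FROM_OUTSIDE = [                          # private ranges and loopback
    ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    inbound: bool = True       # True when it arrives from the untrusted side


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """A rule matches only when every parameter it names agrees with the packet."""
        return ((self.proto == "any" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


def is_forged(p: Packet) -> bool:
    """An inbound packet whose source claims to be one of our own hosts, a
    private range or the loopback network cannot legitimately come from outside."""
    if not p.inbound:
        return False
    src = ip_address(p.src)
    return src in OUR_NET or any(src in net for net in NEVER_FROM_OUTSIDE)


# Rules are evaluated top to bottom; the first match wins; no match means deny.
RULES = [
    Rule("permit", "tcp", dst="203.0.113.0/24", dport=443),   # HTTPS to our servers
    Rule("permit", "tcp", dst="203.0.113.0/24", dport=25),    # SMTP to our mail host
    Rule("deny", "tcp", dst="203.0.113.0/24", dport=23),      # telnet stays shut
    Rule("permit", "icmp"),                                   # ping for diagnostics
]


def decide(p: Packet, rules=RULES) -> str:
    """Return the firewall's decision for one packet, with the reason for a deny."""
    if is_forged(p):
        return "deny (spoofed source)"
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny (default)"


if __name__ == "__main__":
    samples = [                                  # constructed sample traffic
        Packet("198.51.100.7", "203.0.113.10", "tcp", 443),
        Packet("198.51.100.7", "203.0.113.10", "tcp", 23),
        Packet("198.51.100.7", "203.0.113.10", "udp", 53),
        Packet("203.0.113.5", "203.0.113.10", "tcp", 443),
        Packet("127.0.0.1", "203.0.113.10", "icmp"),
    ]
    for pkt in samples:
        print(f"{pkt.src:>14} -> {pkt.dst}:{pkt.dport} {pkt.proto:<4} {decide(pkt)}")
```

Rules are matched top to bottom with a default deny, the same permit/deny ordering a router access list uses. The spoofing check runs before the rule list because a forged source address could otherwise satisfy a permit rule written for legitimate traffic.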

There are many different types of firewall, but most enable an organization to:
(i) Block access to particular sites on the internet.
(ii) Limit traffic on an organization's public services segment to relevant
addresses and ports.
(iii) Prevent certain users from accessing certain servers or services.
(iv) Monitor and record all communications between an internal network
and the outside world to investigate network penetrations or detect
internal subversion.
(v) Encrypt packets that are sent between different physical locations
within an organization by creating a VPN over the internet (i.e. IPSec
VPN tunnels).

FIREWALL ISSUES
Problems faced by organizations that have implemented firewalls include:
(i) A false sense of security may exist where management feels that no
further security checks and controls are needed on the internal
network (i.e. the majority of incidents are caused by insiders, who are
not controlled by the firewall).
(ii) The circumvention of firewalls through the use of modems may
connect users directly to internet service providers.
(iii) Management should provide assurance that the use of modems when a
firewall exists is strictly controlled or prohibited altogether.
(iv) Mis-configured firewalls may allow unknown and dangerous services to
pass through freely.
(v) What constitutes a firewall may be misunderstood (e.g. companies
claiming to have a firewall merely have a screening router).
(vi) Monitoring activities may not occur on a regular basis (i.e. log settings
not appropriately applied and reviewed).
(vii) Firewall policies may not be maintained regularly.


CHAPTER 16

DATABASE AND DATA RESOURCE MANAGEMENT
MANAGEMENT OF DATA
The organization needs information for making decisions in running the business in a
successful manner. This necessitates that data should be collected and managed
properly.
There are four objectives for better data management:
(a) Users must be able to share data.
(b) Data must be available to users when it is needed, where it is needed and in
the form in which it is needed.
(c) Data modification should be easy in the light of changing requirements.
(d) Data integrity must be preserved.

TASKS OF DATA ADMINISTRATOR
(i) Defining Data
Undertake strategic data planning, determine user needs, specify conceptual
and external schema definitions.
(ii) Creating Data
Advising users on collection, validation and editing criteria.
(iii) Redefining / Restructuring Data
Specify new conceptual and external schema definitions.
(iv) Retiring Data
Specify retirement policies.
(v) Making database available to users
Determine end user requirements for database tools, testing and
evaluation of end-user tools.



(vi) Informing and servicing users
Answering end user queries, educating, informing high-level policies.
(vii) Maintaining database integrity
Developing organizational standards.
(viii) Monitoring operations
Monitoring end users.

TASKS OF DATABASE ADMINISTRATOR
(i) Defining Data
Specify internal schema definitions.
(ii) Creating Data
Preparing programs to create data, assisting in populating the database.
(iii) Redefining / Restructuring Data
New internal schema definitions, altering the database to implement them.
(iv) Retiring Data
Implement retirement policies.
(v) Making Database available to users
Determine programmer requirements for database tools, testing / evaluation
of programmer and optimization tools.
(vi) Informing and servicing users
Answering programmer queries, educating, informing low-level policy
information.
(vii) Maintaining database Integrity
Implementing database controls, application controls.
(viii) Monitoring operations
Monitoring programmers, performance timing.

DATA ADMINISTRATOR
(a) Ensures that all data management role groups comply with data management
policies and guidelines.
(b) Periodically reports to the director on the status of compliance with data management
policies and guidelines.



DATABASE MANAGEMENT
Access controls are used in the database subsystem to prevent unauthorized
access to and use of data. A discretionary access control policy can be used, which
allows users to specify who can access the data they own and what action privileges
they have with respect to the data. A mandatory access control policy requires a
system administrator to assign security aspects to data that cannot be changed by
database users.
Under a discretionary access control policy, users who are not owners of data can
be subjected to four types of access restrictions:
(a) Name-dependent access control, which permits or denies access to a named
data resource.
(b) Content-dependent access control, which permits or denies access depending
on the content of the data item.
(c) Context-dependent restriction, which permits or denies access depending on
the context, e.g. revelation of a specific data item value versus access for
statistical purposes.
(d) History-dependent access control, which permits or denies access depending on the
history of prior accesses to the database.

Under a mandatory access control policy, classification levels can be assigned to
specific data items / attributes in a record / relation and to records / relations as a
whole. The value of the classification level is then compared against the user's
clearance level to determine whether the data item / attribute or record / relation will
be made available to the user.
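To show the four discretionary restrictions and the mandatory clearance check side by side, here is an added Python example; it is not code from the book. The users, the records, the three classification levels and the two-reads-per-user history limit are assumptions chosen so that each rule is exercised once.

```python
"""Discretionary and mandatory access checks for database records, as the
section above describes them. Constructed example; the users, records,
classification levels and the read limit are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

# Mandatory policy labels, ordered low to high (assumed for the example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}


@dataclass
class Record:
    rid: str
    owner: str
    level: str          # classification assigned by the administrator, not the owner
    amount: int


@dataclass
class Grant:
    """Discretionary permission the owner gives another user on one record."""
    actions: Set[str]                                        # e.g. {"read"}
    contexts: Set[str] = field(default_factory=lambda: {"individual", "statistical"})
    content_ok: Callable[[Record], bool] = lambda r: True    # content-dependent rule


class AccessController:
    def __init__(self, max_individual_reads: int = 2):
        self.grants: Dict[Tuple[str, str], Grant] = {}       # (user, rid) -> Grant
        self.individual_reads: Dict[str, int] = {}           # history per user
        self.max_individual_reads = max_individual_reads

    def grant(self, granter: str, rec: Record, user: str, g: Grant) -> None:
        if granter != rec.owner:
            raise PermissionError("only the data owner may grant discretionary access")
        self.grants[(user, rec.rid)] = g

    def check(self, user: str, clearance: str, rec: Record,
              action: str, context: str = "individual") -> str:
        # Mandatory check first: it cannot be overridden, even by the owner.
        if LEVELS[clearance] < LEVELS[rec.level]:
            return "deny: clearance below classification"
        if user == rec.owner:
            return "permit"
        g = self.grants.get((user, rec.rid))
        if g is None or action not in g.actions:              # name-dependent
            return "deny: name-dependent (no grant on this record)"
        if context not in g.contexts:                         # context-dependent
            return "deny: context-dependent"
        if not g.content_ok(rec):                             # content-dependent
            return "deny: content-dependent"
        if context == "individual" and action == "read":      # history-dependent
            seen = self.individual_reads.get(user, 0)
            if seen >= self.max_individual_reads:
                return "deny: history-dependent (too many individual reads)"
            self.individual_reads[user] = seen + 1
        return "permit"


def demo():
    """Walk one user through each restriction; returns the decisions in order."""
    ac = AccessController(max_individual_reads=2)
    r1 = Record("r1", "alice", "confidential", 5000)
    r2 = Record("r2", "alice", "secret", 250000)
    r3 = Record("r3", "alice", "confidential", 90000)
    ac.grant("alice", r1, "bob", Grant({"read"}, content_ok=lambda r: r.amount < 10000))
    ac.grant("alice", r2, "bob", Grant({"read"}))
    ac.grant("alice", r3, "bob", Grant({"read"}, contexts={"statistical"},
                                       content_ok=lambda r: r.amount < 10000))
    return [
        ac.check("bob", "confidential", r2, "read"),            # secret > confidential
        ac.check("carol", "secret", r1, "read"),                # no grant at all
        ac.check("bob", "confidential", r1, "update"),          # grant covers read only
        ac.check("bob", "confidential", r3, "read"),            # individual context not granted
        ac.check("bob", "confidential", r3, "read", "statistical"),  # amount too large
        ac.check("bob", "confidential", r1, "read"),            # first read: ok
        ac.check("bob", "confidential", r1, "read"),            # second read: ok
        ac.check("bob", "confidential", r1, "read"),            # third read: history limit
        ac.check("alice", "unclassified", r1, "read"),          # owner, but cleared too low
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The mandatory check runs first and applies even to the owner, which is the point of having an administrator rather than the owner assign the classification. Every deny names the restriction that produced it, so the decisions can be logged and reviewed during an audit.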

RECOVERY STRATEGY
Existence controls encompass both a backup strategy and a recovery strategy. All
backup strategies require maintenance of a prior version of the database and a log of
transactions or changes made to the database. Recovery strategies take two forms:
(a) Roll forward, whereby the current state of the database is recovered from
a previous version.
(b) Rollback, whereby a previous state of the database is retrieved from the current
state.



GRANDFATHER, FATHER, SON BACKUP & RECOVERY STRATEGY
It involves maintaining the previous two versions of a master file and a previous
version of the transaction file. If the current (son) version of the master file is lost, it
can be recovered by processing the current transaction file against the previous
version of the master file (father). If the previous version of the master file is lost
during recovery, it too can be recovered by using the grandfather's version of the
master file and the previous version of the transaction file.

DUMPING
Dumping involves copying the whole or a portion of the database to some backup
medium. Recovery involves rewriting the dump back to the primary storage medium
and reprocessing transactions that have occurred since the time of the dump.

LOGGING
Logging involves recording a transaction that changes the database, or an image of
the record changed by an update action.
Three types of logs can be kept:
(a) Transaction logs, to allow reprocessing of transactions during recovery.
(b) Before-image logs, to allow rollback of the database.
(c) After-image logs, to allow roll forward of the database.

RESIDUAL DUMPING
Residual dumping involves logging records that have not been changed since the last
database dump. The database is recovered by going back to, but not including, the
second-last residual dump log. Residual dumping reduces the overheads associated
with dumping because records that have been changed and recorded on the log are
not then dumped.

DIFFERENTIAL FILE / SHADOW PAGING BACKUP AND RECOVERY STRATEGY
The differential file / shadow paging backup and recovery strategy involves keeping
the database intact and writing changes to the database to a separate file. In due
course these changes are written to the database. If failure occurs before the
changes are applied, the intact database constitutes a prior dump of the database.
Provided a log of transactions has been kept, these transactions can then be
reprocessed against the database.

MAJOR TYPES OF DATABASE
(a) Databases containing structured data; the most common subtypes are
relational databases and object databases. The contents of these databases are
transactions, and they are used in business transactions and business reports.
(b) Databases containing freely linkable (associated) information on various types
of entities: intelligence databases. These databases are used as a tool in
solving complex one-off problems.
(c) Databases containing free-format text or multimedia data: text or multimedia
databases, holding unstructured text or multimedia data. The data may be tagged to indicate the
meaning of the data, or permanently linked to maps (GIS), drawings etc. to allow
easy access to the data.
(d) Databases containing references to articles, books, WWW pages and similar
external materials: reference databases. These databases are used for
literature searches.
(e) Databases containing logical and mathematical inference rules and data for
these rules to operate upon: knowledge databases. These databases are
used as a tool in solving repeating complex problems or as a part of
embedded problem solvers.

UPDATE AND REPORT PROTOCOLS

When application programs use the database, they should follow certain update
and report protocols to protect the integrity of the database. The update
protocols include:

(a) Sequence checking the order of the transaction file and master file during
batch updates.

(b) Ensuring correct end of file procedures are followed so that records are not
lost.

(c) Processing multiple transactions for a single record in the correct order.

(d) Posting monetary transactions that mismatch a master file record against a
suspense account.

The report protocols include:

(i) Printing control data for internal tables / standing data to ensure it
remains accurate and complete.

(ii) Printing run to run control totals.

(iii) Printing suspense account entries.
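The update and report protocols above, worked through as an added example that is not part of the original text: the master and transaction files are constructed in-memory lists, and the batch update applies sequence checking, end-of-file handling, in-order processing of several transactions per record, suspense posting for mismatches, and run-to-run control totals (with a hash total of the keys as a standing-data control).

```python
"""Batch update and report protocols, an added illustration (not from the text).

The master and transaction files are constructed in-memory lists of (key, value)
records sorted by account key. The update follows the protocols listed above:
sequence checking of both files, explicit end-of-file handling, several
transactions for one record processed in file order, and monetary transactions
that match no master record posted to a suspense account. Run-to-run control
totals and a hash total of the keys are returned for the control report.
"""

# Constructed sample files (assumption). Both are keyed by account number.
MASTER = [("A100", 500), ("A200", 300), ("A400", 50)]
TRANSACTIONS = [("A100", 20), ("A100", -5), ("A300", 70), ("A400", -10)]


def sequence_check(records, name):
    """Update protocol (a): reject the run if a file is out of key order."""
    keys = [r[0] for r in records]
    for prev, cur in zip(keys, keys[1:]):
        if cur < prev:
            raise ValueError(f"{name} file out of sequence at {cur!r} after {prev!r}")


def hash_total(records):
    """Standing-data control: a meaningless sum of the numeric part of each key,
    compared before and after the run to show no record was added or dropped."""
    return sum(int(key.lstrip("A")) for key, _ in records)


def batch_update(master, transactions):
    """Merge-update the master file from the transaction file.

    Returns (new_master, suspense_entries, control_totals).
    """
    sequence_check(master, "master")
    sequence_check(transactions, "transaction")
    totals = {
        "master_in_count": len(master),
        "master_in_value": sum(v for _, v in master),
        "txn_count": len(transactions),
        "txn_value": sum(v for _, v in transactions),
    }
    new_master, suspense = [], []
    t = 0
    for key, balance in master:
        # Transactions whose key precedes this master key have no master record.
        while t < len(transactions) and transactions[t][0] < key:
            suspense.append(transactions[t])            # protocol (d)
            t += 1
        # Protocol (c): apply every transaction for this key, in file order.
        while t < len(transactions) and transactions[t][0] == key:
            balance += transactions[t][1]
            t += 1
        new_master.append((key, balance))
    # Protocol (b): end of master file reached; remaining transactions are not lost.
    suspense.extend(transactions[t:])
    totals["master_out_count"] = len(new_master)
    totals["master_out_value"] = sum(v for _, v in new_master)
    totals["suspense_value"] = sum(v for _, v in suspense)
    return new_master, suspense, totals


def run_to_run_check(totals):
    """Report protocol (ii): opening master + transactions == closing master + suspense."""
    return (totals["master_in_value"] + totals["txn_value"]
            == totals["master_out_value"] + totals["suspense_value"])
```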

DEADLOCK
Locking out one process while the other process completes its update can lead to
a situation called deadlock, in which two processes are each waiting for the
other to release a data item that the other needs. A widely accepted solution to
deadlock is two-phase locking, in which all the data items needed to propagate
the effects of a transaction are first obtained and locked from other processes.
The data items are not released until all updates on the data items have been
completed.

POTENTIAL BENEFITS OF THE DATABASE APPROACH

(a) Ease of setting up:
Databases do not require programming in a low level language to set them up, and
in many cases a working prototype of the required system can be developed
quickly, allowing users to get involved with the design of the system and in the
capture of data before the final system is anywhere near developed. Screen and
report painting facilities also encourage users to produce their own data input
or query screens, and to design their own reports.

(b) Lower maintenance cost:
Because many of the highly technical aspects of the system are handled by a
standard engine, the programmers involved in the system can concentrate on the
organization-specific parts of the processing, rather than those concerned with
the computer, file handling and so on. As a result the complexity of the system,
and therefore the ongoing maintenance costs of a database, can be significantly
lower than those of systems designed using other methods.

(c) Standardized query and reporting mechanism:
The use of SQL as a standard query and report specification mechanism, or
language, is reducing the need for more technical expertise at this level of
programming. Databases allow users to use SQL to specify their queries and
reports in statements approaching English in their syntax.

(d) Standardized interfaces to other software:
Many software products which might complement a database in an information
system, such as graph drawing programs, spreadsheets and analysis tools, have
standard data interfaces which are supported by the main database products. As a
result it is simple to extract data from databases and move the data into those
programmes for subsequent manipulation.

(e) Standard security mechanisms:
The access security, backup and disaster recovery facilities offered by many
databases are very sophisticated and would be difficult and time consuming to
implement using other software methods. The facilities normally built in include
access security at file, record, menu and field levels. These provide for a high
level of data integrity without the need for specific programming.

(f) Elimination of data duplication:
An application-specific processing system will usually capture, process and
store much of the same data as other systems in an organization. This results in
duplicated effort and resources being utilized. Using a database approach, the
same data can be used for different applications and so data only needs to be
captured and stored once.

(g) Improved integrity of data:
Because data is stored once, the risk of inconsistencies between data used by
different applications is reduced. If one department updates a file, other
departments will have instant access to the updated information.

(h) Better management information:
A database is better able to satisfy the information needs of management, which
are necessarily based on a requirement for global rather than
application-specific information.

CHAPTER NO. 17

COMPUTER AUDITING
INTERNAL AUDIT
The purpose of an internal audit is to evaluate the adequacy and effectiveness of
a company's internal control system and to determine whether responsibilities
are actually carried out.

RESPONSIBILITIES OF AN INTERNAL AUDITOR

(a) Review the reliability and integrity of operating and financial information
and how it is identified, measured, classified and reported.

(b) Determine whether the systems designed to comply with operating and
reporting policies, plans, procedures, laws and regulations are actually being
followed.

(c) Review how assets are safeguarded and verify the existence of assets as
appropriate.

(d) Examine company resources to determine how effectively and efficiently they
are utilized.

(e) Review company operations and programs to determine whether they are being
carried out as planned and whether they are meeting their objectives.

TYPES OF INTERNAL AUDITING WORK

Three types of audit are commonly performed.

(a) The financial audit examines the reliability and integrity of accounting
records and therefore correlates with the first of the five scope standards.

(b) The IS audit reviews the general and application controls of an AIS to
assess its compliance with internal control policies and procedures and its
effectiveness in safeguarding assets.

(c) The operational, or management, audit is concerned with the economical and
efficient use of resources and the accomplishment of established goals and
objectives.

WORKING PAPER PACKAGES
Automated working paper packages have now been developed which can make the
documentation of audit work much easier.

(a) Such programmes will aid preparation of working papers, lead schedules, and
even sets of accounts. These documents are automatically cross referenced and
balanced by the computer.

(b) The risk of error is reduced and the working papers produced will be neater
and easier to review.

(c) Standard forms will no longer have to be carried to audit locations.

(d) It will not be necessary for an audit manager to visit auditors in the field
in order to review completed audit working paper files: these can now be
transmitted to the audit manager at audit HQ or at home for review.

(e) Auditors may also benefit from on-line access and real time file updating.

TYPES OF SOFTWARE WHICH THE AUDITOR COULD USE WITH A MICRO COMPUTER AS AN AID TO
AUDIT WORK

(a) Standard software for word processing and spreadsheets which can be used to
carry out the various tasks.

(b) Expert systems which will determine sample sizes based on specified risk
criteria.

USE OF MICRO COMPUTER AS AN AUDIT AID

(a) The production of time budgets and budgetary control. The variances which
arise on the audit can be used as a basis for updating the future audit time
budget.

(b) The production of working papers, in particular lead schedules, trial
balances and schedules of errors.

(c) Analytical review procedures can be carried out more efficiently on a
microcomputer as the necessary calculations can be carried out at much greater
speed and year-on-year information built up.

(d) The production and retention of audit programmes. These can then be reviewed
and updated from year to year.

(e) The maintenance of permanent file information which can be updated from one
year to the next.


CONTROLS WHICH MUST BE IN PLACE OVER A MICRO-COMPUTER USED IN AN AUDIT
Controls which must be exercised when micro computers are used by the auditor in
his work are as follows:

Access controls for users by means of passwords.

Back up of data contained on files, regular production of hard copy, and back up
disks held off the premises.

Viral protection of programmes.

Training for users.

Evaluation and testing of programs before use.

Proper recording of input data to ensure reasonableness of output.

CONTROLS OVER MASTER FILES AND THE STANDING DATA CONTAINED THEREIN
Controls are required to ensure the continuing correctness of master files and
the standing data contained therein. Frequently, control techniques, such as
record counts or hash totals for the file, are established and checked by the
user each time the file is used.
Controls are required:

Over application development.

To prevent or detect unauthorized changes to programs.

To ensure that all program changes are adequately tested and documented.

To prevent and detect errors during program execution.

To prevent unauthorized amendment to data files.

To ensure that systems software is properly installed and maintained.

To ensure that proper documentation is kept; and

To ensure continuity of operations.

COMPUTER ASSISTED AUDIT TECHNIQUES (CAATS)

Computer assisted audit techniques (CAATs) are methods of using the computer to
assist the auditor in the performance of a computer audit. Audit techniques that
involve, directly or indirectly, the use of the client's computer are referred
to as CAATs, of which the following are the two principal categories.

AUDIT SOFTWARE
Computer programs used in the audit process to examine the contents of the
client's computer files.

TEST DATA
Data used by the auditor for computer processing to test the operation of the
enterprise's computer programs.

BENEFITS OF USING CAATS

a. By using computer audit programs, the auditor can scrutinize large volumes of
data and concentrate skilled manual resources on the investigation of results,
rather than on the extraction of information.

b. Once the programs have been written and tested, the costs of operation are
relatively low; indeed the auditor does not necessarily have to be present
during their use.

TEST PACK
A test pack consists of input data submitted by the auditor for processing by
the enterprise's computer based accounting system. It may be processed during a
normal production run (live) or during a special run at a point in time outside
the normal cycle (dead).

PRACTICAL PROBLEMS ENCOUNTERED USING A TEST PACK

The practical problems encountered in using a test pack are as follows:

a. In using live processing there will be problems removing or reversing the
test data, which might corrupt master file information.

b. In using dead processing the auditor does not test the system actually used
by the audit subject.

c. The system will be checked by the test pack, but not the year end balances,
which will still require sufficient audit work. Costs may therefore be high.

d. Any auditor who wishes to design a test pack must have sufficient skill in
computing and also a thorough knowledge of the client's system.

e. Any changes in the system will mean that the test pack will have to be
rewritten, which will be costly and time-consuming.


EMBEDDED AUDIT FACILITIES
An embedded audit facility consists of program code or additional data provided
by the auditor and incorporated into the computer element of the enterprise's
accounting system. Frequently encountered examples are:

Integrated test facility (ITF)

System control and review file (SCARF)

Snapshot

Continuous and Intermittent Simulation (CIS)

INTEGRATED TEST FACILITY (ITF)

Integrated test facility involves the creation of a fictitious entity within the
framework of a regular application. Transactions are then posted to the
fictitious entity along with the regular transactions. The results produced by
the normal processing cycle are compared with what should have been produced,
which is predetermined by other means.
Fictitious entities must not become part of the financial reporting of the
organization, and several methods can be adopted to prevent this. The simplest
and most secure method is to make reversing journal entries at the appropriate
cut-off dates. ITF enables management and the auditor to keep a constant check
on the internal processing functions applied to all types of valid and invalid
transactions.
SYSTEM CONTROL AND REVIEW FILE (SCARF)
SCARF is a relatively simple technique to build into an application.
Each general ledger account has two fields: a yes/no field indicating whether or
not SCARF applies to this account, and a monetary value which is a threshold
amount set by the auditor.
If SCARF does apply to the account then all transactions posted to the account
which have a value in excess of the threshold amount are also written to a SCARF
file. The contents of that file can be read by the user, but usually can only be
altered or deleted by the organization's internal and external auditors. The
same restriction applies to the yes/no and threshold fields associated with each
account. When a new account is opened, it is automatically assigned as a SCARF
account (yes) with a threshold of zero Rs; only the auditor can change these
fields. SCARF thus enables the organization and its auditor to monitor material
transactions or sensitive accounts with ease and provides an assurance that all
such transactions are under scrutiny.
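The SCARF mechanism as just described, as an added example that is not part of the original text: account numbers, roles, amounts and the rupee threshold are constructed, new accounts default to SCARF=yes with a zero threshold, and only the auditor role may alter the flag, the threshold or the file.

```python
"""SCARF (system control and review file), an added illustration (not from the
text). Account numbers, roles, amounts and the rupee threshold are constructed.

Each ledger account carries a yes/no SCARF flag and a threshold amount. Postings
above the threshold on a flagged account are copied to the SCARF file, which any
user may read but only an auditor may alter or purge. A newly opened account is
a SCARF account with a threshold of zero until an auditor changes it.
"""
from dataclasses import dataclass


@dataclass
class Account:
    number: str
    scarf: bool = True      # default for a newly opened account: SCARF applies
    threshold: int = 0      # Rs; default for a newly opened account
    balance: int = 0


class Ledger:
    def __init__(self):
        self.accounts = {}
        self.scarf_file = []    # records written by the SCARF control

    def open_account(self, number):
        """A new account is automatically a SCARF account with a zero threshold."""
        self.accounts[number] = Account(number)
        return self.accounts[number]

    def set_scarf(self, role, number, scarf=None, threshold=None):
        """Only the auditor may change the SCARF flag or threshold of an account."""
        if role != "auditor":
            raise PermissionError(f"{role} may not alter SCARF settings")
        acct = self.accounts[number]
        if scarf is not None:
            acct.scarf = scarf
        if threshold is not None:
            acct.threshold = threshold

    def post(self, number, amount, narrative):
        """Post a transaction; copy it to the SCARF file when the control applies."""
        acct = self.accounts[number]
        acct.balance += amount
        if acct.scarf and abs(amount) > acct.threshold:
            self.scarf_file.append(
                {"account": number, "amount": amount, "narrative": narrative})

    def read_scarf(self):
        """Any user may read the SCARF file."""
        return list(self.scarf_file)

    def purge_scarf(self, role):
        """Deleting SCARF entries is restricted to the auditor."""
        if role != "auditor":
            raise PermissionError(f"{role} may not alter the SCARF file")
        self.scarf_file.clear()


def sample_run():
    """Constructed scenario: a petty cash account left at the default threshold
    and a supplier account where only material postings are of interest."""
    ledger = Ledger()
    ledger.open_account("1001")
    ledger.open_account("2002")
    ledger.set_scarf("auditor", "2002", threshold=10_000)
    ledger.post("1001", 250, "petty cash top-up")     # threshold 0: recorded
    ledger.post("2002", 5_000, "supplier invoice")    # below threshold: not recorded
    ledger.post("2002", 12_000, "supplier invoice")   # material: recorded
    return ledger
```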
Snapshot
The snapshot concurrent auditing technique involves having embedded audit
modules take pictures of a transaction as it flows through various points in an
application system. The snapshots are either printed immediately or written to a file
for later printing. Auditors must determine where they want to place the snapshot
points in an application system, which transactions will be subject to snapshot, and
how and when the snapshot data will be presented for audit evaluation purposes.
A modification to the snapshot technique is the extended record technique. Whereas
snapshot writes a record for each snapshot point, the extended record technique
appends data for each snapshot point to a single record. All the data relating to a
transaction is kept, therefore, in the one place.
Continuous and Intermittent Simulation (CIS)
The continuous and intermittent simulation (CIS) concurrent auditing technique can
be used whenever application systems use a database management system.
Transactions that are of interest to auditors are trapped by the database
management system and passed to CIS. CIS then replicates the application system's
processing, and the two sets of results are compared. If CIS's results differ from the
application system's results, data about the discrepancy is written to a special audit
file. If the discrepancies are material, CIS can instruct the database management
system not to perform the updates to the database on behalf of the application
system.
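The CIS flow above, as an added example that is not part of the original text: the application logic and its defect, the materiality limit, the DBMS stand-in and the sample transactions are constructed, and CIS withholds the update only when the discrepancy it finds is material.

```python
"""Continuous and intermittent simulation (CIS), an added illustration (not from
the text). The application logic, its defect, the materiality limit and the
sample transactions are constructed assumptions.

The DBMS traps each transaction of interest and hands it to CIS before applying
the update. CIS recomputes the result independently from the specification,
compares it with the application's result, writes any discrepancy to an audit
file, and for a material discrepancy tells the DBMS to withhold the update.
"""

MATERIALITY = 100   # Rs; a discrepancy at or above this withholds the update


def application_compute(balance, txn):
    """Production logic with a constructed defect: on sales the discount *rate*
    is subtracted as though it were an amount (0.1 instead of 10 percent)."""
    if txn["type"] == "sale":
        return balance + round(txn["amount"] - txn.get("discount", 0))
    if txn["type"] == "payment":
        return balance - txn["amount"]
    raise ValueError(f"unknown transaction type {txn['type']!r}")


def cis_compute(balance, txn):
    """CIS's independent replica of the processing, written from the specification."""
    if txn["type"] == "sale":
        return balance + round(txn["amount"] * (1 - txn.get("discount", 0)))
    if txn["type"] == "payment":
        return balance - txn["amount"]
    raise ValueError(f"unknown transaction type {txn['type']!r}")


class DBMS:
    """Minimal stand-in for a database manager with a CIS hook."""

    def __init__(self, balances, of_interest):
        self.balances = dict(balances)
        self.of_interest = of_interest      # predicate: which transactions CIS sees
        self.audit_file = []                # discrepancy records for the auditor

    def apply(self, txn):
        """Apply one transaction; return False if CIS withheld the update."""
        acct = txn["account"]
        before = self.balances[acct]
        app_result = application_compute(before, txn)
        if self.of_interest(txn):                      # trap and pass to CIS
            cis_result = cis_compute(before, txn)
            if cis_result != app_result:
                difference = abs(cis_result - app_result)
                self.audit_file.append({"account": acct, "txn": txn,
                                        "application": app_result,
                                        "cis": cis_result,
                                        "difference": difference})
                if difference >= MATERIALITY:          # material: withhold update
                    return False
        self.balances[acct] = app_result
        return True


# Constructed transactions: a small discounted sale, a large one, and a payment.
SAMPLE_TXNS = [
    {"account": "C1", "type": "sale", "amount": 50, "discount": 0.1},
    {"account": "C1", "type": "sale", "amount": 1000, "discount": 0.1},
    {"account": "C1", "type": "payment", "amount": 20},
]


def sample_run():
    """Run the sample through a DBMS whose CIS watches sales only."""
    db = DBMS({"C1": 0}, of_interest=lambda t: t["type"] == "sale")
    outcomes = [db.apply(t) for t in SAMPLE_TXNS]
    return db, outcomes
```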

AUDIT SOFTWARE
Audit software comprises computer programs used by the auditor to examine an
enterprise's computer files. It may consist of package programs or utility
programs which are usually run independently of the enterprise's computer based
accounting system. It includes interrogation facilities available at the
enterprise. The main types of audit software are as follows:

PACKAGE PROGRAMS:
Consist of prepared generalized programs for which the auditor will specify his
detailed requirements by means of parameters, and sometimes by supplementary
program code.

PURPOSE WRITTEN PROGRAMS:
Involve the auditor satisfying his detailed requirements by means of program
code specifically written for the purpose.

UTILITY PROGRAMS:
Consist of programs available for performing simple functions such as sorting
and printing data files.

OTHER TYPES OF CAATS:

(a) Logical path analysis will draw a flow chart of the program logic.

(b) Code comparison programs compare the original program to the current
program to detect unauthorized amendments.

CONTROLS IN ONLINE AND REAL TIME SYSTEMS

(a) SEGREGATION OF DUTIES: When remote terminals are located at the point at
which data is originated, it may be found that the same person is responsible
for producing and processing the same information. To compensate for the
reduction in internal check, supervisory controls should be strengthened.

(b) DATA FILE SECURITY: The ability of a person using a remote terminal to gain
access to the computer at will results in the need for special controls to
ensure that files are neither read nor written to (nor destroyed), either
accidentally or deliberately, without proper authority.
(i) The controls may be partly physical: access to terminals is restricted to
authorized personnel, and the terminals and the rooms in which they are kept
are locked when not in use.
(ii) They may be partly operated by the operating system: passwords, special
bridges, PINs, and restriction by the OS of certain terminals to certain files.
Logging of all attempted violations of the above controls, possibly accompanied
by the automatic shutdown of the terminal used.

(c) PROGRAM SECURITY: The previous points apply equally to the use of programs.

(d) FILE RECONSTRUCTION: Dumping, the method of allowing for the reconstruction
of direct access files in batch processing systems, is of limited use in on-line
systems as the contents of the file are being constantly changed. Although the
complete file will be dumped periodically, it is also necessary to maintain a
file giving details of all transactions processed since the last dump.

(e) One of the greatest advantages of online systems is the ability to make
editing more effective.

CONTROLS IN DATABASE SYSTEMS (DBMS)

The following controls (some of which are common to all real time systems) might
be incorporated into a DBMS:

(a) Controls to prevent or detect unauthorized changes to programs
(i) No access to live program files by any personnel except for the operations
personnel at the central computer.
(ii) Password protection of programs.
(iii) Restricted access to the central computer and terminals.
(iv) Maintenance of a console log and scrutiny by the data processing manager
and by an independent party such as the internal auditor.
(v) Periodic comparison of live production programs to control copies and
supporting documentation.

(b) Controls to prevent or detect errors during operation
(i) Restriction of access to terminals by use of passwords and restriction of
programs themselves to certain fields.
(ii) Satisfactory application controls over input, processing and master files
and their contents, including retrospective batching.
(iii) Use of operations manuals and training of all users.
(iv) Maintenance of logs showing unauthorized attempts to access, and regular
scrutiny by the data processing manager and internal auditors.
(v) Physical protection of data files.
(vi) Training in emergency procedures.

(c) Controls to ensure integrity of the database system
(i) Restriction of access to the data dictionary.
(ii) Segregation of duties between the data processing manager, the database
administration function (including its manager) and systems development
personnel.
(iii) Liaison between the database administration function and systems
development to ensure integrity of systems specifications.
(iv) Preparation and update as necessary of user manuals in conjunction with the
data dictionary.

BUREAUX AND SOFTWARE HOUSES

Computer service bureaux are third party service organizations who provide
facilities to their clients.
The main types of bureaux are:

(a) Independent companies formed to provide specialist computing services.

(b) Computer manufacturers with bureaux.

(c) Computer users with spare capacity who hire out computer time when it is not
required for their own purposes (e.g. universities).

REASONS FOR USING A BUREAU

(a) New User: A company that is considering acquiring a computer may find it
extremely beneficial to use a bureau because:
(i) It can evaluate the type of computer it is interested in.
(ii) It can test and develop its programs prior to the delivery of its own
computer.
(iii) Its staff will become familiar with the requirements of a computer system.
In some cases the new system may be initially implemented using a bureau. This
will involve file conversion and pilot or parallel running.

(b) Cost: Many companies cannot justify the installation of an in house computer
on cost-benefit grounds. With the enormous increase in the number of VCRs and
mini computers available this basis is becoming less common.

(c) Peak Loads: Some computer users find it convenient to employ a bureau to
cope with peak loads arising, for example, from seasonal variations in sales. A
bureau may also be used for data preparation work for file conversion, prior to
the implementation of a new computer system.

(d) Stand by: A bureau's computer may be used in the event of breakdown of an in
house machine.

(e) Specialist skills: Management feel that the job of data processing should be
left to the experts.

(f) Consultancy: A bureau can provide advice and assistance in connection with
feasibility studies, system design, equipment evaluation, staff training and so
on.

(g) For one-off use.

ADVANTAGES OF A BUREAU:

(a) Very few users can afford to pay for the services of systems analysts and
programmers of the quality that will be found working for a large bureau.

(b) Use of a bureau should enable a customer to obtain the use of up to date
computer technology in the bureau.

(c) Unloading responsibility on to the bureau (e.g. payroll).

(d) Use of a bureau does not require high capital outlay.

DISADVANTAGES OF A BUREAU

(a) Loss of control over time taken to process data and in particular the
inability to reschedule work should input delays occur.

(b) Problems may be encountered in the transfer of data to and from the bureau.

(c) The bureau may close down, leaving the customer without any DP facilities.

(d) Customers may feel that they will lose control over an important function,
and that it is bad security to allow confidential information to be under the
control of outsiders.

(e) Its employees will be uninterested in and often unaware of the type of data
they are processing.

(f) Standards of service and the provision of adequate documentation, control
and any audit trail are also important considerations.

Summary of the main control procedures over in-house development:

(i) Adopt a recognized and documented system analysis and design method.

(ii) Full ongoing documentation must be completed throughout the development
stage.

(iii) Review and approval should be carried out throughout the development
stage.

(iv) Test data must be designed to impact on all system areas with
predetermined results.

(v) Full testing should be carried out prior to implementation.

(vi) Approval of system documentation with external auditors.

(vii) Full training schemes should be set up.

(viii) User documentation should be reviewed prior to implementation.

(ix) Controlled file conversion from old to new system.

(x) Review of ability of development staff.

Auditors may use a number of computer assisted audit techniques (CAATs)
including:

Audit interrogation software

Test data

Embedded audit facilities

Simulation

Logical path analysis

Code comparison
