TECHNOLOGY MANAGEMENT, AUDIT AND CONTROL
Arranged by
Nowsherwan Adil Niazi
Society Publishers
CHAPTER 01
THE INFORMATION SYSTEMS FUNCTION: ORGANIZATIONAL ISSUES
IS/IT DIRECTORS
At the head of the IS/IT function will be either the IS/IT manager or the IS/IT director.
This person will be responsible for:
i)
ii)
iii)
Steering Committee:
The IS/IT director should play a key role in a steering committee set up to
oversee the role of IS/IT within the organization.
iv)
IS/IT Infrastructure:
Standards should be set for the purchase and use of hardware and software
within the organization.
v)
b)
c)
d)
e)
Review the long and short range plans of the IS division to ensure that
they are in accordance with the corporate objectives.
ii)
iii)
Approve and monitor major products, establish priorities, approve
v)
vi)
Make decisions regarding centralization versus decentralization and
Committee members should be chosen with the aim of ensuring the committee
contains the wide range of technical and business knowledge required. The
committee should liaise closely with those affected by the decisions it will make.
POLICIES
Policies are high level documents. They represent the corporate philosophy of an
organization. To be effective they must be clear and concise. Management must
create a positive control environment by assuming responsibility for formulating,
developing, documenting, promulgating and controlling policies covering general
goals and directives.
In addition to corporate policies that set the tone for the organization as a whole,
individual divisions and departments should define lower level policies. These would apply
to the employees and operations of these units and would focus at the operational
level.
A top-down approach to the development of lower level policies in instances when
they are derived from corporate policies is desirable, as it ensures consistency across
the organization. However, some organizations begin by defining operational level
policies as immediate priorities. These companies view this as being the more cost
effective approach since these policies are often derived and implemented as the
results of risk assessment. This is a bottom-up approach, wherein corporate policies
are a subsequent development and a synthesis of existing operational policies.
Management should review all policies. Policies need to be updated to reflect
significant changes within the organization or department.
OPERATIONS CONTROL
Operations control is concerned with ensuring IS/IT systems are working and
available to users. Key tasks include:
a)
b)
c)
d)
e)
Fault fixing.
INFORMATION CENTRE
An information centre (IC) is a small unit of staff with a good technical awareness of
computer systems, whose task is to provide a supportive function to computer users
within the organization. Information centres, sometimes referred to as support
centres, are particularly useful in organizations which use distributed systems and so
are likely to have hardware, data and software scattered throughout the
b)
c)
is compatible and can be put into use in different
c)
d)
Data processing standards ensure that certain conventions, such as the format of file
names, are followed throughout the organization. This facilitates sharing and
storage and retrieval of information by as many users as possible.
b)
b)
c)
d)
The IC can take responsibility for protecting the system against possible
abuses now that it is linked to the internet. Anti-virus measures will
become even more important in this environment, but network software
should make it easier for the IC to control the problem centrally.
e)
The internet link will also make control over access an important issue.
The IC can set up and operate firewalls which disable part of the
communication technology that normally allows two-way traffic, so that users can go out into the
global net to retrieve information but external parties are denied access to
sensitive parts of the company's system.
b)
It gives better security / control over data and files. It is easier to enforce
standards.
c)
d)
e)
Computer staff are in a single location, and more expert staff are likely to be
employed. Career paths may be more clearly defined.
Disadvantages:
a)
b)
c)
DECENTRALIZATION:
A decentralized IS/IT department involves IS/IT staff and functions being spread out
throughout the organization.
Advantages:
a)
Each office can introduce an information system specially tailored for its
specific needs. Local changes in business requirements can be taken into
account.
b)
c)
Disadvantages:
a)
b)
c)
Increased risk of data duplication, with different offices holding the same data
on their own separate files.
ACCOUNTING ISSUES
Providing and maintaining information systems to deliver good quality information
involves significant expenditure. There are three broad possibilities when accounting
for costs related to information system.
a)
b)
c)
Hardware purchase
Cabling
System installation
System development cost (Programmer & analyst fees, testing cost,
conversion cost)
Power
1. IT as a Corporate Overhead
It implies that all the expenses on IT should be borne by the head office. No cost
allocation.
Advantages:
No complexity in calculation.
Encourages innovation because no one is being charged.
Good relations between IT and user department.
Disadvantages:
No cost control
Inefficiency
Substandard services to user department, because no one will complain about
inefficient working / system.
No true performance picture.
2. IT charged at cost
IT cost is allocated to each user department on the basis of services received by
each.
Advantages
Realistic
Efficiency
Good services to user department
True performance picture
Disadvantages
Finding a cost unit, whether per page, per data entry or per print.
No good relations
Inefficiency may be passed e.g. waste pages by IS department may be
claimed as test pages.
3. IT charged at market
IS department will charge its services to other user departments at market rates.
(This charging is actually on the books, not in reality.)
Advantages
Profit centre
High standard services, because it is being provided at market rates
Cost cutting
Efficiency
Cost savings.
TYPES OF OUTSOURCING
There are four broad classifications of outsourcing:
1. AD-HOC:
Some IT/IS services are outsourced. Examples include hardware management.
on a time used basis. Software ownership may be with either the vendor or
the client organization.
b. SERVICE BUREAUS USUALLY FOCUS ON SPECIFIC FUNCTION:
Facilities management
Software houses
Consultancy firms
SOFTWARE HOUSE:
Software houses concentrate on the provision of software services. These
include: feasibility study, system analysis and design, development of OS
software, provision of application program packages, tailor-made application
programming, specialist systems advice and so on. For example a software
CONSULTANCY FIRMS:
Some consultancy firms work at a fairly high level, giving advice to
management on the general approach to solving problems and on the types of
system to use. Others specialize in giving more particular systems advice,
carrying out feasibility studies and recommending computer manufacturers /
software. When a consultancy firm is used, the terms of the contract should
be agreed at the outset.
The use of consultancy services enables management to learn directly or
indirectly from the experience of others. Many large consultancies are owned
by big international accountancy firms; smaller consultancies may consist of
one- or two-person outfits with a high level of specialist experience in one area.
b)
c)
d)
e)
Multiple sourcing.
b)
Incremental approach.
c)
Joint-venture sourcing.
d)
b)
Can the system be relatively isolated? Functions that have only limited
interfaces are most easily outsourced, e.g. payroll.
c)
d)
Design and development of new systems, when the in-house staff does not
have the requisite skills or is otherwise occupied in higher priority tasks.
Time scale:
When does the contract expire? Is the timescale suitable for the organization's
needs or should it be negotiated?
v) Dependencies:
If related services are outsourced the level of service quality agreed should
group these activities together.
ADVANTAGES OF OUTSOURCING
a) Outsourcing can remove uncertainty about cost, as there is often a long-term
contract where services are specified in advance for a fixed price. If
computing services are inefficient, the costs will be borne by the FM Company.
This is also an incentive to the third party to provide a high quality service.
b) Long-term contracts encourage planning for the future.
c) Outsourcing can bring the benefits of economies of scale. e.g. FM Company
may conduct research into new technologies that benefits a number of clients.
d) A specialist organization is able to retain skills and knowledge. Many
organizations would not have a sufficiently well-developed IT department to
offer IT staff opportunities for career development. Talented staff would leave
to pursue their careers elsewhere.
e) New skills and knowledge become available. A specialist company can share
staff with specific expertise between several clients. This allows the outsourcing
company to take advantage of new developments without the need to recruit
new people or re-train existing staff, and without the cost.
f)
DISADVANTAGES OF OUTSOURCING
a) It is arguable that information and its provision is an inherent part of the
business and of management. Unlike office cleaning, or catering, an
organization's IT services may be too important to be contracted out.
Information is at the heart of the organization.
Vendor failure.
Hidden costs
Service costs not being competitive over the period of the entire contract.
TERMINATION POLICIES
Written termination policies should be established to provide clearly-defined steps
for employee separation. It is important that policies be structured to provide adequate
protection for the organization's computer assets and data. Termination practices
should address both voluntary termination and involuntary (immediate) terminations.
In all other cases however, the following control procedures should be applied:
Return of all access keys, ID cards and badges to prevent easy physical
access.
Arrangement of the final pay routines to remove the employee from active
payroll files.
LOGGING SYSTEM
The information system department should implement comprehensive logging
systems. These will include manual as well as automated logs. Logs allow managers
to monitor work and compare actual performance with the usual averages. They can
also serve as early warning systems for serious errors. An effective IS department
should have various logs that individuals examine regularly and take appropriate
action on when necessary.
Data entry staff should keep full details of each batch of work, with
duration and errors.
ii)
Computer operators should maintain logs of all batch jobs and the time
taken to complete them.
iii)
iv)
v)
vi)
A security subsystem could maintain detailed logs of who did what and
when, and also of any attempted security violations.
CHAPTER 02
2.
3.
4.
5.
Strategic decisions will affect operational decisions, because they will set off a
chain of lesser decisions and operational activities, involving the use of
resources.
6.
7.
Strategic decisions are likely to affect the long term direction that the
organization takes.
8.
STRATEGY
Strategy is a pattern of activities that seek to achieve the objectives of an
organization and adapt its scope, resources and operations to environmental changes
in the long term.
All the organizations carry out some form of strategic management. As the
organization grows larger, and more complex, there is a greater need for
involvement in the strategy process at all levels of the organizations.
objectives, being aware of the organization's resources, and
Planning Stage
Components of Plan
Strategic analysis
Mission
Goals
Strategic choice
Strategies
Strategic implementations
Policies
Decisions
Actions
Levels of Planning:
Strategic:
Ensuring that the resources are obtained and used effectively and
efficiently in the accomplishment of the organization's objective.
Operational: Ensuring that specific tasks are carried out effectively and efficiently.
ii)
Strategic planning should also be done for a new major venture, e.g. developing
a new department, division, major new product or line of products, etc.
iii)
iv)
v)
When conducting the planning process, involve the people who will be
responsible for implementing the plan. Use a cross-functional team to ensure
the plan is realistic and collaborative.
ii)
iii)
Organize the overall strategic plan into smaller action plans, often including an
action plan for each committee on the board.
iv)
In the overall planning document, specify who is doing what and by when.
v)
In an implementation section plan, specify and clarify the plans
Translate the strategic plan's actions into job descriptions and personnel
performance reviews.
Communicate the role of follow-ups to the plan. If people know the action
plans will be regularly reviewed, implementers tend to do their jobs before
they are checked on.
viii)
Be sure to document and distribute the plan, including inviting review input from
all.
ix)
Be sure that one internal person has ultimate responsibility that the plan is
enacted in a timely fashion.
x)
The chief executive's support of the plan is a major driver to the plan's
implementation. Integrate the plan's goals and objectives into the chief
executive's performance reviews.
xi)
xii)
ii)
Improving communication between the business and information systems
organization.
iii)
iv)
v)
vi)
Corporate strategy is concerned with the scope of an organization's activities and the
matching of these to the organization's environment, its resource capabilities and the
values and expectations of its various stakeholders.
(ii)
(iii)
Surviving
This is a sense of direction for the entire corporate group. It is primarily concerned
with the determination of ends, e.g. what business or businesses the firm is in or
should be in and how integrated these businesses should be with one another. It
covers a longer time period and has a wider scope than the other levels of corporate
planning. At this level the global objectives e.g. growth, stability or retrenchment and
the general orientation to achieve them are defined.
BUSINESS STRATEGY
Business strategy or competitor strategy is concerned with how each strategic
business unit (SBU) attempts to achieve its mission within its chosen area of activity.
Here strategy is about which products or services should be developed and offered to
which markets and the extent to which the customer needs are met whilst achieving
the objectives of the organization.
These strategies are either cost leadership or differentiation of products and may
encompass an entire market or be focused on a particular segment of it. Business
strategy relates to how an organization approaches a particular market, or the
activity of a particular business unit. For example, this can involve decisions as to
whether, in principle, a company should:
(i)
(ii)
Strategic Business Unit (SBU): It is a unit within the overall corporate entity,
which should have an identifiable and definable product or service range, market
segment and competitor set.
Marketing strategies
Production strategies
Finance strategies
R&D Strategies
INFORMATION SYSTEM (IS) includes all systems and procedures involved in the
collection, storage, production and distribution of information.
VS.
INFORMATION TECHNOLOGY (IT) describes the equipment used to capture,
store, transmit or present information. IT provides a large part of the information
systems infrastructure.
Information System Strategy: IS strategy indicates what features and
performance the organization will need from the systems. It demonstrates how the
resources will be used and provides policy guidelines for the information resources
management and perhaps policies for communication network, hardware
Organizational environments of IS
Control
Technology
ii)
iii) Identification of the information systems gap between where we are and where
we want to be in the future.
iv) Identification of how to get information systems to where we want to be in the
future. Develop a plan that begins with understanding the future business
operating vision. This vision then becomes basis for the IS mission, objective,
strategies and technical computing architecture. Assess the current systems by
comparing them to the future business operating vision and the desired
information systems computing architecture.
ELEMENTS OF AN IT STRATEGY
i)
ii)
iii)
iii)
iv)
Application Areas: The plan should outline and set priorities for new
application areas being planned and for those applications which are in the
process of development. A report on the progress and status should be
produced. For major new applications there should be a break-down of
costs and schedules. The plan should outline and set priorities for the
application areas.
v)
Operations: The current systems will be continuing and the plan should
identify the existing systems and the cost of maintaining them.
vi)
Maintenance: The plan should incorporate the budget for the
vii)
viii)
What are the key business areas that could benefit most from an investment in
IT, what form should the investment take and how such strategically important
units could be encouraged to effectively use such technology.
ii)
iv)
What are the implications for the existing workforce? (Training issues,
redundancy issues, etc.)
v)
b)
c)
There is a need to reduce long lead times and high development costs in
developing new application systems.
d)
e)
f)
There is a need to improve the quality and consistency of the database and to
control access to that resource.
g)
outline information requirement via blueprints for application
developments of future.
ii)
IS Functionality Strategy:
This indicates what features and performance the organization will need from
the systems. It demonstrates how the resources will be used; and provides
policy guidelines for the information resources management and perhaps
policies for communication networks, hardware architectures, software
IS Strategy:
This defines the policies for software and hardware, for example any standards
to be used and any stand on preferred suppliers. This also defines the
organization's stand on the IS organization, e.g. whether it is to be centralized or
distributed, what are to be the investment, vendor and human impact policies
and IS accounting techniques.
STRATEGIC SYSTEMS
The following items provide a good starting point for organizations planning to use
information systems as a strategic weapon against competition, for the betterment of
products and services, and for overall growth of the company.
i)
ii)
iii)
This means integrating telecommunication networks and system technology
through open-systems architecture so that
employees work together and share information across business units and
divisions.
iv)
(Cross-functional systems).
v)
vi)
Revisit the information flow between the home office and field offices, and between
headquarters and manufacturing plants or warehouses. The goal is to move
required data to field offices so that it can be acted upon more quickly and
managed more efficiently in order to serve the customer faster and better (e.g.
workflow systems).
Have representatives of functional and user groups, present on the
ix)
Put more focus on lowering the cost of doing business, improving customer
service, and cutting the time-to-market of new products and services. New
tools such as information aided software
xi)
Develop a new class of application systems that use existing production data
to improve business decision and, ultimately, customer service. This includes
building decision support application systems that query huge production
databases.
Long-term commitment.
Strategic Planning:
Strategic planning is the process of deciding organizational direction. Managers apply
analytic techniques, creativity and sound judgment to anticipate the requirements of
the future. When properly executed, IS strategic planning helps an organization to
efficiently and effectively carry out its mission. Managers can better position their
organization to meet tomorrow's challenges. Strategic planning is a key tool for moving
from where one is to where one wants to be.
An IS strategic plan should be a part of the organization's strategic plan. Due to their
long-term nature, strategic plans are not updated frequently. External or internal
changes within an organization are often the catalyst for organization strategic
planning.
Key Components of IS Strategic Plan
i)
ii)
iii)
iv)
v)
vi)
vii)
ii)
iii)
iv)
Managers must gain staff and customer / client support for the plan.
v)
_____________________________________________________________
INFORMATION SYSTEM STRATEGY refers to the long term plan concerned with
exploiting IS and IT either to support business strategies or create new strategic
options. It should be developed with the aim of ensuring IS/IT is utilized as efficiently
and effectively as possible in the pursuit of organizational goals and objectives.
Information systems should support corporate and business strategy. In some
circumstances an IS may have a greater influence and actually help determine
corporate / business strategy.
(a)
(b)
(c)
(c)
street banks encourage customers to use hole-in-the-wall cash
(e)
(f)
(g)
To cut production cost and so probably to reduce sale prices to the customer.
2.
3.
4.
5.
2.
3.
4.
5.
6.
7.
8.
2.
3.
Key management decision regarding hardware, software, data and
telecommunications.
4.
5.
Enterprise analysis
Business led (top down emphasis, focus on business plans & goals)
ENTERPRISE ANALYSIS
Enterprise analysis involves examining the entire organization in terms of structure,
processes, functions and data elements to identify the key elements and attributes of
organizational data and information.
Enterprise analysis is sometimes referred to as business systems planning. This
approach involves the following steps.
Step 1
Ask a large sample of managers about:
Step 3
Use the matrix to identify areas that IS should focus on, e.g. on processes that create
data.
The enterprise analysis approach gives a comprehensive view of the organization and
its use of data and systems. The enterprise analysis approach results in a mountain
of data that is expensive to collect and difficult to analyze.
Survey questions tend to focus on how systems and information are currently used,
rather than on how information that is needed to result in existing systems being
automated rather than looking at the wider picture.
Where KPIs use quantitative data, performance can be measured in a number
of ways.
The determination of key performance indicators for CSFs is not necessarily
straightforward. Some measures might use factual, objectively verifiable, data while others
might make use of softer concepts, such as opinions, perceptions and hunches.
Example
The reliability of stock records can be measured by means of physical stock
counts, either at discrete intervals or on a rolling basis. Forecasting of demand
variations will be much harder to measure.
GENERAL SOURCES OF CSFs
The Existing System: The existing system can be used to generate reports
showing failure to meet CSFs.
(b)
will maintain details and
(d)
(e)
(f)
ii)
Leading edge: There is a belief that innovative technology use can create
competitive advantage, and therefore that risky investment in unproven
technologies may generate large returns. The organization may have the
motivation and ability to commit large amounts of money and other
resources. Users must be enthusiastic and willing to support new initiatives.
iii)
Free market: This strategy is based on the belief that the market makes the
best decisions. The IS function is a competitive business unit, which must be
prepared to achieve a return on its resources. The department may have to
compete with outside providers.
iv)
Monopoly: The direct opposite to the free market strategy. This strategy is
based upon the belief that information is an organizational asset that should
be controlled by a single service provider.
v)
Scarce resource: This strategy is based on the premise that IS uses limited
resources, and therefore all IS development requires a clear justification.
STRATEGIC MANAGEMENT
It is a distinct mode of management which proceeds from analysis to
implementation and shares the same functions (planning, organizing, directing
and controlling) as operations management.
A)
STRATEGIC ANALYSIS
The first step in the process involves analysis of the situation in which the
organization finds itself. This means identifying the conditions prevailing in
both the internal and external environment and the effects of these conditions
on the organization. The following matters are to be addressed.
(i)
(ii) CUSTOMER ANALYSIS: The organization must analyse who its competitors
are, how and why they are competing, and whether and how competition will
increase. The nature of the industry's competitive forces should be addressed.
(iii) MARKET ANALYSIS: In many markets the needs / demands of customers
are becoming increasingly sophisticated and complex.
(iv) CULTURAL ANALYSIS: The culture or feel of an organization is seen as
being of critical strategic importance. An organization which has an
STRATEGIC CHOICE
futures. (E.g. worldwide economic growth interest rates, competitions)
(c) STRATEGY SELECTION: A strategy is chosen, according to the evaluation
above. Remember, however, that this process is strongly influenced by the
values of the managers selecting them. Developing strategies by which these
objectives may be met.
(d) STRATEGIC IMPLEMENTATION
Having formulated strategies and plans it only remains to implement them.
This will almost certainly involve changes to the way things are done. If the
process of strategic management has been followed through from first
principles, areas in which the implementation of strategies is likely to cause
changes are:
(i)
(ii)
(iii)
(iv)
(v)
(b)
(c)
Some legal factors that may impact upon organizations are as follows:
General legal framework (contract, tort, agency)
Basic ways of doing business, negligence proceedings, copyright laws, software
licences.
Criminal law: Theft, insider dealing, bribery, deception.
Company law: Directors and their duties, reporting requirements, takeover
proceedings, shareholders' rights, insolvency.
Employment law: Trade union recognition, social chapter provisions, minimum
wage, unfair dismissal, redundancy, maternity, equal opportunities.
Health & Safety: Fire precautions, safety procedures, workstation design.
Data protection: Use of information about employees and customers, e.g. Data
Protection Act 1998 (UK), privacy.
Marketing and Sale: Laws to protect consumers (e.g. refunds and replacement,
cooling off period after credit agreements), what is or isn't allowed in advertising.
Environment: Pollution control, waste disposal.
Tax law: Corporation tax payment, collection of income tax (PAYE) and national
insurance contributions, VAT.
The political environment is not simply limited to legal factors.
Governments are responsible for enforcing and creating a stable framework in which
business can be done. The quality of government policy is important in providing the
right:
a)
b)
c)
OF OVERSEAS MARKETS: Desirable overseas market
(demand) or source of supply. With the advent of the WWW even the smallest organization
can have an international presence.
CAPITAL FLOWS AND TRADE: Investment opportunities, free trade, cost of
exporting
INTEREST RATES
a)
A rise might increase the cost of any borrowing, thereby reducing profitability. It
also raises the cost of capital. An investment project, (new information system)
therefore has a higher hurdle to overcome to be accepted.
b)
Interest rates also have a general effect on consumer confidence and liquidity,
and hence demand.
INFLATION
a)
Inflation reduces the value of financial assets and the income of those on fixed
incomes.
b)
Inflation makes it hard for business to plan, owing to the uncertainty of future
financial returns. Inflation and expectations of it encourage organizations to
focus on the short term (short termism).
c)
Inflation requires high nominal interest rates to offer investors a real return
b)
c)
d)
Marketers can adapt their products to suit cultural traits (e.g. should
websites be tailored for individual national markets?)
b)
Alignment
b)
Scope
c)
Time frame
d)
e)
Achievability
f)
g)
Reassessment
h)
Awareness
i)
Accountability
j)
Commitment
Orientation
b)
Assessment
c)
Strategic
d)
Tactical
Establish scope
2)
ASSESSMENT
In the second phase, data is collected and analyzed to describe the existing usage and
management of IT and the extent to which they are unable, or may be unable, to
support business objectives.
This phase also provides an opportunity to identify other potential uses of
information technology which may assist in meeting objectives.
ACTIVITIES
3)
Confirm business direction and drivers to ensure the key driver for the IT plan
5)
6)
7)
Develop an assessment
STRATEGIC PLAN
In the third phase of IT Planning process, appropriate strategies are formulated.
These strategies are founded on the assessment of the business needs and priorities,
IT direction and other related issues considered in the assessment phase.
ACTIVITIES
8)
Develop a vision
9)
10)
12)
Prioritize projects
13)
14)
IT PLAN
a)
Demonstrate to the organization how it can gain business benefits from IT.
b)
c)
d)
b)
Adequate resources
c)
d)
b)
c)
d)
e)
Prioritize solutions
ii)
Appoint a champion
iii)
iv)
ii)
iii)
ii)
iii)
iv)
v)
vi)
viii)
PRIORITIZE SOLUTIONS
i)
ii)
iii)
iv)
v)
Get authorizations.
VIDEO CONFERENCING
Improves communication between project teams and between site offices, hence eliminating unnecessary travel.
VISUALIZATION
Improves design visualization and communication with clients. This allows clients to see exactly what a design will look like, giving them increased confidence in the design.
aid internal company collaboration. Extranets promote project collaboration, team working and e-commerce. Both help standardization and improve data flows.
In the IT Press
b)
c)
d)
e)
Specification of user requirements: Determining detailed user
iii) Integration and interface: How will new systems integrate and interface with existing systems? (Integration & Interface)
iv)
v) Legacy systems: What are the major issues when replacing expensive legacy systems?
vi) Time scales and resources: What is the overall time scale for the plan
vii)
ii)
iii) Benefits are achieved earlier, thus increasing management and user confidence.
iv)
v)
vi) The approach fits well with the construction industry's tendency to fund IT systems on a project basis
vii)
b)
c)
d)
Appropriate incentive schemes, so that in competition with other
A change management plan, setting out who will manage the changes, and what procedures they will use to do so. This plan should be included in your initial strategy document.
CHAPTER 03
offer
provide virtual
storefronts and
In this model, everything is done electronically and remotely through the internet, without you having to leave the comfort of your house or office.
Since the internet never sleeps or closes, customers can do business 24 hours of the day, 365 days of the year (weather and strikes are not problems).
Using industry standards such as EDI for transmitting data related to commercial transactions, the manufacturer and the supplier are able to complete a business transaction easily and quickly.
public health related information to its public. Even government
CHALLENGES:
The government must be cognizant of the fact that such access must be made widely available to all classes of its citizenry.
ii)
iii)
DIGITAL SIGNATURE:
The purpose of a digital signature is to authenticate both the sender and the message (i.e. to provide proof to the recipient that the message stems from the sender, and that the message's contents have not been altered since leaving the signatory). Digital signatures are the basis for the security of smart card systems.
A digital signature is based on the actual contents of the message itself. A digital signature is a small amount of data that is recorded on an electronic medium. The sender produces it by applying certain calculations to a message. This process is called the signature function. The resulting signature, which looks like random data, has meaning only when read in conjunction with the message used to create it.
The recipient of the message checks the digital signature by performing another set of calculations on the signature and the message. This is called the verification function. The result of these calculations reveals whether or not the signature is a genuine authenticator of both sender and message.
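The signature function and verification function described above, shown as an added example that is not part of the original notes. The notes name no algorithm, so the Lamport one-time hash-based scheme is assumed here because it needs only the standard library; all function names and the sample messages are constructed for illustration.

```python
import hashlib
import secrets

HASH_BITS = 256  # SHA-256 digest length in bits


def _h(data):
    """One-way function used for both the message digest and the key hashes."""
    return hashlib.sha256(data).digest()


def _digest_bits(message):
    """Hash the message and return its digest as 256 bits, most significant first."""
    return [(byte >> (7 - i)) & 1 for byte in _h(message) for i in range(8)]


def generate_keypair():
    """Private key: 256 pairs of random secrets. Public key: the hash of each secret.

    A Lamport key pair must sign ONE message only; signing a second message
    with the same key reveals more secrets and lets signatures be forged.
    """
    private = [(secrets.token_bytes(32), secrets.token_bytes(32))
               for _ in range(HASH_BITS)]
    public = [(_h(zero), _h(one)) for zero, one in private]
    return private, public


def sign(private, message):
    """Signature function: for each digest bit, reveal the secret that bit selects.

    The result depends on the message contents, and on its own it looks
    like random data.
    """
    return [private[i][bit] for i, bit in enumerate(_digest_bits(message))]


def verify(public, message, signature):
    """Verification function: recompute from message and signature, compare to public key."""
    if len(signature) != HASH_BITS:
        return False
    if not all(isinstance(part, bytes) for part in signature):
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(message)):
        # Compare every position without exiting early (constant-time compare).
        ok &= secrets.compare_digest(_h(signature[i]), public[i][bit])
    return ok


def demo():
    """Sign a constructed message, then check the three cases the text describes."""
    private, public = generate_keypair()
    message = b"PAY 500.00 TO ACCOUNT 12345"    # constructed sample
    tampered = b"PAY 900.00 TO ACCOUNT 12345"   # contents altered in transit
    signature = sign(private, message)
    _, other_public = generate_keypair()        # a different sender's public key
    return {
        "genuine": verify(public, message, signature),
        "altered_message": verify(public, tampered, signature),
        "wrong_sender": verify(other_public, message, signature),
    }


if __name__ == "__main__":
    print(demo())
```

Deployed systems normally use a vetted library implementation of a scheme such as RSA, ECDSA or Ed25519 rather than hand-written code; the sign and verify roles are the same.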
E-Wallets
CHAPTER 04
(vii)
In-House Development
Many organizations require systems that are highly tuned to their unique operations. These firms design their own information systems through in-house system development activities. In-house development requires maintaining a full-time systems staff of analysts and programmers who identify user information needs and satisfy those needs with custom systems.
Purchase Commercial Systems
A growing number of systems are purchased from software vendors. Faced with many competing packages, each with unique features and attributes, management must choose the system and the vendor that best serve the needs of the organization. Making the optimal choice requires that this be an informed decision.
TURNKEY SYSTEMS
Turnkey systems are completely finished and tested systems that are ready for implementation. They are often general purpose systems or systems customized to a specific industry. Turnkey systems are usually sold only as compiled program modules, and users have limited ability to customize them to their specific needs. Some turnkey systems have software options that allow the user to customize input, output, and some processing through menu choices. Other turnkey system vendors will sell their customers the source code if program changes are desired. For a fee, the user or the vendor can then customize the system by reprogramming the original source code.
(b)
(c)
(d)
(e)
but the system development service is commercially provided.
Advantages of Commercial Software
Implementation time
Cost
Reliability
Independence
LEGACY SYSTEM
A legacy system is an old, outdated system which continues to be used because it is
difficult to replace.
The main reasons legacy systems continue to be used often include the cost of replacing them and the significant time and effort involved in introducing a new system.
Legacy systems often require specialized knowledge to maintain them in a condition suitable for operation. This may leave an organization exposed should certain staff leave the organization. Legacy systems may also require data to be in a specific, may
conversion issues are common when replacing legacy systems, example:
a)
b)
c)
d)
a)
b)
c)
Feasibility study
Systems investigation
Systems analysis
Systems design
Systems implementation
(b)
(c)
Top left
(i) Objectives determined
(ii)
Top right
(i) Alternative evaluated
(ii)
Bottom right
(i) System development
(ii) implementation)
(d) Bottom Left
(i)
The spiral approach aims to avoid the problems of the waterfall model (lack of
user involvement, long delays). It is usually used in conjunction with
prototyping.
(b) User involvement
(c) Diagrammatic documentation
(d) Data Driven
(e) Defined structure
(i) Feasibility Study
If the feasibility study is conducted under SSADM, it focuses on investigating system requirements and conducting a cost benefit analysis.
(ii) Requirement Analysis
Involves an analysis of current operations, followed by the development and presentation of options for the new system.
(iii) Requirements specification
This stage involves defining the data and processes that will be used in the new system. The systems specification document will be produced.
(iv)
(v) Physical Design
The logical data structure is converted to actual physical data specifications, for example data specification.
ADVANTAGES OF SSADM
Standard methods allow less qualified staff to carry out some of the analysis work, thus cutting the cost of the exercise.
Using a standard development process leads to improved system specifications.
Users are involved with development work from an early stage and are required to sign off each stage.
Scope limits the impact on actual work processes or social context of the
system.
PROTOTYPING
A prototype is a model of all or part of a system, built to show users early in the design process how it is envisaged the completed system will appear.
Prototyping enables programmers to write programs more quickly and allows the
user to see a preview of the system that is envisaged.
ADVANTAGES OF PROTOTYPING
DISADVANTAGES OF PROTOTYPING
If the system developers fail to deliver something that both parties formally agreed to, it is the developers' responsibility to put it right, at their own expense, and compensate the user for the delay.
(b) If users ask for something extra or different that was not formally agreed to, the developers cannot be blamed and the user must pay for further amendments and be prepared to accept some delay.
(ii)
(iii)
(iv)
(ii) Project initiation
Generate project schedules in various formats.
(ii)
(iii)
(iv) Implementation
Installing schedule program code generator
(v) Maintenance
Version control change specification & tracking
(b) Analysis tools that check the logic, consistency and completeness of system diagrams, forms and reports.
(c) A CASE repository that holds all data and information relating to the system. The data dictionary records all data items held in the system and controls access to the repository. The dictionary will list all data entities, data flows, data stores, processes, external and individual data items.
(b) Screen and report layout generators that allow prototypes of the user interface to be produced and amended quickly.
(c)
(b)
(c)
(d)
CHAPTER 05
No Major bugs
Whilst it is unrealistic to expect completely bug-free software, any bugs that significantly impact upon system effectiveness / efficiency should be fixed before a package is released.
Produced on time
Software impacts upon organizational activities. It is important therefore that plans are able to be made for the introduction of new software. Delays to this schedule will cause disruption.
APPROACHES TO QUALITY
(a) Quality management
(b) Quality assurance
(c) Quality control
QUALITY MANAGEMENT
Quality management is concerned with controlling activities with the aim of ensuring
that products or services are fit for their purpose, and meet specifications. Quality
management encompasses quality assurance and quality control. The essence of
quality management is that quality should be built in to all processes and materials
used within an organization with the ultimate aim of no substandard output.
Holmes proposes an eight-stage model for implementing quality management.
1)
2)
3)
4)
5) Identify possible causes (e.g. using brainstorming sessions); no ideas are ruled out of order.
6)
7)
8)
QUALITY ASSURANCE
Quality assurance schemes involve a supplier guaranteeing the quality of goods or services supplied. Procedures and standards are devised with the aim of ensuring defects are eliminated. As quality has been built in, the routine inspection of goods after production should not be required.
(a) Prevention costs are costs incurred to ensure the work is done correctly, for example ensuring the system design is correct before beginning production. Prevention costs are the cost of avoiding poor quality.
(b) Appraisal costs are the costs of inspecting and testing, for example design reviews, structured walkthroughs and program testing.
(c) Internal failure costs are the costs of correcting defects discovered before the system is delivered.
(d) External failure costs are the costs arising to fix defects discovered after the system has been delivered.
To develop quality for the information system function overall to assist in the development of quality goals for specific information systems.
2.
3.
4.
5.
6.
1. Process focus
Reduce process variation and achieve continuous process improvement.
2. Customer focus
Studying customers' needs and managing customer satisfaction.
3.
4.
companywide quality culture by leadership, total participation,
ii)
iii) Day-to-day operations.
iv) Security
v)
vi) General administration.
in achieving an operational environment that is predictable,
The ISO 9126 standard that focuses on the end result of good software processes, i.e. the quality of the actual software product.
STAGES OF TESTING
A system must be thoroughly tested before implementation. A system that is not
thoroughly tested may go live with faults that cause disruption and prove costly. The
scope of tests and trials will vary depending on the size and purpose of the system.
Four basic stages of testing can be identified:
system logic,
programme testing,
PROGRAM TESTING
Program testing involves processing test data through all programs. Test data should be of the type that the program will be required to process and should include
b)
c)
d)
The testing process should be fully documented, recording data used, expected results, actual results and action taken. Two types of program testing are unit testing and unit integration testing.
UNIT TESTING
Involves testing two or more software units to ensure they work together as
intended. The output from unit integration testing is a debugged module.
SYSTEM TESTING
When it has been established that individual programs and interfaces are operating as intended, overall system testing should begin. System testing should extend beyond areas already tested, to cover:
a)
b)
c)
d)
e)
METHODS OF TESTING
(a)
(b)
(A)
This test evaluates the quality of a module through a direct inspection of source
code. Some important types of static analysis checks follow:
(i) Desk checking
Desk checking involves a programmer examining the source code to check for errors or any irregularities, e.g. the programmer might look for syntax errors, logical errors or variation from coding standards.
(ii)
(iii)
(B)
This type of test requires modules to be executed on the machines and can be classified into the following two types:
(ii)
Repair maintenance
In which program errors are corrected which have been overlooked in the earlier tests or which might arise after the program is implemented and becomes functional.
(b) Adaptive maintenance
In which the program is modified to meet changing user requirements. These requirements might include business requirements or any changes in the technologies.
(c) Perfective maintenance
In which the program is tuned to decrease resource consumption so that both efficiency and effectiveness of the program can be improved.
(b)
(c)
(d)
Inadequate time
Software and systems are inevitably produced under significant time pressures. Testing time is often squeezed to compensate for project overruns in other areas.
Chapter 06
b)
c)
d)
environmental changes, three factors contribute to the need for maintenance.
Error:
It is likely that bugs will exist in a newly implemented system. The effect of errors can obviously vary enormously.
Constraints:
Cost constraints may have meant that certain requested features were not
incorporated. Time constraints may have meant that requirements suggested
during development were ignored in the interest of prompt completion.
Changes in requirements:
Although users should be consulted at all stages of system development, problems may arise after a system is implemented because users may have found it difficult to express their requirements, or may have been concerned about the future of their jobs and not participated fully in development.
Poor Documentation:
If old systems are accompanied by poor documentation, or even a complete lack of documentation, it may be very difficult to understand their programs. It will be hard to update or maintain such programs.
Programmers may opt instead to patch up the system with new applications using
newer technology.
(b)
(c)
(d)
(e)
IN HOUSE MAINTENANCE
With large computer systems developed by the organization itself, in-house systems analysts and programmers might be given the responsibility for software maintenance.
To ensure the maintenance is carried out efficiently, the principles of good programming practice should be applied.
(a)
(b) The new program requirement must be specified in full and in writing. These specifications will be prepared by a systems analyst. A programmer should use these of the program.
(c)
(d) The new program version should be tested when it has been written. A programmer should prepare test data and establish whether the program will process the data according to the specification given by the systems analyst.
(e)
(f) A record should be kept of all program errors that are found during live processing and of the corrections that are made to the program.
(g)
MAINTENANCE CONTRACTS
There is also likely to be an agreement between the supplier of software and the customer for the provision of a software support service. A maintenance contract typically includes the following services:
(a) Help
(b) Information
(c) Updates
(d) Upgrades
(e)
HARDWARE MAINTENANCE
Computer hardware should be kept serviced and maintained too. Maintenance
services are provided by:
(a)
(b)
DISADVANTAGES:
i)
ii) The risk from the elimination of the separation of the functions of user and analyst.
iii) The risk from lack of user knowledge and acceptance of application quality assurance procedures for development and operation.
iv) The risk from limits on user ability to identify correct and complete requirements for an application.
v)
vi)
vii)
USER GROUPS
A user group is a forum for users of particular hardware or, more usually, software, so that they can share ideas and experience.
Users of a particular package can meet, or perhaps exchange views over the internet, to discuss solutions, ideas or shortcuts to improve productivity. An electronic newsletter service might be appropriate, based on views exchanged by members, but also incorporating ideas culled from the wider environment by IT specialists.
Interested parties, including as a maximum representatives from the IT department and users who are familiar with different parts of the system, can attend monthly or quarterly meetings to discuss the operation of the system, make suggestions for improvements and raise any queries.
Direct Benefits
Might include reduced operating cost, for example lower overtime payments.
Indirect Benefits
Might include better decision making and the freeing of human brainpower from
routine tasks so that it can be used for more creative work.
Development Costs
Include systems analysts' costs and the cost of time spent by users in assisting with fact finding.
Implementation Costs
Would include costs of site preparation and costs of training.
Running Costs
Include maintenance costs, software leasing costs and ongoing user support.
EFFICIENCY
Efficiency can be measured by considering the resource input into, and the output
from, a process or an activity.
An entity uses resources such as staff, money and materials. If the same activity can
be performed using fewer resources, for example fewer staff or less money, or if it
can be completed more quickly, the efficiency of the activity is improved. An
improvement in efficiency represents an improvement in productivity.
EFFECTIVENESS
Effectiveness is a measurement of how well the organization is achieving its
objective.
It focuses primarily on the relationship of the organization with its environment. For example, automation might be pursued because it is expected that the company will be more effective at increasing market share or at satisfying customer needs. Recent
METRICS
Metrics are quantified measurements used to measure system performance. The use
of metrics enables system quality to be measured and the early identification of
problems. Examples of metrics include system response time, the number of transactions that can be processed per minute, the number of bugs per hundred lines of code and the number of system crashes per week.
Many facets of system quality are not easy to measure statistically (e.g. user
friendliness). Indirect measurements such as the number of calls to the help desk
per month can be used as an indication of overall quality / performance.
HARDWARE MONITORS:
Hardware monitors are devices which measure the presence or absence of electrical signals in selected circuits in the computer hardware. They might measure idle time or levels of activity in the CPU, or peripheral activity. Data is sent from the sensors to counters which periodically write it to disk or tape.
A program will then analyze the data and produce an analysis of findings as output. It might identify, for example, inefficient co-ordination of processors and peripherals, or excessive delays in writing data to backing storage.
SOFTWARE MONITORS:
Software monitors are computer programs which interrupt the application in use and record data about it. They might identify, for example, excessive waiting time during program execution. Unlike hardware monitors, they may slow down the operation of the program being monitored.
SYSTEM LOGS
Many computer systems provide automatic log details, for example job start and finish times or which employee has used which program and for how long. The systems log can therefore provide useful data for analysis.
a)
b)
c)
HYBRID MONITOR
A hybrid monitor has hardware, software and perhaps firmware components. These components can be configured in many different ways. For example, software and firmware probes can detect events and write them to a hardware interface. An external device then reads, processes, stores and presents the data written to the hardware interface. Thus, hybrid monitors can detect both software and hardware related events. They are sometimes difficult to use, however, because the measurements taken by the software component and the measurements taken by the hardware component must be coordinated.
Performance measurement data can be presented by either using tables or
charts. Two types of charts that are often used to present performance
measurement data are:
a) Gantt charts:
Gantt charts use the horizontal bar to show the percentage utilization of a
resource and the extent of overlap of resource utilization among a number of
resources.
b) Kiviat graphs:
Kiviat graphs present performance measurements results so the problem
with the performance can be recognized easily. They use radial axes in a
circle to plot performance measurement results. The shape of the resulting
plot can be used to determine the extent to which the system is balanced in
terms of its resource utilization.
Auditors should have two concerns about data integrity whenever performance
monitors are used
PERFORMANCE REVIEWS
Performance reviews can be carried out to look at a wide range of system functions and characteristics. Technological change often gives scope to improve the quality of outputs or reduce the cost of inputs.
(i) More output of some value could be produced by the same input resources, e.g. process more transactions per minute, produce better quality management information (sensitivity analysis), make information available to more people.
(ii) Outputs of little value could be eliminated from the system, thus making savings in the cost of inputs, processing and handling, e.g. reports produced too frequently should be lessened, distribution lists should be shortened, report sizes should be reduced.
(iii) The timing of outputs could be better. Computer systems could give managers immediate access to the information they require, by means of file enquiry or special software (such as databases or spreadsheet modeling packages).
(iv) It might be found that outputs are not as satisfactory as they should be, perhaps because access to information from the system is limited, and could be improved by the use of a database and network system.
Available outputs are restricted because of the method of data processing used (e.g. batch processing instead of real time processing) or type of equipment used (e.g. stand-alone PCs compared with client / server systems).
b)
The efficiency of a computer system could be improved if the same volume and
frequency of output could be achieved with fewer input resources, and at less cost.
(i)
stand alone system. Multi user systems allow several input operators to work on the same file at the heavy workload and another is warranty short of work, the person who has some free time can help his or her busy colleague, thus improving operator efficiency.
(ii)
(iii)
(iv)
Using computers and external storage media with bigger storage capacity. A frequent can be very long and tedious. Computer systems with better backing storage facilities can reduce this operator waiting time, and so be more efficient.
Management might also wish to consider whether time spent checking and correcting input data can be eliminated. An alternative method of input might be chosen, e.g. bar codes and scanners eliminate input errors.
CHAPTER 07
b)
c) The number of offices or individual people who will want to access the computer system, and whether access needs to be instant or not.
d)
e)
f)
g)
h)
Details about the company should relate to its present organization structure, the
nature and size of its business and its plan for future expansion.
General Matters
a)
b) A financial constraint.
c)
d)
e)
FINANCING METHODS
The financing decision can be an important consideration in the choice of hardware or software. Failure to make the right choice can lead to serious consequences financially and operationally.
There are various financing options.
a) Purchasing
b) Leasing
c) Renting / Rental
d)
b)
c)
One way of computing power is to conduct benchmark tests. A more powerful machine will do the processing more quickly. There is some concern that some benchmark tests created by manufacturers are designed to give the most favorable result to their products. Also, it may be hard to say that one computer performs better than another, as it may depend on the application used.
These tests are carried out to compare the performance of a piece of hardware or software against pre-set criteria. Typical criteria which may be used as benchmarks include:
These do not have to be objective, though clearly with subjective tests, such as user-friendliness, it may be harder to reach definitive conclusions.
Software can also be benchmarked. An organization might try out a series of different packages on its own existing hardware to see which performed the best: speed of response, ability to process different volumes of transactions, reporting capabilities and so on.
SIMULATION TESTS
Simulation testing uses synthetic programs written specifically for testing purposes and incorporating routines designed to test a variety of situations. These programs are particularly appropriate for testing PCs, which generally execute one program step at a time. However, carrying out simulation tests on larger computers is more complex, as multiple jobs are usually processed at the same time and realistic operating conditions must be created.
i) Supplier reliability
ii) Cost
iii) Utility software
iv)
v) Software support
vi) Training
vii)
ii) Informal discussion with users as to their needs before detailed feasibility studies are carried out, which can also include discussions as to the payoffs of a particular IS investment.
iii) Advice on the impact of information systems on organizational structure, working environment and so forth.
CHAPTER 08
companies focus selectively and aggressively on developing and
Assess all customer service offerings in terms of how they contribute to customer business and growth plans.
Communicate the success principles to your customers, and make it the basis of your relationship. Explain how your service benefits them.
Become indispensable to your customer. Provide so much value that there would be virtually no advantage in bringing in a new supplier.
ECONOMICS
Comparatively superior economics across value chain
Supply chain must be aligned with the customers' and the organization's growth strategy. Tradeoffs among the logistics cost components exist along the supply chain, e.g. higher service levels vs higher inventory holding costs.
Requirements are faster information flows, reduced cycle times, flexible production, minimal inventories, integrated inter-company supply chain.
People must have the attitude, skills and behaviours required to sustain horizontal processes. Human performance systems and organizational culture become critical enablers. Key goals include attracting, developing, leveraging, and retaining top talent across the organization and fostering a culture of process excellence.
RESISTANCE TO CHANGE
Sales forecasting
Transport cost
Fleet size
Vehicle scheduling
Logistic MIS
Emergency coverage
On time delivery
FEATURES OF ERP
ERP performs core corporate activities and increases customer services, thereby augmenting the corporate image.
ERP provides for complete integration of systems not only across the departments in a company but also across the companies under the same management.
ERP allows automatic introduction of latest technologies like EFT, EDI, Internet, Internet video conferencing, e-commerce etc.
ERP not only addresses the current requirements of the company but also provides the opportunity of continually improving and refining business processes.
ERP provides business intelligence tools like decision support systems (DSS), executive information systems (EIS), reporting, data mining and early warning systems (Robots) for enabling people to make better decisions and thus improve their business processes.
COMPONENTS OF ERP
Master scheduling
Bill of materials
Purchasing
Account payable
Asset management
Financial accounting
Train people
The principle followed for BPR may be defined as the USA principle (understand, simplify, automate), i.e. understanding the existing practices, simplifying the processes and automating the process. Various tools used for this principle are
SELECTION OF ERP
Evaluation and selection involves:
Checking whether all functional aspects of the business are duly covered
Checking whether all the business functions and processes are fully integrated.
IMPLEMENTATION OF ERP
Implementing an ERP package has to be done in a phased manner. A step by step method of implementing will yield a better result than a big-bang introduction. The total time required for successfully implementing an ERP package will be anything between 18 and 24 months. The normal steps involved in the implementation of an ERP are as follows
Project initiation
Business practices
Deliverables
Map organization
Deliverables
Organization structure
Design specification
Function model
Integrate application
Train users
Deliverables
Implementation report
Maintain systems
Deliverables
Reconciliation reports
BENEFITS OF ERP
Reduce paper documents by providing online formats for quickly entering and retrieving information.
Improve supply demand linkage with remote locations and branches in different countries.
CA as an auditor
Assume a situation where the client has implemented an ERP solution. If the auditor is aware of ERP, he can make use of the features of ERP and thereby:
Ensures that the internal controls and checks are consistently maintained
Ensures that the provisions of income tax or other fiscal laws are not
ignored
Ensures that the accounting standards are consistently followed across the
company.
CA as a Liaison
CHAPTER 09
CUSTOMER RELATIONSHIP
MANAGEMENT &
SALES FORCE AUTOMATION
CUSTOMER RELATIONSHIP MANAGEMENT
Customer relationship management (CRM) puts the customer at the center of any
and all activities within an enterprise. A CRM solution helps an enterprise learn more
about the customer's needs and makes any knowledge gained through interaction
with the customer accessible at all levels of the organization. The value of CRM
software grows considerably when CRM is highly integrated with solid enterprise
resource planning (ERP) and supply chain management (SCM) functionality. This
total solution enables you to support and streamline the entire business process from
original customer contact through post sales service.
BENEFITS OF CRM
CRM tools can help your business track opportunities and close sales quickly, but their
capabilities go beyond these areas. The real power lies in their ability to help you
build smart customer relationships that will grow into long term success.
Examples
(i)
Track Orders
At their most basic level, CRM tools automate the process of tracking
customers' order histories. You can find out which products they order and
how many, so you can easily identify your best customers, not only in terms
of volume, but also in terms of profitability. You can use this information to
give these bread and butter clients special discounts for volume buying and
other incentives that will encourage loyalty and send the message that you
value their business.
(iii)
(iv)
follow up marketing outreach to promote model accessories,
(ii)
(iii)
(v)
Does your inventory allow for significant cross sell and / or up sell?
If your business sells a deep range of related products and services, it is
especially well suited to CRM tools. You will want to look for a solution that
can help you make the most of cross sell and up sell opportunities, with the
flexibility to handle multiple layers of data sorting. This will allow you to
customize outreach efforts to a high degree.
Faster response time: CRM tools allow your business to respond quickly to
customer requests. This means you can provide better service while handling
more business in less time.
Lower Costs: Virtual work can reduce or eliminate the need for travel, phone
calls, faxes, and overnight mail. This decreased overhead can provide a
needed boost to a firm's bottom line.
COLLABORATION SOLUTIONS
Collaborative workspace:
These solutions can take remote network access a step further by creating
virtual conference rooms where companies can meet and exchange
Messaging solutions
Instant messaging and real time chat features, which are common elements
of collaborative workspace, allow companies to converse online with clients
instead of having to pick up the phone. Some solutions also utilize VoIP
technology, allowing members to conduct real time, web based voice
conferences. Message boards permit companies and their clients to keep a
running record of comments regarding specific projects, boosting overall
knowledge management. Paging solutions can be used to invite users to a
workspace when specific documents have been posted.
Calendaring / Scheduling
Companies such as medical practices, salons, or restaurants can use internet
based scheduling solutions to help customers set up appointments. These
solutions act as virtual appointment books, allowing customers to go online to
schedule, view, move, or even cancel appointments at any time of the day or
night. This can make it easier for a company to manage its schedule, while
providing it with another way to reach customers with its message.
Select a sales automation tool that was compatible with our business.
Win-win-win advantages for the sales force, the delivery teams and management.
To gain rapid acceptance, SFA was designed to help salespeople get much more
organized around managing their own business in their own territories, allowing
them to spend more time with customers.
It was also intended to help delivery teams gain visibility into pending opportunities,
so they can plan when their services will be needed.
Provide easy to create, self serve management reports that can be detailed and
summarized in many ways, allowing much better business predictability and what
if planning.
Validation of how well service offerings are selling for marketing purposes.
The ability for individuals to bring up a list of sales opportunities and search and
sort in a number of different ways.
Improved account planning by attaching account plans, so the entire selling team
can see the broader context of the account.
Chapter 10
COBIT
Control Objectives for Information and
Related Technology
For IT to be successful in delivering against business requirements, management
should put an internal control system or framework in place. The COBIT control
framework contributes to these needs by:
a)
b)
c)
d)
a)
b)
c)
d)
Strategic Alignment
Focuses on ensuring the linkage of business and IT plans, on defining,
maintaining and validating the IT value proposition; and on aligning IT operations
with enterprise operations.
Value Delivery
Is about executing the value proposition throughout the delivery cycle, ensuring
that IT delivers the promised benefits against the strategy, concentrating on
optimizing costs and providing the intrinsic value of IT.
Resource Management
Is about the optimal investment in, and the proper management of, critical IT
resources: applications, information, infrastructure and people. Key issues relate
to the optimization of knowledge and infrastructure.
Risk Management
Requires risk awareness by senior corporate officers, a clear understanding of the
enterprise's appetite for risk, understanding of compliance requirements,
transparency about the significant risks to the enterprise, and embedding of risk
management responsibilities into the organization.
Performance Management
Tracks and monitors strategy implementation, project completion, resource usage,
for example, balanced scorecards that translate strategy into action to achieve
goals measurable beyond conventional accounting.
The COBIT process model has been mapped to the IT governance focus areas,
providing a bridge between what operational managers need to execute and what
executives wish to govern. To achieve effective governance, executives expect
controls to be implemented by operational managers within a defined control
framework for all IT processes.
Define process
Optimized
(Detail from PBP book)
IFAC IT GUIDELINE
MANAGING SECURITY OF INFORMATION
The security objective is supported by eight core principles:
Accountability:
Responsibility and accountability must be explicit.
Awareness:
Awareness of risks and security initiatives must be disseminated.
Multidisciplinary:
Security must be addressed taking into consideration both technological and non-technological issues.
Cost Effectiveness:
Security must be cost effective.
Integration:
Security must be coordinated & integrated.
Reassessment:
Security must be reassessed periodically.
Timeliness:
Security procedures must provide for monitoring and timely response.
Social Factors:
Ethics must be promoted by respecting the rights and interests of others.
THE IMPLEMENTATION OF IT
An IT project may cover the acquisition and implementation of IT resources such as
data, application systems, technical components, facilities and, eventually, the
relevant in terms of its needs and circumstances and may vary considerably in
complexity, it is generally conducted according to the following principles:
Aligned Scope:
The scope of the implementation of an IT solution should be aligned with the
objective first developed during the acquisition phase, including any issues of
integration and implementation timing.
Project Management & Commitment:
An IT project must be properly managed. To achieve this goal, the human resources
allocated to the project need to have experience in project management, technical
competence and knowledge of the organization's business process.
Managing Changes, Awareness and Communication:
When preparing an organization for the implementation of new systems, the issue of
change management must be specifically addressed and a communication plan must
solutions identified. To ensure effective project management,
performance indicators must be established and reviewed regularly, regular
Iterative approach:
A prototype is built and enhanced until all needs are dealt with and users are
satisfied. Some phases of this type of project are more or less linked. This
approach is usually applied to the implementation of a software package or
development of a system using a rapid application development method.
Linear approach:
A project follows a step by step method, with a strict validation of each
phase before proceeding to the next. This approach typically applies to
large, specific development projects.
WEB TRUST
The web trust standards have been developed by experts in auditing, accounting and
risk management. These standards also incorporate, whenever possible, prevailing
international best practices and guidelines for conducting business over the
internet.
(ii)
How that information will be used and distributed as well as corrected when
necessary.
(iii)
(iv)
(b)
Confidentiality:
Assures customers about their confidential information.
The enterprise ensures that access to the information obtained as a result of electronic
commerce and designated as confidential is restricted to authorized individuals in
conformity with its disclosed confidentiality practices.
Example:
(i)
(ii)
(iii)
(iv)
(v)
(c)
Security:
Ease concerns about your commitment to security.
The security ensures that access to the electronic commerce system and data is
restricted only to authorized individuals in conformity with its disclosed security
policies.
Example:
(i)
(ii)
(iv)
(d)
The enterprise's electronic commerce transactions are processed completely,
(ii)
(iii)
(iv)
(v)
(e)
The enterprise ensures that e-commerce systems and data are available as
disclosed.
Examples of areas evaluated are:
(i)
(ii)
Availability policies that conform with legal, contractual and other
requirements.
(iii)
(iv)
(v)
Assurance that hardware and software have properly tested and documented
availability objectives.
Awareness
(b)
Accountability
(c)
Multidisciplinary
(d)
Cost effectiveness
(e)
Integration
(f)
Reassessment
(g)
Social factors
Alignment
(b)
Awareness
(c)
Achievability
(d)
Relevant scope
(e)
Relevant
(f)
Commitment
(g)
Benefit Realization
(h)
Measurable performance
Alignment
Accountability
Vegetation
Relevant requirements
Transparency
Obsolescence
Implementation of an IT:
(a)
Aligned scope
(b)
(c)
(d)
(e)
Implementation phasing.
(f)
Integration.
(g)
IT Monitoring:
(a)
Comprehensiveness
(b)
Relevance
(c)
Acceptability
(d)
Timeliness
(e)
(f)
(g)
Verifiability
Action oriented
Flexibility
Chapter 11
(b)
(c)
CONTROL STRUCTURE
The policies and procedures which have been established to ensure that the
organization's specific objectives are achieved are termed the internal control
structure.
Following are the elements of the internal control structure.
Control environment
Control Environment:
Control environment consists of the attitude of management and employees towards
various policies and objectives of the organization. Positive attitude increases the
wealth of the organization.
The factors which affect the establishment, enhancement or working of various
policies and procedures adopted by the management are as follows:
(a)
(b)
Integrity and ethical values followed by employees and the management.
(c)
(d)
(e)
(f)
(g)
(h)
(b)
(c)
(d)
(e)
(b)
(c)
Design and use of adequate documents and records to help ensure the
proper recording of transactions and events.
(d)
(e)
RISK ASSESSMENT
Risk refers to a possible future loss which could result from a threat if it
comes true. Its assessment is necessary to ensure that the control system adopted
is a comprehensive one. Following steps may facilitate the proper assessment of the risk.
(a)
Identification of threats:
The threats which could be faced by the organization must be identified to avoid
possible losses, e.g. threat in constructing down in an area of frequent
earthquakes.
(b)
(c)
Identification of controls:
The identification of controls which could protect an organization from threats
is a must. Protective controls are much superior as compared to detective
controls, which involve additional costs.
(d)
Effective supervision
Responsibility accounting
Internal auditing
APPLICATION CONTROLS
CODES
Data codes are used to identify an entity uniquely. Poorly designed data codes cause
recording and keying errors.
Four types of coding systems used are:
(a)
Serial Codes:
Which assign consecutive numbers or alphabetics to an entity.
(b)
(c)
Hierarchical codes:
Which assign codes on the basis of an assigned order of importance of the
attributes of an entity.
(d)
Association codes:
Which are concatenations of codes assigned to different attributes of an
entity.
VALIDATION CHECKS
Validation of input data is ensured by putting in following checks.
(a)
Field Check
(b)
Record Check
(c)
Batch Check
(d)
File Check
Field Check:
Field checks are used to ensure the completeness and correctness of independent fields in the
records. The following types of field checks are used:
(i)
Completeness:
Items should be of a specific length e.g. 17 digits for A/C #.
(ii)
Format:
Format should be of a standard form e.g. postal code in the address comes
after the city or date field as mm/dd/yyyy.
(iii)
Range:
Only data within a specified range is acceptable e.g. code ranges between 0000 and
9999.
(iv)
Check Digit:
A Check digit is a redundant digit added to a code that enables the accuracy
of other characters in the code to be checked e.g. customer or product #.
(b)
Record Check:
With a record check, the relationship amongst the fields in a record is checked logically
to enforce the data integrity rules of databases. The following types of record checks are
applied in an input system.
(i)
Reasonableness:
Even though a field is checked for a range check, the content of another field
in the record may be used to ensure the correctness of dependent field e.g.
The range of valid salaries must depend upon the organizational position.
(ii)
Size:
If variable length records are used, the size of the record is a function of the
sizes of variable length fields or the sizes of the fields whose values may be
omitted from the record.
(iv)
Sequence check:
A logical record might contain more than one physical record e.g. invoice
data will have more than one occurrence of details like items and their
quantities. The input program might check the sequence of the physical
records it receives.
(c)
Batch Checks:
Batching is the process of grouping together transactions that bear some type of
relationship to each other. Two types of batches are used.
Physical Batches:
Are groups of transactions that constitute a physical unit e.g. a batch of
source documents.
Logical Batches:
Are groups of transactions bound together on some logical basis e.g.
transactions entered directly into a terminal during some time period.
(d)
File Checks:
With a file check, the validation tests examine whether the characteristics of a file used
during data entry are consistent with the stated characteristics of the file. The input
program ensures that it is accessing the correct file; for this
very purpose an internal label is used. It is also important for the input program to
validate that it is not using an older file with an expired date.
Control totals can be calculated for a file on the basis of the staffing of a file. The
input validation program checks to see that it is using a file with accurate control
totals.
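The field, record and batch checks described above, as an added Python example that is not part of the original notes. The field names, salary bands, sample records and the use of the Luhn algorithm as the check-digit scheme are assumptions; the notes do not name a scheme.

```python
import re
from datetime import datetime

# Rules mirror the examples in the notes. The field names, the salary bands
# and the Luhn check-digit scheme are assumptions made for this example.
SALARY_BANDS = {"clerk": (20_000, 60_000), "manager": (80_000, 200_000)}


def luhn_ok(number: str) -> bool:
    """Check digit: the last digit must make the Luhn sum a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def field_checks(rec: dict) -> list:
    """Field checks: each field is validated on its own."""
    errors = []
    account = str(rec.get("account", ""))
    if not re.fullmatch(r"[0-9]{17}", account):
        errors.append("completeness: account must be exactly 17 digits")
    elif not luhn_ok(account):
        errors.append("check digit: account number fails verification")
    date = str(rec.get("date", ""))
    try:
        if not re.fullmatch(r"[0-9]{2}/[0-9]{2}/[0-9]{4}", date):
            raise ValueError(date)
        datetime.strptime(date, "%m/%d/%Y")  # also rejects 02/30/2024
    except ValueError:
        errors.append("format: date must be a real mm/dd/yyyy date")
    if not re.fullmatch(r"[0-9]{4}", str(rec.get("code", ""))):
        errors.append("range: code must lie between 0000 and 9999")
    return errors


def record_checks(rec: dict) -> list:
    """Record checks: relationships between fields of one record."""
    errors = []
    band = SALARY_BANDS.get(rec.get("position"))
    salary = rec.get("salary")
    if band is None:
        errors.append("reasonableness: unknown position")
    elif not isinstance(salary, int) or not band[0] <= salary <= band[1]:
        errors.append("reasonableness: salary outside band for position")
    # Sequence: physical records of one logical record must arrive as 1, 2, 3...
    lines = list(rec.get("lines", []))
    if lines != list(range(1, len(lines) + 1)):
        errors.append("sequence: lines missing, repeated or out of order")
    return errors


def validate_batch(header: dict, records: list) -> dict:
    """Run field and record checks per record, then the batch control totals."""
    per_record = {}
    for idx, rec in enumerate(records):
        errs = field_checks(rec) + record_checks(rec)
        if errs:
            per_record[idx] = errs
    batch = []
    if header.get("count") != len(records):
        batch.append("batch: record count differs from header")
    total = sum(r["salary"] for r in records if isinstance(r.get("salary"), int))
    if header.get("control_total") != total:
        batch.append("batch: control total differs from header")
    return {"records": per_record, "batch": batch}


# Constructed sample input (not real data).
GOOD = {"account": "12345678901234569", "date": "03/15/2024", "code": "0420",
        "position": "clerk", "salary": 45_000, "lines": [1, 2, 3]}
BAD = {"account": "12345678901234596",   # last two digits transposed
       "date": "15/03/2024",             # dd/mm/yyyy instead of mm/dd/yyyy
       "code": "42",                     # not a four-digit code
       "position": "clerk", "salary": 150_000,  # reasonable for a manager only
       "lines": [1, 3, 2]}               # physical records out of order
HEADER = {"count": 2, "control_total": 90_000}  # prepared for two 45,000 entries

if __name__ == "__main__":
    result = validate_batch(HEADER, [GOOD, BAD])
    for idx, errs in result["records"].items():
        print(f"record {idx}:", *errs, sep="\n  ")
    print("batch:", result["batch"])
```

The transposed account number passes the completeness check and is caught only by the check digit, and the 150,000 salary would pass a plain range check across all positions but fails the reasonableness check for a clerk.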
INSTRUCTION INPUT
There are six major ways in which instructions can be entered into an IS:
(a)
(b)
Question-answer dialogs,
Which ask users to respond to questions presented by the application system.
Command Languages,
Which require users to recall and initiate instructions for the application
system.
(d)
(e)
Natural languages,
Which allow users to instruct an application system via free-form input.
(f)
INSTRUCTION INPUT
Ensuring the quality of instruction input to an application system is a more difficult
objective to achieve. During instruction input, however, users often attempt to
communicate complex actions that they want the system to undertake. Following are
the methods used to communicate instructions to an application system.
1. Menu driven languages
Menu is the simplest way to provide instruction to an application system. The
system presents users with a list of options. Users then choose an option. The
following guidelines should reduce the number of errors that are likely to occur using
menu input:
i)
ii)
iii)
iv)
The basis for selecting a menu item should be clear, e.g. numbers or a
mnemonic abbreviation
v)
Where other output is displayed on the screen, the menu should be clearly
differentiated.
They do not always cope with the ambiguity and redundancy present in
natural language for e.g., the meaning
Electronic spreadsheet users see a visual image of the spreadsheet and its
associated cell values. They can alter values by using a mouse to move the
cursor to the cell to be altered and keying in a new value.
Lexical validation,
Which evaluates whether commands contain valid words;
Syntactic validation,
Which evaluates whether commands contain a string of valid operations,
(c)
Semantic validation,
Which evaluates whether the actions to be invoked by a command are
meaningful.
(b)
(c)
STORAGE CONTROLS
Three major controls should exist in relation to storage of output.
(a)
(b)
(c)
(b)
Distribution list
(c)
(d)
Contact person
(e)
Retention date
(f)
Page heading
(g)
Page numbers
(h)
(b)
(c)
(d)
Four types of controls are used to minimize expected losses from errors &
irregularities associated with central processors:
(a)
(b)
(c)
(d)
Two types of controls are used to reduce expected losses from errors and
irregularities associated with real memory.
(a)
Memory errors can be detected via parity checks and Hamming codes,
which also allow the errors to be corrected.
(b)
There are a few threats to the integrity of the computer; these may
include, but are not limited to:
(a)
(b)
(c)
(d)
Chapter 13
Effective Management of IS
OPERATIONS MANAGEMENT CONTROL
Operations management is responsible for the daily running of hardware and
software facilities so that:
(a)
(b)
Computer operations
(b)
(c)
(d)
File library
(e)
(f)
(g)
(h)
Outsourced operations
The production control section under operations management performs five major
functions.
(a)
(b)
Job scheduling
(c)
(d)
(e)
The file library function within the operations area takes responsibility for the
management of an organization's machine readable storage media. Four functions
must be undertaken:
(b)
(c)
Maintenance of documentation
(b)
(c)
(d)
(e)
(f)
Suitable backup for the software often has responsibility for managing
the day to day activities
(g)
(b)
(c)
(d)
of the information processing facility (IPF). Organizational and
management controls provide effective and efficient operations staffed with qualified
and dependable personnel. Proper levels of responsibility should be clearly defined and
provide for an adequate separation of duties.
Organization and management controls within the IPF encompass the following:
Control Group:
the collection, logging and submission of input for the various user groups.
ii)
ii)
Help Desk:
& software and provide technical support for production systems by assisting
with problem resolution.
iv)
End User:
services: used to distinguish the person for whom the product was designed,
from the person who programs, services or installs applications.
v)
vi)
vii)
Database Administrator:
Responsible for maintenance and integrity of the organization's database
systems.
viii)
ix)
x)
System Administrator:
Operations Manager:
including computer operators, librarians, schedulers and data control
personnel.
Network Manager/Administrator:
Responsible for planning, implementing & maintaining the
Job descriptions and organizational structure charts are important items for all
employees to have as they provide a clear definition of their job responsibilities and
authority. Given the dynamic nature of information technology, job descriptions and
organization structure can change frequently. Therefore, it is important that
procedures be in place to maintain them.
Systems analysis
Data Entry
Application programming
Control Group
Librarian
Network management
Security Administration
Quality assurance
System programming
Database administration.
Preparing and monitoring the security awareness program for all employees.
Testing the security architecture to evaluate the security strengths & detect
possible threats.
Batch Entry
Online Entry
proper
A supervisor should be assigned to ensure that the work is properly prepared and
submitted for processing. This individual should also ensure that all exceptions and
rejected inputs are brought to the attention of the originating department and
resubmitted in a timely fashion and must ensure that the entry staff maintains
confidentiality and does not tamper with sensitive data.
Data Security
It includes the standards and procedures designed to protect data against accidental
or intentional unauthorized disclosure, modification or destruction. A critical part of
the management control exercised by the IPF is providing an adequate level of data
security. Data security covers many aspects of security and must be continually
modified and expanded to cover IS technological advances.
Data security program must effectively integrate:
as safeguarding hardware used during the
Employee Education:
privacy; employees also must understand that disciplinary action will be taken
against anyone who violates corporate guidelines in this area.
iii)
Logical Security:
Processing Controls
Include those items necessary to ensure that the organization receives timely,
complete, accurate and secure processing of data. These controls are particularly
pertinent to the work performed by the computer operations group that includes:
Data control is often responsible for all the data necessary to run various
systems and for checking to ensure that output information received is
complete. Adequate, up-to-date control manuals are essential for each
system. Manuals should state the source of various forms of input, which such
input should be available.
Production control is often responsible for job scheduling, job submission and
media management. Job scheduling may be done manually or with scheduling
is essential if the computer resources are to be used at optimum efficiency.
Database Administration
DBA defines and maintains the data structures in the corporate database systems.
He is responsible for the actual design, definition and proper maintenance of the
corporate databases. The DBA has the tools to establish control over the database
and the ability to override these controls. The DBA also has the capability of gaining
access to all data, including production data. It is usually not practical to prohibit or
completely prevent access by the DBA to production data.
DBAs Roles
i)
ii)
iii)
iv)
v)
Implementing database definition controls, access controls, update
viii)
Segregation of duties.
ii)
iii)
iii)
Job descriptions.
Operations procedures.
Organization functional charts provide the IS auditor with an
System development and program change procedures provide
Actual Functions:
Observation is the best test to ensure that the individual who is assigned and
authorized to perform a particular function is the person who is actually doing
the job. It allows the IS Auditor an opportunity to witness how policies and
procedures are understood and practiced.
Security Awareness:
Security awareness should be observed to verify an individual's understanding
and practice of good preventative and detective security measures to
safeguard the company's assets & data.
Reporting Relationships:
Reporting relationships should be observed to ensure that assigned
The mission /goal is to provide world class computer systems and to deliver
quality computer services to users.
Put a value information system planning process in place and to ensure its
continuity.
Install
management.
Identify and analyze the drivers of IT and computing cost structures and to
reduce such costs where possible.
Excessive costs.
Budget overruns
Late projects
Inexperienced staff
Poor motivation
CHAPTER 14
CRITICAL CHARACTERISTICS OF
INFORMATION
The value of information comes from the characteristics it possesses.
Availability
Availability enables users who need to access information to do so without
interference or obstruction, and to receive it in required format.
Accuracy
Information is accurate when it is free from mistakes or errors and it has the
value that the end users expect.
Authenticity
Authenticity of information is the quality or state of being genuine or original,
rather than a reproduction or fabrication. Information is authentic when it is
the information that was originally created, placed, stored, or transferred.
Confidentiality
The confidentiality of information is the quality or state of preventing
disclosure or exposure to unauthorized individuals or systems. Confidentiality
of information is ensuring that only those with the rights and privileges to
access a particular set of information are able to do so, and that those who are
not authorized are prevented from obtaining access.
Integrity
The quality or state of being whole, complete and uncorrupted is the integrity
of information. The integrity of information is threatened when the
Utility
The utility of information is the quality or state of having value for some
purpose. Information has value when it serves a particular purpose. This
means that if information is available but not in a format meaningful to the
end user, it is not useful.
Possession:
The possession of information is the quality or state of having ownership or
control of some object or item. Information is said to be in one's possession if one
obtains it, independent of format or other characteristics. Encryption protects
confidentiality of information but possession may change.
People
Hardware
Procedure
Data
Network
Organization
The information security policy should provide general guidance on the
allocation of security roles and responsibilities in the organization. All
responsibilities regarding information security management must be well
defined which includes information security management personnel and
management. Following responsibilities could be assigned to different levels of
management in the organization.
Executive Management
Executive management in the organization is responsible for overall
Security Committee
In order to implement the security policies and procedures in the organization,
a security committee may be formulated. Formal terms of references may also
be formulated for this committee and recommendation be adopted by the
organization.
Data Owners:
Data owners have the responsibility of maintaining accuracy, completeness
and integrity business processes.
Process Owners:
Process owners have to ensure that the processes running on computer
systems are secure and are in line with the procedures defined in the scope of
security policies of the organization.
IT Developers:
IT developers are responsible for implementing the security policy in the
organization.
implement
Users:
IT/IS users of the organization are responsible for having full knowledge of all
policies and procedures developed within organization. Users also have a
heavy responsibility for protecting.
IS Auditors
IS Auditors are responsible for providing independent assurance to
Hackers
A hacker is a person who attempts to invade the privacy of a computer
system. Hackers are normally skilled programmers and have been known to
crack system passwords with consummate ease.
Employees
Unauthorized employees intentionally attempt to break the security
implementations within the organization and try to gain access to
IS Personnel
These have the easiest access to organizational information, since they are the
custodians of information assets. Good segregation of duties apart from
checks like logical access controls will ensure reduction in attacks on reset
from this category of personnel.
(d)
Outsiders
This may include the organized criminals like hackers, competitors or crackers
(paid hackers)
Both automatic and manual fire alarms are placed in computer rooms etc.
(b)
(c)
(d)
To minimize the risk of extensive damage from electrical fires, electrical wiring
should be placed in fire resistant panels and conduit.
Security administrators should arrange regular inspections and tests of all fire
protection systems and ensure that they are properly serviced. Periodic
training of the staff to use such equipment should also be arranged.
WATER DAMAGES
Water damage to IS assets might result from fire or could also happen due to
other natural disasters like floods or torrential rains. To protect against it, the following measures:
(a)
(b)
(d)
(e)
ENERGY VARIATIONS
Energy variations occur from increase in power (surge or spikes), decrease in
power (sags or brownouts), or loss of power (blackouts). Voltage regulators and
circuit breakers may be used to avoid such instances. UPS may also be used or two
different sources of power to avoid blackouts.
TERRORIST ACTIVITIES
Political terrorism is the main risk, but there are also threats from individuals with
grudges. In some cases there is very little that an organization can do: its buildings
may just happen to be in the wrong place and bear the brunt of an attack aimed at
another organization or intended to cause general disruption.
(a)
(b)
ACCIDENTAL DAMAGE
People are a physical threat to computer installations or a cause of accidental damage to
installations.
Combating accidental damage is a matter of:
(a)
(b)
(c)
(d)
Educate users about the dangers of viruses and the ways to prevent infection.
Unauthorized entry
Damage
Vandalism/Sabotage (Strikes)
Theft
Copying or viewing of sensitive data
Alteration of sensitive equipment and information
Public disclosure of sensitive information
Abuse of data processing
Blackmailing
Embezzlement
Security guards
Bolting/secure door locks
Combination of door locks (multiple kinds of locks)
Electronic doors
Dead man door (e.g. Bank lockers, only one person can enter at one time)
Controlled single entry point
Alarm system
Manual logging
Electronic logging
Identification
Video cameras
Secured report distribution carts
Bounded personnel (fixed the people to enter)
No advertising of sensitive location
Computer workstation
Programming areas
Computer Rooms
Operator Console
Power Sources
Telecommunication
Printing facilities
Door Locks
Access Logging
Biometric access
Micro Computers
Password policies
Biometric devices
LOGICAL THREATS
VIRUSES
A virus is a piece of software which infects programs and data and which replicates
itself. Viruses need an opportunity to spread. Virus programmers therefore
place viruses in the kind of software which is most likely to be copied. This includes:
(a) Free Software
(b) Pirated Software
(c) Games Software
reduce expected losses from viruses, security administration can
(b)
Do not use public domain / shareware software or files unless they have been
checked for viruses.
individual login IDs & passwords to ensure security of assets and
also maintain physical security of assets.
Detective:
(a)
(b)
(c)
WORMS
Whereas a Trojan attacks from without, a worm, which is a type of virus, attacks
from within. A worm is a program that survives by copying and replicating itself
inside the computer system it has entered, without necessarily altering that system.
Other viruses attach themselves to a program.
TRAP DOOR
A trap door is an undocumented entry-point into a computer system. It is not to be
found in design specification but may be put in by software developers to enable
them to bypass access controls while working on a new piece of software. Because it
is not documented, it may be forgotten and rediscovered, perhaps by a hacker, at a
later date.
LOGIC BOMBS
A logic bomb is a piece of code triggered by certain events. A program will behave
normally until a certain event occurs, for example when disk utilization reaches a
certain percentage. A logic bomb, by responding to set conditions, maximizes
damage.
TIME BOMBS
A time bomb is similar to a logic bomb, except that it is triggered at a certain date.
Companies have experienced virus attacks on April Fools' Day and on Friday the 13th.
These were released by time bombs.
SPAM
Spam is flooding the internet with many copies of the same message in an attempt
to force the message on people who would not otherwise choose to receive it. Most
spam is commercial advertising, often for dubious products, get-rich-quick schemes,
Cancelable Spams
Email Spam
SNIFFERS
A sniffer is a program or device that can monitor data traveling over a network.
Sniffers can be used both for legitimate network management functions and for
stealing information from a network. Unauthorized sniffers can be extremely
dangerous to a network's security, because they are virtually impossible to detect.
They often work on TCP/IP networks, where they are sometimes called packet
sniffers.
SPOOFING
IP spoofing is one of the most common forms of online camouflage. In IP spoofing,
an attacker gains unauthorized access to a computer or a network by making it
appear that a malicious message has come from a trusted machine by spoofing the IP
address of that machine.
Function:
User identification (log on IDs) and authentication (password)
Apply restrictions
Create or change user profiles/setting
Create accountability (record each and every thing) and auditability (audit of
record)
Log events
Log user activities
Report capabilities, e.g. the message in Windows XP: don't send
Features to be considered
a) Label processing, Bypass off; label process on
b) Special system log on IDs
Every system has logon IDs: when you install Windows there is the administrator ID,
and the other IDs are guest users. These are called special system logon IDs, and
they should be disabled.
c) System Exits
This should not be available to users; complex maintenance tasks/tailoring: there are
things which cannot be recorded by the system, e.g. in a cell phone, removing the
battery or SIM cannot be recorded by the system.
i. Passive attacks
Get knowledge before going for active attack.
Three methods of passive attack:
a) Network analysis
Scan operating system, services and ports/software ports (monitoring
operating system)
Ports ( Software Port) e.g. http port
b) Eavesdropping (wiretapping)
c) Traffic analysis
Look at the nature of the traffic flow, meaning audio, video, graphic, session length
(data packets), message length and frequency of packets.
read and analyze the clear text source and destination identifiers attached
to a message for routing purposes, and the content of data remains same
duplicate messages
IDS
HR Termination policies
There should be clearly defined steps of termination policy in writing. The policy
should address both types of policies.
Control Procedures
Return all access keys.
Delete log on IDs and Password.
Notification to other staff about the terminated employee.
Arrangement of final pay.
Termination / exit Interview.
Return all company property.
Escort the person to main Gate.
SECURITY PROGRAMME
A security programme is a series of on-going, regular, periodic reviews conducted to
ensure that assets associated with the information systems function are safeguarded
adequately. Security program must have six features:
(a) Alignment:
The programme must be aligned with the organizational goals.
(b) Enterprise Wide:
Everyone in the organization must become part of the security programme.
(c) Continuity:
The programme must be operational continuously without any disruption.
(d) Validation:
The security programme must be tested and validated to ensure its
operability.
(e) Proactive:
The organization should not wait for something to happen but rather must use
innovative, preventive and protective measures.
(f) Formal:
It must be a formal programme with authority, responsibility and
accountability.
(a) An emergency plan
(b) A backup plan
(c) A recovery plan
(d) A test plan
(a) An Emergency Plan
The emergency plan specifies the actions to be taken immediately when a disaster
occurs. Management must identify those situations that require the plan to be
invoked. When the situations that invoke the plan have been identified, four aspects
of the emergency plan must be articulated.
(i) The plan must show who is to be notified immediately when the disaster
occurs: management, police or fire department.
(ii)
(iii)
(iv) Return procedures (e.g. conditions that must be met before the site is
considered safe) must be designated.
(b) Backup Plan
The site where these resources can be assembled and operations restarted.
The personnel who are responsible for gathering backup resources and
restarting operations.
(c) Recovery Plan
Whereas the backup plan is intended to restore operations quickly so the information
systems function can continue to service an organization, recovery plans set out
procedures to restore full information system capabilities. Recovery plans depend on
the circumstances of a disaster. For example, they will depend on whether the disaster
is global or localized and, if localized, the nature of the machine, the applications, and
the data to be recovered. The plan should specify the responsibilities of the
committee and provide guidelines or priorities to be followed. The plan might also
include which applications are to be recovered first.
(d) Test Plan
The final component of a DRP is a test plan. The purpose of a test plan is to identify
deficiencies in the emergency, backup or recovery plans or in the preparedness of an
organization and its personnel in the event of a disaster. It must enable a range of
disasters to be simulated and specify the criteria by which emergency, backup and
recovery plans can be deemed satisfactory.
BACKUP OPTIONS
Following are some viable backup options security administrators should consider:
(a) Cold Site
If an organization can tolerate some downtime, cold site backup might be
appropriate. A cold site has all the facilities needed to install a mainframe
system: raised floors, air conditioning, power, communication lines, and so
on. The mainframe is not present, however, and it must be provided by the
organization wanting to use the cold site.
(b) Hot Site
If fast recovery is critical, an organization might need hot site backup. All
hardware and operations facilities will be available at the hot site. In some
cases, software, data and supplies might also be stored there. Hot sites are
expensive to maintain. They usually are shared with other organizations that
have hot site needs.
(c) Warm Site
A warm site provides an intermediate level of backup. It has cold site facilities
plus hardware that might be difficult to obtain or install, e.g. a warm site
might contain selected peripheral equipment plus a small mainframe with
sufficient power to handle critical applications in the short run.
(d) Reciprocal Agreement
Two or more organizations might agree to provide backup facilities to each
other in the event of one suffering from a disaster. This backup option is
relatively cheap, but each participant must maintain sufficient capacity to
operate another's critical systems. Reciprocal agreements are often informal in
nature.
If a third party site is to be used for backup and recovery purposes, security
administrators must ensure that a contract is written to cover such issues as:
(ii) The number of organizations that will be allowed to use the site concurrently
in the event of a disaster.
(iii)
(iv)
(v)
(vi)
The facilities and services the site provider agrees to make available.
(vii)
(b)
1.
2.
Risk Analysis
Risk analysis identifies important functions and assets that are critical to a
firm's operations, and then subsequently establishes the probability of a
disruption to those functions and assets. Once the risk is identified and
established, objectives and strategies to eliminate avoidable risks and
4.
Disaster tolerance
Disaster tolerance defines an environment's ability to withstand major
disruptions to systems and related business processes. Disaster tolerance at
various levels should be built into an environment and can take form of
hardware redundancy, high availability/clustering solutions, multiple data
centers, eliminating single points of failure, and disaster solutions.
CHAPTER 15
NETWORK INFRASTRUCTURE
SECURITY
TCP/IP: THE LANGUAGE OF THE INTERNET
TCP/IP includes both network-communication and application-support protocols. The
TCP/IP protocol is defined as follows:
(a)
(b)
(c)
(d)
That is www.google.com would resolve to IP address
(g)
(h)
(i)
(j)
(k)
X.25
This is a data communications interface specification developed to describe
how data passes into and out of switched packet networks. The X.25 protocol
suite defines protocol layers 1-3.
NETWORK
A network is a connection of autonomous processes. Two or more processes are said to
be autonomous if they can work independently of each other as well as
collectively.
Our mobile phones processes do not form a network because they are not intelligent
enough to work independently. Similarly if several I/O devices are attached with a
super, mainframe or minicomputer, it is not a network because I/O devices are not
able to work independently if they are disconnected. However, if two or more micro
computers are connected with each other and they are able to work independently as
well as in a sharing network, then it is a NETWORK.
NETWARE (SOFTWARE NEEDED TO RUN THE NETWORK)
Client Server
One computer is the server and the other computer is the client. The biggest example
might be the internet, in which we are the clients of an internet ISP. Again, ISPs are
clients of internationally recognized networking bodies. (Hyundai, AT & T, British Telecom)
Peer to Peer
No one is server, no one is client. Every machine is server and every machine is
client.
FOUR REASONS FOR FORMING NETWORK
Sharing of data/information
Sharing of resources (e.g. printer, hard disk, CD drive)
Sharing of services (e.g. internet service, stock exchange service)
Security (You cannot take data away from the network hard disk. A lot of
instructions are imposed even to access data.)
Functions
Advantages
Flexibility
Disadvantages
Same as outsourcing
Serious points to consider
1. Customer access:
Browser for websites
Special browsers E.g. at Airport terminal we can use internet
2. Customer Issues:
Training
Queries
3. Secure Connection
4. Dedicated or shared application server (dedicated is recommended)
5. Problem resolution capacity
6. Level of Redundancy / backup
7. Disaster recovery
8. Data ownership
9. Data security
10. Transfer of data between In-house application and ASP
11. How to switch to another ASP.
IP SPOOFING
This is where one host claims to have the IP address of another. Since many systems
(such as router access control lists) define which packets may and which packets may
not pass based on the sender's IP address, this is a useful technique to an attacker.
He can send packets to a host, perhaps causing it to take some sort of action.
Additionally, some applications allow login based on the IP address of the person
making the request. These are both good examples of how trusting untrustable layers
can provide security that is at best weak.
DENIAL OF SERVICE
The premise of a DoS attack is simple: send more requests to the machine than it can
handle. DoS attacks are probably the nastiest, and the most difficult to address.
They are the nastiest because they are very easy to launch and difficult to track, and it
is not easy to refuse the requests of the attacker without also refusing legitimate
requests for service.
There are tool kits available in the underground community that make this a simple
matter of running a program and telling it which host to blast with requests.
(a) Not running your visible-to-the-world services at a level too close to capacity.
(b) Using packet filtering to prevent obviously forged packets from entering into
your network address space.
(c) Obviously forged packets would include those that claim to come from your
own hosts, addresses reserved for private networks, and the loopback
network (127.0.0.0).
(d)
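The packet-filtering measure above can be expressed as a source-address check on traffic arriving at the external interface. The following is an added example, not taken from the original text; the organisation's address range (203.0.113.0/24, a documentation range), the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the organisation's own address space (placeholder range).
OWN_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Addresses reserved for private networks and the loopback network.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def forged_reason(src, own_nets=OWN_NETS):
    """Return why a packet seen on the EXTERNAL interface is obviously
    forged, or None if its source address passes the filter."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "malformed source address"
    if addr in LOOPBACK_NET:
        return "loopback source"
    if any(addr in net for net in PRIVATE_NETS):
        return "private-network source"
    if any(addr in net for net in own_nets):
        return "claims to come from our own hosts"
    return None


def filter_ingress(packets, own_nets=OWN_NETS):
    """Split inbound packets into accepted ones and (source, reason) drops."""
    accepted, dropped = [], []
    for pkt in packets:
        reason = forged_reason(pkt["src"], own_nets)
        if reason is None:
            accepted.append(pkt)
        else:
            dropped.append((pkt["src"], reason))
    return accepted, dropped


# Constructed sample traffic arriving from the internet side.
SAMPLE_PACKETS = [
    {"src": "198.51.100.7", "dport": 80},   # ordinary external client
    {"src": "203.0.113.10", "dport": 80},   # pretends to be an inside host
    {"src": "10.1.2.3", "dport": 25},
    {"src": "172.20.0.5", "dport": 443},
    {"src": "172.32.0.1", "dport": 443},    # just outside 172.16.0.0/12
    {"src": "192.168.1.1", "dport": 22},
    {"src": "127.0.0.1", "dport": 80},
    {"src": "999.1.1.1", "dport": 80},      # not a valid address at all
]

if __name__ == "__main__":
    ok, bad = filter_ingress(SAMPLE_PACKETS)
    for src, reason in bad:
        print("DROP", src, "-", reason)
    print("ACCEPT", [p["src"] for p in ok])
```

The filter only removes packets whose source could never legitimately appear on the outside interface; a packet forged with some other external address still passes, which is why the text treats IP-based trust as weak.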
DESTRUCTIVE BEHAVIOUR
Among the destructive sorts of break-ins and attacks, there are two major
categories.
Data diddling
Data destruction
Data Diddling
Data diddling is likely the worst sort, since the fact of a break-in might not be
immediately obvious. Perhaps he's toying with the numbers in your spreadsheets, or
changing the dates in your projections and plans. Maybe he is changing the account
numbers for the auto deposit of certain paychecks.
Data Destruction
Some of those who perpetrate attacks are simply twisted jerks who like to delete things.
In these cases, the impact on your computing capability and consequently your
business can be nothing less than if a fire or other disaster caused your computing
equipment to be completely destroyed.
Preventive Measures
1)
2)
3)
4)
5)
BRIDGE
A bridge works at the data link layer (layer 2) of the OSI model and connects
two separate networks to form a logical network. Bridges can store and forward frames.
A bridge examines the media access control (MAC) header of a data packet to
determine where to forward the packet; bridges are transparent to end users. A MAC
address is the physical address of the device on the network. As packets pass through
it, the bridge determines whether the MAC address resides on its local network; if
not, the bridge forwards the packets to the appropriate network segment. Bridges
can reduce collisions that result from segment congestion, but they do forward
broadcast frames. Bridges are good network devices if used for the right purpose.
Remove or limit internet access from those employees who may not need it for
business purposes.
Ensure all current service level and security patches have been installed on
operating systems and software, including antivirus updates.
Diligently review and monitor all critical system logs for suspect activity and
consider implementing a host intrusion detection system.
Revisit your firewall configuration and rules to ensure that unnecessary ports
and services are turned off and that access control is tightly managed.
Consider changing passwords for all super users or power IDs such as root, DB
admin, application manager ID etc.
Revisit access control lists on routers, firewalls, servers and applications to ensure
that access to critical functions and resources is limited to those who need to
know.
Ensure all critical systems are regularly backed up and actual systems recovery
procedures have been tested.
Users working from home via high-speed, broad band connections should be
required to have a firewall installed on their system.
FIREWALLS
A firewall is a device (hardware/software) that restricts access between networks.
Those networks might be a combination of internal and external networks
(an organization's LAN and the internet) or might be within internal networks. A firewall
is implemented to support the organizational security policy, in that specific
restrictions or rules are configured within the firewall to restrict access to services
and ports. If configured correctly, the firewall is the gateway through which all traffic
will flow. The network traffic (or packet) is then monitored as it comes into the
firewall and compared against a set of rules (filters). If the traffic does not meet the
requirements of the access control policy, it is not allowed access and might be
discarded or redirected.
A firewall can be considered a choke point on the network because all traffic must be
checked against the rules before gaining access. As a result, the rules that are
created for the network must take into account performance as well as security.
A firewall can filter traffic based on a variety of parameters within the packet.
(a)
(b)
(c)
Protocol types
The firewall might not let certain protocol types access the network.
There are many different types of firewall but most enable organization to:
(ii)
(iii)
(iv)
(v)
FIREWALL ISSUES
Problems faced by organizations that have implemented firewall include:
(i)
(ii)
(iii)
(iv)
(v)
(vi)
Monitoring activities may not occur on a regular basis (i.e. log settings
not appropriately applied and reviewed.)
(vii)
CHAPTER 16
(b)
(c)
(d)
Defining Data
Undertake strategic data planning, determine user needs, specify conceptual
and external scheme definitions.
(ii)
Creating Data
Advising users on collection, validation and editing criteria.
(iii)
(iv)
Retiring Data
Specify retirement policies
(v)
end user requirements for database tools, testing and
(vii)
Defining Data
Specify internal schema definitions
(ii)
Creating Data
Preparing programs to create data, assist in populating database.
(iii)
(iv)
Retiring Data
Implement retirement policies
(v)
(vi)
programmer queries, educating, informing low level policy information.
(vii)
DATA ADMINISTRATOR
(a)
Ensures that all data management role groups comply with data management
policies and guidelines.
(b)
(b)
(c)
(d)
RECOVERY STRATEGY
Existence controls encompass both a backup strategy and a recovery strategy. All
backup strategies require maintenance of a prior version of the database and a log of
transaction or changes made to the database. Recovery strategies take two forms:
(a) Roll forward, whereby the current state of the database is recovered from
a previous version.
(b) Rollback, where a previous state of the database is retrieved from the current
state.
DUMPING
Dumping involves copying the whole or a portion of the database to some backup
medium. Recovery involves rewriting the dump back to the primary storage medium
and reprocessing transactions that have occurred since the time of dump.
LOGGING
Logging involves recording a transaction that changes the database or an image of
the record changed by an update action.
Three types of logs can be kept:
(a)
(b)
(c)
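The relationship between a dump, a log of record images, roll forward and rollback can be shown in a few lines. This is an added example, not taken from the original text; the in-memory dictionary database, the account values and all function names are assumptions constructed for illustration.

```python
import copy
from collections import namedtuple

# One log entry holds both images of the record changed by an update.
LogEntry = namedtuple("LogEntry", "txn key before after")
ABSENT = object()  # before-image marker: the record did not exist yet


def update(db, log, txn, key, value):
    """Log the before- and after-image of a record, then change it."""
    log.append(LogEntry(txn, key, db.get(key, ABSENT), value))
    db[key] = value


def roll_forward(dump, log):
    """Recover the current state from a previous version (the dump)
    by replaying after-images in the order they were logged."""
    state = copy.deepcopy(dump)
    for entry in log:
        state[entry.key] = entry.after
    return state


def roll_back(current, log, keep):
    """Retrieve a previous state from the current state by applying
    before-images in reverse order, undoing every entry after log[:keep]."""
    state = copy.deepcopy(current)
    for entry in reversed(log[keep:]):
        if entry.before is ABSENT:
            state.pop(entry.key, None)   # record was created; remove it
        else:
            state[entry.key] = entry.before
    return state


def build_scenario():
    """Constructed sample data: a dump followed by two logged transactions."""
    db = {"A": 100, "B": 50}
    dump = copy.deepcopy(db)           # dumping: copy kept on backup medium
    log = []
    update(db, log, "T1", "A", 70)     # T1 moves 30 from A to B
    update(db, log, "T1", "B", 80)
    update(db, log, "T2", "A", 0)      # T2 is the transaction to be undone
    update(db, log, "T2", "C", 999)
    return db, dump, log


if __name__ == "__main__":
    db, dump, log = build_scenario()
    print("current      :", db)
    print("roll forward :", roll_forward(dump, log))   # after media loss
    print("rollback T2  :", roll_back(db, log, keep=2))
```

Roll forward needs the dump plus after-images; rollback needs only the current state plus before-images, which is why the log has to capture both when either recovery form may be required.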
RESIDUAL DUMPING
Residual dumping involves logging records that have not been changed since the last
database dump. The database is recovered by going back to but not including the
second last residual dump log. Residual dumping reduces the overheads associated
with dumping because records that have been changed and recorded on the log are
not then dumped.
(b)
(c)
(d)
(e)
Databases containing logical and mathematical inference rules and data for
these rules to operate upon, knowledge databases. These databases are
used as a tool in solving repeating complex problems or as a part in
embedded problem solvers.
Sequence checking the order of the transaction file and master file during
batch updates.
(b)
Ensuring correct end of file procedures are followed so that records are not
lost.
(c)
(d)
And posting monetary transactions that mismatch a master file record against
a suspense account.
(e)
(ii)
(iii)
DEAD LOCK
Locking out one process while the other process completes its update can lead to a
situation called deadlock, in which two processes are waiting for each other to
release a data item that the other needs. A widely accepted solution to deadlock is
two-phase locking, in which all the data items needed to propagate the effects of a
transaction are first obtained and locked from other processes. The data items are
not released until all updates on the data items have been completed.
(b)
(c)
software products which might complement database in an
(f)
(g)
(h)
CHAPTER NO. 17
COMPUTER AUDITING
INTERNAL AUDIT
The purpose of an internal audit is to evaluate the adequacy and effectiveness of a
company's internal control system and whether responsibilities are actually carried out.
Review the reliability and integrity of operating and financial information and
how it is identified, measured, classified and reported.
(b)
(c)
Review how assets are safeguarded and verify the existence of assets as
appropriate.
(d)
(e)
The financial audit examines the reliability and integrity of accounting records
and therefore correlates with the first of the five scope standards.
(b)
The IS audit reviews the general and application controls of an AIS to assess
its compliance with internal control policies and procedures and its
Such programmes will aid preparation of working papers, lead schedules, and
even sets of accounts. These documents are automatically cross referenced
and balanced by the computer.
(b)
The risk of error is reduced and the working papers produced will be neater
and easier to review.
(c)
(d)
It will not be necessary for an audit manager to visit auditors in the field in
order to review completed audit working paper files: these can now be
transmitted to the audit manager at audit HQ or at home for review.
(e)
Auditors may also benefit from on-line accessing and real time file updating.
Standard software for word processing and spreadsheets which can be used to
carry out the various tasks.
(b)
Expert systems which will determine sample sizes based on specified risk criteria.
The production of time budgets and budgetary control. The variances which
arise on the audit can be used as a basis for updating the future audit time
budget.
(b)
(c)
Analytical review procedures can be more efficiently carried out on a microcomputer as the necessary calculations can be carried out at much greater
speed and year-on-year information built-up.
(d)
(e)
To ensure that all program changes are adequately tested and documented.
AUDIT SOFTWARE
Computer programs used in the audit process to examine the contents of the
client's computer files.
TEST DATA
Data used by the auditor for computer processing to test the operation of the
enterprise's computer programs.
By using computer audit programs, the auditor can scrutinize large volumes of
data and concentrate skilled manual resources on the investigation of results,
rather than on the extraction of information.
b.
Once the programs have been written and tested; the costs of operation are
relatively low; indeed the auditor does not necessarily have to be present
during its use.
TEST PACK
A test pack consists of input data submitted by the auditor for processing by the
enterprise's computer based accounting system. It may be processed during a
normal production run (live) or during a special run at a point in time outside the
normal cycle (dead).
b.
In using dead processing the auditor does not test the system actually used
by the audit subject.
c.
The system will be checked by the test pack, but not the year end balances,
which will still require sufficient audit work. Costs may therefore be high.
d.
Any auditor who wishes to design a test pack must have sufficient skill in
computing and also a thorough knowledge of the client's system.
e.
Any changes in the system will mean that the test pack will have to be rewritten which will be costly and time-consuming.
Snapshot
AUDIT SOFTWARE
Audit software comprises computer programs used by the auditor to examine an
enterprise's computer files. It may consist of package programs or utility programs
which are usually run independently of the enterprise's computer based accounting
system. It includes interrogation facilities available at the enterprise. The features of
the main types of audit software are as follows:
PACKAGE PROGRAMS:
Consist of prepared generalized programs for which the auditor will specify his
detailed requirements by means of parameters, and sometimes by
UTILITY PROGRAMS:
Consist of programs available for performing simple functions such as sorting
and printing data files.
Logical path analysis will draw a flow chart of the program logic.
(b)
(b)
either accidentally or deliberately, without proper authority.
(i)
(d)
changed. Although the complete file will be dumped
(ii)
(iii)
(iv)
(v)
(b)
(iii)
(iv)
(c)
(v)
(vi)
(ii)
(iii)
(iv)
Independent companies formed to provide specialist computing services.
(b)
(c)
Computer users with spare capacity who hire out computer time when
(ii)
It can test and develop its programs prior to the delivery of its own
computer.
In some cases the new system may be initially implemented using a bureau.
This will involve file conversion and pilot or parallel running.
(b)
(c)
(d)
(e)
Specialist skills: Management feel that the job of data processing should be
left to the experts.
(f)
(g)
ADVANTAGES OF BUREAU:
(a)
Very few users can afford to pay for the services of systems analysts and
programmers of the quality that will be found working for the large bureau.
(b)
(c)
(d)
DISADVANTAGES OF BUREAU
(a)
Loss of control over time taken to process data and in particular the inability
to reschedule work should input delays occur.
(b)
Problems may be encountered in the transfer of data to and from the bureau.
(c)
The bureau may close down leaving the customer without any DP facilities.
Customer may feel that they will lose control over an important that it is bad
security to allow confidential information to be under the control of outsiders.
(e)
Its employees will be uninterested in and often unaware of the type of data
they are processing.
(f)
(ii)
(iii)
Review and approval should be carried out throughout the development stage.
(iv)
Test data must be designed to impact on all system areas with predetermined results.
(v)
(vi)
(vii)
(viii)
(ix)
(x)
Test data
Simulation
Code Comparison