Should the IT manager report to the controller?
Good Idea!
– Most IT applications deal with accounting transactions, so everyone would benefit from having the accounting manager involved from the start.
Bad Idea!
– Most controllers already perform 2 of the 3 incompatible duties; adding custody of the computing assets would make it 3 of 3.
– Fraud would be difficult to detect.
Should the IT manager report to another operations or administrative manager?
Good Idea!
– Many software applications deal with these areas.
Bad Idea!
– Many managers can authorize transactions, so adding custody of the computing assets would give them 2 of the 3 incompatible duties.
– Other managers would not likely have the expertise to guide and support an IT manager.
– Managers would likely give priority to their own IT needs and less to the rest of the company.
– The IT function may not have access to upper management for influencing decisions about priorities and strategies.
Should the IT manager report alongside other line managers?
Good Idea!
– The IT function is politically strong enough to compete for resources and to set priorities and strategies.
– The CEO has responsibility over the 3 incompatible duties but rarely performs them.
[Diagram: short-term and long-term goals leading to growth opportunity]
Designing the IT Function
– systems development
– computer operations
– computer security
Systems Development
Staff have access to operating systems, business applications and other key software.
Systems developers are authorized to create and alter software logic; therefore they should not be allowed to process information.
They should not maintain custody of corporate data and business applications.
Computer Operations
Operations staff are responsible for:
– Entering data (similar to the internal control concept of 'authorizing transactions')
– Processing information (similar to the internal control concept of 'recording transactions')
– Disseminating output (similar to the internal control concept of 'maintaining custody')
These duties must be segregated among different staff.
Computer Security
Responsible for the safe-keeping of
resources
– includes ensuring that business software
applications are secure.
– responsible for the safety (‘custody’) of
corporate information, communication
networks and physical facilities
Systems analysts and programmers should
not have access to the production library.
[Org chart: IT Function Manager]
Document everything!
Testing
Written and/or oral tests can be
administered to test skills.
Company must be consistent in testing
procedures.
Interviewing
Follow Sound Procedures
Follow Company, Regulatory & Statutory
Rules
Steps of interviewing:
– Select appropriate interviewers
– Develop an internal interview schedule
– Arrange for interviews with interviewees
– Conduct the interviews
Rewarding
It is important to continually challenge and motivate
employees.
Improperly rewarding employees may result in
business and audit risks:
Business risks:
– employees might develop a 'bad attitude' toward the IT manager and the company, which leads to
» lower productivity
» frustration
» turnover
Audit risks:
– employees can become bored and disgruntled
– engage in mischievous and criminal behaviors
– can threaten the availability, accuracy, security and reliability of
corporate information
Evaluating
Most common is the annual review.
The evaluation process must have structure
and reasonableness.
Evaluator must be as fair as possible to
prevent frustration and resentment.
Compensating
The company should strive to compensate
employees at least as well as peer organizations.
Turnover:
– Can cause productivity losses
– Replacement costs are high
– Risks the availability and reliability of systems
– Departing employees may take sensitive information to competitors
Compensation Issues:
Equal Pay for Equal Work
IT Function must not discriminate in
appearance or substance among employees.
Test by comparing the compensation
packages of employees holding similar
positions.
Compensation Issues:
Compression and Inversion
Compression: The compensation of newly hired
employees gets very close to experienced employees
in similar positions or the compensation of
subordinates is nearly the same as their superiors.
[Access-control matrix for User #1. Rows: the information types Customers, Vendors, Sales, Purchasing, Receipts and Payments, each split into the operations Add, Edit, Read and Delete. Columns: the applications A/R (accounts receivable) and A/P (accounts payable). Each cell is marked √ or x.]
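The matrix above is the deck's illustration of per-user, per-application, per-operation rights. The Python below is an added example, not code from the slides, that models such a matrix as a default-deny rights set and runs the three-way segregation-of-duties test (authorizing, recording, maintaining custody) over it, so that a user who has accumulated two or more incompatible duties is flagged. The users, their rights and the mapping of rights onto duties are constructed for the example.

```python
"""Access-control matrix with default-deny lookup and a segregation-of-duties
(SoD) check. Added example: the matrix, users and duty mapping below are
constructed for illustration and are not the slide deck's data."""
from collections import defaultdict

# A right is (application, information, operation). Anything not listed is denied.
ACCESS = {
    "User #1": {
        ("A/R", "Customers", "Read"),
        ("A/R", "Sales", "Add"), ("A/R", "Sales", "Read"),
        ("A/R", "Receipts", "Read"),
    },
    "User #2": {
        ("A/P", "Vendors", "Add"), ("A/P", "Vendors", "Edit"), ("A/P", "Vendors", "Read"),
        ("A/P", "Purchasing", "Add"), ("A/P", "Purchasing", "Read"),
        ("A/P", "Payments", "Add"), ("A/P", "Payments", "Read"),
    },
}

# Constructed classification of rights into the three incompatible duties.
# Rights not listed here (e.g. Read) confer no duty.
DUTY_OF = {
    ("A/P", "Vendors", "Add"): "authorizing",     # approving a new payee
    ("A/P", "Vendors", "Edit"): "authorizing",
    ("A/P", "Purchasing", "Add"): "authorizing",  # approving a purchase
    ("A/P", "Purchasing", "Edit"): "recording",
    ("A/P", "Payments", "Add"): "custody",        # releasing a disbursement
    ("A/P", "Payments", "Edit"): "recording",
    ("A/R", "Customers", "Add"): "authorizing",   # approving a new customer
    ("A/R", "Customers", "Edit"): "authorizing",
    ("A/R", "Sales", "Add"): "recording",         # booking a sale
    ("A/R", "Sales", "Edit"): "recording",
    ("A/R", "Receipts", "Add"): "custody",        # handling incoming cash
}


def is_permitted(user, app, info, op):
    """Default deny: a right exists only if it appears in the matrix."""
    return (app, info, op) in ACCESS.get(user, set())


def duties_held(user):
    """Return the set of duty categories conferred by a user's rights."""
    return {DUTY_OF[r] for r in ACCESS.get(user, set()) if r in DUTY_OF}


def sod_violations(user):
    """Flag a user holding two or more of the three incompatible duties.
    Returns the offending rights grouped by duty, or {} when the user is clean."""
    by_duty = defaultdict(list)
    for right in sorted(ACCESS.get(user, set())):
        if right in DUTY_OF:
            by_duty[DUTY_OF[right]].append(right)
    return dict(by_duty) if len(by_duty) >= 2 else {}


def audit_all():
    """Run the SoD check over every user in the matrix."""
    return {user: sod_violations(user) for user in ACCESS}


if __name__ == "__main__":
    for user, violations in audit_all().items():
        print(f"{user}: {'SoD VIOLATION' if violations else 'ok'}")
        for duty, rights in violations.items():
            for app, info, op in rights:
                print(f"    {duty:<11} {app} {info} {op}")
```

Run stand-alone, the script reports User #1 as clean (only a recording right) and User #2 as a violation, because approving vendors and purchases (authorizing) together with releasing payments (custody) is exactly the combination the slides warn about. The same check can be run against a production library's access list to enforce the rule that developers hold no custody rights there.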
Directing the IT Function:
Administering the Workflow
Effective capacity planning
Schedule and perform the work
– Have enough resources for peaks yet minimize idle
time
Develop formal workload schedules
Monitor performance
Denote actual-to-planned workload variances
Continually adjust
Managing the Computing
Environment
Responsible for the computing
infrastructure:
– Computer hardware
– Network hardware
– Communication systems
– Operating systems
– Application software and data files
Managing the Computing
Environment
The IT manager must
– understand how the infrastructure elements
work together.
– establish policies for acquiring, disposing, and
accounting for inventory
– track rented equipment and software
– comply with licensing agreements
Managing the Computing
Environment
The IT manager must ensure the physical
environment is safe for humans and computers
with
– Fire suppression systems in place
– A tested fire evacuation plan
– A climate controlled environment
– Facilities that are inconspicuous in location and design
– Compliance with appropriate safety and health
regulations
Third Party Services
Examples:
– Internet service providers (ISP)
– Communication companies
– Security firms
– Call centers
Offer economies of scale
Use of 3rd party services is increasing.
Third Party Services
Key Issues
Policies must be established for purchase,
use, and termination of 3rd party services.
Must have legally binding contracts.
Must ensure the security and confidentiality
of company information.
Must have a plan for disruption of services.
Must have a backup and recovery plan in place.
Assisting Users
Training and Education
Identify training needs.
Design curricula.
Deliver programs.
Use outside training programs.
Assisting Users
Help Desk
The IT manager needs to design and monitor effective ways to assist users when they request help.
– Must create an atmosphere of mutual trust and
respect between the IT function and user
community.
Effective handling of problems and
incidences requires a formal set of policies
and procedures.
Requests for help generally arise from
users’ lack of understanding about how
applications work.
RAID Mirroring and Striping
[Diagram: duplicate recording on a single mirrored disk (mirroring) versus data split across an array of disks (striping)]
Mirroring writes every block to two disks; striping alone spreads blocks across the array for throughput and adds no redundancy unless it is combined with mirroring or parity.
Continuity Controls
Network Attached Storage (NAS)
Integrates one or more storage devices, (NAS
appliances,) into the local area network (LAN) .
Comprised of one or more disk drives and an
internal controller.
Employs RAID technology to ensure hardware
redundancy.
Can be shared by multiple users on the network.
Appliances are relatively affordable and scalable
[Diagram: NAS appliance on the LAN shared by User #1, User #2, a printer and a scanner]
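The RAID and NAS slides above state that RAID provides hardware redundancy without showing the mechanism. The Python below is an added example, not part of the original deck, that models mirroring (every disk holds a full copy), striping without redundancy, and striping with a single XOR parity disk on in-memory byte arrays; it then destroys one disk and rebuilds it from the survivors. The sample data, disk counts and the choice of which disk fails are constructed for the example.

```python
"""Mirroring versus striping, with and without parity, as a model of RAID
redundancy. Added example: the "disks" are in-memory byte arrays and the
sample data and disk counts are constructed here, not taken from the deck."""


def mirror(data: bytes, copies: int = 2) -> list:
    """RAID 1 style: every disk holds a full copy, so any one copy suffices."""
    return [bytearray(data) for _ in range(copies)]


def stripe_with_parity(data: bytes, data_disks: int) -> list:
    """RAID 5 style (single parity): split data into equal chunks, one per
    data disk, and append a parity disk holding the XOR of all chunks.
    Returns data_disks + 1 disks."""
    chunk = -(-len(data) // data_disks)  # ceiling division
    padded = data.ljust(chunk * data_disks, b"\0")
    disks = [bytearray(padded[i * chunk:(i + 1) * chunk]) for i in range(data_disks)]
    parity = bytearray(chunk)
    for disk in disks:
        for i, byte in enumerate(disk):
            parity[i] ^= byte
    return disks + [parity]


def stripe_only(data: bytes, data_disks: int) -> list:
    """RAID 0 style: the same chunks with no redundant disk. Losing any
    single disk destroys part of the data; there is nothing to XOR against."""
    return stripe_with_parity(data, data_disks)[:-1]


def rebuild(disks: list, failed: int) -> bytearray:
    """Reconstruct one missing disk as the XOR of every surviving disk.
    Works for any index, including the parity disk itself."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    out = bytearray(len(survivors[0]))
    for disk in survivors:
        for i, byte in enumerate(disk):
            out[i] ^= byte
    return out


def read_back(disks: list, data_disks: int, length: int) -> bytes:
    """Concatenate the data disks (parity excluded) and strip the padding."""
    return b"".join(bytes(d) for d in disks[:data_disks])[:length]


def simulate_failure(data: bytes, data_disks: int, failed: int) -> bytes:
    """Stripe with parity, lose disk `failed`, rebuild it, return what is read."""
    disks = stripe_with_parity(data, data_disks)
    disks[failed] = None  # the disk is gone
    disks[failed] = rebuild(disks, failed)
    return read_back(disks, data_disks, len(data))


if __name__ == "__main__":
    ledger = b"GENERAL LEDGER 2024-Q3 closing entries"  # constructed sample
    for lost in range(5):  # four data disks plus the parity disk
        ok = simulate_failure(ledger, 4, lost) == ledger
        print(f"RAID 5: lost disk {lost} -> {'recovered' if ok else 'DATA LOSS'}")
    raid0 = stripe_only(ledger, 4)
    raid0[0] = bytearray(len(raid0[1]))  # disk 0 zeroed; no parity to rebuild from
    lost_data = read_back(raid0, 4, len(ledger)) != ledger
    print("RAID 0: lost disk 0 ->", "DATA LOSS" if lost_data else "recovered")
```

Single parity tolerates exactly one failed disk per stripe; a second failure before the rebuild completes is unrecoverable, which is why an array with a failed member should be treated as an incident and not merely as a capacity problem.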
Continuity Controls
Storage Area Network (SAN)
Unlike NAS, which serves files over the existing LAN, a SAN is a dedicated network carrying storage traffic; it can be extended across wide area networks (WAN).
SAN can be linked to multiple LANs.
Multiple SANs can be used simultaneously.
SAN can be expensive and technically complicated.
Capable of handling very high volumes.
SAN is a good solution for large companies.
SAN is designed to be very fault tolerant.
[Diagram: SAN with an input-output controller linked to a wide area network and four disk storage units]
Disaster Recovery Controls
The first step is to plan for various disaster scenarios:
– a) a single server is damaged
– b) an entire company site is demolished
– c) multiple company locations are simultaneously struck by disaster
– d) the entire company is destroyed
IT managers and auditors should plan for what, who, when, where, how, which and why.