
Chapter Five

MANAGING THE IT FUNCTION


5 Areas in Managing
IT Function.
 Organizing
 Funding
 Staffing
 Directing
 Controlling
Organizing the IT Function
 The IT Function must be organized and
structured.
 IT Manager must define the role and
articulate the value of the IT Function.
 Configuration within a company depends on
external and internal organizational factors.
 Sound internal controls are essential to the
structural framework.
Locating the IT Function – to whom should
the IT manager report?
 Important ramifications on IT Manager’s
– Ability to acquire needed resources
– Ability to prioritize workloads.
Locating the IT Function
 Consider segregation of incompatible duties.
 Must vest in different people:
– Authorizing Transactions
– Recording Transactions
– Maintaining Custody of Assets
 Can be accomplished with judicious choices with
respect to
– placing the IT function in the organization
– integrating programmed controls into computing
infrastructures and applications.
Should the IT manager report to the
accounting manager?

 Good Idea!
– Most IT applications deal with accounting
transactions! So everyone would benefit by
having the accounting manager involved from
the start.
 Bad Idea!
– Most controllers perform 2 of the 3
incompatible duties. This would make 3 of the
3.
– Fraud would be difficult to detect.
Should the IT manager report to another
operations or administrative manager?
 Good Idea! Many software applications deal with these areas.
 Bad Idea!
– Many managers can authorize transactions, so custody of
computing assets would attribute them with 2 of the 3 incompatible
duties.
– Other managers would not likely have the expertise to guide and
support an IT manager.
– Managers would likely give priority to their own IT needs and less
to the rest of the company.
– The IT function may not have access to upper management for
influencing decisions about placing priorities and setting strategies.
Should the IT manager report alongside
other line managers?
 Good Idea!
– Politically strong to compete for resources and
set priorities and strategies.
– CEO has responsibility over, but rarely
performs the 3 incompatible duties.
 With sound internal controls, can be
effectively managed.
Should the IT manager report above
other line managers?
 In a VP position, the IT manager can
– coordinate strategies
– set standards
– establish priorities across the entire
organization
 This structure allows the IT managers, who
report to the Vice President, to focus on
local issues and needs.
[Figure: sample organization chart. The Chief Executive Officer (CEO) is at the top; reporting to the CEO are the Vice President, Foreign Operations; the Vice President, North American Operations; and the Vice President, Information Technology. Below them sit the Sales & Marketing Manager, Human Resources Manager, Finance & Accounting Manager, Information Technology Manager and Research & Operations Manager. The chart is annotated with Profit Control, Short-Term Goals, Long-Term Goals and Growth Opportunity.]
Designing the IT Function
 The ultimate structure of the IT function is
often determined by cultural, political and
economic forces inherent in each
organization.
Internal control considerations
within an IT function
 Separate from one another:
– systems development
– computer operations
– computer security
Systems Development
 Staff has access to operating systems, business
applications and other key software.
 Systems developers are authorized to create
and alter software logic; therefore, they should
not be allowed to process information.
 They should not maintain custody of
corporate data and business applications.
Computer Operations
 Operation staff are responsible for:
– Entering Data (similar to the internal control
concept of ‘authorizing transactions’)
– Processing information (similar to the internal
control concept of ‘recording transactions’)
– Disseminating Output (similar to the internal
control concept of ‘maintaining custody’)
 Must segregate duties.
Computer Security
 Responsible for the safe-keeping of
resources
– includes ensuring that business software
applications are secure.
– responsible for the safety (‘custody’) of
corporate information, communication
networks and physical facilities
 Systems analysts and programmers should
not have access to the production library.
[Figure: sample IT function organization chart. The IT Function Manager oversees four managers: the Systems Development Manager (Systems Analysis (a), Computer Programming (b), Database Administration (c), Quality Control); the Computer Operations Manager (Data Input (a), Information Processing (b), Information Output (c), Continuity of Operations); the Computer Security Manager (Software Security, Information Security, Network Security, Physical Security); and the User Services Manager (Technical Support, Application Support, User Training, Help Desk). The letters (a), (b) and (c) appear in both the development and the operations columns.]
IT Auditors’ examination of the
IT Function
 Auditors should ensure that systems
developers and computer operators are
segregated.
 It is also advisable for the IT function to
form a separate security specialization to
maintain custody of software applications
and corporate data.
Funding the IT Function
 Must be adequately funded to fulfill strategic
objectives.
 Business risk of under-funding:
– Needs and demands of customers, vendors, employees
and other stakeholders will go unfulfilled.
– can adversely impact the success of the company.
 Audit risk of under-funding:
– Heavy workloads can lead to a culture of ‘working
around’ the system of internal controls
Two funding approaches
1. Cost Center Approach
 Submit detailed budget to upper management
 Justify each line item
 Use the IT function scorecard approach
– Operational Performance
– User satisfaction
– adaptability and scalability
– Organizational contribution
Two funding approaches
2. Profit Center Approach
 Submit detailed budget to upper management.
 Charge internal users for services through
intra-company billing.
– Positive Outcome: Managers will not be overly
demanding of IT services
– Negative Outcome: IT can build excessive
expenses into billing rates until the rates exceed
costs of outside providers.
Billing Rates
 Independent Party within the company
should compare rates to outside services.
 IT Auditor should
– Confirm that a reasonableness check is
performed at least annually to ensure that
billing rates are not excessive
Acquiring IT Resources
 IT manager should justify IT Capital
projects using a methodological approach.
– Determine the net benefit
» Present value of benefits minus costs
– Use Scorecard approach for non-quantifiable
paybacks.
Example with Scorecard Approach
Justify the in-house development of a web-based customer
ordering system

Scorecard                     Action
Operational Performance       Estimate the increased number of sales the system
                              will handle each day.
                              Determine faster speed of each sale.
User Satisfaction             Survey customers for what they need and how they
                              would receive the proposed system.
Adaptability & Scalability    Forecast increased sales.
                              Show how the new system integrates with existing
                              accounting & inventory systems.
Organizational Contribution   Perform net benefit analysis.
                              Estimate financial costs & benefits.
Staffing the IT Function
 Business and audit risks can be effectively
controlled via sound human resource
procedures in the areas of hiring, rewarding
and terminating employees.
Hiring
 Should have formal procedures that are
followed
 Each job should have a substantive
description of responsibilities and
procedures.
Recruiting
 Carefully plan and execute each step in
compliance with company policy.
1. Identify Needs
2. Write a job description
3. Obtain permissions
4. Advertise
5. Accept Applications
6. Review Applications
Verifying
Extent depends on the position, but all candidates
should have some checking.
 Contact references, both personal and professional.
 Conduct background checks
– Verify education
– Check for criminal or civil violations
 Document everything!
Testing
 Written and/or oral tests can be
administered to test skills.
 Company must be consistent in testing
procedures.
Interviewing
 Follow Sound Procedures
 Follow Company, Regulatory & Statutory
Rules
 Steps of interviewing:
– Select appropriate interviewers
– Develop an internal interview schedule
– Arrange for interviews with interviewees
– Conduct the interviews
Rewarding
 It is important to continually challenge and motivate
employees.
 Improperly rewarding employees may result in
business and audit risks:
Rewarding
 Business risks:
– might develop a ‘bad attitude’ toward the IT manager and the
company
– leads to
» lower productivity
» frustration
» turnover
 Audit risks:
– employees can become bored and disgruntled
– engage in mischievous and criminal behaviors
– can threaten the availability, accuracy, security and reliability of
corporate information
Evaluating
 Most common is the annual review.
 The evaluation process must have structure
and reasonableness.
 Evaluator must be as fair as possible to
prevent frustration and resentment.
Compensating
 The company should strive to compensate
employees at least as well as peer organizations.
 Turnover:
– Can cause productivity losses
– Replacement costs are high
– Risks the availability and reliability of systems
– Employees take sensitive information to competitors
Compensation Issues:
Equal Pay for Equal Work
 IT Function must not discriminate in
appearance or substance among employees.
 Test by comparing the compensation
packages of employees holding similar
positions.
Compensation Issues:
Compression and Inversion
 Compression: The compensation of newly hired
employees gets very close to experienced employees
in similar positions, or the compensation of
subordinates is nearly the same as their superiors’.
 Inversion: The compensation of new hires is greater
than more experienced employees in the same
position, or the compensation of subordinates
exceeds that of superiors.
Promoting
 Should be based on merit
 Compensation should be commensurate
with the new job’s role and responsibilities.
 Must be formal written procedures that are
consistently followed.
Learning
 Training benefits the employee, the employer and
society as a whole. Failure to offer learning
opportunities creates:
 Business Risk:
– potential loss of competitive positioning due to an
uneducated workforce
– low employee morale
 Audit Risk:
– stagnant and frustrated employees
– attitude of complacency toward internal controls
– or utter disregard for internal controls
Terminating
 A disgruntled employee can disrupt the company’s systems
and controls.
 The IT function needs to design and implement
countervailing controls
– backup procedures
– checks-and-balances
– cross-training
– job rotations
– mandated vacations
– immediately separate them from the computing environment
– terminate all computer privileges
Sample Authorization Matrix
[Figure: a grid of three users (User #1, User #2, User #3 [ID = XXXXX, Password = YYYYY]) against the information applications A/R and A/P. Each row is one kind of information (Customers, Vendors, Sales, Purchasing, Receipts, Payments) crossed with the privileges Add, Edit, Read and Delete; cells are marked √ or x to show which privileges each user ID holds in each application.]
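Added example, not from the original slides: a small ID-based authorization matrix of the kind the figure shows, plus a check for the three incompatible duties the chapter lists (authorizing transactions, recording transactions, maintaining custody of assets). The user IDs, the grants and the mapping of matrix privileges onto duties are constructed assumptions for this example.

```python
from collections import defaultdict

ACTIONS = ("Add", "Edit", "Read", "Delete")
INFORMATION = ("Customers", "Vendors", "Sales", "Purchasing", "Receipts", "Payments")
APPLICATIONS = ("A/R", "A/P")

# How each matrix privilege maps onto the chapter's three incompatible duties.
# This mapping is an assumption made for the example, not a rule on the slides.
DUTY_OF_ACTION = {"Add": "authorizing", "Edit": "recording",
                  "Delete": "recording", "Read": None}
CUSTODY_INFORMATION = {"Receipts", "Payments"}   # cash-related, so 'custody'


class AuthorizationMatrix:
    """Maps each user ID to the set of (application, information, action) cells
    marked in the matrix; a cell that is absent is denied."""

    def __init__(self):
        self._grants = defaultdict(set)

    def grant(self, user, application, information, action):
        if (application not in APPLICATIONS or information not in INFORMATION
                or action not in ACTIONS):
            raise ValueError(f"unknown cell {application}/{information}/{action}")
        self._grants[user].add((application, information, action))

    def is_allowed(self, user, application, information, action):
        return (application, information, action) in self._grants[user]

    def duties_of(self, user):
        """The incompatible duties a user's grants add up to."""
        duties = set()
        for _app, information, action in self._grants[user]:
            if DUTY_OF_ACTION[action]:
                duties.add(DUTY_OF_ACTION[action])
            if information in CUSTODY_INFORMATION and action != "Read":
                duties.add("custody")
        return duties

    def segregation_violations(self):
        """Users holding two or more of the three incompatible duties."""
        violations = {}
        for user in self._grants:
            duties = self.duties_of(user)
            if len(duties) >= 2:
                violations[user] = sorted(duties)
        return violations


def build_sample_matrix():
    """Constructed sample grants (not the marks from the slide's figure)."""
    m = AuthorizationMatrix()
    m.grant("user1", "A/R", "Customers", "Read")   # sales clerk: authorizes sales
    m.grant("user1", "A/R", "Sales", "Add")
    m.grant("user2", "A/P", "Vendors", "Read")     # A/P clerk: records vendor data
    m.grant("user2", "A/P", "Vendors", "Edit")
    m.grant("user3", "A/P", "Purchasing", "Add")   # authorizes purchases ...
    m.grant("user3", "A/P", "Payments", "Edit")    # ... and records/holds payments
    return m


if __name__ == "__main__":
    matrix = build_sample_matrix()
    print("user1 may add sales:", matrix.is_allowed("user1", "A/R", "Sales", "Add"))
    print("user1 may delete sales:", matrix.is_allowed("user1", "A/R", "Sales", "Delete"))
    for user, duties in matrix.segregation_violations().items():
        print(f"segregation violation: {user} holds {', '.join(duties)}")
```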
Directing the IT Function:
Administering the Workflow
 Effective capacity planning
 Schedule and perform the work
– Have enough resources for peaks yet minimize idle
time
 Develop formal workload schedules
 Monitor performance
 Denote actual-to-planned workload variances
 Continually adjust
Managing the Computing
Environment
 Responsible for the computing
infrastructure:
– Computer hardware
– Network hardware
– Communication systems
– Operating systems
– Application software and data files
Managing the Computing
Environment
 The IT manager must
– understand how the infrastructure elements
work together.
– establish policies for acquiring, disposing, and
accounting for inventory
– track rented equipment and software
– comply with licensing agreements
Managing the Computing
Environment
 The IT manager must ensure the physical
environment is safe for humans and computers
with
– Fire suppression systems in place
– A tested fire evacuation plan
– A climate controlled environment
– Facilities that are inconspicuous in location and design
– Compliance with appropriate safety and health
regulations
Third Party Services
 Examples:
– Internet service providers (ISP)
– Communication companies
– Security firms
– Call centers
 Offer economies of scale
 Use of 3rd party services is increasing.
Third Party Services
Key Issues
 Policies must be established for purchase,
use, and termination of 3rd party services.
 Must have legally binding contracts.
 Must ensure the security and confidentiality
of company information.
 Must have a plan for disruption of services.
 Must have a backup and recovery plan in
place.
Assisting Users
Training and Education
 Identify training needs.
 Design curricula.
 Deliver programs.
 Use outside training programs.
Assisting Users
Help Desk
 The IT manager needs to design and
monitor effective ways to assist users when
they request help.
– Must create an atmosphere of mutual trust and
respect between the IT function and user
community.
 Effective handling of problems and
incidents requires a formal set of policies
and procedures.
Assisting Users
Help Desk
 Requests for help generally arise from
users’ lack of understanding about how
applications work.
 Problems and incidents reflect
improperly functioning elements of the
computing infrastructure, and require the
intervention of experienced technicians and
programmers.
Controlling the IT Function
 The major control categories involved in the IT
function are
– Security
– Input
– Processing
– Output
– Databases
– backup and recovery
 Each of these categories is intended to minimize
business and audit risk via internal controls.
Security Controls
 Secure the computing infrastructure from
internal and external threats.
 A compromise of the infrastructure can
result in:
– business risk
» network downtime
» database corruption
– audit risk
» material misstatements in accounts due to
incomplete or inaccurate data capturing
Physical Security
 Focuses on keeping facilities, computers,
communication equipment and other tangible
aspects of the computing infrastructure safe
from harm.
Physical Security
Access Restriction
 Only authorized personnel should be allowed into
the facility.
 Visitors should be accompanied by authorized
personnel at all times.
 Use at all ingress and egress points:
– Security guards
– Keys & locks
– Card readers
– Biometric devices
 Penetration points should be adequately secured.
Physical Security
Monitor Access
 Monitor who is entering, roaming and
leaving the facility.
– Security guards
– Video Cameras
– Penetration alarms
 Review access evidence.
– Signage log, paper or electronic
 Formal review procedures in place.
Security Issue       Physical Controls                     Logical Controls
Access Controls      Security Guards                       ID and Passwords
                     Locks & Keys                          Authorization Matrix
                     Biometric Devices                     Firewalls & Encryption
Monitor Controls     Security Guards                       Access Logs
                     Video Cameras                         Supervisory Oversight
                     Penetration Alarms                    Penetration Alarms
Review Controls      Formal Reviews                        Formal Reviews
                     Signage Logs                          Activity Logs
                     Violation Investigations              Violation Investigations
Penetrating Tests    Unauthorized attempts to enter        Unauthorized attempts to enter
                     IT facilities                         servers and networks
                     Attempts to break in through          Attempts to override access
                     vulnerable points                     controls (hacking)
                     As authorized visitor, attempts to    As authorized user, attempts to
                     leave authorized personnel and        use unauthorized applications
                     wander around the facility without    and view unauthorized
                     oversight                             information
Physical Security
Communication & Power Lines
 The IT manager should:
– monitor the primary communication and power
lines via cameras and guards
– install secondary (backup) lines in case the
primary lines fail.
 Contingency plan must address the possible
failure of lines.
Physical Security
Off-Site Equipment
 Equipment located in other places needs to
be monitored in the same way.
 Effective backup plan must be in place.
Logical Security
 Data and software are known as the ‘logical’
components of the infrastructure:
– Corporate data
– Computer software
» user applications
» network systems
» communication systems
» operating systems
Logical Security
 Physical controls still apply
– most corporate data and software are located on
computers, servers and storage devices
 Computer-controlled access, monitoring and
review systems
Logical Security
Points of Entry
 Computer Terminal
– Supply Authorized ID
– Password
 Internet
– Controls are needed over external access points
– Firewalls
– Track failed attempts to enter system
Logical Security
Access and Monitor Systems
 Supervisory Oversight
 Penetration alarms
– Track usage patterns
– Report failed attempts
 Formal review procedure
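Added example, not from the original slides: a review of a constructed login log that does what the two slides above ask for, tracking failed attempts per ID, reporting a burst of failures (and whether a success followed it) and listing off-hours usage as a pattern for the formal review. The log format, the IDs and the entry-point names are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not any real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) point=(?P<point>\S+) id=(?P<id>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample access log: a terminal login, a burst of failed attempts
# at the Internet entry point that ends in success, one stray failure, and a
# late-night login.
SAMPLE_LOG = """\
2024-03-01T08:00:01 point=terminal-12 id=jsmith result=OK
2024-03-01T08:02:10 point=internet-gw id=admin result=FAIL
2024-03-01T08:02:14 point=internet-gw id=admin result=FAIL
2024-03-01T08:02:19 point=internet-gw id=admin result=FAIL
2024-03-01T08:02:25 point=internet-gw id=admin result=OK
2024-03-01T09:15:00 point=terminal-03 id=mlee result=FAIL
2024-03-01T17:40:00 point=terminal-03 id=mlee result=OK
2024-03-01T23:55:00 point=internet-gw id=jsmith result=OK
""".splitlines()


def parse(lines):
    """Returns (events, malformed_count); malformed lines are counted, not dropped silently."""
    events, malformed = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            malformed += 1
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "point": m["point"],
                       "id": m["id"], "result": m["result"]})
    return events, malformed


def failed_attempt_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """IDs with at least `threshold` failures inside `window`, noting whether a
    successful login followed the burst (the pattern a reviewer should inspect)."""
    by_id = defaultdict(list)
    for e in events:
        by_id[e["id"]].append(e)
    alerts = []
    for user, evs in by_id.items():
        fails = sorted(e["ts"] for e in evs if e["result"] == "FAIL")
        for i in range(len(fails) - threshold + 1):
            burst = [t for t in fails[i:] if t - fails[i] <= window]
            if len(burst) >= threshold:
                alerts.append({
                    "id": user, "failures": len(burst),
                    "first": fails[i], "last": burst[-1],
                    "followed_by_success": any(
                        e["result"] == "OK" and e["ts"] > burst[-1] for e in evs),
                })
                break   # one alert per ID per review run
    return alerts


def off_hours_logins(events, start_hour=22, end_hour=6):
    """Successful logins outside business hours: a usage pattern to report."""
    return [e for e in events if e["result"] == "OK"
            and (e["ts"].hour >= start_hour or e["ts"].hour < end_hour)]


if __name__ == "__main__":
    events, bad = parse(SAMPLE_LOG)
    print(f"{len(events)} events parsed, {bad} malformed")
    for a in failed_attempt_alerts(events):
        print(f"{a['id']}: {a['failures']} failures {a['first']}..{a['last']}, "
              f"then success: {a['followed_by_success']}")
    for e in off_hours_logins(events):
        print(f"off-hours login: {e['id']} at {e['ts']} via {e['point']}")
```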
Information Controls
 Controls need to be in place and working
effectively to ensure the integrity and
accuracy of vital decision-making
information.
 Must Integrate sound backup controls.
Information Controls
Input Controls
 The company must have and follow written
procedures regarding the proper
authorization, approval and input of
accounting transactions.
 These are incompatible functions.
– they should be carefully segregated, to the
extent possible, and controlled.
Information Controls
Input Controls – 3 Scenarios – #1
 A customer purchases goods at a store counter.
– Authorizing the sale
 A cashier records the sale on the cash register
– Approving the sale; balances the register; logs into
the register with ID
 An accounting clerk later processes cash register
sales in batches.
– Inputs sales transactions into accounting system in batches
Information Controls
Input Controls – 3 Scenarios – #2
 Same except cash register automatically
records the sale into the accounting system.
Process Controls
 Validating
 Error Handling
 Updating
Database Controls
 Database processing involves simultaneous
updating of multiple tables.
 Multiple tables and data items can be
instantaneously corrupted when an
interruption occurs.
Database Controls
Why corruption is so quick
1. Related tables are inextricably linked to one another.
2. Update routines often incorporate one or more of the
following processing techniques:
– Multi-tasking -- where the computer executes more than one
task [program] at a time
– Multi-processing -- where multiple CPUs simultaneously
execute interdependent tasks [programs]
– Multi-threading -- where a computer executes multiple parts of
a program [threads] at one time.
Database Controls
Roll-back and Recovery
 Databases operate on a transaction principle.
– A logical unit of work is considered a transaction.
– The processing of a transaction takes the database from
an initial state to an altered state, to the new initial state.
– Each step must be completed.
– Any failure will result in database corruption.
Database Controls
Roll-back and Recovery
 When there is an interruption, the database
management system (DBMS) begins to
restore.
 There are numerous technical processes
depending on the DBMS in use.
Database Controls
Roll-back and Recovery – Basic Recovery
 A unique identifier tags each transaction.
 An activity log tracks the transaction as it
processes.
 After interruption, the DBMS identifies the
transactions in process.
 Roll-back procedure is performed:
– Uncompleted transactions placed back into
queue
 Recovery takes place.
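Added example, not from the original slides: a toy key-value store that follows the basic recovery steps just listed. A unique identifier tags each transaction, an activity log records every change before it is applied, and after a simulated interruption the in-process transaction is identified, rolled back and placed back into a queue before recovery re-runs it. The keys, values and crash point are constructed for this example.

```python
import uuid
from collections import deque


class LoggedDatabase:
    """Tiny key-value store whose every change is logged before it is applied,
    so that in-process transactions can be identified and rolled back."""

    def __init__(self):
        self.data = {}          # current state, committed and in-flight
        self.log = []           # activity log: (record_type, txn_id, payload)
        self.queue = deque()    # work placed back into the queue after roll-back

    def begin(self, work):
        txn_id = str(uuid.uuid4())   # a unique identifier tags each transaction
        self.log.append(("BEGIN", txn_id, work))
        return txn_id

    def write(self, txn_id, key, value):
        old = self.data.get(key)     # old value is logged so the write can be undone
        self.log.append(("WRITE", txn_id, (key, old, value)))
        self.data[key] = value

    def commit(self, txn_id):
        self.log.append(("COMMIT", txn_id, None))

    def run(self, work, crash_after=None):
        """Apply `work` (a list of (key, value)) as one logical unit of work.
        crash_after=n simulates an interruption after n writes."""
        txn_id = self.begin(work)
        for i, (key, value) in enumerate(work):
            if crash_after is not None and i == crash_after:
                raise InterruptedError(txn_id)
            self.write(txn_id, key, value)
        self.commit(txn_id)
        return txn_id

    def in_process_transactions(self):
        """Transactions that began but never committed: {txn_id: work}."""
        begun, committed = {}, set()
        for rec_type, txn_id, payload in self.log:
            if rec_type == "BEGIN":
                begun[txn_id] = payload
            elif rec_type == "COMMIT":
                committed.add(txn_id)
        return {t: w for t, w in begun.items() if t not in committed}

    def roll_back(self):
        """Undo every write of an uncompleted transaction, newest first, and
        place that transaction's work back into the queue."""
        pending = self.in_process_transactions()
        for rec_type, txn_id, payload in reversed(self.log):
            if rec_type == "WRITE" and txn_id in pending:
                key, old, _new = payload
                if old is None:
                    self.data.pop(key, None)
                else:
                    self.data[key] = old
        self.log = [r for r in self.log if r[1] not in pending]
        for work in pending.values():
            self.queue.append(work)
        return list(pending)

    def recover(self):
        """Re-run the queued work as fresh transactions."""
        while self.queue:
            self.run(self.queue.popleft())


def demo():
    db = LoggedDatabase()
    db.run([("cust:1.balance", 100)])
    try:   # a transfer interrupted after the debit but before the credit
        db.run([("cust:1.balance", 40), ("cust:2.balance", 60)], crash_after=1)
    except InterruptedError:
        pass
    corrupt = dict(db.data)            # debit applied, credit missing
    rolled_back = db.roll_back()
    after_rollback = dict(db.data)     # back to the initial state
    db.recover()
    return corrupt, len(rolled_back), after_rollback, dict(db.data)
```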
Database Controls
Concurrency Control
 Multiple users attempt to update the same
data item simultaneously.
or when
 One user is updating while another user is
reading the same data item.
Database Controls
Concurrency Control
 A common way to prevent concurrency problems is
to lock a database object while it is in use and
release the object upon completion.
 The DBMS can determine which operation to
perform in what order, as it timestamps each
transaction when the processing request is initiated.
Database Controls
Concurrency Control – Levels of Granularity
 Coarse level – database is locked during updates.
– No one can use the database until update is complete.
 Moderate level – Database locks at tuple (record)
level.
– No one else could use the record until update is finished.
 Fine level – Database locks at attribute (field) level.
– Only the field being updated would be locked.
Database Controls
Concurrency Control – Levels of Granularity
 Tradeoff:
There is an inverse relationship between the
granularity level and system performance.
– A lower level of granular locking equates to
slower computer performance.
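Added example, not from the original slides: a lock manager that can run at the three granularity levels above (coarse = whole database, moderate = tuple, fine = attribute) applied to one constructed workload of three simultaneous updates. The number of lock objects the DBMS has to track stands in for the bookkeeping cost behind the tradeoff; the table, record and user names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class LockManager:
    """Exclusive locks at one of the three granularity levels from the slides."""
    granularity: str                             # "coarse", "moderate" or "fine"
    held: dict = field(default_factory=dict)     # lock key -> owning user

    def lock_key(self, table, record_id, attribute):
        if self.granularity == "coarse":         # the whole database
            return ("database",)
        if self.granularity == "moderate":       # one tuple (record)
            return (table, record_id)
        if self.granularity == "fine":           # one attribute (field)
            return (table, record_id, attribute)
        raise ValueError(f"unknown granularity {self.granularity!r}")

    def acquire(self, owner, table, record_id, attribute):
        """True if the update may proceed; False if it must wait for a release."""
        key = self.lock_key(table, record_id, attribute)
        holder = self.held.get(key)
        if holder is None or holder == owner:
            self.held[key] = owner
            return True
        return False

    def release_all(self, owner):
        self.held = {k: o for k, o in self.held.items() if o != owner}


# Constructed workload: three users updating at the same time, two of them
# different fields of the same Customers record.
WORKLOAD = [
    ("userA", "Customers", 7, "balance"),
    ("userB", "Customers", 7, "address"),
    ("userC", "Vendors", 3, "name"),
]


def simulate(granularity, updates=WORKLOAD):
    """Returns (updates that had to wait, lock objects the DBMS had to track)."""
    lm = LockManager(granularity)
    waited = 0
    for user, table, record_id, attribute in updates:
        if not lm.acquire(user, table, record_id, attribute):
            waited += 1
    return waited, len(lm.held)


def compare(updates=WORKLOAD):
    return {g: simulate(g, updates) for g in ("coarse", "moderate", "fine")}


if __name__ == "__main__":
    for level, (waited, locks) in compare().items():
        print(f"{level:9s} locking: {waited} update(s) blocked, {locks} lock(s) tracked")
```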
Output controls
 Only properly authorized parties can request
certain output –
– computer screens
– printed reports
 Such logical access control is accomplished via
the ID-password authorization matrix
procedure.
Output controls
Computer Screens
 Screens need to be physically secure when
output is visible.
 Output should be removed when user leaves
the terminal.
 Return to the screen should require a
password.
Output controls
Printed Reports
 Printer rooms need trail of accountability.
– Locks to prevent unauthorized access.
– Logs to sign in anyone entering.
– Logs to sign for reports.
 End user report requests should be
password protected.
 Network printers should be placed where
unauthorized persons will not have access.
Output controls
Printed Reports
 Must have record retention and destruction
policies.
– Mandated by regulatory agency.
– Dictated by company policy.
 Permanent reports must be in secured area.
 Temporary reports must be properly
destroyed.
Continuity Controls
 Must develop and follow a sound backup
strategy to prevent disruption of business
activity due to computer failures and
disasters.
 Two key considerations: downtime and
cost.
 Shorter downtime requirements equate to
higher backup costs.
Continuity Controls
Backup Controls – Data Backup
 Slow Company
– Can Survive for days without its computer system.
– Would perform full backup each week.
 Medium Company
– Must be back on computers same day.
– Would perform weekly full backups
– Daily incremental backups
Continuity Controls
Backup Controls – Data Backup
 Fast Company
– Must be back on computers within hours
– Needs daily full backup
– Hourly incremental backups
 Lightning Company
– Must be back on computers within minutes
– Needs real-time backup
– Simultaneous updating on a remote computer
Continuity Controls
Storage location & hardware redundancy
Physical Vaulting
 One backup on-site, one off-site
– On site copy is readily accessible if no disaster
– Off-site copy retrievable if disaster
 Strategy involves more time and money
Continuity Controls
Storage location & hardware redundancy
Electronic Vaulting
 Send backup data over a communications
network (such as the Internet) to an off-site
storage medium.
 Send to home of employee.
 Send to another company location.
 Purchase outside service.
 Costs and accessibility are considerations.
Continuity Controls
Storage location & hardware redundancy
 Hardware Backup usually needed for
component failures:
– Power supplies
– Anything with moving parts
 There are 3 common configurations for
redundant storage devices:
– Redundant Array of Independent Disks (RAID)
– Network Attached Storage (NAS)
– Server Area Network (SAN)
Continuity Controls
Redundant Array of Independent Disks (RAID)
 Disk mirroring
– Data is simultaneously written to the primary disk
and one or more redundant disks
 Disk striping
– An array of at least three, but usually five, disks is
established
– scheme of parity checks is utilized
– if one disk drive in the array fails, the remaining
drives can reconstruct the data on the failed drive
and continue processing
RAID Mirroring and Striping
[Figure: two diagrams. Disk Mirroring (RAID): duplicate recording on a single mirrored disk. Disk Striping (RAID): duplicate recording on an array of disks.]
Continuity Controls
Network Attached Storage (NAS)
 Integrates one or more storage devices, (NAS
appliances,) into the local area network (LAN) .
 Comprised of one or more disk drives and an
internal controller.
 Employs RAID technology to ensure hardware
redundancy.
 Can be shared by multiple users on the network.
 Appliances are relatively affordable and scalable
[Figure: a local area network in which User #1, User #2, a Printer and a Scanner share one Network Attached Storage (NAS) appliance.]
Continuity Controls
Server Area Network (SAN)
 Expands NAS to wide area networks (WAN).
 SAN is a dedicated network.
 SAN can be linked to multiple LANs.
 Multiple SANs can be simultaneously utilized.
 SAN can be expensive and technically complicated
 Capable of handling very high volumes
 SAN is a great solution for large companies.
 SAN is designed to be very fault tolerant.
[Figure: a SAN in which an Input-Output Controller connected to the Wide Area Network fronts four Disk Storage units.]
Disaster Recovery Controls
 The first step is to plan for various disaster
scenarios:
– a) a single server is damaged
– b) an entire company site is demolished
– c) multiple company locations are simultaneously struck
by disaster
– d) the entire company is destroyed
Disaster Recovery Controls
 IT managers and auditors should plan for what, who,
when, where, how, which and why.
– determine what just happened
– specify who to contact, in what order, and what they are
expected to do
– when to enact the remainder of the contingency plan
Disaster Recovery Controls
 where to transfer the lost computer processing
load
– Plan to shift to one or more alternate company
locations
– Establish contractual relationships with peer
companies in the same industry
» Affordable, but needs may not be a priority.
» Compatibility problems with operating systems
– Establish contractual relationships with third-party
providers of alternate computing sites.
Disaster Recovery Controls
 Three Levels:
1. Cold Site: Includes building & basic
infrastructure
» bring own computing equipment
» establish the necessary infrastructure
 telephone service - Internet connections
 specialized computer cooling systems (if needed)
 unique power requirements
2. Warm Site: provides basic computer needs
» Not the computers
3. Hot Site: Ready to Go!
» Complete with computers
» Operating system
Disaster Recovery Controls
 How is the company going to get the computer
hardware, people, software and data to the
alternate site?
 Which applications are mission critical?
 Why one application or set of applications is
more time sensitive than another ?
Disaster Recovery Controls
 All affected parties need to be involved in planning
phase.
 The disaster recovery plan is a living document.
 It must be reviewed and updated on a recurrent
basis.
 Everyone involved should be initially trained and
required to attend periodic refresher sessions.
 Portions of the recovery plan should be tested on an
unannounced basis.
