Chapter 8 IT Governance: Management Control of Information Technology and Information Integrity

Ch08 - Mgt Ctrl of IT-Gelinas

Description: management control of information system

Page 1: Ch08 - Mgt Ctrl of IT-Gelinas

Chapter 8 IT Governance: Management Control of Information Technology and Information Integrity

Page 2

Learning Objectives

• To explain why business organizations need to achieve an adequate level of internal control
• To explain the importance of internal control to organizational and IT governance, and business ethics
• To enumerate IT resources and explain how difficult it is to control them
• To describe management fraud, computer fraud, and computer abuse

Page 3

Learning Objectives

• To describe the major IT control processes organizations use to manage their IT resources
• To identify operations and information process control goals and categories of control plans

Page 4

Why Controls?

• To ensure attainment of objectives
• Technological risks
  • computer fraud, security threats
• Organizational risks
  • fraud by management / employees
• Emergencies – natural / man-made disasters
  • Contingency planning

Page 5

Fraud and Control

• Fraud: a deliberate act or untruth intended to obtain unfair or unlawful gain.
• Management has the responsibility to prevent and/or disclose fraud.
• Control systems enable management to meet this responsibility.

Page 6

Agency Problem

• Managers’ incentives are not the same as the firm’s incentives
• Principal – the firm; agent – the manager
• Control mechanisms are used to align the incentives of managers with the incentives of the firm

Page 7

Internal Control

• A system of integrated elements—people, structure, processes, and procedures—acting together to provide reasonable assurance that an organization achieves its process goals.
• The internal control system is the responsibility of top management and therefore should:
  • Reflect management’s careful assessment of risks.
  • Be based on management’s evaluation of costs versus benefits.
  • Be built on management’s strong sense of business ethics and personal integrity.

Page 8

Ethics and Controls

• The COSO (Committee of Sponsoring Organizations of the National Commission on Fraudulent Financial Reporting) report stresses ethics as part of the control environment
• Ethics and integrity arise from a corporate culture that includes standards for behavior, how they are communicated, and how they are enforced.
• Example – codes of conduct

Page 9

Business Process Control Goals and Plans

• Goals: objectives to be obtained
  • Operations process objectives
  • Information process objectives
• Plans: policies and procedures that assist in accomplishing control goals

Page 10

Control Goals of the Operations Process

• Effectiveness of operations
  • Ensure the operations process is fulfilling its purpose. Is the goal reached?
• Efficiency of operations
  • Is the use of resources optimal?
• Security of resources
  • Protection from loss, disclosure, misuse
  • Example – lock the door, use access codes/passwords

Page 11

Control Goals of the Information Process

• For transaction data (temporary)
  • Input validity (only approved/authorized data)
  • Input completeness (all valid data captured/entered)
  • Input accuracy (correct data entered correctly)
• For master data (permanent)
  • Update completeness (all data entered in updated master)
  • Update accuracy (data entered reflected accurately in updated master)
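The five information-process control goals on this slide can each be expressed as a check that runs over a batch of transactions before and after it is posted to a master file. The block below is an added example, not code from the Gelinas text: the transactions, the batch header, the approver list and the customer master are all constructed for illustration, and the function names are this example's own.

```python
# Added example, not from the Gelinas slides: the five information-process control goals
# checked over a constructed batch of sales transactions and a constructed master file.
# All identifiers, approvers, customer ids and amounts below are constructed for illustration.
from dataclasses import dataclass
from decimal import Decimal

AUTHORIZED_APPROVERS = {"mgr01", "mgr02"}    # constructed: who may authorize a sale
VALID_CUSTOMERS = {"C100", "C200"}           # constructed: customer ids on the master file


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer: str
    amount: Decimal
    approver: str


# Constructed batch header: record count and control total as the source documents state them.
BATCH_HEADER = {"count": 4, "total": Decimal("550.00")}
BATCH = [
    Txn("T1", "C100", Decimal("100.00"), "mgr01"),
    Txn("T2", "C200", Decimal("250.00"), "mgr02"),
    Txn("T3", "C999", Decimal("100.00"), "mgr01"),   # customer not on master: not valid
    Txn("T4", "C100", Decimal("100.00"), "clerk7"),  # approver not authorized: not valid
]
MASTER_BEFORE = {"C100": Decimal("1000.00"), "C200": Decimal("0.00")}


def input_validity(batch):
    """Input validity: keep only transactions for known customers approved by an authorized person."""
    return [t for t in batch
            if t.customer in VALID_CUSTOMERS and t.approver in AUTHORIZED_APPROVERS]


def input_completeness(batch, header):
    """Input completeness: every record counted on the batch header was captured."""
    return len(batch) == header["count"]


def input_accuracy(batch, header):
    """Input accuracy: amounts are sensible and the batch control total agrees with the entered data."""
    return all(t.amount > 0 for t in batch) and sum(t.amount for t in batch) == header["total"]


def update_master(master, txns):
    """Post transactions to customer balances and return the updated master (the original is untouched)."""
    updated = dict(master)
    for t in txns:
        updated[t.customer] = updated.get(t.customer, Decimal("0")) + t.amount
    return updated


def update_completeness(before, after, txns):
    """Update completeness: the total posted to the master equals the total of the valid transactions."""
    posted = sum(after.values()) - sum(before.values())
    return posted == sum((t.amount for t in txns), Decimal("0"))


def update_accuracy(before, after, txns):
    """Update accuracy: each customer's balance moved by exactly that customer's own transactions."""
    for cust in set(before) | set(after):
        own = sum((t.amount for t in txns if t.customer == cust), Decimal("0"))
        if after.get(cust, Decimal("0")) != before.get(cust, Decimal("0")) + own:
            return False
    return True


def run_controls(batch=BATCH, header=BATCH_HEADER, master=MASTER_BEFORE):
    """Run all five checks and return the outcome of each, plus the updated master."""
    valid = input_validity(batch)
    after = update_master(master, valid)
    return {
        "rejected": sorted(t.txn_id for t in batch if t not in valid),
        "input_completeness": input_completeness(batch, header),
        "input_accuracy": input_accuracy(batch, header),
        "update_completeness": update_completeness(master, after, valid),
        "update_accuracy": update_accuracy(master, after, valid),
        "master_after": after,
    }


if __name__ == "__main__":
    for name, outcome in run_controls().items():
        print(f"{name}: {outcome}")
```

Two design points are worth noticing. Validity, completeness and accuracy are separate checks because each fails for a different reason: T3 and T4 are rejected as invalid even though the batch is complete and its control total agrees. On the master side, the completeness check compares totals only, so a transaction posted to the wrong customer still passes it; the accuracy check compares balances customer by customer and is what catches that case.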

Page 12

Control Plans

• Information processing policies and procedures that assist in accomplishing control goals
• Control environment – awareness of and commitment to control
• Pervasive control plans – broad application of controls (IT, financial, access controls)
• Process control plans – specific procedures, process by process

Page 13

A Control Hierarchy

• The Control Environment: overall policies and procedures that demonstrate an organization’s commitment to the importance of control.
  • Overall protection: enhances the effectiveness of the pervasive and application control plans.
• Pervasive Control Plans: address multiple goals and apply to many processes.
  • Second level of protection: a major subset of these controls, IT processes (i.e., controls), are discussed in this chapter.
• Process Control Plans: relate to a specific business process or to the technology used to implement the process.
  • Third level of protection: discussed and illustrated in Chapters 9–14.

Corporate ethics

Page 14

Control Plans: Other Classifications

• Preventive – prevent a problem
• Detective – detect a problem
• Corrective – correct a problem

Page 15

Four Broad IT Control Process Domains (from COBIT)

FIGURE 8.2

Page 16

Ten Important IT Control Processes

FIGURE 8.2

Page 17

IT Control Processes and Domains

• Planning and Organization
  • Process 1: Establish strategic vision
  • Process 2: Develop tactics to realize strategic vision
• Acquisition and Implementation
  • Process 3: Identify automated solutions
  • Process 4: Develop and acquire IT solutions
  • Process 5: Integrate IT solutions into operations
  • Process 6: Manage change to existing IT systems

Page 18

IT Control Processes and Domains (cont’d)

• Delivery and Support
  • Process 7: Deliver required IT services
  • Process 8: Ensure security and continuous service
  • Process 9: Provide support services
• Monitor operations (Process 10)

Page 19

Process 1: Strategic Plan for IT

• Summary of the organization’s strategic goals and how they relate to the IT function.
• Once strategic goals are established, they can be transformed into short-term tactical objectives.
• Controls are about ensuring attainment of goals. Those goals and objectives are set starting from the strategic plan.

Page 20

Process 2: Realization of the Strategic Mission

• Many techniques are used to reach strategic goals:
  • IT steering committee
  • Project management techniques
  • Quality assurance plan
  • Reviews, audits, inspections, monitoring

Page 21

Control Plans

• Segregation of duties control plan
• Access control plans
• Personnel control plans
  • rotation of duties
  • termination policies

Page 22

Illustration of Segregation of Duties

TABLE 8.2a

• Function 1 – Authorizing Events: Approve steps of event processing.
• Function 2 – Executing Events: Physically move resources. Complete source documents.
• Function 3 – Recording Events: Record events in the appropriate data store(s). Post event summaries to the master data store.
• Function 4 – Safeguarding Resources Resulting from Consummating Events: Physically protect resources. Maintain accountability of physical resources.

Page 23

Illustration of Segregation of Duties (cont’d)

TABLE 8.2b
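The segregation-of-duties plan of Table 8.2a is usually enforced in two places: a preventive check when an access right is granted, and a detective review of existing assignments. The block below is an added example, not code from the Gelinas text, and it also illustrates the preventive/detective distinction of the "Other Classifications" slide. The application roles, the mapping of roles to the four functions, and the user assignments are all constructed; a real review would pull the assignments from the organization's access control system.

```python
# Added example, not from the Gelinas slides: reviewing role assignments against the four
# functions of Table 8.2a (authorizing, executing, recording, safeguarding). Roles, users and
# the role-to-function mapping are constructed for illustration.
from collections import defaultdict

AUTHORIZING, EXECUTING, RECORDING, SAFEGUARDING = (
    "authorizing", "executing", "recording", "safeguarding")

# Constructed: which of the four functions each application role lets its holder perform.
ROLE_FUNCTIONS = {
    "po_approver":     {AUTHORIZING},   # approves purchase orders
    "receiving_clerk": {EXECUTING},     # moves goods, completes receiving reports
    "ap_clerk":        {RECORDING},     # records invoices, posts summaries to the ledger
    "stock_custodian": {SAFEGUARDING},  # holds the stockroom keys, maintains accountability
    "ledger_admin":    {RECORDING, AUTHORIZING},  # constructed: a role that is itself badly designed
}

# Constructed: assignments as an access review would extract them from the access control system.
ASSIGNMENTS = [
    ("alice", "po_approver"),
    ("bob", "receiving_clerk"),
    ("bob", "stock_custodian"),   # executes and safeguards: conflict across two roles
    ("carol", "ap_clerk"),
    ("dave", "ledger_admin"),     # one role spanning two functions: conflict inside a role
]


def functions_by_user(assignments, role_functions=ROLE_FUNCTIONS):
    """Collapse role assignments to the set of functions each user can perform."""
    held = defaultdict(set)
    for user, role in assignments:
        held[user] |= role_functions[role]
    return dict(held)


def sod_conflicts(assignments, role_functions=ROLE_FUNCTIONS):
    """Detective control: users who can perform more than one of the four functions."""
    return {user: sorted(funcs)
            for user, funcs in functions_by_user(assignments, role_functions).items()
            if len(funcs) > 1}


def grant_role(assignments, user, role, role_functions=ROLE_FUNCTIONS):
    """Preventive control: return the extended assignment list, or raise ValueError if the
    grant would let the user perform a second function."""
    current = functions_by_user(assignments, role_functions).get(user, set())
    combined = current | role_functions[role]
    if len(combined) > 1:
        raise ValueError(f"{user}: granting {role} would combine {sorted(combined)}")
    return assignments + [(user, role)]


if __name__ == "__main__":
    for user, funcs in sod_conflicts(ASSIGNMENTS).items():
        print(f"conflict: {user} can perform {', '.join(funcs)}")
    try:
        grant_role(ASSIGNMENTS, "carol", "po_approver")
    except ValueError as err:
        print(f"grant refused: {err}")
```

The review works at the level of functions rather than roles, which is why it catches both kinds of conflict on the slide: bob's two roles are individually fine but together span executing and safeguarding, while dave's single ledger_admin role combines recording and authorizing on its own. The preventive check applies the same rule at grant time, so a user may accumulate several roles as long as they all map to the one function that user already holds.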

Page 24

Process 3: Identify IT Solutions

• Develop solutions consistent with the strategic IT plan – ensure the analysis stages of the SDLC are carried through

Process 4: Develop/Acquire IT Solutions

• Develop/acquire application software
• Acquire technology infrastructure
• Develop service-level requirements and application documentation

Page 25

Process 5: Integrate IT Solutions Into Operational Processes

• Planned, tested, and controlled conversion to the new system

Process 6: Manage Changes to Existing IT Systems

• Change request, impact assessment
• All changes are authorized, documented, and properly implemented

Page 26

Process 7: Deliver Required IT Services

• Define service levels
• Manage third-party services
• Manage IT operations
• Manage data (backup)
• Identify and allocate costs

Page 27

Process 8: Ensure Security and Continuous Service

• Disaster recovery
  • Mirror site – copy of all data
  • Hot site (fully equipped)
  • Cold site (equipped by customer)
• Restrict access
  • Physical access to facilities
  • Logical access to data / programs

Page 28

Restricting Access to Computing Resources—Layers of Protection

FIGURE 8.4a

Page 29

Restricting Access to Computing Resources—Layers of Protection (cont’d)

FIGURE 8.4b

Page 30

Process 9: Provide Support Services

• Regular training sessions should be provided
• Advice and assistance should be given
• Very often a “help desk” is set up for these purposes

Process 10: Monitor Operations

• Gather data about processes
• Generate performance reports
• Internal and external monitoring