Chapter 11 Management Control of Information Technology

Control Systems Manager’s job - control - deviation, something wrong - indicate a serious problem Gauges - provided by IS –Control mechanism –Technology helps with control - also need to control IT The components of control systems are –Standards for performance –Sensory determination of actual conditions –Comparison of standard with actual conditions –Compensatory action if the deviation is too great

11 - 3

Control in the Organization Controls can be created through –Structure of the organization Decentralized or centralized More difficult time Trust subordinates Need new ways –Rewards –Management committee –Budget –Direct supervision - remote work - difficult –Procedures Routine audits help establish control

11 - 5

Failure of Control Control breakdown - high sales - mask lack of control –Worldcom - largest bankruptcy in US history - 7/02 - $107 billion, Enron - $63 billion –Qwest - stock options encouraged to overstate company performance –Global Crossing - reward system led to control failure Reward systems for senior managers may have caused these control failures –Stock options IS can strengthen routine control systems though they can tend to be complex

Control of Systems Development It is difficult to predict development time and development cost for new systems –Package implementation can reduce this uncertainty Projects slip for a number of reasons –Lack of user input –Too few resource –Too few individuals working on the project –Lack of top management support –Poor project management

Control of Operations The Foreign Corrupt Practices Act requires publicly held companies to devise and maintain a system of internal accounting controls pertaining to the –Execution of transactions –Recording of transactions –Records of assets –Managerial sign-off on financial statements (Sarbanes- Oxley Act) Control issue - all around - painfully evident - Enron, Martha Stewart - what can happen when controls do not work

Control of Operations All levels of control - organization - responsibility of management IT - ability to process large numbers of transactions in efficient manner - create significant control problems, challenges Error spread through an immense number of transactions very quickly Numerous opportunities for error

Vulnerability of Systems to Transaction Processing Errors 1.Errors and intrusion of the operating system for clients and servers 2.Application programs errors 3.Database security 4.Network operating system reliability and security 5.Adequate control of manual procedures 6.Organizational control 7.Network connectivity 8.Misuse by external users

Control and Electronic Commerce Security of transmitted credit card information Encryption of data Secure electronic transmission Secure payment schemes

Security Manager - not expected to develop all controls - incredibly complex Managers establish environment - encourages control - allocate resources to it - tell network designer - what is needed Internet - myriad of opportunities - disrupt Firewalls –Corporate firewalls –Host based firewalls Monitoring programs –Virus checking Monitoring firms –Can examine connectivity logs to determine hostile threats to the organization

Auditing Information Systems Auditors examine –Databases –Transactions –Processing logic –Controls of critical information systems Audit IS - most concerned with those systems that affect financial statements Internal auditors - continually examine IS Control - fundamental responsibility of management - safeguard assets - protect against errors, fraud, attack Need backup - continue operating if major problem

Management Issues Backup - off-site data storage Security - because so accessible Budget - cannot afford to buy everything Project management - system Data control - accuracy of data - important management consideration