1 Chapter 8 IT Governance: Management Control of Information Technology and Information Integrity
Copyright © 2004 South-Western. All rights reserved.

2 Learning Objectives
To explain why business organizations need to achieve an adequate level of internal control
To explain the importance of internal control to organizational and IT governance, and business ethics
To enumerate IT resources and explain how difficult it is to control them
To describe management fraud, computer fraud, and computer abuse

3 Learning Objectives (cont'd)
To describe the major IT control processes organizations use to manage their IT resources
To identify operations and information process control goals and categories of control plans

4 Why Controls?
To ensure attainment of objectives
To lessen risks of unwanted outcomes
Heightened awareness of scandals
Impact of software and hardware on corporate governance
Management's legal responsibilities
Highly publicized management and employee fraud

5 Fraud and Control
Fraud: a deliberate act or untruth intended to obtain unfair or unlawful gain.
Management is charged with the responsibility to prevent and/or disclose fraud.
Control systems enable management to meet this responsibility.

6 Internal Control
A system of integrated elements—people, structure, processes, and procedures—acting together to provide reasonable assurance that an organization achieves its process goals.
The internal control system is the responsibility of top management and therefore should:
  Reflect management's careful assessment of risks.
  Be based on management's evaluation of costs versus benefits.
  Be built on management's strong sense of business ethics and personal integrity.

7 Ethics and Controls
The COSO report stresses ethics as part of the control environment ("tone at the top").
Many corporations have developed a Code of Conduct.

8 Business Process Control Goals and Plans
Goals: objectives to be attained
  Operations process
  Information process
Plans: policies and procedures that assist in accomplishing control goals

9 Effectiveness and Efficiency
Effectiveness: a measure of individual or organizational success in meeting established goals.
Efficiency: a measure of the productivity of resources applied to individual and organizational goals.

10 Control Goals of the Operations Process
Effectiveness of operations
  Ensure the operations process is fulfilling its purpose
  Satisfy critical success factors
Efficient employment of resources
  Prevent unnecessary waste of resources
  Accomplish goals with a minimum deployment of resources
Security of resources
  Lock the door
  Lock the computer door (access codes/passwords)

11 Control Goals of the Information Process
For transaction data (temporary):
  Input validity (only approved/authorized data)
  Input completeness (all valid data captured/entered)
  Input accuracy (correct data entered correctly)
For master data (permanent):
  Update completeness (all data entered is reflected in the updated master)
  Update accuracy (data entered is reflected accurately in the updated master)
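The five control goals above map directly onto checks a batch-input program can perform. The following is an added example, not code from the textbook: it validates a constructed sales batch against constructed master data, using an authorized-approver list for validity, field and range checks for accuracy, batch record counts and control totals for completeness, and a run-to-run reconciliation of the master before and after posting for update completeness and accuracy. All names, records and totals are constructed for illustration.

```python
# Added example (not from the textbook): a small batch-input routine that
# implements the control goals on this slide. All data below is constructed.

# Constructed master data (permanent): customer id -> account balance
MASTER = {"C100": 250.0, "C200": 0.0}

# Constructed list of people permitted to approve sales events (validity)
AUTHORIZED_APPROVERS = {"alice", "bob"}

# Constructed transaction batch (temporary) with a header carrying the
# record count and control total established when the batch was prepared
BATCH_HEADER = {"record_count": 3, "control_total": 275.0}
BATCH = [
    {"id": "T1", "customer": "C100", "amount": 100.0, "approved_by": "alice"},
    {"id": "T2", "customer": "C200", "amount": 175.0, "approved_by": "bob"},
    {"id": "T3", "customer": "C999", "amount": -5.0, "approved_by": "mallory"},
]


def check_validity(rec, master=MASTER, approvers=AUTHORIZED_APPROVERS):
    """Input validity: only approved/authorized data enters the process."""
    errors = []
    if rec.get("approved_by") not in approvers:
        errors.append("approver not authorized")
    if rec.get("customer") not in master:
        errors.append("customer not in master data")
    return errors


def check_accuracy(rec):
    """Input accuracy: correct data entered correctly (required fields, type, range)."""
    errors = []
    for field in ("id", "customer", "amount", "approved_by"):
        if rec.get(field) in ("", None):
            errors.append(f"missing {field}")
    amount = rec.get("amount")
    if not isinstance(amount, (int, float)) or amount <= 0:
        errors.append("amount must be a positive number")
    return errors


def check_completeness(batch, header):
    """Input completeness: every record captured, none captured twice.
    The record count and control total are compared with the batch header."""
    errors = []
    if len(batch) != header["record_count"]:
        errors.append(f"record count {len(batch)} != header {header['record_count']}")
    total = sum(r.get("amount", 0) for r in batch)
    if abs(total - header["control_total"]) > 0.005:
        errors.append(f"control total {total} != header {header['control_total']}")
    return errors


def reconcile_update(before, after, accepted):
    """Update completeness and accuracy: the master after posting must differ from
    the master before posting by exactly the accepted records (run-to-run total
    plus changed-account check), so each accepted record is posted once, correctly."""
    errors = []
    expected_total = sum(before.values()) + sum(r["amount"] for r in accepted)
    if abs(sum(after.values()) - expected_total) > 0.005:
        errors.append("run-to-run total does not reconcile")
    changed = {k for k in after if after[k] != before.get(k)}
    if changed != {r["customer"] for r in accepted}:
        errors.append("posted accounts differ from accepted records")
    return errors


def process_batch(batch=BATCH, header=BATCH_HEADER, master=MASTER):
    """Run the input checks, post accepted records to a copy of the master, and
    reconcile the update. Header mismatches are reported; whether such a batch may
    post at all is a policy decision left to the caller (here it posts what passed)."""
    batch_errors = check_completeness(batch, header)
    accepted, rejected = [], {}
    for rec in batch:
        errs = check_validity(rec, master) + check_accuracy(rec)
        if errs:
            rejected[rec["id"]] = errs
        else:
            accepted.append(rec)
    updated = dict(master)
    for rec in accepted:
        updated[rec["customer"]] += rec["amount"]
    return {
        "batch_errors": batch_errors,
        "accepted": [r["id"] for r in accepted],
        "rejected": rejected,
        "master": updated,
        "update_errors": reconcile_update(master, updated, accepted),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(process_batch())
```

In the constructed batch, T3 fails validity (unknown approver and customer) and accuracy (negative amount), and the header control total no longer agrees with the batch because the bad record was counted when the total was struck; the reconciliation of the master still passes because only T1 and T2 were posted.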

12 Control Plans (space domain)
Information processing policies and procedures that assist in accomplishing control goals:
Control environment
Pervasive control plans
Process control plans

13 A Control Hierarchy (Figure 8.1)
Control Environment (overall protection)
  Overall policies and procedures that demonstrate an organization's commitment to the importance of control
  Enhances the effectiveness of the pervasive and application control plans
  Examples: corporate ethics; "tone at the top"
Pervasive Control Plans (second level of protection)
  Address multiple goals and apply to many processes
  A major subset of these controls, IT processes (i.e., controls), is discussed in this chapter
  Examples: access to systems; fidelity bonds
Process Control Plans (third level of protection)
  Relate to a specific business process or to the technology used to implement the process
  Examples: edit checks; batch totals
  Discussed and illustrated in Chapters 9–14

14 Control Plans: Other Classifications (time domain)
Preventive
Detective
Corrective

15 Information Technology Resources
Data
Application systems
Technology
Facilities
People

16 Four Broad IT Control Process Domains (from COBIT)
Figure 8.2 (the four domains are listed on slides 18 and 19)

17 Ten Important IT Control Processes
Figure 8.2 (the ten processes are listed on slides 18 and 19)

18 IT Control Processes and Domains
Planning and Organization
  Process 1: Establish strategic vision
  Process 2: Develop tactics to realize strategic vision
Acquisition and Implementation
  Process 3: Identify automated solutions
  Process 4: Develop and acquire IT solutions
  Process 5: Integrate IT solutions into operations
  Process 6: Manage change to existing IT systems

19 IT Control Processes and Domains (cont'd)
Delivery and Support
  Process 7: Deliver required IT services
  Process 8: Ensure security and continuous service
  Process 9: Provide support services
Monitoring
  Process 10: Monitor operations

20 Process 1: Elements of a Strategic IT Plan
Summary of the organization's strategic goals and strategies and how they relate to the IT function
IT goals and strategies and how each will support the organization's goals and strategies
Information architectural model
Corporate data model and the associated information systems

21 Process 2: Organizational Control Plans
Segregation of duties
  Authorizing transactions
  Executing transactions
  Recording transactions
  Safeguarding resulting resources
Organizational plans for the information system function
  IT steering committee

22 Illustration of Segregation of Duties (Table 8.2a)
Function 1, Authorizing Events: approve steps of event processing.
Function 2, Executing Events: physically move resources; complete source documents.
Function 3, Recording Events: record events in the appropriate data store(s); post event summaries to the master data store.
Function 4, Safeguarding Resources Resulting from Consummating Events: physically protect resources; maintain accountability of physical resources.
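Segregation of the four functions on this slide (and on slide 21) can be checked in two places: preventively, when roles are assigned or when a user attempts a step, and detectively, over the log of who did what on each event. The following is an added example, not code from the textbook; the roles, user assignments and purchase-order event log are constructed for illustration, and the role names are assumptions.

```python
# Added example (not the textbook's code): checks segregation of duties across
# the four functions in Table 8.2a. Roles, users and the event log are constructed.
from collections import defaultdict

AUTHORIZE, EXECUTE, RECORD, SAFEGUARD = "authorize", "execute", "record", "safeguard"

# Constructed mapping of each role to the function(s) it performs
ROLE_FUNCTIONS = {
    "purchasing_manager": {AUTHORIZE},
    "receiving_clerk": {EXECUTE},
    "ap_accountant": {RECORD},
    "warehouse_custodian": {SAFEGUARD},
    "sysadmin": {RECORD, SAFEGUARD},  # constructed: a role that itself bundles two functions
}

# Constructed user-to-role assignments
USER_ROLES = {
    "alice": {"purchasing_manager"},
    "bob": {"receiving_clerk"},
    "carol": {"ap_accountant"},
    "dave": {"warehouse_custodian", "receiving_clerk"},  # custody plus execution
    "erin": {"sysadmin"},
}

# Constructed event log: who performed which function on which event
EVENTS = [
    {"event": "PO-1", "step": AUTHORIZE, "user": "alice"},
    {"event": "PO-1", "step": EXECUTE, "user": "bob"},
    {"event": "PO-1", "step": RECORD, "user": "carol"},
    {"event": "PO-2", "step": AUTHORIZE, "user": "alice"},
    {"event": "PO-2", "step": EXECUTE, "user": "alice"},  # same person authorized and executed
    {"event": "PO-2", "step": RECORD, "user": "carol"},
]


def functions_of(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """All functions a user can perform through any assigned role."""
    funcs = set()
    for role in user_roles.get(user, ()):
        funcs |= role_functions[role]
    return funcs


def assignment_violations(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Preventive review of the assignment itself: any user holding two or more of
    the four functions violates segregation of duties. Returns user -> sorted functions."""
    violations = {}
    for user in user_roles:
        funcs = functions_of(user, user_roles, role_functions)
        if len(funcs) > 1:
            violations[user] = sorted(funcs)
    return violations


def can_perform(event, step, user, events=EVENTS,
                user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Preventive check at the moment of action: the user must hold the function and
    must not already have performed a different function on the same event."""
    if step not in functions_of(user, user_roles, role_functions):
        return False
    done = {e["step"] for e in events if e["event"] == event and e["user"] == user}
    return done <= {step}


def event_violations(events=EVENTS):
    """Detective check over the log: the same user performing two different
    functions within one event. Returns event -> {user: sorted functions}."""
    steps = defaultdict(lambda: defaultdict(set))
    for e in events:
        steps[e["event"]][e["user"]].add(e["step"])
    result = {}
    for event, users in steps.items():
        bad = {u: sorted(s) for u, s in users.items() if len(s) > 1}
        if bad:
            result[event] = bad
    return result


if __name__ == "__main__":
    print("assignment violations:", assignment_violations())
    print("event violations:", event_violations())
```

The assignment review catches dave (custody plus execution through two roles) and erin (record plus custody bundled into one role), while the log review catches alice authorizing and executing the same purchase order even though her role assignment on its own is clean; both checks are needed because one covers the organizational plan and the other covers actual behaviour.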

23 Illustration of Segregation of Duties (cont'd)
Table 8.2b (not reproduced in this transcript)

24 Process 3: Identify Automated Solutions
Develop solutions consistent with the strategic IT plan
Process 4: Develop/Acquire IT Solutions
Develop/acquire application software
Acquire technology infrastructure
Develop service-level requirements and application documentation

25 Process 5: Integrate IT Solutions Into Operational Processes
Develop solutions consistent with the strategic IT plan
Process 6: Manage Changes to Existing IT Systems
Develop/acquire application software
Acquire technology infrastructure
Develop service-level requirements and application documentation

26 Process 7: Deliver Required IT Services
Define service levels
Manage third-party services
Manage IT operations
Manage data (backup)
Identify and allocate costs

27 Illustration of Program Change Controls
Figure 8.3 (not reproduced in this transcript)

28 Process 8: Ensure Security and Continuous Service
Disaster recovery
  Hot site (fully equipped)
  Cold site (environmentally conditioned)
Restrict access
  Physical access
  Logical access

29 Restricting Access to Computing Resources: Layers of Protection
Figure 8.4a (not reproduced in this transcript)

30 Restricting Access to Computing Resources: Layers of Protection (cont'd)
Figure 8.4b (not reproduced in this transcript)

31 Environmental Controls (Table 8.5)
Environmental hazard: controls
Fire: smoke detectors, fire alarms, fire extinguishers, fire-resistant construction materials, insurance
Water damage: waterproof ceilings, walls, and floors; adequate drainage; water and moisture detection alarms; insurance
Dust, coffee, tea, soft drinks: regular cleaning of rooms and equipment; dust-collecting rugs at entrances; separating dust-generating activities from computers; good housekeeping; prohibiting food and drinks within computing facilities
Energy increase, decrease, loss: voltage regulators; backup batteries and generators; fiber optic networks

32 Process 9: Provide Support Services
Regular training sessions should be provided
Advice and assistance should be given
Very often a "help desk" is set up for these purposes
Process 10: Monitor Operations
Gather data about processes
Generate performance reports
WebTrust - ISP
