PowerPoint Presentation by Charlie Cook Copyright © 2004 South-Western. All rights reserved. Chapter 8 IT Governance: Management Control of Information.
1 PowerPoint Presentation by Charlie Cook Copyright © 2004 South-Western. All rights reserved. Chapter 8 IT Governance: Management Control of Information Technology and Information Integrity

2 Learning Objectives
- To explain why business organizations need to achieve an adequate level of internal control
- To explain the importance of internal control to organizational and IT governance, and business ethics
- To enumerate IT resources and explain how difficult it is to control them
- To describe management fraud, computer fraud, and computer abuse

3 Learning Objectives
- To describe the major IT control processes organizations use to manage their IT resources
- To identify operations and information process control goals and categories of control plans

4 Why Controls?
- To ensure attainment of objectives
- To lessen risks of unwanted outcomes
  - Heightened awareness of scandals
  - Impact of software and hardware on corporate governance
  - Management’s legal responsibilities
  - Highly publicized management and employee fraud

5 Fraud and Control
- Fraud
  - Deliberate act or untruth intended to obtain unfair or unlawful gain.
- Management is charged with the responsibility to prevent and/or disclose fraud.
  - Control systems enable management to meet this responsibility.
- Last paragraph on page 245
- Understand computer abuse technologies & viruses on pages 246-247

6 Computer Abuse Technologies
- Salami (Italian sausage): The name of this technique comes from the fact that small slices of assets are taken without noticeably reducing the whole.
- Trap door (back-door program): While writing a program, the programmer adds instructions that let him bypass the program's security mechanisms in order to simplify his work, but fails to remove them afterwards.
- Logic bomb: Likewise, while a programmer has legitimate access to a program, he adds unauthorized instructions to it. When these instructions are triggered …..

7 Computer Abuse Technologies
- Spyware: A program that monitors a user’s computing habits and personal information and sends this information to third parties without the user’s authorization or knowledge.
  - For example, key loggers can gather credit card numbers, passwords and other sensitive information and transmit them to third parties (note: telnet transmits in clear text).
  - Cookies record web surfing habits and personal information.

8 Internal Control
- A system of integrated elements—people, structure, processes, and procedures—acting together to provide reasonable assurance that an organization achieves its process goals.
- The internal control system is the responsibility of top management and therefore should:
  - Reflect management’s careful assessment of risks.
  - Be based on management’s evaluation of costs versus benefits.
  - Be built on management’s strong sense of business ethics and personal integrity.

9 Ethics and Controls
- COSO report stresses ethics as part of the control environment (tone at the top).
- Many corporations have developed a Code of Conduct.

10 Business Process Control Goals and Plans
- Goals
  - Objectives to be obtained
  - Operations process
  - Information process
- Plans
  - Policies and procedures that assist in accomplishing control goals

11 Effectiveness and Efficiency
- Effectiveness
  - A measure of individual or organizational success in meeting established goals.
- Efficiency
  - A measure of the productivity of resources applied to individual and organizational goals.

12 Control Goals of Operations Process
- Effectiveness of operations
  - Ensure operations process is fulfilling its purpose
  - Satisfying critical success factors
- Efficient employment of resources
  - Prevent unnecessary waste of resources
  - Accomplish goals with a minimum deployment of resources
- Security of resources
  - Lock the door
  - Lock the computer door (access codes/passwords)

13 Control Goals of the Information Process
- For transaction data (temporary)
  - Input validity (only approved/authorized data)
  - Input completeness (all valid data captured/entered)
  - Input accuracy (correct data entered correctly)
- For master data (permanent)
  - Update completeness (all data entered in updated master)
  - Update accuracy (data entered reflected accurately in updated master)
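As an added illustration (not from the slides or the textbook) of how the five information-process control goals above become concrete checks, the Python below runs edit checks and batch totals over a constructed batch of sales transactions, posts the records that pass, and then reconciles the master data update. The customer codes, balances, amounts, field names and the rule that the batch hash total is the sum of amounts are all constructed for this example.

```python
import re
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed master data: the approved customer list (input validity)
# and the balances that the batch will update.
AUTHORIZED_CUSTOMERS = {"C100", "C200", "C300"}
MASTER_BALANCES = {
    "C100": Decimal("1000.00"),
    "C200": Decimal("0.00"),
    "C300": Decimal("75.50"),
}
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


@dataclass
class Transaction:
    txn_id: str
    customer: str
    amount: str   # kept as entered; the edit check decides whether it parses
    date: str     # expected YYYY-MM-DD


# Constructed input batch. The header carries the sender's record count and
# hash total (here, the sum of amounts) so completeness can be tested
# independently of the detail records.
BATCH_HEADER = {"record_count": 4, "amount_total": Decimal("1450.00")}
BATCH = [
    Transaction("T1", "C100", "500.00", "2004-03-01"),
    Transaction("T2", "C200", "250.00", "2004-03-01"),
    Transaction("T3", "C999", "400.00", "2004-03-02"),  # customer not authorized
    Transaction("T4", "C300", "3O0.00", "2004-03-02"),  # letter O typed for zero
]


def parse_amount(text):
    """Edit check: a positive amount with at most two decimal places, else None."""
    try:
        value = Decimal(text)
    except InvalidOperation:
        return None
    if value <= 0 or value != value.quantize(Decimal("0.01")):
        return None
    return value


def edit_checks(txn):
    """Input validity and input accuracy checks on one record.
    Returns the list of exceptions found (empty when the record passes)."""
    problems = []
    if txn.customer not in AUTHORIZED_CUSTOMERS:
        problems.append(f"{txn.txn_id}: validity - customer {txn.customer} not authorized")
    if parse_amount(txn.amount) is None:
        problems.append(f"{txn.txn_id}: accuracy - amount {txn.amount!r} fails edit check")
    if not DATE_RE.match(txn.date):
        problems.append(f"{txn.txn_id}: accuracy - date {txn.date!r} malformed")
    return problems


def batch_totals(batch, header):
    """Input completeness: agree record count and hash total with the batch header."""
    problems = []
    if len(batch) != header["record_count"]:
        problems.append(f"batch: completeness - {len(batch)} records received, "
                        f"header says {header['record_count']}")
    total = sum((parse_amount(t.amount) or Decimal("0") for t in batch), Decimal("0"))
    if total != header["amount_total"]:
        problems.append(f"batch: completeness - hash total {total} != header {header['amount_total']}")
    return problems


def process_batch(batch, header, master):
    """Apply the input controls, post the accepted records, then verify the update.
    Returns the posted ids, the exception report, and the updated master (a copy)."""
    exceptions = batch_totals(batch, header)
    accepted = []
    for txn in batch:
        problems = edit_checks(txn)
        exceptions.extend(problems)
        if not problems:
            accepted.append(txn)

    before = dict(master)
    updated = dict(master)
    posting_log = []
    for txn in accepted:
        updated[txn.customer] += parse_amount(txn.amount)
        posting_log.append(txn.txn_id)

    # Update completeness: every accepted record shows up in the posting log.
    missing = [t.txn_id for t in accepted if t.txn_id not in posting_log]
    if missing:
        exceptions.append(f"update: completeness - not posted: {missing}")
    # Update accuracy: each balance moved by exactly the accepted amounts for it.
    for cust in before:
        expected = sum((parse_amount(t.amount) for t in accepted if t.customer == cust),
                       Decimal("0"))
        if updated[cust] - before[cust] != expected:
            exceptions.append(f"update: accuracy - {cust} changed by wrong amount")

    return {"accepted": posting_log, "exceptions": exceptions, "master": updated}


if __name__ == "__main__":
    report = process_batch(BATCH, BATCH_HEADER, MASTER_BALANCES)
    for line in report["exceptions"]:
        print(line)
```

Run as written, the exception report names the unauthorized customer on T3 (validity), the unparsable amount on T4 (accuracy), and the hash-total mismatch (completeness), while only T1 and T2 reach the master data. The point of the split is that each goal is tested by a different control: the header totals catch lost or altered records that field-level edit checks cannot see, and the before/after reconciliation catches a posting routine that silently skips or mis-applies an accepted record.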

14 Control Plans
- Information processing policies and procedures that assist in accomplishing control goals
  - Control environment
  - Pervasive control plans
  - Process control plans

15 FIGURE 8.1 A Control Hierarchy
- The Control Environment: Overall policies and procedures that demonstrate an organization’s commitment to the importance of control. Overall protection: enhances the effectiveness of the pervasive and application control plans. Example: corporate ethics; “tone at the top”.
- Pervasive Control Plans: Address multiple goals and apply to many processes. Second level of protection: a major subset of these controls, IT processes (i.e., controls), are discussed in this chapter. Examples: access to systems; fidelity bonds.
- Process Control Plans: Relate to a specific business process or to the technology used to implement the process. Third level of protection: discussed and illustrated in Chapters 9–14. Examples: edit checks; batch totals.

16 Control Plans: Other Classifications
- Preventive
- Detective
- Corrective

17 Information Technology Resources
- Data
- Application systems
- Technology
- Facilities
- People

18 Four Broad IT Control Process Domains (from COBIT) (FIGURE 8.2)

19 Ten Important IT Control Processes (FIGURE 8.2)

20 IT Control Processes and Domains
- Planning and Organization
  - Process 1: Establish strategic vision
  - Process 2: Develop tactics to realize strategic vision
- Acquisition and Implementation
  - Process 3: Identify automated solutions
  - Process 4: Develop and acquire IT solutions
  - Process 5: Integrate IT solutions into operations
  - Process 6: Manage change to existing IT systems

21 IT Control Processes and Domains (cont’d)
- Delivery and Support
  - Process 7: Deliver required IT services
  - Process 8: Ensure security and continuous service
  - Process 9: Provide support services
- Monitor operations

22 Process 1: Elements of Strategic IT Plan
- Summary of the organization’s strategic goals and strategies and how they relate to the IT function.
- IT goals and strategies and how each will support the organization’s goals and strategies.
- Information architectural model
  - Corporate data model and the associated information systems

23 Process 2: Organizational Control Plans
- Segregation of duties
  - Authorizing transactions
  - Executing transactions
  - Recording transactions
  - Safeguarding resulting resources
- Organizational plans for the information system function
- IT steering committee

24 Illustration of Segregation of Duties (TABLE 8.2a)
- Function 1, Authorizing Events: Approve steps of event processing.
- Function 2, Executing Events: Physically move resources. Complete source documents.
- Function 3, Recording Events: Record events in the appropriate data store(s). Post event summaries to the master data store.
- Function 4, Safeguarding Resources Resulting from Consummating Events: Physically protect resources. Maintain accountability of physical resources.

25 Illustration of Segregation of Duties (cont’d) (TABLE 8.2b)
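The four functions in TABLE 8.2a are the usual basis for a segregation-of-duties review of an access-control system. The Python below is an added example, not from the slides or the textbook: it takes a constructed role catalogue and user-to-role assignments, reports every user who ends up holding two or more of the four functions (a detective control), and refuses a new role assignment that would create such a combination (a preventive control, in the terms of slide 16). The role names, users and the decision that any two functions held together count as a conflict are assumptions made for the example.

```python
from itertools import combinations

# The four functions that should be held by different people (TABLE 8.2a).
FUNCTIONS = ("authorize", "execute", "record", "safeguard")

# Constructed role catalogue: which of the four functions each role confers.
ROLE_FUNCTIONS = {
    "sales_manager": {"authorize"},
    "warehouse_clerk": {"execute", "safeguard"},  # a role that is itself a conflict
    "ar_clerk": {"record"},
    "it_admin": set(),  # administers systems, performs no event-processing function
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": ["sales_manager"],
    "bob": ["warehouse_clerk"],
    "carol": ["ar_clerk", "sales_manager"],  # authorize + record, reached via two roles
    "dave": ["it_admin"],
}


def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Union of the functions a user holds across all assigned roles."""
    funcs = set()
    for role in user_roles.get(user, []):
        funcs |= role_functions[role]
    return funcs


def sod_conflicts(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Detective control: per user, every pair of the four functions held by the
    same person, in the table's order. Users with at most one function are omitted."""
    conflicts = {}
    for user in user_roles:
        held = effective_functions(user, user_roles, role_functions)
        funcs = [f for f in FUNCTIONS if f in held]
        pairs = [f"{a}+{b}" for a, b in combinations(funcs, 2)]
        if pairs:
            conflicts[user] = pairs
    return conflicts


def conflicting_roles(role_functions=ROLE_FUNCTIONS):
    """Roles that bundle two or more functions, so no assignment of them can be clean."""
    return sorted(role for role, funcs in role_functions.items() if len(funcs) > 1)


def can_assign(user, role, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Preventive control: refuse a role that would give the user a second function.
    Returns (allowed, reason)."""
    combined = effective_functions(user, user_roles, role_functions) | role_functions[role]
    if len(combined) > 1:
        return False, f"{user} would hold {sorted(combined)}"
    return True, "ok"


if __name__ == "__main__":
    print("roles that are conflicts by construction:", conflicting_roles())
    for user, pairs in sod_conflicts().items():
        print(f"{user}: {', '.join(pairs)}")
    print(can_assign("alice", "ar_clerk"))
```

Carol's conflict is the case worth noticing: neither of her roles is a problem on its own, so a review that only inspects role definitions (conflicting_roles) misses it, while a review of effective access per person (sod_conflicts) does not. Real deployments usually tolerate some pairs and flag only the combinations management has declared incompatible, which is a change to the rule in sod_conflicts, not to the structure of the check.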

26 Process 3: Identify Automated Solutions
- Develop solutions consistent with the strategic IT plan
Process 4: Develop/Acquire IT Solutions
- Develop/acquire application software
- Acquire technology infrastructure
- Develop service-level requirements and application documentation

27 Process 5: Integrate IT Solutions Into Operational Processes; Process 6: Manage Changes to Existing IT Systems
- Develop solutions consistent with the strategic IT plan
- Develop/acquire application software
- Acquire technology infrastructure
- Develop service-level requirements and application documentation

28 Process 7: Deliver Required IT Services
- Define service levels
- Manage third-party services
- Manage IT operations
- Manage data (backup)
- Identify and allocate costs

29 Illustration of Program Change Controls (FIGURE 8.3)

30 Process 8: Ensure Security and Continuous Service
- Disaster recovery
  - Hot site (fully equipped)
  - Cold site (environmentally conditioned)
- Restrict access
  - Physical access
  - Logical access

31 Restricting Access to Computing Resources—Layers of Protection (FIGURE 8.4a)

32 Restricting Access to Computing Resources—Layers of Protection (cont’d) (FIGURE 8.4b)

33 Process 9: Provide Support Services
- Regular training sessions should be provided
- Advice and assistance should be given
- Very often a “help desk” is set up for these purposes
Process 10: Monitor Operations
- Gather data about processes
- Generate performance reports.
- WebTrust - ISP

34 Environmental Controls (TABLE 8.5): environmental hazard and the controls that address it
- Fire: Smoke detectors, fire alarms, fire extinguishers, fire-resistant construction materials, insurance
- Water damage: Waterproof ceilings, walls, and floors; adequate drainage; water and moisture detection alarms; insurance
- Dust, coffee, tea, soft drinks: Regular cleaning of rooms and equipment, dust-collecting rugs at entrances, separate dust-generating activities from computer, good housekeeping, prohibiting food and drinks within computing facilities
- Energy increase, decrease, loss: Voltage regulators, backup batteries and generators, fiber optic networks

