Chapter 8

IT Processes
Learning Objectives
Learn the major IT resources
Appreciate the problems in
providing adequate controls over IT
Study major IT control processes
and practices organization use to
manage IT resources
Understand how IT and personnel
control plans can help an
organization achieve its strategic
vision for IT
Overview the major steps in
acquiring and implementing new IT
Examine business continuity and
security controls that help ensure
continuous, reliable IT service
Value the integral part played by the
monitoring function in ensuring the
overall effectiveness of a system of
internal controls
Information Systems:
IT Processes
Internal Control Processes on
AIS Wheel
• In this chapter, we continue our
investigation of internal accounting
controls, as indicated by the shaded
areas on the AIS Wheel icon.
• Herein, you will learn how to control
information technology resources and
processes, which form the underpinning
of accounting information systems.
• Importantly, you will be exposed to a
fundamental control concept that must
be incorporated into every aspect of an
organization; that is, managers need to
segregate four key functions:
authorizing events
executing events
recording events
safeguarding resources.
Control Objectives for Information
Technology (COBIT)
• Developed by the Information Systems Audit and
Control Foundation to provide guidance—to
managers, users, and auditors—on the best practices
for the management of information technology.
• According to COBIT
– IT resources must be managed by IT control processes to
ensure that the organization has the information it needs to
achieve its objectives.
– Exhibit 8.1 defines the IT resources that must be managed
and Chapter 1 describes the qualities that this information
must exhibit in order for it to be of value to the organization.
IT Resources
• Data: Objects in their widest sense (i.e., external and
internal), structured and nonstructured, graphics,
sound, etc.
• Application systems: Application systems are
understood to be the sum of manual and
programmed procedures reflecting business
• Technology: Technology covers hardware, operating
systems, database management systems,
networking, multimedia, etc.
• Facilities: Facilities are all resources used to house
and support information systems.
• People: People include staff skills; awareness; and
productivity to plan, organize, acquire, deliver,
support, and monitor information systems and
A Hypothetical Computer System
• The IT resources are typically configured with some or
all of the elements shown in Figure 8.1
• This computer system consists of one or more
mainframe computers connected to several networked
client computers (CCs) and PCs perhaps through an
LAN and to PCs and CCs located in the organization’s
other facilities, perhaps through a WAN
• Computer facilities operated by other organizations are
connected, perhaps via the Internet and through a
firewall to the mainframe, servers, and PCs.
Hypothetical Computer System: Figure 8.1
Questions for the IT Control Process
• How we can protect the computer from misuse,
whether intentional or inadvertent, from within and
outside the organization?
• How do we protect the computer room, and other
rooms and buildings where connected facilities are
• Do we have disaster plans in place for continuing our
• What policies and procedures should be established
to provide for efficient, effective, and authorized use
of the computer?
• What measures can we take to help ensure that the
personnel who operate and use the computer are
competent and honest?
Organization Structures
• Centralized: CIO is central leader of all information
system functions
• Decentralized: Assigns personnel to non-central (e.g.,
departments) organizational units
• Functional organization: Assigns personnel to skillsbased units (e.g., programming, systems analysis).
Used by both decentralized and centralized
• Matrix: Assembles work groups or teams, comprised of
members from different functional areas, under the
authority of a team leader
• Project: Establishes permanent systems development
structures such as “Financial Systems Development”
Centralized Information System Organization
• COBIT organizes IT internal control into
domains and process
• Domains include:
– Planning and organization
– Acquisition and implementation
– Delivery and support
– Monitoring
• Processes detail steps in each domain
IT Control Domains and Processes
IT Control Processes &
• Planning & Organization Domain
– IT Process 1: Establish strategic vision
– IT Process 2: Develop tactics to realize strategic
• Acquisition & Implementation Domain
– IT Process 3: Identify automated solutions
– IT Process 4: Develop & acquire IT solutions
– IT Process 5: Integrate IT solutions into
– IT Process 6: Manage change to existing IT
IT Control Processes & Domains
• Delivery & Support Domain
– IT Process 7: Deliver required IT services
– IT Process 8: Ensure security &
continuous service
– IT Process 9: Provide support services
• Monitoring Domain
– IT Process 10: Monitor Operations
IT Process 1
Elements of Strategic IT Plan
1. A summary of the organizational strategic plan’s
goals and strategies, and how they are related
to the information systems function.
2. IT goals and strategies, and a statement of how
each will support organizational goals and
3. An information architecture model
encompassing the corporate data model and the
associated information systems.
4. An inventory of current information systems
IT Process 1: Elements of Strategic IT Plan
5. Acquisition and development schedules for
hardware, software, and application systems and
for personnel and financial requirements.
6. IT-related requirements to comply with industry,
regulatory, legal, and contractual obligations,
including safety, privacy, transborder data flows,
e-Business, and insurance contracts.
7. IT risks and risk action plan
8. Process for modifying the plan to accommodate
changes to the organization’s strategic plan and
changes in information technology conditions.
IT Process 2
Organizational Control Plans
• Segregation of duties control plan
• Organizational Control Plans for the
Information Systems Function
• Personnel Control Plans
of Duties
Segregation of Duties Applied to
IS Function
IT Process 2: Organizational Control Plans
• Organizational Control Plans for the
Information Systems Function
– The information systems function (ISF) normally
acts in a service capacity for other operating units
in the organization. In this role, it should be
limited to carrying recording events and posting
event summaries.
– Approving and executing events along with
safeguarding resources should be carried out by
departments other than IS.
IT Process 2: Organizational Control Plans
• Within the ISF we segregate duties
– Data librarian grants access to stored data and programs to
authorized personnel to reduce the risk of unauthorized computer
operation by programmers or unauthorized programming by
– The security officer assigns passwords, monitors employees’
network access, grants security clearance for sensitive projects, and
works with human resources on interview practices and background
– The information technology steering committee
• Coordinates the organizational and IT strategic planning processes
• Reviews and approves the strategic IT plan
• Helps the organization establish and meet user information requirements
Help ensure effective and efficient use of IT resources.
• The committee should consist of about seven executives from major
functional areas of the organization, including the information systems
executive; report to senior management; and meet regularly.
IT Process 2: Personnel Control Plans
• Selection & Hiring Control Plans
– Qualified personnel including technical background
• Retention Control Plans
– Retaining may be harder than hiring
– Provide challenging work and opportunities for advancement
• Personnel Development Control Plans
– Training and development
• Personnel Management Control Plans
– Personnel Planning Control Plans
• Skills, Turnover, Filling Positions
– Job Description Control Plans
• Job descriptions written and updated
– Supervision Control Plans
• Approving, monitoring, and observing the work of others
– Personnel Security Control Plans
• Rotation of duties, Forced vacations, Bonding
– Personnel Termination Control Plans
• procedures when an employee voluntarily or involuntarily leaves an organization.
IT Process 3: Identify Automated Solutions
• To ensure selection of the best approach to satisfying
users’ IT requirements, an organization’s systems
development lifecycle must include procedures to:
– define information requirements
– formulate alternative courses of action
– perform technological, economic, and operational feasibility
– assess risks
• Solutions should be consistent with the strategic
information technology plan
• At completion of this process
– Organization must decide what approach will be taken to satisfy
users’ requirements, and whether it will develop the IT solution inhouse or will contract with third parties for all or part of the
IT Process 4
Develop/Acquire IT Solutions
• Develop and Acquire Application Software
• Acquire Application Infrastructure
• Develop Service Level Requirements and Application
Documentation which typically includes the following:
– Systems documentation
– Program documentation
– Operations run manuals
– User manuals
– Training materials
IT Process 5: Integrate IT Solutions Into
Operational Processes
• To ensure that a new or significantly revised system is suitable,
the organization’s SDLC should provide for a planned, tested,
controlled, and approved conversion to the new system.
• After installation, the SDLC should call for a review to determine
that the new system has met users’ needs in a cost-effective
• When organizations implement enterprise systems, the
successful integration of new information systems modules into
existing information and operations processes becomes more
difficult and more important.
• The challenges are the result of the interdependence of the
business processes and the complexity of these processes and
their connections.
• Any failure in a new system can have catastrophic results.
IT Process 6: Manage Changes to
Existing IT Systems
• To ensure processing integrity between versions of systems
and to ensure consistency of results from period to period,
changes to the IT infrastructure (hardware, systems
software, and applications) must be managed via change
request, impact assessment, documentation, authorization,
release and distribution policies, and procedures.
• Program change controls provide assurance that all
modifications to programs are authorized, and ensure that
the changes are completed, tested, and properly
• Changes in documentation should mirror the changes
made to the related programs.
IT Process 7:
Deliver Required IT Services
Define service levels
Manage Third-party services
Manage IT Operations
Manage data (backup)
Identify and allocate costs
IT Process 8:
Ensure Security & Continuous Service
• Ensure Continuous Service
– Disaster recovery planning; Contingency planning; Business
interruption planning; Business continuity planning.
• Restricting Access to Computing Resources
– Restrict physical access to computer facilities.
– Restrict logical access to stored programs, data, and documentation.
• Ensure Physical Security
– Smoke detectors, fire alarms, fire extinguishers, fire-resistant
construction materials, insurance
– Waterproof ceilings, walls, and floors; adequate drainage; water and
moisture detection alarms; insurance
– Regular cleaning of rooms and equipment, dust-collecting rugs at
entrances, separate dust-generating activities from computer, good
– Voltage regulators, backup batteries and generators
IT Process 8 (Cont.)
IT Process 9: Provide Support Services
• Identify the training needs of all
personnel, internal and external, who
make use of the organization’s
information services, and should see
that timely training sessions are
• Assistance through a “help desk”
IT Process 10: Monitor
• Gather data about processes
• Generate performance reports
• WebTrust - ISP
Web Trust Principles