Chapter 8 - Controlling Information Systems

Chapter 8 Controlling Information Systems:
Introduction to Pervasive Controls
Accounting Information Systems 8e
Ulric J. Gelinas and Richard Dull
© 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated,
in whole or in part, except for use as permitted in a license distributed with a certain product
or service or otherwise on a password-protected website for classroom use
Learning Objectives
• Describe the major pervasive controls that organizations employ
as part of their internal control structure.
• Explain how pervasive controls help ensure continuous, reliable
operational and IT processes.
• Appreciate how an organization must plan and organize all
resources, including IT resources, to ensure achievement of its
strategic vision.
• Overview the major controls used to manage the design and
implementation of new processes, especially new IT processes.
• Appreciate the integral part played by the monitoring function in
ensuring the overall effectiveness of a system of internal controls.
Summary of Organizational Control
Illustration of Segregation of
Personnel Policy Control Plans
• Selection & Hiring Control Plans
– Qualified personnel including technical background
• Retention Control Plans
– Retaining may be harder than hiring
– Provide challenging work and opportunities for
• Personnel Development Control Plans
– Training and development
Personnel Policy Control Plans (cont’d.)
• Personnel Management Control Plans
− Personnel Planning Control Plans
• Skills, turnover, filling positions
− Job Description Control Plans
• Job descriptions written and updated
− Supervision Control Plans
• Approving, monitoring, and observing the work of others
− Personnel Security Control Plans
• Rotation of duties, forced vacations, bonding
• Personnel Termination Control Plans
− Procedures when an employee voluntarily or involuntarily
leaves an organization.
Monitoring Control Plans
• Assessment to determine if control plans
are continuing to function over time.
• Timely communication of control
• Appropriate corrective action.
• Differ from normal control plans, as they
verify the operation of normal control
Organizational Governance vs.
IT Governance
• Organizational governance: processes
employed by organizations to select
objectives, establish processes to achieve
objectives, and monitor performance.
• IT governance: process that ensures the
enterprise’s IT sustains and extends the
organization’s strategies and objectives.
Hypothetical Computer System
Hypothetical Computer System
• Consists of one or more servers clustered together
and housed in a computer room within the
organization’s headquarters.
• Connected to printers, external storage devices and
PCs (clients) located within the building and to PCs
located in the organization’s other facilities.
Connections are via networks – LANs or WANs.
• Computer facilities operated by other organizations
are connected, perhaps via the Internet and through
a firewalls to the internal servers, PCs and other
Information Systems Organization
Summary of IT Organization
Summary of IT Organization
Functions (cont’d.)
Summary of IT Organization
Functions (cont’d.)
Control Objectives for Information
and Related Technology (COBIT)
• Developed by the IT Governance Institute to provide
guidance on the best practices for the management of
information technology.
• IT resources must be managed by IT control processes to
ensure an organization has the information it needs to
achieve its objectives.
• Provides a framework to ensure that IT:
– is aligned with the business.
– enables the business and maximizes benefits.
– resources are used responsibly.
– risks are managed appropriately.
IT Resources
• Applications: Automated systems and
manual procedures that process
• Information: Data, in all their forms, that
are input, processed, and output by
information systems.
• Infrastructure: Technology and facilities
that enable the processing of the
• People: Personnel who plan, organize,
acquire, deliver, support, monitor, and
evaluate information systems and services.
Questions for the IT Control Process
• How we can protect the computer from misuse,
whether intentional or inadvertent, from within and
outside the organization?
• How do we protect the computer room, and other
rooms and buildings where connected facilities are
• Do we have disaster plans in place for continuing our
• What policies and procedures should be established
to provide for efficient, effective, and authorized use
of the computer?
• What measures can we take to help ensure that the
personnel who operate and use the computer are
competent and honest?
IT Control Domains and Processes
IT Control Process Domains
• COBIT groups IT processes into four broad
– Plan and organize
– Acquire and implement
– Deliver and support
– Monitor and evaluate
IT Control Process Domains
• Plan & Organize Domain
– IT Process 1: Establish Strategic Vision for Information
– IT Process 2: Develop Tactics to Plan, Communicate, &
Manage Realization of the Strategic Vision
• Acquire & Implement Domain
– IT Process 3: Identify Automated Solutions
– IT Process 4: Develop & Acquire IT Solutions
– IT Process 5: Integrate IT Solutions into Operational
– IT Process 6: Manage Changes to Existing IT Systems
IT Control Process Domains
• Deliver & Support Domain
– IT Process 7: Deliver Required IT Services
– IT Process 8: Ensure Security & Continuous
– IT Process 9: Provide Support Services
• Monitor & Evaluate Domain
– IT Process 10: Monitor & Evaluate the
IT Process 1: Establish Strategic
Vision for Information Technology
Summary of the organizational strategic plan’s
goals and strategies, and how they relate to IT.
IT goals and strategies, and a statement of how
each will support organizational goals and
An information architecture model
encompassing the corporate data model and
associated information systems.
An inventory of current IT capabilities.
IT Process 1: Establish Strategic
Vision for Information Technology
Acquisition and development schedules for hardware,
software, and application systems and for personnel and
financial requirements.
IT-related requirements to comply with industry,
regulatory, legal, and contractual obligations, including
safety, privacy, transborder data flows, e-business, and
insurance contracts.
IT risks and the risk action plan.
Process for modifying the plan to accommodate changes
to the organization’s strategic plan and changes in IT
IT Process 2: Develop Tactics to Plan,
Communicate, and Manage Realization
of the Strategic Vision
• Manage IT resources.
• Policies consistent with the control environment established
by senior management.
• Project-management framework.
• Quality Assurance (QA) plan with activities to ensure the
attainment of IT customer requirements.
• Organizational design principles and segregation of duties.
Segregation of Duties within
the IT Department
IT Process 3: Identify Automated
• SDLC must include procedures to:
– define information requirements
– formulate alternative courses of action
– perform feasibility studies
– assess risks
• Solutions should be consistent with the strategic IT plan
• Organization must decide what approach will be taken to
satisfy users’ requirements and
– whether it will develop the IT solution in-house OR
– contract with third parties for all or part of the
IT Process 4: Develop and
Acquire IT Solutions
• Develop and acquire application software
• Acquire technology infrastructure
• Develop service level requirements and application
documentation which typically includes the following:
– Systems documentation
– Program documentation
– Operations run manual
– User manual
– Training materials
IT Process 5: Integrate IT
Solutions Into Operational
• Provide for a planned, tested,
controlled, and approved conversion
to the new system.
• After installation review to determine
that the new system has met users’
needs in a cost-effective manner.
IT Process 6: Manage Changes
to Existing IT Systems
• Changes to the IT infrastructure must be managed via
change request, impact assessment, documentation,
authorization, release and distribution policies, and
• Program change controls provide assurance that all
modifications to programs are authorized, and that
changes are completed, tested, and properly
• These controls take on a higher level of significance
with enterprise systems due to the interdependence and
complexity of the business processes and their
Program Change Controls
IT Process 7:
Deliver Required IT Services
Define service levels
– Minimum levels must be established so that
quality of service can be evaluated
Manage third-party services
Manage IT operations
Manage data (backup)
– Pervasive and application controls must be
established to protect data
Identify and allocate costs
Delivering Required Services
IT Process 8: Ensure Security
and Continuous Service
• Ensure Continuous Service
– Business continuity planning identifies events that may threaten an
organization and provides a framework to ensure operations will continue.
• Secure IT Assets
– Restrict physical access to computer facilities.
– Restrict logical access to stored programs, data, and documentation.
• Ensure Physical Security
– Smoke detectors, fire alarms, fire extinguishers, fire-resistant construction
materials, insurance.
– Waterproof ceilings, walls, and floors; adequate drainage; water and
moisture detection alarms; insurance.
– Regular cleaning of rooms and equipment, dust-collecting rugs at entrances,
separate dust-generating activities from computer, good housekeeping.
– Voltage regulators, backup batteries and generators.
Access to
Resources –
Layers of
Hacking techniques
Environmental Controls
IT Process 9: Provide
Support Services
• Identify training needs of all personnel
- internal and external.
• Conduct timely training sessions.
• Provide assistance through a “help
desk” function.
IT Process 10: Monitor and
Evaluate the Processes
• Establish a system for defining service
• Gather data about processes
• Generate performance reports
• Outside confirmation based on
independent review
• WebTrust - ISP
Trust Services Principles