PowerPoint PPT presentation, 33 slides, provided by jwh41

Transcript and Presenter's Notes
1
IS371 WEEK 10: IT Investment; IT Controls
Instructor Online Evaluations
2
IT Resources Must Be Accounted For
  • IT funds are spent in a wide variety of ways
  • Accounting for IT expenditures is difficult but mandatory
  • Accounting methods can modify an organization's behavior
  • Managerial accounting enables financial control of IT
  • Accounting systems must be devised to meet the needs
  • IT resource accountability is a critical issue
3
The Objectives of Resource Accountability
  • Helps measure progress toward objectives
  • Provides a basis for financial control actions
  • Assists in IT and user planning activities
  • Communicates important information to managers
  • Provides performance appraisal information

What is the relationship between planning, budgeting, measuring, controlling, and accounting for IT activities?
All these activities are interrelated and depend on each other for success. Planning leads to budgets, which are required for measuring and controlling, and accounting supports all of these activities.
4
IT Cost Accounting and Recovery
  • Helps clarify costs/benefits of IT services
  • Strengthens communication between IT and user organizations
  • Permits IT to operate as a business within a business
  • Increases employees' sensitivity to costs and benefits
  • Spotlights potentially unnecessary expenses
  • Encourages effective resource use
  • Improves IT's cost effectiveness
  • Enables IT benchmarking
  • Provides a financial basis for evaluating outsourcing
5
Charge-back Systems
  • Must be easy to administer and easy for customers to understand
  • Must distribute costs effectively and promote effective use of IT resources
  • Provide incentives to change and improve behavior

How does a good charge-back system improve IT effectiveness?
It allows IT to know where it is spending its money and to determine whether its expenditures are justified. This requires input from customers. Without cost recovery, operations are less well understood and tend to be looser and less rigorous.
6
Alternative Methodologies
  • Profit centers
  • Cost centers
7
Profit Centers
  • Like a business within a business
  • Follows most rules of financial accounting
  • Can develop profits or losses on its operations
  • Easy to understand and explain
  • Encourages business management
  • Provides a basis for benchmark comparisons
  • Establishes financial rigor; allows sale of service
8
Cost Centers
  • Promotes intensely interactive planning and budgeting
  • Establishes prices in advance of known support
  • Forces managers to handle variances
  • Exposes the planning process to manipulation
  • May lead to conflict (which may be beneficial)
  • Forces decision making
  • Reinforces the SLA
9
Additional Cost Recovery Considerations
  • No single method is appropriate for all situations
  • Applications, operations, distributed systems, and networks need individual consideration
10
Application Development
  • IT can recover costs through labor rates
  • Period support is useful for maintenance tasks
  • Programming can be funded on a pay-as-you-go basis
  • Funding and recovery are linked to phase reviews
  • Costs can be recovered over the application's life
  • Funding and recovery can occur at the corporate level

Good cost recovery methods improve development planning and execution and prevent excessive expenditures, because intermediate checkpoints contain financial incentives that improve development performance.
11
Production Operations
  • CPU cycles or elapsed times are frequently used
  • Rate differentials can be effective in some cases
  • Dedicated equipment can be charged directly
  • Multiyear plans avoid abrupt rate changes
  • Some services can be sold outright
12
Networks
  • Networks complicate IT accounting processes
  • Communication services are hard to isolate
  • Some rates are difficult to understand
  • Common carriers are frequently involved
  • IT managers should strive for simplicity
  • Methods are likely to change as the service matures

Configuration databases contain many physical items that have cost elements associated with them (the costs can be stored in the database), so network managers can use these databases for accounting purposes.
13
Cost Recovery and Client Behavior
  • Most clients are motivated by cost implications
  • Free services may encourage technology adoption
  • Rates can be adjusted to encourage goal attainment
  • Some firms generate revenue by selling services outside
14
Compromise
  • IT accounting systems must be flexible
  • They must serve managers
  • They need not be totally precise
  • They should be changed over time as needed
15
Expectations and Cost Recovery
  • Cost recovery methods must appear equitable
  • They must be easy to understand and use
  • Cost recovery must help promote cost-effective operations
  • Cost recovery helps measure IT's cost and value to the business
  • However, most approaches are less than perfect
  • Judgments are still appropriate and required
16
Measuring IT Investment Returns
  • IT managers must find ways to value IT investments
  • ROI calculations are a good starting point, but they have limitations
  • IT investments change the environment, disrupting ROI assumptions
  • On a broad scale, IT investments seem not very profitable
  • All organizations must ensure by any means possible that IT lends value
17
4 FUNCTIONS OF MANAGEMENT
PLANNING
ORGANIZING
LEADING
CONTROLLING
18
Managers are responsible for protecting IT assets:
  • hardware: physical devices and processor power
  • data: company-owned information
  • employees: behavior/use of time
from:
  • theft: removal and unauthorized access
  • damage: loss and unauthorized alteration
  • misuse: use that does not benefit the company
19
Definition of Quality
"Quality is adherence to specifications." (Phil Crosby, who originated the concept of zero defects)
20
  • CONTROLS are important
  • Control is a primary management
    responsibility.
  • Uncontrolled events can be subtle and very
    damaging.
  • IT eliminates the risks of manual processing
    but introduces new risks.
  • Publicly owned (publicly traded stock)
    companies are required by law to have adequate
    controls.
  • Controls assist organizations in protecting
    assets.
  • Environmental / Executive pressures require
    controls.
  • Technology introduction requires controlled
    processes.

21
  • PRINCIPLES OF BUSINESS CONTROLS
  • Asset Identification and Classification
  • Separation of Duties
  • Efficiency and Effectiveness
  • Constant Vigilance

22
Control Responsibilities
1 The application program owner (usually a manager)
2 Application users (sometimes many users)
3 The applications programming manager
4 The individual providing the computing environment
5 The IT manager (either with line or staff responsibility)
Each individual has definite responsibilities
that must be discharged correctly for the
application controls to be effective.
23
Assignment of RESPONSIBILITY
If everyone is responsible, then no one is responsible . . .
  • System Owners / Users
  • IT Managers
  • Policies and Procedures
If (when) one of your employees makes a mistake, is that the same as you (the supervisor/manager) making a mistake?
Jacques Cousteau
24
System CONTROL Points
ORIGIN
DATA PREPARATION
DATA INPUT
DATA STORAGE/RETRIEVAL
COMPUTER PROCESSING
DATA TRANSMISSION
DATA OUTPUT
25
System CONTROL Points: ORIGIN and DATA PREPARATION
Controls at these points:
  • Input document/screen design
  • Manual review of source documents
  • Authorization
  • Separation of duties
  • Transaction numbering
  • User identification
  • Transmittal logs between organizations
  • Error detection and correction
  • Document retention and storage
26
System CONTROL Points: INPUT (following ORIGIN and DATA PREPARATION)
Controls at this point:
  • Input processing schedules
  • Source document cancellation
  • Editing and validation
  • Terminal access security
  • Terminal usage logs
  • Control totals
  • Error handling procedures
  • Display and prompting formats
27
System CONTROL Points: DATA STORAGE/RETRIEVAL, COMPUTER PROCESSING, DATA TRANSMISSION, DATA OUTPUT
Controls at these points:
  • Validate the input dataset
  • Validate the dataset version
  • Verify processing correctness
  • Verify processing completeness
  • Detect and correct errors
  • Reconcile output to input
  • Maintain transaction records
  • Balance transaction volumes
  • Control error handling
  • Retain records
  • Distribute output
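Several of the controls on the preceding slides (transaction numbering, control totals, reconciling output to input, balancing transaction volumes) are mechanical checks, and they are easiest to understand in working code. The script below is an added example written for this transcript; it is not code from the original presentation. The record layout (transaction number, account id, amount), the sample batch, and the process_batch() stand-in for the real processing step are all constructed for illustration.

```python
"""Batch controls for a transaction file: transaction numbering, control
totals, and reconciliation of output to input.

Added example, not code from the original presentation. The record layout
(transaction number, account id, amount), the sample batch and the
process_batch() stand-in for the real processing step are all constructed
for illustration.
"""
import hashlib
from decimal import Decimal

# Constructed sample batch: (transaction number, account id, amount).
INPUT_BATCH = [
    (1001, "ACC-100", Decimal("250.00")),
    (1002, "ACC-200", Decimal("-75.50")),
    (1003, "ACC-100", Decimal("1200.00")),
    (1004, "ACC-300", Decimal("19.99")),
]


def control_totals(records):
    """Compute batch control totals: record count, financial total, and a
    hash total over the non-financial fields. The hash total here is a
    digest of (transaction number, account) pairs rather than the
    traditional numeric sum; it catches a swapped or altered account id,
    which the amount total cannot see."""
    digest = hashlib.sha256()
    for txn, acct, _ in sorted(records):
        digest.update(f"{txn}|{acct}\n".encode())
    return {
        "count": len(records),
        "amount_total": sum((amt for _, _, amt in records), Decimal("0")),
        "hash_total": digest.hexdigest(),
    }


def check_sequence(records):
    """Transaction numbering control: every number from the lowest to the
    highest in the batch must appear exactly once. Returns the list of
    problems found (an empty list means the sequence is intact)."""
    numbers = sorted(txn for txn, _, _ in records)
    if not numbers:
        return []
    problems, seen = [], set()
    for n in numbers:
        if n in seen:
            problems.append(f"duplicate transaction number {n}")
        seen.add(n)
    for n in range(numbers[0], numbers[-1] + 1):
        if n not in seen:
            problems.append(f"missing transaction number {n}")
    return problems


def reconcile(input_records, output_records):
    """Reconcile output to input: recompute every control total on both
    sides and report each one that disagrees. An empty list means the
    batch balanced."""
    before = control_totals(input_records)
    after = control_totals(output_records)
    return [f"{name}: input={before[name]} output={after[name]}"
            for name in before if before[name] != after[name]]


def process_batch(records, drop_txn=None, tamper_txn=None):
    """Stand-in for the processing step. The optional knobs simulate the
    failures these controls exist to catch: a record silently dropped,
    and an amount altered in flight."""
    output = []
    for txn, acct, amt in records:
        if txn == drop_txn:
            continue
        if txn == tamper_txn:
            amt += Decimal("0.01")
        output.append((txn, acct, amt))
    return output


if __name__ == "__main__":
    clean = process_batch(INPUT_BATCH)
    print("clean run:", reconcile(INPUT_BATCH, clean) or "balanced")

    dropped = process_batch(INPUT_BATCH, drop_txn=1003)
    print("dropped record:", reconcile(INPUT_BATCH, dropped))
    print("sequence check:", check_sequence(dropped))

    tampered = process_batch(INPUT_BATCH, tamper_txn=1002)
    print("altered amount:", reconcile(INPUT_BATCH, tampered))
```

A dropped record trips all three totals and leaves a gap in the numbering; an amount changed by one cent trips only the amount total, which is why the count and the hash total are carried alongside it. In a real batch system the input-side totals travel with the file (a header or trailer record, or a transmittal log as on the ORIGIN slide) so that the receiving system reconciles against what the sender claimed rather than recomputing both sides itself.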
28
DISTRIBUTED SYSTEMS Special Requirements
PHYSICALLY SECURE WORKSTATIONS
PHYSICALLY SECURE NETWORK COMPONENTS
USER IDENTIFICATION AND VERIFICATION
PROCESSES TO DEAL WITH UNAUTHORIZED USE
DATASET PROTECTION MECHANISMS
DATA ENCRYPTION AND AUTHENTICATION PROCESSES
FIREWALLS
29
  • PHYSICAL CONTROLS
  • Restricted access to data centers and all
    non-public areas
  • IT staff display visible IDs
  • Visitors must sign-in and sign-out

30
  • CYBERCRIME
  • Hackers
  • Hacktivism
  • Criminal Groups
  • Cyber-terrorism
  • Foreign Intelligence Services

31
INFORMATION SYSTEM SECURITY
FBI statistics (1999):
  • Companies that detected security breaches: 90%
  • Breaches that involved theft of proprietary information, financial fraud, system penetration by outsiders, data or network sabotage, or denial of service attacks: 74%
  • Companies reporting ten or more incidents: 19%
32
  • System Security Management
  • Create Usage Policy Statement
  • Conduct Risk Analysis
  • Low Risk: systems or data that, if compromised
    (data viewed by unauthorized personnel, data
    corrupted, or data lost), would not disrupt the
    business or cause legal or financial
    ramifications. The targeted system or data can be
    easily restored and does not permit further
    access to other systems.
  • Medium Risk: systems or data that, if compromised
    (data viewed by unauthorized personnel, data
    corrupted, or data lost), would cause a moderate
    disruption in the business, minor legal or
    financial ramifications, or provide further
    access to other systems. The targeted system or
    data requires a moderate effort to restore, or the
    restoration process is disruptive to the system.
  • High Risk: systems or data that, if compromised
    (data viewed by unauthorized personnel, data
    corrupted, or data lost), would cause an extreme
    disruption in the business, cause major legal or
    financial ramifications, or threaten the health
    and safety of a person. The targeted system or
    data requires significant effort to restore, or
    the restoration process is disruptive to the
    business or other systems.
  • Establish a Security Team Structure

http://www.cert.org/