Top Management Controls

1
Top Management Controls

• Chapter 3

2
Introduction - Challenges

• Hardware and software technology constantly
  changes
• Manage relationship between information systems
  and other functions
• Role of information systems in competitive
  strategy
• Auditors can evaluate top management by how well
  they perform their four major functions
  Planning, organizing, leading and controlling

Senior managers of the IS function
Challanges
3
Evaluating the Planning Function

• Top management is responsible for preparing a
  master plan for long and short term IS
• Recognizing opportunities and problems
• Identifying the resources required
• Formulating strategies and tactics to acquire
  the resources.
• Auditors evaluate whether senior management has
  formulated a high quality information system
  plan
• Poor IS planning can lead to controls
  deteriorating and loss of competitiveness

4
Types of Plans - Strategic

• Current information assessment
• existing IS systems, platform, personnel ,
  technology, strengths , weaknesses and
  opportunities
• Strategic directions
• future information services
• Development strategy
• Vision statement for IT application and
  databases, platform, finances, implementation
• Operational plan covers one to three years
• Progress report, Initiatives, Implementation
  schedule

5
Types of Plans - Operational

• Progress report
• Current plan initiatives achieved or missed
• Platform changes
• Initiatives to be undertaken
• Systems, platform, personnel, financial resources
• Implementation schedule
• start / finish dates, milestones, control
  procedures

6
Contingency Approach to Planning

• Harvard - McFarlan
• Support small planning
• Factory short run resource needs
• Turnaround long run application needs
• Strategic - both
• Sullivan
• Traditional
• Federation
• Backbone
• Complex

Importance of Proposed SystemsLow High
Systems Infusion and Integration
Low High
SystemsDiffusionand dispersion
Low
High
7
Role of the Steering Committee

• Take ultimate responsibility
• Functions and makeup depending upon how critical
  IS is to the organization
• Strategic Organizations - chaired by CEO
• Support - Middle management
• More Diffusion - broader membership
• More Infusion - steering committee much more
  important

8
Evaluating the Organizing Function

• Resourcing
• Staffing
• Centralization Versus decentralization of the
  information systems function
• Internal organization
• Location

9
Resourcing the IS Function

• Acquire resources needed
• Hardware software, personnel, finances, and
  facilities
• Detailed requirements
• Requests for proposals
• Submissions evaluated
• Contracts
• Testing and modification

Projects late? Projects cancelled? Moral in
IS? Day-today operations OK? IS role understood
by top management?
10
Staffing the IS Function

• Personnel acquisition
• Top management evaluates the integrity and
  capabilities of applicants
• Background check, screening mental and physical
  health, bonding, explaining organizational
  protocols, indoctrination
• Personnel development
• promotional and personal growth opportunities
• Education, reviews, identifying opportunities for
  personal growth, training and continuing
  education
• Personnel termination
• Notification, security review
• replacement training, exit interview

11
Centralization Versus Decentralization of The IS
Function

• Advantages
• Centralization
• better control and economies of scale
• Decentralization
• more flexible and less communication cost
• Dimensions
• control - responsibility for decision making
  about IS
• location of facilities
• functions - development, operations, maintenance

Does the structure seem appropriate?
12
Internal Organization of IS

• Workstation Specialist
• End/User Support
• Quality Assurance
• Executive IS
• Expert Systems
• Operations
• Operator
• Librarian
• Data Entry
• Administrative Support

• Systems Analyst
• Application Programmer
• Systems Programmer
• Data Administrator
• Database Administrator
• Security Administrator
• Network Administrator

13
Traditional Organization
14
More Recent Organization
15
(No Transcript)
16
(No Transcript)
17
(No Transcript)
18
(No Transcript)
19
Location of IS

• Depend upon McFarlans Strategic grid
• Separate department
• Under top management or controller
• Dispersed to user groups

20
Leading the IS Function

• Motivating IS personnel
• Auditors should examine variable which may
  indicate motivation levels - turnover, failure to
  meet budgets, absenteeism

• Matching leadership styles with IS personnel and
  their jobs
• Authoritarian to democratic
• Effectively communicating with IS personnel
• Examine form al evidence of communication
• Interviews

21
Controlling the IS Function

• Overall control
• Technology diffusion and control
• Control of IS activities
• Control over users of IS services

22
Overall Control of IS

• How much? Value for Money?
• Industry averages
• Benchmarking
• Look at spending as a capital investment rather
  than an expense.
• Post implementation - Benefits Versus Costs
• Sustaining competitive advantage / cost savings /
  obsolescence

23
Technology Diffusion and Control of IS

• Nolan S curve
• Initiation
• New installation, little control, loose budget,
  FIFO
• Contagion
• promotion of use, high status, lax budget, few
  standards
• Control
• control oriented management, many controls,
  transfer pricing, budgets
• Integration
• Resource oriented planning and control,
  refinement, master plan

24
Control of IS Activities

• Establishment and enforcement of
• Policies - broad general guidelines
• Standards - specific guidelines for behavior
• depends upon type of structure

• Methods Standards
• Performance Standards
• Documentation Standards
• Project-Control Standards
• Post Audit Standards

25
Control over User of IS Services

• Zero Based Budgeting
• Highlight applications which have outlived their
  usefulness
• Options for transfer pricing and charge-out
• Cost center
• Profit Center
• Investment Center
• Hybrid Center

• Type of charge
• Allocated cost
• Standard Cost
• Dual Price
• Negotiated Prices
• Market Price
• Purpose and other factors
• stimulate innovation
• responsibility level
• maturity level

26
CoBIT Management Guidelines

• In summary, this development has concentrated on
  the definition of both action-oriented and
  generic guidelines for management, required to
  maintain control over the enterprises
  information and related processes and technology
• MATURITY MODELS for strategic choice and
  benchmark comparison.
• CSFS for getting these processes under control
• KGIS for monitoring achievement of IT process
  goals
• KPIS for monitoring performance within each IT
  process
• In an age of increasing electronic business and
  technology dependence, organizations will have to
  demonstrably attain increasing levels of security
  and control. Every organization must understand
  its own performance and must measure its
  progress. Benchmarking and measuring progress
  against peers and the enterprise strategy is one
  way of achieving a competitive level of IT
  security and control. The COBIT Management
  Guidelines provide management with pragmatic
  guidance via these maturity models, practical and
  critical success factors and suggested
  performance measures, to answer the perpetual
  question
• What is the right level of control for my IT
  such that it supports my enterprise objectives?

27
CoBit Maturity Models
28
COBIT
29
Management Guidelines
30
Summary Maturity Models
31
Control Model
32
Developing Critical Success Factors
33
IT Governance
34
Critical Success Factors
35
Critical Success Factors
36
Key Goal Indicators
A Key Goal Indicator, representing the process
goal, is a measure of what has to be
accomplished. It is a measurable indicator of the
process achieving its goals, often defined as a
target to achieve.
37
Key Goal Indicators
38
Key Performance Indicators
39
Key Performance Indicators