IS371 WEEK 10: IT Investment, IT Controls, Instructor Online Evaluations

Page 1

• IS371 WEEK 10

• IT Investment

• IT Controls

• Instructor Online Evaluations

Page 2

IT Resources Must Be Accounted For

• IT funds are spent in a wide variety of ways

• Accounting for IT expenditures is difficult but mandatory

• Accounting methods can modify an organization's behavior

• Managerial accounting enables financial control of IT

• Accounting systems must be devised to meet the needs

• IT resource accountability is a critical issue

Page 3

The Objectives of Resource Accountability

• Helps measure progress toward objectives

• Provides basis for financial control actions

• Assists in IT and user planning activities

• Communicates important information to managers

• Provides performance appraisal information

• What is the relationship between planning, budgeting, measuring, controlling, and accounting for IT activities?

All these activities are interrelated and depend on each other for success. Planning leads to budgets, required for measuring and controlling, and accounting supports these activities.

Page 4

IT Cost Accounting and Recovery

• Helps clarify costs/benefits of IT services

• Strengthens communication between IT and user organization

• Permits IT to operate as a “business within a business”

• Increases employees’ sensitivity to costs and benefits

• Spotlights potentially unnecessary expenses

• Encourages effective resource use

• Improves IT’s cost effectiveness

• Enables IT benchmarking

• Provides a financial basis for evaluating outsourcing

Page 5

Charge-back Systems

• Must be easy to administer and for customers to understand

• Must distribute costs effectively and promote effective use of IT resources

• Provide incentives to change and improve behavior

• How does a good charge-back system improve IT effectiveness?

It allows IT to know where it is spending its money and to determine whether its expenditures are justified. This requires input from customers. Without cost recovery, operations are less well understood and tend to be looser and less rigorous.

Page 6

Alternative Methodologies

• Profit centers

• Cost centers

Page 7

Profit Centers

• Like a business within a business

• Follows most rules of financial accounting

• Can develop profits or losses on its operations

• Easy to understand and explain

• Encourages business management

• Provides basis for benchmark comparisons

• Establishes financial rigor—allows sale of service

Page 8

Cost Centers

• Promotes intensely interactive planning and budgeting

• Establishes prices in advance of known support

• Forces managers to handle variances

• Exposes the planning process to manipulation

• May lead to conflict (which may be beneficial)

• Forces decision making

• Reinforces the SLA

Page 9

Additional Cost Recovery Considerations

• No single method is appropriate for all situations

• Applications, operations, distributed systems, and networks need individual considerations

Page 10

Application Development

• IT can recover costs through labor rates

• Period support is useful for maintenance tasks

• Programming can be funded on a pay-as-you-go basis

• Funding and recovery are linked to phase reviews

• Costs can be recovered over the application's life

• Funding and recovery can occur at the corporate level

Good cost recovery methods improve development planning and execution and prevent excessive expenditures because intermediate checkpoints contain financial incentives that improve development performance.

Page 11

Production Operations

• CPU cycles or elapsed times are frequently used

• Rate differentials can be effective in some cases

• Dedicated equipment can be charged directly

• Multiyear plans avoid abrupt rate changes

• Some services can be sold outright

Page 12

Networks

• Networks complicate IT accounting processes

• Communication services are hard to isolate

• Some rates are difficult to understand

• Common carriers are frequently involved

• IT managers should strive for simplicity

• Methods are likely to change as the service matures

Configuration databases contain many physical items that have cost elements associated with them (costs can be in the database) so network managers can use these databases for accounting purposes.

Page 13

Cost Recovery and Client Behavior

• Most clients are motivated by cost implications

• Free services may encourage technology adoption

• Rates can be adjusted to encourage goal attainment

• Some firms generate revenue by selling services outside

Page 14

Compromise

• IT accounting systems must be flexible

• They must serve managers

• They need not be totally precise

• They should be changed over time as needed

Page 15

Expectations and Cost Recovery

• Cost recovery methods must appear equitable

• They must be easy to understand and use

• Cost recovery must help promote cost-effective operations

• Cost recovery helps measure IT's cost and value to the business

• However, most approaches are less than perfect

• Judgments still are appropriate and required

Page 16

Measuring IT Investment Returns

• IT managers must find ways to value IT investments

• ROI calculations are a good starting point but they have limitations

• IT investments change the environment, disrupting ROI assumptions

• On a broad scale, IT investments seem not very profitable

• All organizations must ensure by any means possible that IT lends value

Page 17

4 FUNCTIONS OF MANAGEMENT

• PLANNING

• ORGANIZING

• LEADING

• CONTROLLING

Page 18

Managers are responsible for protecting IT assets

• hardware: physical devices and processor power

• data: company owned information

• employees: behavior and use of time

from:

• theft: removal and unauthorized access

• damage: loss and unauthorized alteration

• misuse: use that does not benefit the company

Page 19

Definition of Quality:

Quality is adherence to specifications

Phil Crosby (originated the concept of “zero defects”)

Page 20

CONTROLS are important

• Control is a primary management responsibility.

• Uncontrolled events can be subtle and very damaging.

• IT eliminates the risks of manual processing and introduces new risks.

• Publicly owned (publicly traded stock) companies are required by law to have adequate controls.

• Controls assist organizations in protecting assets.

• Environmental / Executive pressures require controls.

• Technology introduction requires controlled processes.

Page 21

PRINCIPLES OF BUSINESS CONTROLS

• Asset Identification and Classification

• Separation of Duties

• Efficiency and Effectiveness

• Constant Vigilance

Page 22

Control Responsibilities

1 The application program owner (usually a manager)

2 Application users (sometimes many users)

3 The application’s programming manager

4 The individual providing the computing environment

5 The IT manager (either with line or staff responsibility)

Each individual has definite responsibilities that must be discharged correctly for the application controls to be effective.

Page 23

Assignment of RESPONSIBILITY

If everyone is responsible, then no one is responsible . . .

- System Owners / Users

- IT Managers

Policies and Procedures

If (when) one of your employees makes a mistake, is that the same as you (the supervisor/manager) making a mistake?

Jacques Cousteau

Page 24

System CONTROL Points

ORIGIN

DATA PREPARATION

DATA INPUT

DATA STORAGE/RETRIEVAL

COMPUTER PROCESSING

DATA TRANSMISSION

DATA OUTPUT

Page 25

System CONTROL Points

ORIGIN

DATA PREPARATION

INPUT DOCUMENT/SCREEN DESIGN

MANUAL REVIEW OF SOURCE DOCUMENTS

AUTHORIZATION

SEPARATION OF DUTIES

TRANSACTION NUMBERING

USER IDENTIFICATION

TRANSMITTAL LOGS BETWEEN ORGANIZATIONS

ERROR DETECTION AND CORRECTION

DOCUMENT RETENTION AND STORAGE

Page 26

System CONTROL Points

ORIGIN

DATA PREPARATION

DATA INPUT

INPUT PROCESSING SCHEDULES

SOURCE DOCUMENT CANCELLATION

EDITING AND VALIDATION

TERMINAL ACCESS SECURITY

TERMINAL USAGE LOGS

CONTROL TOTALS

ERROR HANDLING PROCEDURES

DISPLAY AND PROMPTING FORMATS

Page 27

System CONTROL Points

DATA STORAGE/RETRIEVAL, COMPUTER PROCESSING, DATA TRANSMISSION

VALIDATE THE INPUT DATASET

VALIDATE THE DATASET VERSION

VERIFY PROCESSING CORRECTNESS

VERIFY PROCESSING COMPLETENESS

DETECT AND CORRECT ERRORS

DATA OUTPUT

RECONCILE OUTPUT TO INPUT

MAINTAIN TRANSACTION RECORDS

BALANCE TRANSACTION VOLUMES

CONTROL ERROR HANDLING

RETAIN RECORDS

DISTRIBUTE OUTPUT
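The processing and output control points listed on this slide are integrity controls. As an added example that is not part of the original slides, the Python below encodes control totals, transaction numbering, processing completeness and output-to-input reconciliation over a constructed sample batch; the header fields and record layout are assumptions.

```python
"""Added example: batch integrity controls (control totals, transaction
numbering, completeness and output-to-input reconciliation)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    seq: int       # transaction number assigned at origin
    account: str
    amount: int    # cents, so hash totals never suffer float rounding


# Constructed sample batch and its header (layout is an assumption).
HEADER = {"count": 4, "hash_total": 12500, "first_seq": 101, "last_seq": 104}
INPUT_BATCH = [Txn(101, "A", 5000), Txn(102, "B", 2500),
               Txn(103, "A", 3000), Txn(104, "C", 2000)]


def validate_input(header, batch):
    """Validate the input dataset against its control totals and numbering."""
    problems = []
    if len(batch) != header["count"]:
        problems.append(f"record count {len(batch)} != header {header['count']}")
    if sum(t.amount for t in batch) != header["hash_total"]:
        problems.append("hash total mismatch")
    seqs = sorted(t.seq for t in batch)
    expected = list(range(header["first_seq"], header["last_seq"] + 1))
    if seqs != expected:  # a gap or duplicate means records were lost or replayed
        missing = sorted(set(expected) - set(seqs))
        dups = sorted({s for s in seqs if seqs.count(s) > 1})
        problems.append(f"numbering error: missing={missing} duplicate={dups}")
    return problems


def process(batch):
    """Posting step: one output record per input transaction."""
    return {t.seq: ("POSTED", t.account, t.amount) for t in batch}


def reconcile(batch, output):
    """Reconcile output to input: completeness, volume and amount balance."""
    problems = []
    missing = [t.seq for t in batch if t.seq not in output]
    if missing:
        problems.append(f"processing incomplete: {missing}")
    if len(output) != len(batch):
        problems.append("transaction volumes do not balance")
    if sum(r[2] for r in output.values()) != sum(t.amount for t in batch):
        problems.append("output total does not reconcile to input hash total")
    return problems
```

A clean batch passes both checks; a dropped, replayed or altered record is flagged at input or at reconciliation, which is the point of keeping the totals and numbering independent of the processing step.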

Page 28

DISTRIBUTED SYSTEMS – Special Requirements

PHYSICALLY SECURE WORKSTATIONS

PHYSICALLY SECURE NETWORK COMPONENTS

USER IDENTIFICATION AND VERIFICATION

PROCESSES TO DEAL WITH UNAUTHORIZED USE

DATASET PROTECTION MECHANISMS

DATA ENCRYPTION AND AUTHENTICATION PROCESSES

FIREWALLS

Page 29

PHYSICAL CONTROLS

– Restricted access to data centers and all non-public areas

– IT staff display visible IDs

– Visitors must sign-in and sign-out

Page 30

CYBERCRIME

• Hackers

• Hacktivism

• Criminal Groups

• Cyber-terrorism

• Foreign Intelligence Services

Page 31

INFORMATION SYSTEM SECURITY

FBI STATISTICS

COMPANIES THAT DETECTED SECURITY BREACHES IN 1999: 90%

BREACHES THAT INVOLVED: 74%

- THEFT OF PROPRIETARY INFORMATION

- FINANCIAL FRAUD

- SYSTEM PENETRATION BY OUTSIDERS

- DATA OR NETWORK SABOTAGE

- DENIAL OF SERVICE ATTACKS

TEN OR MORE INCIDENTS: 19%

Page 32

System Security Management

Create Usage Policy Statement

Conduct Risk Analysis

Low Risk: Systems or data that, if compromised (data viewed by unauthorized personnel, data corrupted, or data lost), would not disrupt the business or cause legal or financial ramifications. The targeted system or data can be easily restored and does not permit further access to other systems.

Medium Risk: Systems or data that, if compromised (data viewed by unauthorized personnel, data corrupted, or data lost), would cause a moderate disruption in the business, minor legal or financial ramifications, or provide further access to other systems. The targeted system or data requires a moderate effort to restore, or the restoration process is disruptive to the system.

High Risk: Systems or data that, if compromised (data viewed by unauthorized personnel, data corrupted, or data lost), would cause an extreme disruption in the business, cause major legal or financial ramifications, or threaten the health and safety of a person. The targeted system or data requires significant effort to restore, or the restoration process is disruptive to the business or other systems.
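As an added example that is not from the slides, the Python below applies the three risk definitions above to an asset's assessed impact and records which criteria drove the result; it assumes the highest tier reached by any single criterion decides the overall tier, and the field names and inventory entries are constructed.

```python
"""Added example: tier an asset by the Low/Medium/High definitions above.
Assumption: the highest tier reached by any single criterion wins."""
from dataclasses import dataclass

LOW, MEDIUM, HIGH = "Low", "Medium", "High"
RANK = {LOW: 0, MEDIUM: 1, HIGH: 2}


@dataclass(frozen=True)
class Impact:
    """Assessed consequences if the asset is viewed, corrupted or lost."""
    disruption: str        # "none" | "moderate" | "extreme"
    legal_financial: str   # "none" | "minor" | "major"
    health_safety: bool    # threatens the health or safety of a person
    further_access: bool   # compromise provides access to other systems
    restore_effort: str    # "easy" | "moderate" | "significant"


def classify(i):
    """Return (tier, criteria that drove the tier) for one asset."""
    findings = [
        ({"none": LOW, "moderate": MEDIUM, "extreme": HIGH}[i.disruption],
         "business disruption"),
        ({"none": LOW, "minor": MEDIUM, "major": HIGH}[i.legal_financial],
         "legal or financial ramifications"),
        (HIGH if i.health_safety else LOW, "health and safety"),
        (MEDIUM if i.further_access else LOW, "further access to other systems"),
        ({"easy": LOW, "moderate": MEDIUM, "significant": HIGH}[i.restore_effort],
         "restoration effort"),
    ]
    tier = max((lvl for lvl, _ in findings), key=RANK.get)
    reasons = [name for lvl, name in findings if lvl == tier and tier != LOW]
    return tier, reasons


# Constructed inventory: (asset name, impact) pairs a reviewer might record.
INVENTORY = [
    ("cafeteria menu page", Impact("none", "none", False, False, "easy")),
    ("HR file share", Impact("moderate", "minor", False, True, "moderate")),
    ("building access control", Impact("none", "none", True, False, "easy")),
]


def tier_inventory(inventory):
    """Map each asset to its tier so High assets can be reviewed first."""
    return {name: classify(impact) for name, impact in inventory}
```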

Establish a Security Team Structure

http://www.cert.org/