Chapter Five MANAGING THE IT FUNCTION. Lecture Outline Organizing the IT Function Organizing the IT...


Chapter Five

MANAGING THE IT FUNCTION


Lecture Outline

Organizing the IT Function
Financing the IT Function
Staffing the IT Function
Directing the IT Function
Controlling the IT Function


Organizing the IT Function

Locating the IT Function

To whom should the IT manager report?
  – Important ramifications on the IT manager’s
    » Ability to acquire needed resources
    » Ability to prioritize workloads

Must consider segregation of incompatible duties.
  – Responsibilities vest in different people:
    » Authorizing transactions
    » Recording transactions
    » Maintaining custody of assets


While it is difficult to vest the responsibilities in different people, it can be accomplished by
  – Choices of placing the IT function in the organization
  – Integrating programmed controls into computing infrastructures and applications.

IT manager reports to the accounting manager?
  – Seems to be a good idea
    » Most IT applications deal with accounting transactions.
  – However
    » Most controllers can already authorize and record certain transactions. If allowed to maintain custody of assets, then all three incompatible duties would be located under one of them.
    » Fraud would be difficult to detect.


IT manager reports to another functional/line manager?
  – Makes sense
    » Many software applications deal with these functional/line areas.
  – However
    » Many managers can authorize transactions, so custody of computing assets would attribute them with 2 of the 3 incompatible duties.
    » Other managers would not likely have the expertise to guide and support an IT manager.
    » Managers would likely give priority to their own IT needs and less to the rest of the company.
    » The IT function may not have access to upper management for influencing decisions about placing priorities and setting strategies.


IT manager alongside other functional/line managers?
  – Makes sense
    » Politically strong enough to compete for resources
    » Works directly with upper management on setting strategies, placing priorities and allocating resources
  – However
    » From an internal control perspective, the CEO has responsibility over authorizing transactions, recording transactions and maintaining custody of assets. But the CEO rarely performs the 3 incompatible duties.
  – But with sound internal controls, it can be effectively managed.


Designing the IT Function

The structure of the IT function is often determined by cultural, political and economic forces inherent in each organization.

Internal control considerations within an IT function
  – Separate from one another:
    » systems development
    » computer operations
    » computer security
  – Why?


In systems development
  – Staff have access to operating systems, business applications and other key software.
  – They are eventually authorized to create and alter software logic; therefore, they should not be allowed to process information.
  – They should not maintain custody of corporate data and business applications.

In computer operations
  – Operations staff are responsible for:
    » Entering data, processing information, disseminating output
    » Must segregate duties.


In computer security
  – Responsible for the safe-keeping of resources
    » includes ensuring that business software applications are secure.
    » responsible for the safety (‘custody’) of corporate information, communication networks and physical facilities
  – Systems analysts and programmers should not have access to the production library.

IT auditors should ensure that systems developers and computer operators are segregated.

It is also advisable for the IT function to form a separate security specialization to maintain custody of software applications and corporate data.


[Figure: organization chart of the IT function. Top box: IT Function Manager. Managers: Systems Development Manager (a), Computer Operations Manager (b), Computer Security Manager (c), User Services Manager. Units shown: Systems Analysis (a), Computer Programming (b), Quality Control, Data Input (a), Information Processing (b), Information Output (c), Database Administration (c), Continuity of Operations, Technical Support, User Training, Help Desk, Application Support, Software Security, Network Security, Physical Security, Information Security.]


Financing the IT Function

Must be adequately funded to fulfill strategic objectives.

Business risk of under-funding:
  – Needs and demands of customers, vendors, employees and other stakeholders will go unfulfilled.
  – Can adversely impact the success of the company.

Audit risk of under-funding:
  – Heavy workloads can lead to a culture of ‘working around’ the system of internal controls


Funding the IT Function

Two funding approaches: cost & profit center

Cost Center Approach
  – IT manager prepares a budget, submits it to upper management and justifies the request for operating funds
  – Typically a budget request for human resources, materials and supplies, and overhead.

Profit Center Approach
  – Submit detailed budget to upper management.
  – Charge internal users for IT services, creating intra-company funding of the IT function based on usage.


  – Positive outcome: Managers will not be overly demanding of IT services
  – Negative outcome: IT can build excessive expenses into billing rates until the rates exceed costs of outside providers.
  – An independent party within the company should compare rates to outside services.
  – The IT auditor should confirm that a reasonableness check is performed at least annually to ensure that billing rates are not excessive


Acquiring IT Resources

The IT function should engage in long-term planning, which includes developing, purchasing, and implementing various components of the computing infrastructure

The IT manager should justify IT capital projects using a methodological approach.
  – Determine the net benefit
    » Present value of benefits minus costs
  – Use a scorecard approach for non-quantifiable paybacks.
  – Goal of capital projects is to ensure that company resources are being judiciously allocated across the organization.


Staffing the IT Function

Business risk with mismanaging HR
  – Employees lack sufficient knowledge and experience
  – Inefficiently and ineffectively used

Audit risk
  – Employees unaware of or unconcerned about IC
  – Expose the company to computer security threats, information integrity problems, and asset misappropriation

Business and audit risks can be effectively controlled via sound human resource procedures in the areas of hiring, rewarding and terminating employees.


Hiring

Includes recruiting, verifying, testing, and interviewing prospective employees

The IT auditor determines whether the company has formal procedures and whether they are followed

Each job should have a substantive description of responsibilities and procedures.

Recruiting
  – Carefully plan and execute each step in compliance with company policy.
  – Identify needs, write a job description, obtain permissions, advertise, accept applications, review applications, select qualified candidates


Verifying
  – Extent depends on the position, but all candidates should have some checking.
  – Contact references, both personal and professional.
  – Conduct background checks
    » Verify education
    » Checks for criminal or civil violations
  – Document everything!

Testing
  – Written and/or oral tests can be administered to test skills.
  – Company must be consistent in testing procedures.


Interviewing
  – Follow sound procedures
  – Follow company, regulatory & statutory rules
  – Steps of interviewing:
    » Select appropriate interviewers
    » Develop an internal interview schedule
    » Arrange for interviews with interviewees
    » Conduct the interviews
  – Once a candidate is selected, others need to be notified
  – IT auditor should ensure that hiring procedures have been formally developed and followed.


Rewarding
  – It is important to continually challenge and motivate employees – build self-esteem, loyalty and commitment
  – Improperly rewarding employees may result in business and audit risks:
    » Business risks: employees might develop a ‘bad attitude’ toward the IT manager and the company, which leads to
      – lower productivity
      – frustration
      – turnover


    » Audit risks:
      – employees can become bored and disgruntled
      – engage in mischievous and criminal behaviors
      – can threaten the availability, accuracy, security and reliability of corporate information

Evaluating
  – Most common is the annual review.
  – The evaluation process must have structure and reasonableness.
  – Evaluator must be as fair as possible to prevent frustration and resentment.


Compensating
  – The company should strive to compensate employees at least as well as peer organizations.
  – Turnover:
    » Can cause productivity losses
    » Replacement costs are high
    » Risks the availability and reliability of systems
    » Employees take sensitive information to competitors
  – Compensation issues:
    » Equal pay for equal work
      – IT function must not discriminate in appearance or substance among employees.
      – Test by comparing the compensation packages of employees holding similar positions.


    » Compression and inversion
      – Compression: The compensation of newly hired employees gets very close to that of experienced employees in similar positions, or the compensation of subordinates is nearly the same as that of their superiors.
      – Inversion: The compensation of new hires is greater than that of more experienced employees in the same position, or the compensation of subordinates exceeds that of superiors.

Promoting
  – Should be based on merit
  – Compensation should be commensurate with the new job’s role and responsibilities.
  – There must be formal written procedures that are consistently followed.


Learning
  – Training benefits the employee, the employer and society as a whole. Failure to offer learning opportunities creates:
  – Business risk:
    » potential loss of competitive positioning due to an uneducated workforce
    » low employee morale
  – Audit risk:
    » stagnant and frustrated employees
    » attitude of complacency toward internal controls
    » or utter disregard for internal controls


Terminating
  – A disgruntled employee can disrupt the company’s systems and controls.
  – The IT function needs to design and implement countervailing controls
    » backup procedures
    » checks-and-balances
    » cross-training
    » job rotations
    » mandated vacations
    » immediately separate them from the computing environment
    » terminate all computer privileges