IT Process 2: Develop Tactics to Plan, Communicate, and Manage Realization of the Strategic Mission

19 January, 2016 - 12:35

To ensure adequate funding for IT, controlled disbursement of financial resources, and effective and efficient utilization of IT resources, IT resources must be managed through use of information services capital and operating budgets, by justifying IT expenditures, and by monitoring costs (in light of risks).

To ensure the overall effectiveness of the ISF, IS management must establish a direction and related policies addressing such aspects as a positive control environment throughout the organization, code of conduct/ethics, quality, and security. Then, these policies must be communicated (internally and externally) to obtain commitment and compliance. IS management’s direction and policies must be consistent with the control environment established by the organization’s senior management.

To ensure that projects are completed on time and within budget and that projects are undertaken in order of importance, management must establish a project management framework to ensure that project selection is in line with plans and that a project management methodology is applied to each project undertaken.

Management should establish a quality assurance (QA) plan and implement related activities, including reviews, audits, and inspections, to ensure the attainment of IT customer requirements. A systems development life cycle methodology (SDLC) is an essential component of the QA plan.

To ensure that IT services are delivered in an efficient and effective manner, there must be adequate internal and external IT staff, administrative policies and procedures for all functions (with specific attention to organizational placement, roles and responsibilities, and segregation of duties), and an IT steering committee to determine prioritization of resource use. We divide these controls into two groups: organizational control plans and personnel control plans.

Organizational Control Plans

We will concentrate on two organizational control plans: segregation of duties and organizational control plans for the information systems function.

Review Question

Segregation of duties consists of separating what four basic functions? Briefly define each function.

Segregation of duties control plan. The concept underlying segregation of duties is simple enough: Through the design of an appropriate organizational structure, no single employee should be in a position both to perpetrate and conceal frauds, errors, or other kinds of system failures. Segregation of duties consists of separating the four basic functions of event processing. The functions are:

  • Function 1: authorizing events.
  • Function 2: executing events.
  • Function 3: recording events.
  • Function 4: safeguarding resources resulting from consummating events.

A brief scenario should illustrate this concept. John Singletary works in the general office of Small Company. He initiates a sales order and sends the picking ticket to the warehouse, resulting in inventory being shipped to his brother. When Sue Billings sends Singletary the customer invoice for the shipment, he records the sale as he would any sale. Sometime later, he writes his brother’s account off as a bad debt. What is the result? Inventory was stolen and Singletary manipulated the information system to hide the theft. Had other employees been responsible for authorizing and recording the shipment or for the bad debt write-off, Singletary would have had a tougher time manipulating the system.

Table 8.3 illustrates segregation of duties in a typical system. Examine the top half of the table, which defines the four basic functions. The bottom half of the table extends the coverage of segregation of duties by illustrating the processing of a credit sales event.

Now, let’s examine Table 8.3 as a means of better understanding the control notion underlying segregation of duties. Ideal segregation of duties requires that different units (departments) of an organization carry out each of the four phases of event processing. In this way, exploiting the system and concealing the abuse would require collusion among persons (departments). Whenever collusion is necessary to commit a fraud, there is a greater likelihood that the perpetrators will be deterred by the risks associated with pursuing a colluding partner and that they will be caught.

Controls to prevent unauthorized execution of events ensure that only valid events are recorded. Therefore, function 1—authorizing events—takes on particular significance in our segregation of duties model. Control plans for authorizing or approving events empower individuals or machines to initiate events and to approve actions taken subsequently in executing and recording events.
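The Singletary scenario and the four functions of Table 8.3 can be turned into a mechanical check over an audit trail. The following Go program is an added example written for this edition of the text, not code from the original chapter; the audit trail, the actor names other than Singletary and Billings (R. Ortiz and the department labels are constructed), and the function names are assumptions. It shows both a detective control (scan a finished trail for any one principal holding two of the four functions on the same transaction) and a preventive control (refuse a new step before it is recorded), and it generalizes the text's point about departments by letting the check run at person level or at department level.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Function is one of the four basic functions of event processing (Table 8.3).
type Function int

const (
	Authorize Function = iota // Function 1: authorizing events
	Execute                   // Function 2: executing events
	Record                    // Function 3: recording events
	Safeguard                 // Function 4: safeguarding resources
)

func (f Function) String() string {
	return [...]string{"authorize", "execute", "record", "safeguard"}[f]
}

// AuditEntry is one line of a constructed audit trail: who (and which
// department) performed which function on which transaction.
type AuditEntry struct {
	TxID     string
	Actor    string
	Dept     string
	Function Function
	Step     string
}

// Conflict is one principal holding two or more of the four functions on the
// same transaction, which is exactly what segregation of duties is meant to prevent.
type Conflict struct {
	TxID      string
	Principal string
	Functions []Function
}

// principal selects the unit we segregate by: the person, or (the stricter
// ideal described in the text) the department.
func principal(e AuditEntry, byDept bool) string {
	if byDept {
		return e.Dept
	}
	return e.Actor
}

// FindConflicts is the detective control: it scans a completed trail and
// reports every (transaction, principal) pair covering more than one function.
// Output is sorted so results are stable.
func FindConflicts(trail []AuditEntry, byDept bool) []Conflict {
	type key struct{ tx, who string }
	held := map[key]map[Function]bool{}
	for _, e := range trail {
		k := key{e.TxID, principal(e, byDept)}
		if held[k] == nil {
			held[k] = map[Function]bool{}
		}
		held[k][e.Function] = true
	}
	var out []Conflict
	for k, fs := range held {
		if len(fs) < 2 {
			continue
		}
		var list []Function
		for f := range fs {
			list = append(list, f)
		}
		sort.Slice(list, func(i, j int) bool { return list[i] < list[j] })
		out = append(out, Conflict{k.tx, k.who, list})
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].TxID+"/"+out[i].Principal < out[j].TxID+"/"+out[j].Principal
	})
	return out
}

// Permit is the preventive control: before a new step is accepted, refuse it
// if the same principal already performed a different function on that
// transaction. The clashing function is returned when the step is refused.
func Permit(trail []AuditEntry, next AuditEntry, byDept bool) (ok bool, clash Function) {
	for _, e := range trail {
		if e.TxID == next.TxID && principal(e, byDept) == principal(next, byDept) && e.Function != next.Function {
			return false, e.Function
		}
	}
	return true, 0
}

// SingletaryTrail is the chapter's scenario as a constructed audit trail:
// Singletary initiates (authorizes) the order, records the sale, and later
// authorizes the bad-debt write-off, while the warehouse and billing do their parts.
var SingletaryTrail = []AuditEntry{
	{"SO-1001", "J. Singletary", "General Office", Authorize, "initiate sales order"},
	{"SO-1001", "R. Ortiz", "Warehouse", Execute, "pick and ship inventory"},
	{"SO-1001", "S. Billings", "Billing", Record, "prepare customer invoice"},
	{"SO-1001", "J. Singletary", "General Office", Record, "record sale"},
	{"SO-1001", "J. Singletary", "General Office", Authorize, "write off account as bad debt"},
}

func main() {
	for _, c := range FindConflicts(SingletaryTrail, false) {
		var names []string
		for _, f := range c.Functions {
			names = append(names, f.String())
		}
		fmt.Printf("%s: %s holds %s\n", c.TxID, c.Principal, strings.Join(names, " + "))
	}
	// Preventive use: had the system checked before accepting the "record sale"
	// step, it would have refused it because Singletary already authorized the order.
	if ok, clash := Permit(SingletaryTrail[:1], SingletaryTrail[3], false); !ok {
		fmt.Printf("refused: %s already performed %s on %s\n", SingletaryTrail[3].Actor, clash, SingletaryTrail[3].TxID)
	}
}
```

Note that two steps of the same function by one person (Singletary authorizing twice) are not flagged; the control is about combining functions, not repeating one. Running the check with `byDept` set to true reports the same problem against the General Office as a unit, which is the departmental ideal the text describes.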

Authorization control plans often take the form of policy statements and are implemented by including necessary procedures and process controls within the information system that will process the events. For example, through proper design of the sales order form, an organization can see that credit is granted by including a block on the document that requires the credit manager’s signature. Or, a computer-based system can be designed to approve events within some predetermined credit limits. Digital signatures on electronic documents also authenticate or authorize requests from external parties, as seen in Technology Excerpt 8.2. These procedures receive management authorization when the system is approved during initial development, or when the system is changed.
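The two authorization mechanisms just described, a system that approves events within a predetermined credit limit and a signature block the credit manager must fill in, can be combined in one check placed in front of the step that executes the event. The Go program below is an added example, not code from the original text; the order fields, the 5,000 auto-approval limit, and the use of Ed25519 as the digital signature scheme are assumptions. The point it demonstrates is that the executing function verifies the approval against the manager's public key, so an order altered after approval (or approved with someone else's key) is refused.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// SalesOrder is the document whose approval is being controlled. Field order
// is fixed, so json.Marshal yields identical bytes for signing and verifying.
type SalesOrder struct {
	ID       string  `json:"id"`
	Customer string  `json:"customer"`
	Amount   float64 `json:"amount"`
}

// AuthPolicy models the two authorization plans: the system approves orders up
// to a predetermined credit limit on its own (machine authorization), and any
// larger order needs the credit manager's signature, verified with their public key.
type AuthPolicy struct {
	AutoLimit float64
	CreditMgr ed25519.PublicKey
}

var (
	ErrNeedsSignature = errors.New("order exceeds auto-approval limit; credit manager signature required")
	ErrBadSignature   = errors.New("signature invalid: wrong key or order altered after approval")
)

// Sign is what the credit manager's workstation does to approve an order
// (the electronic counterpart of signing the block on the paper form).
func Sign(priv ed25519.PrivateKey, o SalesOrder) ([]byte, error) {
	b, err := json.Marshal(o)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, b), nil
}

// Authorize is called by the executing step (picking inventory) before it
// proceeds. An empty sig means no manager approval is attached.
func (p AuthPolicy) Authorize(o SalesOrder, sig []byte) error {
	if o.Amount <= p.AutoLimit {
		return nil // within the predetermined credit limit: the system approves
	}
	if len(sig) == 0 {
		return ErrNeedsSignature
	}
	b, err := json.Marshal(o)
	if err != nil {
		return err
	}
	if !ed25519.Verify(p.CreditMgr, b, sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Constructed key pair standing in for the credit manager's credential.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	policy := AuthPolicy{AutoLimit: 5000, CreditMgr: pub}

	small := SalesOrder{"SO-2001", "Acme", 1200}
	fmt.Println("small order:", policy.Authorize(small, nil))

	large := SalesOrder{"SO-2002", "Acme", 9800}
	fmt.Println("large, unsigned:", policy.Authorize(large, nil))
	sig, _ := Sign(priv, large)
	fmt.Println("large, signed:", policy.Authorize(large, sig))

	altered := large
	altered.Amount = 98000 // changed after the manager signed
	fmt.Println("altered after approval:", policy.Authorize(altered, sig))
}
```

The limit and the manager's public key are the parts that receive management authorization when the system is approved or changed; changing either is itself a change to the control and should go through the same approval.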

Table 8.3 Illustration of Segregation of Duties

Function 1: Authorizing Events
  • Approve steps of event processing.

Function 2: Executing Events
  • Physically move resources.

Function 3: Recording Events
  • Complete source documents.
  • Record events in the appropriate data store(s).
  • Post event summaries to the master data store.

Function 4: Safeguarding Resources Resulting from Consummating Events
  • Physically protect resources.
  • Maintain accountability of physical resources.

Example: Processing a credit sales event.

Function 1: Authorizing events
  • Approve customer credit.
  • Approve picking inventory and sending inventory to shipping department.
  • Approve shipping inventory to customer.
  • Approve recording accounting entries.

Function 2: Physical movement of resources
  • Pick inventory from bins.
  • Move inventory from warehouse to shipping department.
  • Ship inventory to customer.

Function 3: Record event details
  • Update accounts receivable, sales, and inventory event data.
  Complete source documents
  • Enter sales order.
  • Enter shipping document.
  • Enter invoice.
  Post event summaries
  • Update general ledger and marketing master data.

Function 4: Physically protect resources
  • Safeguard inventory while in storage at warehouse, while in transit to shipping department, and while preparing for shipment to customer.
  Maintain accountability
  • Examine and count inventory periodically, and compare physical total to recorded total.


Organizational control plans for the information systems function. The information systems function normally acts in a service capacity for other operating units in the organization. In this capacity, it should be limited to carrying out function 3 of Table 8.3, recording events and posting event summaries. Approving and executing events along with safeguarding resources should be carried out by departments other than the ISF. This arrangement allows for effective implementation of segregation of duties. There are situations, however, where the functional divisions we mentioned can be violated. For instance, some ISFs do authorize and execute events: the computer might be programmed to approve customer orders.

Within the ISF, we segregate duties to control unauthorized use of and/or changes to the computer and its stored data and programs. Segregation of duties within the ISF can be accomplished in a number of ways. One method of separating systems development and operations is to prevent programmers from operating the computer, thus reducing the possibilities of unauthorized data input or unauthorized modification of organizational data and programs. Passwords, assigned by an information security specialist, are critical to separating key functions between the ISF and the operational units and within the ISF itself.

Technology Excerpt 8.2

Digital Signatures

The passage of the Electronic Signatures in Global and National Commerce Act, nicknamed E-Sign, gives electronic signatures the same legal status as handwritten ones. This law translates into great opportunities for actually completing high-stakes transactions, agreements, and approvals on the Web. With digital signatures, the velocity of funds transfers increases, the cost of acquiring customers drops, and entire transaction processes, such as procurement, can be automated.

The biggest impact of digital signatures will come in financial services. Think of all the transactions that currently require physical signatures—mortgages, insurance policies, service contracts, and many business-to-business transactions. The cost of signing up a single customer can be significantly reduced because E-Sign enables these transactions to be completed online.

E-Sign will also have big payoffs for vertical online exchanges. For many transactions initiated through exchanges or marketplaces, the electronic interplay stops well short of completing the transaction.

Eventually, the trading partners step offline—and therefore off the exchange—to complete the paperwork and financing. E-Sign gets around this obstacle, and it also simplifies the process of third-party legal validation for deals involving more than one trading partner.

Digital signatures can be any form of electronic seal agreed to by the two parties. The most common approach relies on digital certificates and encryption. The encrypted signature can reside on a machine, be carried on smart cards, be authenticated via passwords or personal identification numbers, or even be a biometric authentication, such as a fingerprint or retinal pattern.

Legal status is one big step for digital signatures, but trust is the next. Trading partners need to have a great deal of trust in the technology, especially in purely electronic transactions in which the two sides haven’t met or even spoken to one another. Technology needs to establish credibility, security, and trust.

Source: James K. Watson Jr. and Carol Choksy, “Digital Signatures Seal Web Deals,” Informationweek.com, September 18, 2000: Rb26 and Rb28.

Personnel Control Plans

IT personnel resources must be managed to maximize their contributions to IT processes. Specific attention must be paid to recruitment, promotion, personnel qualifications, training, backup, performance evaluation, job change, and termination. As we discussed earlier in the chapter, an organization that does not have honest, competent employees will find it virtually impossible to implement other control plans.

The personnel control plans described in Table 8.4 help to protect an organization against certain types of risks. As you study each plan, think of the problems that the plan can prevent or the control goal that could be achieved by implementing the plan. Also, consider how much more important these plans are when we consider the impact that they have on systems personnel.

Table 8.4 Personnel Control Plans

Selection and hiring: Job candidates should be carefully screened before being selected for a position.

Retention: To retain employees, provide creative and challenging work opportunities and, when possible, offer open channels to management-level positions.

Personnel development: Conduct performance reviews to:
  • determine whether an employee is satisfying the requirements of a position as indicated by a job description;
  • assess an employee’s strengths and weaknesses;
  • assist management in determining whether to make salary adjustments and whether to promote an employee;
  • identify opportunities for training and for personal growth.

Personnel management:
  • Project future managerial and technical skills of the staff, anticipate turnover, and develop a strategy for filling necessary positions.
  • Lay out the responsibilities for each position on an organization chart.
  • Identify the resources required by each staff member to perform their responsibilities.
  • Prevent the organization’s own personnel from committing acts of computer abuse, fraud, or theft of assets through:
      • Rotation of duties—require employees to alternate jobs or responsibilities periodically.
      • Forced vacations—require that an employee take leave from the job and substitute another employee in his or her place.
      • Fidelity bond—indemnifies a company in case it suffers losses from financial misbehavior by its employees; employees who have access to cash and other negotiable assets are usually bonded.
      • Personnel termination policies—when an employee leaves an organization, collect keys and badges and change passwords.


Review Question

What are personnel control plans? Define the plans.

Three plans in Table 8.4 require a little discussion. The control notion underlying rotation of duties and forced vacation is that if an employee is perpetrating some kind of irregularity, it will be detected by his/her substitute. Furthermore, if these plans are in place, they should act as a deterrent to the irregularity ever occurring in the first place (i.e., a preventive control). Beyond the control considerations involved, these two plans also help to mitigate the disruption that might be caused when an employee leaves the organization. When another person is familiar with the job duties of each position, no single employee is irreplaceable.

Finally, rigorous application of personnel termination policies is particularly important in the ISF. Disgruntled employees working in the ISF have the opportunity to cause much damage in a short time. For example, computer operations personnel could erase large databases in a matter of minutes. For this reason, key employees who have access to important programs and databases may be asked to leave the facility immediately, and in some cases, company security personnel may escort them from the premises.