INFORMATION TECHNOLOGY MANAGEMENT, AUDIT AND CONTROL
Arranged by Nowsherwan Adil Niazi
Society Publishers
Contents
THE INFORMATION SYSTEMS FUNCTION: ORGANIZATIONAL ISSUES 10
IS/IT DIRECTORS 10
IS/IT STEERING COMMITTEE 10
FUNCTIONS OF STEERING COMMITTEE 11
POLICIES 12
PROCEDURES 13
OPERATIONS CONTROL 13
INFORMATION CENTRE 13
ROLES PERFORMED BY INFORMATION CENTRES (ICs) 14
CENTRALIZATION 16
DECENTRALIZATION 16
ACCOUNTING ISSUES 17
1. IT as a Corporate Overhead 18
2. IT charged at cost 18
3. IT charged at market 18
ESTABLISHING IT DEPARTMENT AS A SEPARATE COMPANY 19
LEGACY DATA MANAGEMENT 19
OUTSOURCING 20
TYPES OF OUTSOURCING 20
LEVEL OF SERVICE PROVISION 21
ORGANIZATIONS INVOLVED IN OUTSOURCING 21
CATEGORIES OF CONSULTING ACTIVITIES 22
DEVELOPMENTS IN OUTSOURCING 23
MANAGEMENT OF OUTSOURCING ARRANGEMENT 23
SERVICE LEVEL AGREEMENT 24
ADVANTAGES OF OUTSOURCING 25
DISADVANTAGES OF OUTSOURCING 25
BUSINESS RISKS FROM OUTSOURCING 26
TERMINATION POLICIES 27
LOGGING SYSTEM 27
INTRODUCTION TO STRATEGY & INFORMATION STRATEGIES 29
CHARACTERISTICS OF STRATEGIC DECISIONS 29
STRATEGY 29
Arranged by
Nowsherwan Adil Niazi Page 1
INFORMATION TECHNOLOGY MANAGEMENT, AUDIT AND CONTROL
CHAPTER 01
THE INFORMATION SYSTEMS FUNCTION: ORGANIZATIONAL ISSUES
IS/IT DIRECTORS
At the head of the IS/IT function will be either an IS/IT manager or an IS/IT director.
This person will be responsible for:-
IS/IT STEERING COMMITTEE
The general purpose of the IS/IT steering committee is to make decisions relating to
the future use and development of IS/IT by the organization. An organization's senior
management should appoint a planning or steering committee to oversee information
systems department activities. The planning or steering committee should contain
FUNCTIONS OF STEERING COMMITTEE
i) Review the long and short range plans of the IS division to ensure that
they are in accordance with the corporate objectives.
ii) Review and approve major acquisitions of hardware and software within
limits approved by the BOD.
iii) Approve and monitor major products, establish priorities, approve
standards and procedures and monitor overall IS performance.
iv) Provide liaison between the IS department and the user departments.
v) Approve and monitor major projects, the status of IS plans and annual
budgets.
vi) Review the adequacy of resources and the allocation of resources in terms of
time, personnel and equipment.
vii) Make decisions regarding centralization versus decentralization and the
assignment of responsibility.
viii) Review and approve plans for the outsourcing of selected or all IS
activities.
The committee should monitor performance and institute appropriate action to
achieve the desired results. Formal minutes of the IS steering committee meetings
should be maintained to document the committee's activities and decisions and to
inform the BOD of IS activities.
Committee members should be chosen with the aim of ensuring that the committee
contains the wide range of technical and business knowledge required. The
committee should liaise closely with those affected by the decisions it will make.
POLICIES
Policies are high level documents. They represent the corporate philosophy of an
organization. To be effective they must be clear and concise. Management must
create a positive control environment by assuming responsibility for formulating,
developing, documenting, promulgating and controlling policies covering general
goals and directives.
In addition to corporate policies that set the tone for the organization as a whole,
individual divisions and departments should define lower level policies. These would
apply to the employees and operations of those units and would focus on the
operational level.
PROCEDURES
Procedures are detailed documents. They must be derived from the parent policy and
must implement the spirit (intent) of the policy statement. Procedures must be
written in a clear and unambiguous manner so that they may be easily and properly
understood by all who will be governed by them.
Procedures are generally more dynamic than their respective parent policies. They
must reflect the regular changes in business focus and environment. Hence, frequent
reviews and updates of procedures are essential if they are to remain relevant. An
auditor will find a divergence between practice and precept in organizations that
neglect the review process.
An independent review is necessary to ensure that policies and procedures have been
properly understood and executed. The reviewer should maintain independence at all
times and not be influenced by anyone in the group being reviewed. Evidence of the
review should provide a level of confidence that the work was performed in
compliance with established policies and procedures.
OPERATIONS CONTROL
Operations control is concerned with ensuring that IS/IT systems are working and
available to users. Key tasks include:
a) Maintaining the IS/IT infrastructure.
b) Monitoring network usage and managing network resources.
c) Keeping employees informed, e.g. giving advance warning of service interruptions.
d) Virus protection measures, e.g. ensuring anti-virus software updates are
loaded.
e) Fault fixing.
INFORMATION CENTRE
An information centre (IC) is a small unit of staff with a good technical awareness of
computer systems, whose task is to provide a supportive function to computer users
within the organization. Information centres, sometimes referred to as support
centres, are particularly useful in organizations which use distributed systems and so
are likely to have hardware, data and software scattered throughout the
organization. The IC provides a centralized source of support and co-ordination.
The IC’s help desk ensures that staff time is spent on customer service
rather than on IT problems:
CENTRALIZATION
A centralized IS/IT department involves all IS/IT staff and functions being based at
a single central location, such as head office.
Advantages:
Disadvantages:
DECENTRALIZATION
A decentralized IS/IT department involves IS/IT staff and functions being spread out
throughout the organization.
Advantages:
a) Each office can introduce an information system specially tailored to its
specific needs. Local changes in business requirements can be taken into
account.
b) Each office is more self-sufficient.
c) Offices are likely to have quicker access to IS/IT support / advice.
Disadvantages:
a) Control may be more difficult: different and uncoordinated information systems
may be introduced.
b) Self-sufficiency may encourage a lack of coordination between departments.
c) Increased risk of data duplication, with different offices holding the same data
in their own separate files.
ACCOUNTING ISSUES
CAPITAL COST
Hardware purchase
Cabling
System installation
Power
Maintenance & support.
Ongoing e.g. paper, printer ink, floppy disks, CDs.
1. IT as a Corporate Overhead
This implies that all the expenses on IT should be borne by the head office. There is
no cost allocation.
Advantages:
No complexity in calculation.
Encourages innovation, because no one is being charged.
Good relations between the IT and user departments.
Disadvantages:
No cost control.
Inefficiency.
Substandard services to user departments, because no one will complain about
inefficient working / systems.
No true performance picture.
2. IT charged at cost
IT cost is allocated to each user department on the basis of the services received by
each.
Advantages
Realistic.
Efficiency.
Good services to user departments.
True performance picture.
Disadvantages
Finding a cost unit, whether per page, per data entry or per print.
No good relations.
Inefficiency may be passed on, e.g. pages wasted by the IS department may be
claimed as test pages.
3. IT charged at market
The IS department charges its services to the other user departments at market rates.
(This charging is on the books only, not in reality.)
Advantages
Profit centre.
High standard of services, because they are being provided at market rates.
Cost cutting.
Efficiency.
Disadvantages
Administrative hassles.
No comparable services.
ESTABLISHING IT DEPARTMENT AS A SEPARATE COMPANY
Advantages
More skills, because outsiders may also hire it for different services.
The IT department becomes a profit centre.
Better career path for IT people.
Employees are retained.
Disadvantages
Administrative hassles.
Focus is lost (earlier the IT department was developing applications for the banks
only, but now also for other businesses).
No priority for the parent company.
LEGACY DATA MANAGEMENT
Advantages:
Cost savings.
Occupies less storage space.
Enhanced data consistency.
Increased data availability.
Minimal data loss.
Improved responsiveness.
Implementing LDM involves:
Performing a system needs analysis.
Performing a cost benefit analysis.
Developing a conversion plan.
OUTSOURCING
There are various outsourcing options available, with different levels of control
maintained "in-house". Outsourcing has advantages (e.g. use of highly skilled people)
and disadvantages (e.g. lack of control). Outsourcing is a contractual agreement
whereby an organization hands over control of part or all of the functions of the
information systems department to an external party. The organization pays a fee
and the contractor delivers a level of service that is defined in a contractually binding
service level agreement. The contractor provides the resources and expertise
required to perform the agreed service. Outsourcing is becoming increasingly
important in many organizations. The IS auditor must be aware of the various forms
outsourcing can take and the associated risks. The objective of outsourcing is to
achieve lasting, meaningful improvement in IS, through corporate restructuring to
take advantage of a vendor's core competencies.
TYPES OF OUTSOURCING
There are four broad classifications of outsourcing:
The degree to which the provision and management of IS/IT services are transferred
to the third party varies according to the situation and skills of both organizations.
SOFTWARE HOUSE:
Software houses concentrate on the provision of software services. These
include: feasibility study, system analysis and design, development of OS
software, provision of application program packages, tailor-made application
programming, specialist systems advice and so on. For example a software
CONSULTANCY FIRMS:
Some consultancy firms work at a fairly high level, giving advice to
management on the general approach to solving problems and on the types of
system to use. Others specialize in giving more particular systems advice,
carrying out feasibility studies and recommending computer manufacturers /
software. When a consultancy firm is used, the terms of the contract should
be agreed at the outset.
The use of consultancy services enables management to learn directly or
indirectly from the experience of others. Many large consultancies are owned
by big international accountancy firms; smaller consultancies may consist of
one- or two-person outfits with a high level of specialist experience in one area.
DEVELOPMENTS IN OUTSOURCING
a) Multiple sourcing.
b) Incremental approach.
c) Joint-venture sourcing.
d) Application Service Provider (ASP).
ASPs are third parties that manage and distribute software services and
solutions to customers across a wide area network.
SERVICE LEVEL AGREEMENT
The contract provides the framework for the relationship between the organization
and the service provider. A key factor when choosing and negotiating with external
vendors is the contract offered and subsequently negotiated with the supplier. The
contract is sometimes referred to as the service level contract (SLC) or service level
agreement (SLA).
i) Time scale:
When does the contract expire? Is the timescale suitable for the organization's
needs, or should it be renegotiated?
ii) Service level:
The contract should clearly specify the minimum levels of service to be
provided; penalties should be specified for failure to meet those standards.
Relevant factors will vary depending on the nature of the services outsourced,
but could include:
Response time to requests for assistance / information.
System uptime percentage.
Deadlines for performing relevant tasks.
iii) Exit routes:
Arrangements for an exit route, addressing how a transfer to another supplier, or
the move back in-house, would be conducted.
iv) Software ownership:
Relevant factors include:
Software licensing and security.
If the arrangement includes the development of new software, who
owns the copyright?
v) Dependencies:
If related services are outsourced, the level of service quality agreed should
group these activities together.
ADVANTAGES OF OUTSOURCING
DISADVANTAGES OF OUTSOURCING
TERMINATION POLICIES
Written termination policies should be established to provide clearly defined steps
for employee separation. It is important that policies be structured to provide adequate
protection for the organization's computer assets and data. Termination practices
should address both voluntary terminations and involuntary (immediate) terminations.
In all other cases however, the following control procedures should be applied:
Return of all access keys, ID cards and badges to prevent easy physical
access.
Deletion of the assigned logon-ID and passwords to prohibit system access.
Notification to other staff and facilities security to increase awareness of the
terminated employee's status.
Arrangement of the final pay routines to remove the employee from active
payroll files.
Performance of a termination interview to gather insight on the employee's
perception of management.
Return of all company property.
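An auditor testing the termination controls above would reconcile the HR separations list against what is still active in the systems. The following Python check is an added illustration, not part of the original notes: the separations, logon-IDs, badge register, payroll snapshot and the one-day grace period for voluntary leavers are all constructed assumptions.

```python
"""Reconcile a constructed HR separations list against constructed system snapshots
and report each termination control that was not applied (hypothetical data)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Separation:
    emp_id: str
    name: str
    last_day: date
    involuntary: bool  # immediate terminations must be revoked on the last day itself


# Constructed sample data: who has left, and what is still active afterwards.
SEPARATIONS = [
    Separation("E100", "A. Khan", date(2024, 3, 1), involuntary=False),
    Separation("E101", "B. Ali", date(2024, 3, 5), involuntary=True),
    Separation("E102", "C. Raza", date(2024, 3, 8), involuntary=False),
]
ACTIVE_LOGON_IDS = {"E100": "akhan", "E101": "bali", "E200": "dstaff"}  # E102 already deleted
ACTIVE_BADGES = {"E101", "E200"}            # physical access cards still enabled
ACTIVE_PAYROLL = {"E100", "E102", "E200"}   # still on the active payroll file
GRACE_DAYS_VOLUNTARY = 1   # assumption: voluntary leavers revoked by the next day
AS_OF = date(2024, 3, 10)  # constructed date on which the snapshots were taken


def termination_exceptions(separations, logons, badges, payroll, as_of):
    """Return one (emp_id, control, days_overdue) tuple per control not applied.

    A separated employee who still appears in a snapshot after the allowed window
    is an exception against the corresponding control in the termination policy.
    Current staff (e.g. E200) are never reported, whatever the snapshots contain."""
    findings = []
    for s in separations:
        grace = 0 if s.involuntary else GRACE_DAYS_VOLUNTARY
        overdue = (as_of - s.last_day).days - grace
        if overdue <= 0:
            continue  # still inside the allowed window, nothing to report yet
        if s.emp_id in logons:
            findings.append((s.emp_id, "logon-ID not deleted", overdue))
        if s.emp_id in badges:
            findings.append((s.emp_id, "badge/ID card not returned", overdue))
        if s.emp_id in payroll:
            findings.append((s.emp_id, "still on active payroll", overdue))
    return findings


def run_check(as_of=AS_OF):
    """Run the reconciliation over the constructed data for the given date."""
    return termination_exceptions(
        SEPARATIONS, ACTIVE_LOGON_IDS, ACTIVE_BADGES, ACTIVE_PAYROLL, as_of
    )


if __name__ == "__main__":
    for emp_id, control, days in run_check():
        print(f"{emp_id}: {control} ({days} day(s) overdue)")
```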
LOGGING SYSTEM
The information system department should implement comprehensive logging
systems. These will include manual as well as automated logs. Logs allow managers
to monitor work and compare actual performance with the usual averages. They can
also serve as early warning systems for serious errors. An effective IS department
should have various logs that individuals examine regularly and take appropriate
action on when necessary.
Examples:
i) Data entry staff should keep full details of each batch of work, with its
duration and errors.
ii) Computer operators should maintain logs of all batch jobs and the time
taken to complete them.
iii) Backups and the storage of data off-site should be logged.
iv) Any problems in the hardware or software infrastructure should be recorded
in daily logs.
v) Software application systems may generate their own logs of errors.
vi) A security subsystem could maintain detailed logs of who did what and
when, and also of any attempted security violations.
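The examples above describe two kinds of log: operator batch logs, checked against the usual averages, and a security-subsystem log of who did what and of attempted violations. The following Python block is an added illustration, not from the original notes: it parses constructed lines in an assumed format, flags batch runs that take far longer than that job's other runs or finish with errors, and surfaces repeated denied logons and refused actions from the security log. Thresholds and the log format are assumptions.

```python
"""Early-warning checks over constructed operator and security-subsystem log lines.
The log formats, thresholds and sample lines are assumptions made for this example."""
import re
from collections import defaultdict
from statistics import mean

# Constructed operator batch log: one line per completed job run.
BATCH_LOG = """\
2024-03-04 JOB=PAYROLL_POST START=22:00 END=22:41 ERRORS=0
2024-03-05 JOB=PAYROLL_POST START=22:00 END=22:39 ERRORS=0
2024-03-06 JOB=PAYROLL_POST START=22:00 END=22:44 ERRORS=1
2024-03-07 JOB=PAYROLL_POST START=22:00 END=23:58 ERRORS=0
2024-03-04 JOB=GL_BACKUP START=01:00 END=01:30 ERRORS=0
2024-03-05 JOB=GL_BACKUP START=01:00 END=01:31 ERRORS=0
2024-03-06 JOB=GL_BACKUP START=01:00 END=01:29 ERRORS=3
"""
# Constructed security-subsystem log: who did what, when, and whether it was allowed.
SECURITY_LOG = """\
2024-03-07T08:01:10 user=akhan action=LOGIN result=OK
2024-03-07T08:02:15 user=akhan action=READ object=GL_MASTER result=OK
2024-03-07T08:05:00 user=bali action=LOGIN result=DENIED
2024-03-07T08:05:20 user=bali action=LOGIN result=DENIED
2024-03-07T08:05:41 user=bali action=LOGIN result=DENIED
2024-03-07T08:06:02 user=bali action=LOGIN result=DENIED
2024-03-07T09:10:00 user=craza action=UPDATE object=PAYROLL_RATES result=DENIED
2024-03-07T09:30:00 user=craza action=LOGIN result=OK
"""
BATCH_RE = re.compile(r"JOB=(\S+) START=(\d\d):(\d\d) END=(\d\d):(\d\d) ERRORS=(\d+)")
SEC_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+)(?: object=(\S+))? result=(\S+)")


def parse_batch(text):
    """Return (job, duration_minutes, errors) per run; a run crossing midnight wraps."""
    runs = []
    for line in text.splitlines():
        m = BATCH_RE.search(line)
        if not m:
            continue  # malformed operator line: ignored here, worth logging in practice
        job, sh, sm, eh, em, errs = m.groups()
        minutes = (int(eh) * 60 + int(em)) - (int(sh) * 60 + int(sm))
        if minutes < 0:
            minutes += 24 * 60
        runs.append((job, minutes, int(errs)))
    return runs


def slow_runs(runs, factor=1.5):
    """Flag runs longer than `factor` times the mean of the same job's other runs.

    Excluding the run under test from its own baseline stops one very long run
    from inflating the average it is compared against."""
    by_job = defaultdict(list)
    for job, minutes, _ in runs:
        by_job[job].append(minutes)
    flagged = []
    for job, minutes, _ in runs:
        others = list(by_job[job])
        others.remove(minutes)
        if not others:
            continue  # first run of a job: no baseline yet
        usual = mean(others)
        if minutes > factor * usual:
            flagged.append((job, minutes, round(usual)))
    return flagged


def error_runs(runs):
    """Runs that completed with one or more errors, for the operator to follow up."""
    return [(job, minutes, errs) for job, minutes, errs in runs if errs > 0]


def security_warnings(text, threshold=3):
    """Return ({user: denied logon count >= threshold}, [(user, action, object), ...]).

    Repeated failed logons and refused operations are the attempted security
    violations that the security subsystem's log exists to surface."""
    denied_logins = defaultdict(int)
    refused = []
    for line in text.splitlines():
        m = SEC_RE.match(line)
        if not m or m.group(5) != "DENIED":
            continue
        _, user, action, obj, _ = m.groups()
        if action == "LOGIN":
            denied_logins[user] += 1
        else:
            refused.append((user, action, obj))
    bursts = {u: n for u, n in denied_logins.items() if n >= threshold}
    return bursts, refused


if __name__ == "__main__":
    runs = parse_batch(BATCH_LOG)
    print("slow runs:", slow_runs(runs))
    print("runs with errors:", error_runs(runs))
    print("security warnings:", security_warnings(SECURITY_LOG))
```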
CHAPTER 02
INTRODUCTION TO STRATEGY & INFORMATION STRATEGIES
STRATEGY
Strategy is a pattern of activities that seeks to achieve the objectives of an
organization and adapt its scope, resources and operations to environmental changes
in the long term.
All organizations carry out some form of strategic management. As the
organization grows larger and more complex, there is a greater need for
involvement in the strategy process at all levels of the organization.
STRATEGIC PLANNING
Strategic planning is the formulation, evaluation and selection of strategies for the
purpose of preparing a long term plan of action to attain objectives. Strategic
information systems are systems at any level of an organization that change goals,
processes, products, services or environmental relationships with the aim of gaining
competitive advantage. Strategic level systems are systems used by senior managers
for long term decision making.
A strategic plan can provide the foundation and framework for a business plan. The
strategic plan provides:
A framework for decisions or for securing support / approval.
A basis for more detailed planning.
An explanation of the business to others in order to inform, motivate and involve.
Assistance with performance monitoring.
A stimulus for change and a building block for the next plan.
Tactical: Ensuring that the resources are obtained and used effectively and
efficiently in the accomplishment of the organization's objectives.
Operational: Ensuring that specific tasks are carried out effectively and efficiently.
The following guidelines will help ensure that the plan is developed and successfully
implemented.
i) When conducting the planning process, involve the people who will be
responsible for implementing the plan. Use a cross-functional team to ensure
the plan is realistic and collaborative.
ii) Ensure the plan is realistic ("can we really do this?").
iii) Organize the overall strategic plan into smaller action plans, often including an
action plan for each committee on the board.
iv) In the overall planning document, specify who is doing what and by when.
v) In an implementation section of the plan, specify and clarify the plan's
implementation roles and responsibilities. Build in regular reviews of the status
of the implementation of the plan.
vi) Translate the strategic plan's actions into job descriptions and personnel
performance reviews.
vii) Communicate the role of follow-ups to the plan. If people know the action
plans will be regularly reviewed, implementers tend to do their jobs before
they are checked on.
viii) Be sure to document and distribute the plan, including inviting review input from
all.
ix) Be sure that one internal person has ultimate responsibility for ensuring the plan is
enacted in a timely fashion.
x) The chief executive's support of the plan is a major driver of the plan's
implementation. Integrate the plan's goals and objectives into the chief
executive's performance reviews.
xi) Place heavy emphasis on feedback to the board's executive committee from
the planning participants.
xii) Have designated rotating "checkers" to verify, e.g. every quarter, whether each
implementer completed their assigned tasks.
CORPORATE STRATEGY
Corporate strategy is the most general level of strategy in an organization. Corporate
strategy is concerned with what types of business the company as a whole should be
in and is therefore concerned with decisions of scope. Corporate strategy is
concerned with the scope of an organization's activities and the matching of these to
the organization's environment, its resource capabilities and the values and
expectations of its various stakeholders.
This is a sense of direction for the entire corporate group. It is primarily concerned
with the determination of ends, e.g. what business or businesses the firm is in or
should be in and how integrated these businesses should be with one another. It
covers a longer time period and has a wider scope than the other levels of corporate
planning. At this level the global objectives, e.g. growth, stability or retrenchment, and
the general orientation to achieve them are defined.
BUSINESS STRATEGY
Business strategy or competitive strategy is concerned with how each strategic
business unit (SBU) attempts to achieve its mission within its chosen area of activity.
Here strategy is about which products or services should be developed and offered to
which markets, and the extent to which customer needs are met whilst achieving
the objectives of the organization.
These strategies are either cost leadership or differentiation of products, and may
encompass an entire market or be focused on a particular segment of it. Business
strategy relates to how an organization approaches a particular market, or the
activity of a particular business unit. For example, this can involve decisions as to
whether, in principle, a company should:
(i) Segment the market and specialize in particularly profitable areas;
(ii) Compete by offering a wide range of products.
Strategic Business Unit (SBU): It is a unit within the overall corporate entity
which should have an identifiable and definable product or service range, market
segment and competitor set.
Functional or operational strategies are concerned with how the various functions of
the organization (marketing, administration, production) support the corporate and
competitive strategies. To improve performance in the organization, functional
strategies harness the activities, skills and resources available.
INFORMATION SYSTEM (IS) includes all systems and procedures involved in the
collection, storage, production and distribution of information.
VS.
INFORMATION TECHNOLOGY (IT) describes the equipment used to capture,
store, transmit or present information. IT provides a large part of the information
systems infrastructure.
ELEMENTS OF AN IT STRATEGY
i) Executive Summary: A statement containing the main points of the
scheme. The document should have a section on the goals, specific and
general, of information processing in the organization.
iii) Assumptions: The plan will be based on certain assumptions about the
organization and the current business strategy. It is essential that this
plan is linked to the organization's strategic plan.
iv) Application Areas: The plan should outline and set priorities for new
application areas being planned and for those applications which are in the
process of development. A report on their progress and status should be
produced. For major new applications there should be a break-down of
costs and schedules.
v) Operations: The current systems will continue, and the plan should
identify the existing systems and the cost of maintaining them.
vi) Maintenance: The plan should incorporate the budget for the
maintenance of, and enhancements to, the existing systems.
vii) Organizational Structure: The plan should describe the existing and
future organizational structure for the technology, in terms of location, and
human and financial resources.
iii) IS Strategy:
This defines the policies for software and hardware, for example any standards
to be used and any stand on preferred suppliers. It also defines the
organization's stand on the IS organization, e.g. whether it is to be centralized or
distributed, what the investment, vendor and human impact policies are to be,
and the IS accounting techniques.
STRATEGIC SYSTEMS
The following items provide a good starting point for organizations planning to use
information systems as a strategic weapon against competition, for the betterment of
products and services, and for the overall growth of the company.
Three factors can summarize all of them: people, process and tools.
People and process need to be related to each other to improve quality and increase
productivity. A process is a sequence of steps or operations used to accomplish a
certain goal. People perform operations. E.g. all processes need to be changed where
needed, and applications, methodologies and tools need to be evaluated. In all these
activities, people are an integral part.
Strategic Planning:
An IS strategic plan should be a part of the organization's strategic plan. Due to their
long-term nature, strategic plans are not updated frequently. External or internal
changes within an organization are often the catalyst for organizational strategic
planning.
INFORMATION SYSTEM STRATEGY refers to the long term plan concerned with
exploiting IS and IT either to support business strategies or create new strategic
options. It should be developed with the aim of ensuring IS/IT is utilized as efficiently
and effectively as possible in the pursuit of organizational goals and objectives.
1. To cut production costs and so, probably, to reduce sales prices to the customer.
2. To develop better quality products and services.
3. To develop products and services that did not exist before.
4. To provide products or services to customers more quickly or effectively.
5. To free staff from repetitive work and to tap their creativity.
ENTERPRISE ANALYSIS
Enterprise analysis involves examining the entire organization in terms of structure,
processes, functions and data elements to identify the key elements and attributes of
organizational data and information.
Step 2
Aggregate the findings from step 1 into sub-units, functions, processes and data
matrices. Compile a process / data class matrix to show:
What data classes are required to support particular organizational
processes.
Which processes are the creators and users of data.
Step 3
Use the matrix to identify areas that IS should focus on, e.g. on processes that create
data.
The enterprise analysis approach gives a comprehensive view of the organization and
its use of data and systems. However, it results in a mountain of data that is
expensive to collect and difficult to analyze.
Survey questions tend to focus on how systems and information are currently used,
rather than on what information is needed, so the result tends to be that existing
systems are automated rather than the wider picture being examined.
TYPES OF CSFs
A monitoring CSF is one that if achieved will contribute towards the
success of existing activities and operations. Monitoring CSFs are
important for maintaining business.
Where KPIs use quantitative data, performance can be measured in a number of
ways:
In physical quantities, for example units produced or units sold.
In money terms, for example profit, revenues, costs or variances.
In ratios and percentages.
The determination of key performance indicators for CSFs is not necessarily
straightforward. Some measures might use factual, objectively verifiable data, while
others might make use of softer concepts, such as opinions, perceptions and hunches.
Example
The reliability of stock records can be measured by means of physical stock
counts, either at discrete intervals or on a rolling basis. Forecasting of demand
variations will be much harder to measure.
(a) The existing system: The existing system can be used to generate reports
showing failure to meet CSFs.
(b) Customer service department: This department will maintain details of
complaints received, refunds handled, customer enquiries etc. These should be
reviewed to ensure all failure types have been identified.
(c) Customers: A survey of customers, provided that it is properly designed and
introduced, would reveal (or confirm) those areas where satisfaction is high or
low.
(d) Competitors: Competitors' operations, pricing structures and publicity should
be closely monitored.
(e) Accounting system: The profitability of various aspects of the operation is
probably a key factor in any review of CSFs.
(f) Consultants: A specialist consultancy might be able to perform a detailed
review of the system in order to identify ways of satisfying CSFs.
Budgetary controls are in place and should be adhered to. New projects
should be subject to cost benefit analysis (CBA).
vi) Necessary evil: IS/IT is seen as a necessary evil of modern business. IS/IT
is allocated enough resources only to meet basic needs. This strategy is
usually adopted in organizations that believe that information is not important
to the business.
STRATEGIC MANAGEMENT
It is a distinct mode of management which proceeds from analysis to
implementation and shares the same functions (planning, organizing, directing
and controlling) as operations management.
A) STRATEGIC ANALYSIS
The first step in the process involves analysis of the situation in which the
organization finds itself. This means identifying the conditions prevailing in
both the internal and external environment and the effects of these conditions
on the organization. The following matters are to be addressed:
(i) SWOT ANALYSIS (internal strengths and weakness, external opportunities
and threats)
(ii) CUSTOMER ANALYSIS: The organization must analyse who its competitors
are, how and why they are competing, and whether and how competition will
increase. The nature of the industry's competitive forces should be addressed.
(iii) MARKET ANALYSIS: In many markets the needs / demands of customers
are becoming increasingly sophisticated and complex.
(iv) CULTURAL ANALYSIS: The culture or feel of an organization is seen as
being of critical strategic importance. An organization which has an
enterprising, innovative and unique culture will be attractive to investors,
customers and employees. Culture must therefore be analysed to see what
kind of message it is giving out about the organization.
(v) SOCIAL ANALYSIS: Identify how the complexity of modern society impacts
on the organization and its customers. It will take into account demographic
and economic changes, changes in attitudes in society (such as towards
environmental issues) and changes in political attitudes (e.g. the favorable
light in which the government views initiative).
B) STRATEGIC CHOICE
Some legal factors that may impact upon organizations are as follows:
Governments are responsible for enforcing and creating a stable framework in which
business can be done. The quality of government policy is important in providing the
right:
a) Physical infrastructure (e.g. transport, communication)
b) Social infrastructure (education, a welfare safety net, law enforcement)
c) Market infrastructure (enforceable contracts, policing corruption)
INTEREST RATES
a) A rise might increase the cost of any borrowing, thereby reducing profitability. It
also raises the cost of capital. An investment project (such as a new information
system) therefore has a higher hurdle to overcome to be accepted.
b) Interest rates also have a general effect on consumer confidence and liquidity,
and hence demand.
INFLATION
a) Inflation reduces the value of financial assets and the income of those on fixed
incomes.
b) Inflation makes it hard for businesses to plan, owing to the uncertainty of future
financial returns. Inflation, and expectations of it, encourage organizations to
focus on the short term (short termism).
c) Inflation requires high nominal interest rates to offer investors a real return.
Social change involves changes in the nature, attitudes and habits of society. Social
changes occur continually, and trends can be identified which may or may not be
relevant to an organization.
Demography is the analysis of statistics on birth and death rates, age structures of
populations, ethnic groups within communities etc. It is important because:
a) Labour is a factor of production
b) People create demand for goods, services and resources
c) It has a long term impact on government policies
d) There is a relationship between population growth and living standards.
FUTUROLOGY
Futurology is the science and study of sociological and technological developments,
values and trends with a view to planning for the future.
a) Alignment
b) Scope
c) Time frame
d) Cost benefit justification
e) Achievability
f) Monitoring and control
g) Reassessment
h) Awareness
i) Accountability
j) Commitment
a) Orientation
b) Assessment
c) Strategic
d) Tactical
ORIENTATION
The first phase establishes the scope of the IT planning process and the methodology
and techniques to be applied, and identifies the planning team and reporting lines for
the planning process. The planning process may have been initiated in response to a
major change in the business strategy or as a reaction to changes in the business or
IT assumptions of the existing plan.
ACTIVITIES
1) Establish scope
2) Establish techniques and mobilize resources
ASSESSMENT
In the second phase, data is collected and analyzed to describe the existing usage and
management of IT and the extent to which they are unable, or may be unable, to
support business objectives.
This phase also provides an opportunity to identify other potential uses of
information technology which may assist in meeting objectives.
ACTIVITIES
3) Confirm business direction and drivers to ensure the key driver for the IT plan
is the business direction of the organization.
4) Review technology trends
5) Outline future requirements
6) Inventory existing information systems
7) Develop an assessment
STRATEGIC PLAN
In the third phase of the IT planning process, appropriate strategies are formulated.
These strategies are founded on the assessment of the business needs and priorities,
IT direction and other related issues considered in the assessment phase.
ACTIVITIES
8) Develop a vision
9) Conduct option analysis
10) Develop a strategic plan
TACTICAL PLAN
In the last phase of the planning process, the tactical or implementation plan is
developed. In the tactical plan, the focus is on the projects that need to be
undertaken to implement each of the strategies.
ACTIVITIES
11) Identify and specify projects
12) Prioritize projects
13) Develop the tactical plan
14) Establish monitoring and control mechanisms
IT PLAN
a) Demonstrate to the organization how it can gain business benefits from IT.
b) Act as a yardstick by which to measure performance
c) Provide a framework for offering incentive to managers
d) Provide a framework for justifying
PRIORITIZE SOLUTIONS
i) Prioritize critical software systems.
ii) Indicate resources and timeframes.
iii) Plan how you will manage changes to the document.
iv) Communicate and seek feedback.
v) Get authorizations.
VIDEO CONFERENCING
Improving communication between project teams and between site offices, hence
eliminating unnecessary travel.
VISUALIZATION
Improve design visualization and communication with clients. This allows clients to
see exactly what a design will look like giving them increased confidence in the
design.
Many strategies have ended as shelfware. But information strategy planning is an
ongoing process, not a document. An organization needs to be capable of
implementing its strategies, then maintaining and updating them. It needs to
manage innovation on an ongoing basis. In particular, ongoing strategic planning will
require:
a) Continuous support and involvement from senior management.
b) In house skills to develop and maintain the strategy.
c) Time and tools, which should be planned for in advance
d) Appropriate incentive schemes, so that in competition with other
organization activities, it receives appropriate priority.
e) A change management plan, setting out who will manage the changes,
and what procedures they will use to do so. This plan should be included in
your initial strategy document.
CHAPTER 03
E-COMMERCE
E-business can be defined as commerce conducted via any electronic medium, such as
TV, fax or the internet. E-commerce is the ability to buy and sell goods and services
over the internet.
B2E e-commerce does not generate revenue like the previously discussed types of e-
commerce business models. Instead, it increases profits by reducing expenses
within a company, e.g. using B2E e-commerce employees collaborate with each other,
exchange data and information, and access in-house databases, sales information,
market news and competitive analysis. By having instantaneous access to this type
of technology, employees do not spend time manually looking up information.
Many professional firms in the west, with central offices in big cities and project
offices or client offices in smaller cities, are using B2E to receive and process
employee time sheets and expense claims, and are prepared to invest in secure
connections for employees to safely access company intranets.
CHALLENGES:
Availability of deep & secure access to govt. sites.
Govt. must be cognizant of the fact that such access must be made widely
available to all classes of its citizenry.
The SSL protocol provides connection security that has three basic properties.
i) The connection is private. Encryption is used after an initial handshake to
define a secret key.
ii) Symmetric cryptography is used for data encryption. SSL is a program layer
created by Netscape for managing the security of message transmissions in a
network.
iii) The connection is reliable.
DIGITAL SIGNATURE:
4. Define the role of live interaction. Some products are bought through live
interaction: e.g. perfumes, cars, clothes etc.
5. Technology decision:
Zero touch (it has no human interaction)
Low touch (it has human interaction)
c) Online banking
e) E- Cheque
f) E- Wallets
CHAPTER 04
In-House Development
Many organizations require systems that are highly tuned to their unique operations.
These firms design their own information systems through in house system
development activities. In house development requires maintaining a full time
systems staff of analysts and programmers who identify user information needs and
satisfy their needs with custom systems.
TURNKEY SYSTEMS
Turnkey systems are completely finished and tested systems that are ready for
implementation. They are often general purpose systems or systems customized to a
specific industry. Turnkey systems are usually sold only as compiled program
modules, and users have limited ability to customize them to their specific needs.
Some turnkey systems have software options that allow the user to customize input,
output, and some processing through menu choices. Other turnkey system vendors
will sell their customers the source code if program changes are desired. For a fee,
the user or the vendor can then customize the system by reprogramming the original
source code.
Examples
(a) General accounting system
(b) Special purpose system (medical field, banking industry)
(c) Office automation system (word processing, spreadsheets, desktop
publishing systems). These are computer systems that improve the
productivity of office workers.
(d) Backbone systems (SAP)
Backbone systems provide a basic system structure on which to
build. Backbone systems come with all the primary processing modules
programmed. The vendor designs and programs the user interface to
suit the clients' needs.
(e) Vendor supported systems
Vendor supported systems are hybrids of custom systems and
commercial software. Under this approach, the vendor develops
custom systems for its clients. The systems themselves are custom
products, but the system development service is commercially
provided.
LEGACY SYSTEM
A legacy system is an old, outdated system which continues to be used because it is
difficult to replace.
The main reasons legacy systems continue to be used often include the cost of
replacing them, and the significant time and effort involved in introducing a new system.
Legacy systems often require specialized knowledge to maintain them in a condition
suitable for operation. This may leave an organization exposed should certain staff
leave the organization. Legacy systems may also require data to be in a specific,
possibly unusual, format. This can cause compatibility problems if other systems are
replaced throughout an organization.
Each stage is divided into two parts: the actual work associated with the stage,
followed by a procedure to check what has been done. Verification in this context is
concerned with ensuring the required specifications have been met. Validation is
concerned with ensuring the system is fit for its operational role.
ADVANTAGES OF SSADM
Detailed documentation is produced
Standard methods allow less qualified staff to carry out some of the analysis
work, thus cutting the cost of the exercise.
Using a standard development process leads to improved system
specifications.
Systems developed in this way are easier to maintain and improve.
Users are involved with development work from an early stage and are
required to sign off each stage.
The emphasis on diagramming makes it easier for relevant parties, including
users, to understand the system than if purely narrative descriptions were
used.
The structured framework of a methodology helps with planning. This allows
control by reference to actual achievements rather than to estimates of
progress.
A logical design is produced that is independent of hardware and software.
DISADVANTAGES OF SSADM
It is inappropriate for information of a strategic nature that is collected on an
ad-hoc basis.
Scope limits the impact on actual work processes or social context of the
system.
Encourages excessive documentation and bureaucracy.
PROTOTYPING
A prototype is a model of all or part of a system, built to show users early in the
design process how it is envisaged the completed system will appear.
Prototyping enables programmers to write programs more quickly and allows the
user to see a preview of the system that is envisaged.
ADVANTAGES OF PROTOTYPING
It makes it possible for the programmers to present a mock-up version of an
envisaged system to users before a substantial amount of time and money
has been committed.
The process facilitates the production of custom-built application software
rather than off-the-shelf packages which may or may not suit user needs.
Prototyping may speed up the design stage of the systems development
lifecycle.
A prototype does not necessarily have to be written in the language of what
it is prototyping, so prototyping is not only a tool, but a design technique.
DISADVANTAGES OF PROTOTYPING
Some prototyping tools are tied to a particular make of hardware, or a
particular database system.
It is sometimes argued that prototyping tools are inefficient in the program
code they produce, so that programs are bigger and require more memory
than a more efficiently coded program.
Prototyping may help users to steer the development of a new system
towards an existing system.
Prototyping tools encourage programmers to produce programs quickly, but to
neglect program quality.
STRUCTURED WALKTHROUGHS
Structured walkthroughs are a technique used by those responsible for the design of
some aspect of a system (particularly analysts and programmers) to present their
design to interested user groups, in other words to walk them through the design.
Structured walkthroughs are formal meetings, in which the documentation produced
during development is reviewed and checked for errors or omissions.
Users are involved in structured walkthroughs because their knowledge of the desired
system is more extensive than that of the systems development personnel.
Walkthroughs are sometimes referred to as user validation.
At the end of each stage of development, the resulting output is presented to users
for their approval. There must be a formal sign off of each completed stage before
work on the next stage begins. It clarifies responsibilities and leaves little room for
later disputes.
(a) If the system developers fail to deliver something that both parties formally
agreed to it is the developers’ responsibility to put it right, at their own expense, and
compensate the user for the delay.
(b) If users ask for something extra or different, that was not formally agreed to,
the developers cannot be blamed and the user must pay for further amendments and
be prepared to accept some delay.
DISADVANTAGES
(i) The relative inexperience of many users may lead to misunderstandings and
possibly unreasonable demands / expectations on the system performance.
(ii) The danger of lack of coordination leading to fragmented, individual, possibly
esoteric information systems.
CASE tools are software tools used to automate some tasks in the development of
information systems, e.g. generating documentation and diagrams. The more
sophisticated tools facilitate software prototyping and code generation.
Upper CASE tools are geared towards automating tasks associated with systems
analysis. They include:
(a) Diagramming tools that automate the production of diagrams using a range of
modeling techniques.
(b) Analysis tools that check the logic, consistency and completeness of system
diagrams, forms and reports.
(c) A CASE repository that holds all data and information relating to the system.
The data dictionary records all data items held in the system and controls
access to the repository. The dictionary will list all data entities, data flows,
data stores, processes, external entities and individual data items.
Lower CASE tools are geared towards automating tasks later in the development
process (after analysis and design). They include:
(a) Document generators that automate the production of documents using a
range of modeling techniques.
(b) Screen and report layout generators that allow prototyping of the user
interface to be produced and amended quickly.
(c) Code generators that automate the production of code based on the
processing logic input to the generators.
CHAPTER 05
QUALITY ASSURANCE
The concept of quality is concerned with "fitness for purpose". Quality may be
defined as conformance to customer (user) needs.
APPROACHES TO QUALITY
(a) Quality management
(b) Quality assurance
(c) Quality control
QUALITY MANAGEMENT
Quality management is concerned with controlling activities with the aim of ensuring
that products or services are fit for their purpose, and meet specifications. Quality
management encompasses quality assurance and quality control. The essence of
quality management is that quality should be built in to all processes and materials
used within an organization with the ultimate aim of no substandard output.
QUALITY ASSURANCE
QUALITY CONTROL
Quality control is concerned with checking and reviewing work that has been done.
Quality control therefore has a narrower focus than quality assurance. Quality control
focuses on the product or service produced, rather than the production procedures.
Quality control involves establishing standards of quality for a product or service,
implementing procedures that are expected to produce products of the required
standard in most cases and monitoring output to ensure substandard output is
rejected or corrected.
TQM is involving and empowering the entire workforce to improve the quality of
goods and services actively and continuously.
Example:
The ISO 9000 series that governs software development processes.
The ISO 9126 standard that focuses on the end result of good software
processes, i.e. the quality of the actual software product.
The Capability Maturity Model developed by the Software Engineering Institute
at Carnegie Mellon University.
STAGES OF TESTING
The paths of different types of data and transactions are manually plotted through the
system, to ensure all possibilities have been catered for and that the processing logic
is correct. When all results are as expected, programs can be written.
PROGRAM TESTING
Program testing involves processing test data through all programs. Test data should
be of type that the program will be required to process and should include
The testing process should be fully documented recording data used, expected
results, actual results and action taken. Two types of program testing are unit testing
and unit integration testing.
UNIT TESTING
Means testing one function or part of a program to ensure it operates as intended.
UNIT INTEGRATION TESTING
Involves testing two or more software units to ensure they work together as
intended. The output from unit integration testing is a debugged module.
SYSTEM TESTING
When it has been established that individual programs and interfaces are operating
as intended, overall system testing should begin. System testing should extend
beyond areas already tested, to cover:
a) Input documentation and the practicalities of input, e.g. time taken.
b) Flexibility of the system to allow amendments to the 'normal' processing cycle.
c) Ability to produce information on time.
d) Ability to cope with peak system resource requirements, e.g. transaction
volumes, staffing levels.
e) Viability of operating procedures.
System testing will involve testing both before installation (known as off-line
testing) and after implementation (on-line testing).
User acceptance testing is carried out by those who will use the system to determine
whether the system meets their needs. These needs should have previously been
stated as acceptance criteria. The aim is for the customer to determine whether or
not to accept the system.
Users process test data, system performance is closely monitored and users report
how well they feel the system meets their needs. Test data may include some historical
data, because it is then possible to check results against the 'actual' output from the
old system.
METHODS OF TESTING
(a) Static Analysis Test
(b) Dynamic analysis test
Static analysis tests evaluate the quality of a module through a direct inspection of
the source code. Some important types of static analysis checks follow:
(i) Desk checking
Desk checking involves the programmer examining the source code to verify
that it contains no errors or irregularities, e.g. the programmer might look for
syntax errors, logical errors or variations from coding standards.
(ii) Structured walk through
A structured walk through is a type of checking in which the programmer who is
responsible for the development of the module leads the other programmers
through the module in order to detect errors. The group responsible for the
review is made up of independent programmers.
(iii) Design and code inspections
In design and code inspections a special team, led by an experienced
moderator, is assembled to review the program module. A proper
checklist is used to conduct the review and the results are documented; this is
followed by correction of the module to ensure the correctness of the program.
Dynamic analysis tests require the modules to be executed on a machine and can be
classified into the following two types:
A system becomes operational when it is released for daily use by the organization.
Monitoring the performance of the system is a continuous process. Over a
period of time the system has to be maintained to keep its functionality up to date
with the changing organizational requirements. Three types of
maintenance are conducted.
(a) Repair maintenance
In which program errors are corrected which were overlooked in the
earlier tests or which arise after the program is implemented and
becomes functional.
(b) Adaptive maintenance
In which the program is modified to meet changing user requirements. These
requirements might include business requirements or changes in
technology.
(c) Perfective maintenance
In which the program is tuned to decrease resource consumption so that both
the efficiency and effectiveness of the program are improved.
BETA VERSION
Commercial software producers often carry out user acceptance testing through the
use of beta versions of software. A beta version is an almost finalized package that
has been tested in controlled conditions but has not been used in the field. Some
users are prepared to use beta versions and report any remaining bugs.
Chapter 06
Error:
It is likely that bugs will exist in a newly implemented system. The effect of errors
can obviously vary enormously.
Constraints:
Cost constraints may have meant that certain requested features were not
incorporated. Time constraints may have meant that requirements suggested
during development were ignored in the interest of prompt completion.
Changes in requirements:
Although users should be consulted at all stages of system development, problems
may arise after a system is implemented because users may have found it
difficult to express their requirements, or may have been concerned about the
future of their jobs and not participated fully in development.
Poor Documentation:
If old systems are accompanied by poor documentation, or even a complete lack of
documentation, it may be very difficult to understand their programs. It will be
hard to update or maintain such programs.
Programmers may opt instead to patch up the system with new applications using
newer technology.
System Change Procedure
Systems should be built with a certain amount of flexibility that allows changes to
be made in the future to cope with different demands. Changing a system carries
the same risks associated with the initial system development, so system changes
should therefore pass through a change procedure.
IN – HOUSE MAINTENANCE
With large computer systems, developed by the organization itself, in–house systems
analysts and programmers might be given the responsibility for software
maintenance.
(d) The new program version should be tested when it has been written. A
programmer should prepare test data and establish whether the program will
process the data according to the specification given by the systems analyst.
(e) Provision should be made for further program amendments in the future.
One way of doing this is to leave space in the program instruction numbering
sequence for new instructions to be inserted later.
(f) A record should be kept of all program errors that are found during live
processing and of the corrections that are made to the program.
(g) Each version of a program should be separately identified, to avoid a mix-up
about which version of a program should be used for live operation.
With ready-made software, the software house or supplier is likely to issue a new version
of a package if significant changes are required.
MAINTENANCE CONTRACTS
There is also likely to be an agreement between the supplier of software and the
customer for the provision of a software support service. A maintenance contract
typically includes the following services:
HARDWARE MAINTENANCE
DISADVANTAGES:
USER GROUPS
A user group is a forum for users of particular hardware or, more usually, software,
where they can share ideas and experience.
Users of a particular package can meet, or perhaps exchange views over the internet,
to discuss solutions, ideas or shortcuts to improve productivity. An electronic
newsletter service might be appropriate, based on views exchanged by members, but also
incorporating ideas culled from the wider environment by IT specialists.
A cost – benefit review is similar to a cost benefit analysis, except that actual data
can be used.
EFFICIENCY
Efficiency can be measured by considering the resource input into, and the output
from, a process or an activity.
An entity uses resources such as staff, money and materials. If the same activity can
be performed using fewer resources, for example fewer staff or less money, or if it
can be completed more quickly, the efficiency of the activity is improved. An
improvement in efficiency represents an improvement in productivity.
EFFECTIVENESS
It focuses primarily on the relationship of the organization with its environment. For
example, automation might be pursued because it is expected that the company will
be more effective at increasing market share or at satisfying customer needs. Recent
trends are more towards the development of "front office" systems, for example to
improve an organization's decision-making capability or to seek competitive
advantage. This approach seeks to improve the effectiveness of the organization.
METRICS
Metrics are quantified measurements used to measure system performance. The use
of metrics enables system quality to be measured and problems to be identified
early. Examples of metrics include system response time, the number of
transactions that can be processed per minute, the number of bugs per hundred lines
of code and the number of system crashes per week.
Many facets of system quality are not easy to measure statistically (e.g. user
friendliness). Indirect measurements such as the number of calls to the help desk
per month can be used as an indication of overall quality/performance.
Systems evaluation may use computer based monitoring. Four methods used are:
HARDWARE MONITORS:
Hardware monitors are devices which measure the presence or absence of electrical
signals in selected circuits in the computer hardware. They might measure idle time
or levels of activity in the CPU, or peripheral activity. Data is sent from the sensors to
counters which periodically write it to disk or tape.
A program will then analyze the data and produce an analysis of findings as output.
It might identify, for example, inefficient co-ordination of processors and peripherals,
or excessive delays in writing data to backing storage.
SOFTWARE MONITORS:
Software monitors are computer programs which interrupt the application in use
and record data about it. They might identify, for example, excessive waiting time
during program execution. Unlike hardware monitors, they may slow down the
operation of the program being monitored.
SYSTEM LOGS
Many computer systems provide automatic log details, for example job start and
finish times, or which employee has used which program and for how long. The
system log can therefore provide useful data for analysis.
a) Unexplained variations in job running times might be recorded.
b) Excessive machine down-time is sometimes a problem.
c) Mixed workloads (large and small jobs) might be scheduled inefficiently.
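The following is an added example, not part of the original notes, showing how a system log of the kind just described can be turned into the metrics and review points listed above: unexplained variation in job running times, machine down-time, crashes per week, and who used what for how long. The log format and the sample lines are constructed assumptions.

```python
"""Added example: review points and metrics derived from a system log.
The log format and the sample lines below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (assumed format):
#   <date> <time> JOB <name> START|END <user>
#   <date> <time> SYSTEM DOWN|UP
SAMPLE_LOG = """\
2024-03-04 01:00:00 JOB payroll START alice
2024-03-04 01:10:00 JOB payroll END alice
2024-03-04 02:00:00 SYSTEM DOWN
2024-03-04 03:30:00 SYSTEM UP
2024-03-05 01:00:00 JOB payroll START alice
2024-03-05 01:11:00 JOB payroll END alice
2024-03-06 01:00:00 JOB payroll START bob
2024-03-06 01:09:00 JOB payroll END bob
2024-03-07 01:00:00 JOB payroll START alice
2024-03-07 02:40:00 JOB payroll END alice
2024-03-07 05:00:00 JOB report START carol
2024-03-07 05:02:00 JOB report END carol
2024-03-12 09:00:00 SYSTEM DOWN
2024-03-12 09:20:00 SYSTEM UP
"""


def _ts(date, time):
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")


def parse_log(text):
    """Parse the log into job runs, outages and per-user usage.

    Returns (runs, outages, usage): runs maps job name -> list of
    (start, minutes, user); outages is a list of (down, up) datetimes;
    usage maps user -> total minutes of job time.
    """
    runs = defaultdict(list)
    usage = defaultdict(float)
    outages = []
    open_jobs = {}          # (job, user) -> start time of an unfinished run
    down_since = None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue        # blank or malformed line
        ts = _ts(parts[0], parts[1])
        if parts[2] == "JOB" and len(parts) == 6:
            name, event, user = parts[3], parts[4], parts[5]
            if event == "START":
                open_jobs[(name, user)] = ts
            elif event == "END" and (name, user) in open_jobs:
                start = open_jobs.pop((name, user))
                minutes = (ts - start).total_seconds() / 60
                runs[name].append((start, minutes, user))
                usage[user] += minutes
        elif parts[2] == "SYSTEM":
            if parts[3] == "DOWN":
                down_since = ts
            elif parts[3] == "UP" and down_since is not None:
                outages.append((down_since, ts))
                down_since = None
    return runs, outages, usage


def unusual_run_times(runs, ratio=2.0, min_runs=3):
    """Flag runs longer than `ratio` times (or shorter than 1/ratio of) the
    job's median duration: the 'unexplained variations' a review should
    ask about."""
    flagged = []
    for name, entries in runs.items():
        if len(entries) < min_runs:
            continue        # too little history to judge
        typical = median(m for _, m, _ in entries)
        for start, minutes, user in entries:
            if minutes > ratio * typical or minutes < typical / ratio:
                flagged.append((name, start, minutes, user))
    return flagged


def total_downtime_minutes(outages):
    return sum((up - down).total_seconds() / 60 for down, up in outages)


def crashes_per_week(outages):
    """The 'system crashes per week' metric: outages counted by ISO week."""
    counts = defaultdict(int)
    for down, _ in outages:
        year, week, _ = down.isocalendar()
        counts[f"{year}-W{week:02d}"] += 1
    return dict(counts)


def review(text=SAMPLE_LOG):
    runs, outages, usage = parse_log(text)
    return {
        "unusual_runs": unusual_run_times(runs),
        "downtime_minutes": total_downtime_minutes(outages),
        "crashes_per_week": crashes_per_week(outages),
        "usage_minutes": dict(usage),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(key, value)
```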
HYBRID MONITOR
A hybrid monitor has hardware, software and perhaps firmware components. These
components can be configured in many different ways. For example, software and
firmware probes can detect events and write them to a hardware interface. An
external device then reads, processes, stores and presents the data written to the
hardware interface. Thus, a hybrid monitor can detect both software and hardware
related events. They are sometimes difficult to use, however, because the
measurements taken by the software component and the measurements taken by the hardware
component must be coordinated.
a) Gantt charts:
Gantt charts use horizontal bars to show the percentage utilization of a
resource and the extent of overlap of resource utilization among a number of
resources.
b) Kiviat graphs:
Kiviat graphs present performance measurement results so that problems
with performance can be recognized easily. They use radial axes in a
circle to plot performance measurement results. The shape of the resulting
plot can be used to determine the extent to which the system is balanced in
terms of its resource utilization.
Auditors should have two concerns about data integrity whenever performance
monitors are used:
a) First, they should determine whether the monitor has been installed correctly
in the target system. They must evaluate the integrity of the measurements
made by the monitor and the integrity of the target system processes after
instrumentation.
b) Second, auditors must try to determine whether a monitor has been used to
violate data integrity. They should evaluate whether there has been unauthorized use of the
monitor to breach data privacy.
PERFORMANCE REVIEWS
Performance reviews can be carried out to look at a wide range of system functions
and characteristics; technological change often gives scope to improve the quality of
outputs or reduce the cost of inputs.
Performance reviews will vary in content from organization to organization, but the matters which
will probably be looked at are as follows:
a) The growth rates in file sizes and the number of transactions processed by the
system. Trends should be analyzed and projected to assess whether there are
likely to be problems with lengthy processing time or an inefficient file structure
due to the volume of processing.
b) The clerical manpower needs for the system, and deciding whether they are more
or less than estimated.
c) The identification of any delays in processing and an assessment of the
consequences of any such delays.
d) An assessment of the efficiency of security procedures, in terms of the number of
breaches and the number of viruses encountered.
e) A check of the error rates for input data. High error rates may indicate inefficient
preparation of input documents, an inappropriate method of data capture or poor
design of input media.
f) An examination of whether output from the computer is being used to good purpose.
(Is it used? Is it timely? Does it go to the right people?)
g) Operational running costs, examined to discover any inefficient programs or
processes. This examination may reveal excessive costs for certain items
although in total, cost may be acceptable.
Computer systems efficiency audits are concerned with improving outputs from the
system and their use, and/or reducing the costs of system inputs. With falling costs
of computer hardware and software, and continual technological advance, there
should often be scope for improvements in computer systems.
(iii) The timing of outputs could be better. Computer systems could give managers
immediate access to the information they require, by means of file enquiry or
special software (such as databases, or spreadsheet modelling packages).
(iv) It might be found that outputs are not as satisfactory as they should be,
perhaps because access to information from the system is limited, and could
be improved by the use of a database and network system.
Available outputs may be restricted because of the method of data processing used (e.g.
batch processing instead of real-time processing) or the type of equipment used (e.g.
stand-alone PCs compared with client/server systems).
The efficiency of a computer system could be improved if the same volume and
frequency of output could be achieved with fewer input resources, and at less cost.
(i) Multi-user or network systems might be more efficient than stand-alone
systems. Multi-user systems allow several input operators to work on the same
file; if one operator has a heavy workload and another is temporarily short of work, the person
who has some free time can help his or her busy colleague, thus improving
operator efficiency.
(ii) Real-time systems might be more efficient than batch processing.
(iii) Using more up-to-date software.
(iv) Using computers and external storage media with bigger storage capacity. A
frequent can be very long and tedious. Computer systems with better backing
storage facilities can reduce this operator waiting time, and so be more efficient.
Management might also wish to consider whether time spent checking and correcting
input data can be eliminated. An alternative method of input might be chosen, e.g.
bar codes and scanners eliminate input errors.
CHAPTER 07
An invitation to tender (ITT) sets out the specification for the required system,
explaining how it is to be used and setting out the timescale for implementation. It
will set out the performance required of the new system.
Details about the company should relate to its present organization structure, the
nature and size of its business and its plan for future expansion.
General Matters
a) Contact name within the company.
b) Financial constraints.
c) The form that submissions are to take.
d) The closing date for submission of tenders.
e) The address to which tenders should be sent.
Responses to ITT
Sending of standard brochures and price lists.
Offers to visit the organization's site and provide free demonstrations of
equipment and its capabilities.
FINANCING METHODS
Once supplier proposals have been obtained, they must be evaluated. Evaluation
becomes very complicated if there is any doubt about the system's performance, as this
may necessitate a test of the system. The variety of responses may make a direct
comparison of different tenders difficult.
The supplier will usually try to match the customer's profile with that of an existing
customer to demonstrate that the system can handle such a workload. However, if
the application is unusual or new, this will not be possible, and so a formal evaluation
using benchmarking or simulation tests will be necessary.
BENCHMARK TESTS
Benchmark tests measure how long it takes a machine to run through a particular set of
programs.
One way of comparing computing power is to conduct benchmark tests. A more powerful machine
will do the processing more quickly. There is some concern that some benchmark
tests created by manufacturers are designed to give the most favourable result to
their products. Also, it may be hard to say that one computer performs better than
another, as it may depend on the application used.
These tests are carried out to compare the performance of a piece of hardware or
software against pre-set criteria. Typical criteria which may be used as benchmarks
include:
Speed of performance of a particular operation;
Acceptable volumes before a degradation in response times is apparent;
General user-friendliness of equipment.
These do not have to be objective, though clearly with subjective tests, such as user-
friendliness, it may be harder to reach definitive conclusions.
Software can also be benchmarked. An organization might try out a series of different
packages on its own existing hardware to see which performed best in terms of speed of
response, ability to process different volumes of transactions, reporting capabilities
and so on.
SIMULATION TESTS
Simulation testing uses synthetic programs written specifically for testing purposes
and incorporating routines designed to test a variety of situations. Such programs are
particularly appropriate for testing PCs, which generally execute one program step at
a time. However, carrying out simulation tests on larger computers is more complex,
as multiple jobs are usually processed at the same time and realistic operating
conditions must be created.
Liaison between information systems professionals and the rest of the organization is a
key role. Such a function includes the following:
CHAPTER 08
Typically, SCM will attempt to centrally control or link the production, shipment and
distribution of a product. By managing the supply chain, companies are able to cut
excess fat and provide products faster. This is done by keeping control of internal
inventories, internal production, distribution, sales and the inventories of the
company's product purchasers.
Channel Management
Growth companies find, develop and continually review the most effective ways
to connect customer segments with their products and services. Some companies
have grown by creatively using alternative distribution channels, and in many
instances by developing multi-channel strategies. The exploitation of e-commerce
opportunities has in many cases resulted in significant growth opportunities.
ECONOMICS
Comparatively superior economics across the value chain
The supply chain must be aligned with the customer's and the organization's growth
strategy. Tradeoffs among the logistics cost components exist along the supply chain,
e.g. higher service levels vs higher inventory holding costs.
Define the company's supply chain as broadly as possible.
Understand the economic levers (drivers).
Be more agile in order to adapt to the changing marketplace.
Requirements are faster information flows, reduced cycle times, flexible production,
minimal inventories and an integrated inter-company supply chain.
EXECUTION
Consistently superior strategy execution via organization alignment
RESISTANCE TO CHANGE
Transport cost
Fleet size
Vehicle scheduling
Logistic MIS
FEATURES OF ERP
ERP facilitates a companywide integrated information system covering all functional
areas like manufacturing, selling and distribution, payables, receivables, inventory,
accounts, human resources, purchases etc.
ERP performs core corporate activities and increases customer service, thereby
augmenting the corporate image.
ERP bridges the information gap across the organization.
ERP provides for complete integration of systems not only across the departments
in a company but also across the companies under the same management.
ERP is the only solution for better project management.
ERP allows automatic introduction of the latest technologies like EFT, EDI, Internet,
Internet video conferencing, e-commerce etc.
ERP eliminates most of the business problems like material shortages,
productivity enhancements, customer service, cash management, inventory
problems and quality problems.
ERP not only addresses the current requirements of the company but also
provides the opportunity of continually improving and refining business processes.
ERP provides business intelligence tools like decision support systems (DSS),
executive information systems (EIS), reporting, data mining and early warning
systems (robots) for enabling people to make better decisions and thus improve
their business processes.
COMPONENTS OF ERP
Sales and marketing
Master scheduling
Material requirement planning
Capacity requirement planning
Bill of materials
Purchasing
Shop floor control
Account payable
Account receivable logistics
Asset management
Financial accounting
The principle followed for BPR may be defined as the USA principle (understand, simplify,
automate), i.e. understanding the existing practices, simplifying the processes and
automating the process. Various tools used for this principle are:
Understand        Simplify        Automate
Diagramming       Eliminating     EDI
Story boarding    Combining       ERP
Brain storming    Rearranging
SELECTION OF ERP
Evaluation and selection involves:
Checking whether all functional aspects of the business are duly covered
Checking whether all the business functions and processes are fully integrated.
Checking whether all the latest IT trends are covered
Checking whether the vendor has customizing and implementing capabilities
Checking whether the business can absorb the cost
Checking whether the ROI is optimum
IMPLEMENTATION OF ERP
Implementing an ERP package has to be done in a phased manner. A step-by-step
method of implementation will yield better results than a big-bang introduction. The
total time required for successfully implementing an ERP package will be anything
between 18 and 24 months. The normal steps involved in implementing an ERP are as
follows:
BENEFITS OF ERP
Gives accounts payable personnel increased control of invoicing and payment
processing, thereby boosting their productivity and eliminating their reliance
on computer personnel for these operations.
Reduces paper documents by providing on-line formats for quickly entering and
retrieving information.
Improves timeliness of information by permitting daily posting instead of monthly.
Greater accuracy of information with detailed content, better presentation and full
satisfaction for the auditors.
Improved cost control.
Faster response and follow-up on customers.
More efficient cash collection, e.g. a material reduction in delays in payment by
customers.
Better monitoring and quicker resolution of queries.
Enables quick response to changes in business operations and market conditions.
Helps to achieve competitive advantage by improving business processes.
Improves supply-demand linkage with remote locations and branches in different
countries.
Provides a unified customer database usable by all applications.
Improves information access and management throughout the organization.
Improves international operations by supporting a variety of tax structures,
invoicing schemes, multiple currencies, multiple period accounting and languages.
Ensures that the internal controls and checks are consistently maintained.
Ensures that the provisions of income tax or other fiscal laws are not
ignored.
Ensures that the accounting standards are consistently followed across the
company.
Improves the quality of the reporting.
CA as a Liaison
CA as a Manager (accounts, timely information for taking appropriate business
decisions)
CHAPTER 09
CUSTOMER RELATIONSHIP
MANAGEMENT &
SALES FORCE AUTOMATION
BENEFITS OF CRM
CRM tools can help your business track opportunities and close sales quickly, but their
capabilities go beyond these areas. The real power lies in their ability to help you
build smart customer relationships that will grow into long-term success.
Examples
(i) Track Orders
At their most basic level, CRM tools automate the process of tracking
customers' order histories. You can find out which products they order and
how many, so you can easily identify your best customers, not only in terms
of volume but also in terms of profitability. You can use this information to
give these bread-and-butter clients special discounts for volume buying and
other incentives that will encourage loyalty and send the message that you
value their business.
traveling sales reps rely on it? If so, you’ll want to make it easily accessible
from the road.
(iv) How does your business receive orders?
If your company takes orders from many channels, such as telephone order
centres, a web site and sales reps, you will want to make sure your
solution can accommodate information from each source.
(v) Does your inventory allow for significant cross-sell and/or up-sell?
If your business sells a deep range of related products and services, it is
especially well suited to CRM tools. You will want to look for a solution that
can help you make the most of cross-sell and up-sell opportunities, with the
flexibility to handle multiple layers of data sorting. This will allow you to
customize outreach efforts to a high degree.
CRM tools aggregate and maintain customer information so it is easy for sales staff,
service representatives and support teams to access. The goal is to have the same
set of up-to-the-minute information available across an organization so every client
need can be met quickly.
COLLABORATION SOLUTIONS
Remote network access:
Using your network management solution, you can create specific customer
accounts that provide limited, secure access to the information on your
server. Customers can log on to download files they are authorized to view,
collaborate on server-based documents, or transfer files on the fly. Some
companies set up client-only servers for this purpose, posting files to these
servers as needed, to reduce the impact on their captive network.
Collaborative workspace:
These solutions take remote network access a step further by creating
virtual conference rooms where companies can meet and exchange
SFA is the fastest growing component of CRM. The interaction of the sales force with the
prospect, turning the prospect into a customer and then maintaining a loyal
relationship, is a core business concern for the enterprise's success. The sales
process must be managed across many domains, interfacing with other business
units.
Chapter 10
COBIT
Control Objectives for Information and
Related Technology
Strategic Alignment
Focuses on ensuring the linkage of business and IT plans, on defining,
maintaining and validating the IT value proposition, and on aligning IT operations
with enterprise operations.
Value Delivery
Is about executing the value proposition throughout the delivery cycle, ensuring
that IT delivers the promised benefits against the strategy, concentrating on
optimizing costs and providing the intrinsic value of IT.
Resource Management
Is about the optimal investment in, and the proper management of, critical IT
resources: applications, information, infrastructure and people. Key issues relate
to the optimization of knowledge and infrastructure.
Risk Management
Requires risk awareness by senior corporate officers, a clear understanding of the
enterprise's appetite for risk, understanding of compliance requirements,
transparency about the significant risks to the enterprise, and embedding of risk
management responsibilities into the organization.
Performance Management
Tracks and monitors strategy implementation, project completion and resource
usage, using, for example, balanced scorecards that translate
strategy into action to achieve goals measurable beyond conventional accounting.
The COBIT process model has been mapped to the IT governance focus areas,
providing a bridge between what operational managers need to execute and what
executives wish to govern. To achieve effective governance, executives expect
controls to be implemented by operational managers within a defined control
framework for all IT processes.
IT governance is governance over information technology and its processes with the business goal of
adding value, while balancing risk versus return.
IFAC – IT GUIDELINE
Accountability:
Responsibility and accountability must be explicit.
Awareness:
Awareness of risks and security initiatives must be disseminated.
Multidisciplinary:
Security must be addressed taking into consideration both technological and non-
technological issues.
Cost Effectiveness:
Security must be cost effective.
Integration:
Security must be coordinated and integrated.
Reassessment:
Security must be reassessed periodically.
Timeliness:
Security procedures must provide for monitoring and timely response.
Social Factors:
Ethics must be promoted by respecting the rights and interests of others.
Alignment:
The plan should support and complement the business direction of an organization.
Relevant Scope:
The scope of the plan should be established to facilitate formulation of effective
strategies.
Relevant Timeframe:
A planning horizon should be formulated that provides long-term direction and short-
to-medium term deliverables in a manner consistent with the business strategy.
Benefit Realization:
The cost of implementation should be justified through tangible and intangible benefits that
can be realized.
Achievability:
The planning process should recognize the capability and capacity of the organization to
deliver solutions within the stated planning timeframe.
Measurable Performance:
The plan should provide a basis for measuring and monitoring performance.
Reassessment:
The plan should be reassessed periodically.
Awareness:
The plan should be disseminated widely.
Accountability:
Responsibility for implementing the plan should be explicit.
Commitment:
Management commitment in implementing the plan should be exhibited.
The objective of the IT acquisition process is to acquire the right solution, at the right
price, and at the right time. Regardless of the nature of the acquisition, its size, cost
and complexity, the following generic core principles apply:
Alignment:
The objectives, scope and requirements of the acquisition should be clearly defined
and documented, including any integration issues that need to be addressed.
Obsolescence:
The impact of new and emerging technologies on the acquisition must be considered.
Accountability:
Responsibilities and accountability for the acquisition must be considered.
Option analysis:
The available options must be identified and assessed.
Evaluation:
Selection criteria must be established and consistently applied across the alternatives
available.
Negotiation:
Effective negotiation must be conducted before any decision is made.
Transparency:
Good governance dictates that the IT acquisition process be fair, open and
consistent.
THE IMPLEMENTATION OF IT
An IT project may cover the acquisition and implementation of IT resources such as
data, application systems, technical components and facilities. Although each project is
specific in terms of its needs and circumstances and may vary considerably in
complexity, it is generally conducted according to the following principles:
Aligned Scope:
The scope of the implementation of an IT solution should be aligned with the
objective first developed during the acquisition phase, including any issues of
integration and implementation timing.
Project Management & Commitment:
An IT project must be properly managed. To achieve this goal, the human resources
allocated to the project need to have experience in project management, technical
competence and knowledge of the organization's business processes.
Managing Changes, Awareness and Communication:
When preparing an organization for the implementation of new systems, the issue of
change management must be specifically addressed and a communication plan must
be established to ensure that all relevant parties are kept informed about the
progress of the project.
Selection of the relevant implementation methods:
There are several methods for implementation of a new IT system. The method
chosen will depend on the type of IT development selected. To ensure the successful
implementation of the solution developed, it may be necessary to follow elements of
several different methods.
Implementation Phasing:
Depending on the method chosen, the phasing of an IT project may either be strict
and detailed or more iterative. It is essential, however, to include the following five
major project phases: general design, specification, development, completion and
deployment.
Integration:
The final product of an IT project will generally be either a new application system or
new technical facilities, which must be integrated into the existing information
system.
Risk Management & Monitoring:
The project risks must be continuously evaluated during the project and alternative
contingency solutions identified. To ensure effective project management,
performance indicators must be established and reviewed regularly; regular
management reporting is also essential.
Iterative approach:
A prototype is built and enhanced until all needs are dealt with and users are
satisfied. Some phases of this type of project are more or less linked. This
approach is usually applied to the implementation of a software package or the
development of a system using a rapid application development method.
Linear approach:
A project follows a step-by-step method, with a strict validation of each
phase before proceeding to the next. This approach typically applies to
large, specific development projects.
IT MONITORING
WEB TRUST
The WebTrust standards have been developed by experts in auditing, accounting and
risk management. These standards also incorporate, wherever possible, prevailing
international "best practices" and guidelines for conducting business over the
internet.
Example:
(i) Information on the sources of private information being collected.
(ii) How that information will be used and distributed as well as corrected when
necessary.
(iii) How “cookies” are used.
(iv) How customers can opt out of translations.
(b) Confidentiality:
“Assures customers about their confidential information.”
The enterprise ensures that access to the information obtained as a result of electronic
commerce and designated as confidential is restricted to authorized individuals in
conformity with its disclosed confidentiality practices.
Example:
(i) Assurance that the security surrounding transmission is adequate.
(ii) Collection and distribution of confidential information is adequate.
(iii) Proper procedures for confidentiality breaches.
(iv) Choices provided to customers, including opting out.
(v) Safeguards on transmission to unintended recipients and against unauthorized
access; secure storage of backup media.
(c) Security:
“Ease concerns about your commitment to security.”
The enterprise ensures that access to the electronic commerce system and data is
restricted only to authorized individuals in conformity with its disclosed security
policies.
Example:
(i) The existence of a functioning disaster recovery plan
(ii) Procedures to handle security breaches.
(e) Availability:
"Show you keep your promises."
The enterprise ensures that e-commerce systems and data are available as
disclosed.
Examples of areas evaluated are:
(i) Access terms and conditions.
(ii) Availability policies that conform with legal, contractual and other
requirements.
(iii) Procedures to handle availability problems and security incidents.
(iv) A functioning disaster recovery plan.
(v) Assurance that hardware and software have properly tested and documented
availability objectives.
Implementation of IT:
(a) Aligned scope
(b) Project management & commitment
(c) Managing changes, awareness, and communication.
(d) Selection of relevant implementation methods.
(e) Implementation phasing.
(f) Integration.
(g) Risk management & monitoring.
IT Monitoring:
(a) Comprehensiveness
(b) Relevance
(c) Acceptability
(d) Timeliness
(e) Vendibility
(f) Action oriented
(g) Flexibility
Chapter 11
Management Operation & Controls
An internal control system consists of all the policies and procedures adopted by
the management of an entity to assist in achieving management’s objective of ensuring,
as far as practicable, the orderly and efficient conduct of its business, including
adherence to management policies, the safeguarding of assets, the prevention and
detection of fraud and error, the accuracy and completeness of the accounting
records, and the timely preparation of reliable financial information.
Management Control:
Administrative Controls:
The administrative controls are designed to ensure operational efficiency and
adherence to managerial policies.
Accounting Controls:
Accounting controls are designed to ensure that assets are safeguarded and that
financial data and records are reliable.
General Controls:
The controls which are used to ensure that an organization’s control environment is
sound and is properly managed to enhance the effectiveness of application controls
are referred to as general controls.
Application Controls:
The application controls are the controls which are used to prevent, detect, and
correct errors and irregularities in various transactions during their processing.
Input Controls:
Input controls are designed to ensure that only accurate, valid, and properly authorized
data are entered into the system and processed.
Processing Controls:
The controls that ensure the correct and complete processing of all transactions and
the proper maintenance of records are termed processing controls.
Output Control:
Output controls are designed to ensure that system output is properly controlled and
protected.
CONTROL STRUCTURE
The policies and procedures which have been established to ensure that the
organization’s specific objectives are achieved are termed the internal control
structure.
Control Environment:
RISK ASSESSMENT
Risk refers to a possible loss in the future which could be the result of a threat, if that
threat comes true.
An internal control system, if not reviewed periodically, will become ineffective with the
passage of time; as such, the quality of internal control performance must be
assessed on a timely basis. Monitoring of the control system is important to keep it
up to date and to meet the changing environment.
APPLICATION CONTROLS
CODES
Data codes are used to identify an entity uniquely. Poorly designed data codes cause
recording and keying errors.
INPUT CONTROL
1. VALIDATION CHECKS
Validation of input data is ensured by putting in place the following checks.
(a) Field Check
(b) Record Check
(c) Batch Check
(d) File Check
(i) Reasonableness:
Even though a field passes a range check, the content of another field in the
record may be used to confirm the correctness of the dependent field, e.g. the
range of valid salaries depends upon the organizational position.
(ii) Valid Sign Numbers:
The contents of one field might establish which sign is valid for a numeric
field.
(iii) Size:
If variable-length records are used, the size of the record is a function of the
sizes of the variable-length fields or of the fields whose values may be
omitted from the record.
(iv) Sequence check:
A logical record might contain more than one physical record, e.g. an invoice
will have more than one occurrence of details such as items and their
quantities. The input program might check the sequence of the physical
records it receives.
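The field, reasonableness, valid-sign, size and sequence checks described above, together with a batch control-total check, as an added Python example. This is not code from the notes; the salary bands, transaction types, record-size limit and the two invoice/payroll records are constructed sample data chosen to exercise each check.

```python
# Added example, not from the notes: input validation checks run over
# constructed payroll/invoice records. All reference data below is hypothetical.

# Valid salary band per organizational position (constructed): the
# reasonableness check makes the salary range depend on this field.
SALARY_RANGES = {
    "CLERK": (20_000, 45_000),
    "MANAGER": (60_000, 120_000),
}
# Which sign the amount field may carry depends on the transaction type (constructed).
VALID_SIGNS = {"PAYMENT": +1, "REFUND": -1}

FIXED_HEADER_BYTES = 40    # constructed fixed part of each record
MAX_RECORD_BYTES = 120     # constructed limit for the assembled variable-length record


def field_checks(rec):
    """Field checks: each field on its own has the right type and a valid code."""
    errors = []
    if rec.get("position") not in SALARY_RANGES:
        errors.append("position: not a valid code")
    if not isinstance(rec.get("salary"), int):
        errors.append("salary: must be an integer")
    if rec.get("txn_type") not in VALID_SIGNS:
        errors.append("txn_type: not a valid code")
    if not isinstance(rec.get("amount"), int):
        errors.append("amount: must be an integer")
    return errors


def reasonableness_check(rec):
    """Dependent-field check: the valid salary range is set by the position field."""
    lo, hi = SALARY_RANGES[rec["position"]]
    if not lo <= rec["salary"] <= hi:
        return [f"salary: {rec['salary']} outside {lo}-{hi} for {rec['position']}"]
    return []


def sign_check(rec):
    """Valid sign: the transaction type decides whether the amount may be positive or negative."""
    expected = VALID_SIGNS[rec["txn_type"]]
    amount = rec["amount"]
    if amount == 0 or (amount > 0) != (expected > 0):
        return [f"amount: sign of {amount} invalid for {rec['txn_type']}"]
    return []


def size_check(rec):
    """Size: a variable-length record is its fixed part plus its optional detail lines."""
    size = FIXED_HEADER_BYTES + sum(len(line) for line in rec.get("details", []))
    return [f"record size {size} exceeds {MAX_RECORD_BYTES}"] if size > MAX_RECORD_BYTES else []


def sequence_check(rec):
    """Sequence: the physical detail records must arrive as 1, 2, 3, ... with no gaps."""
    seqs = [int(line.split("|")[0]) for line in rec.get("details", [])]
    if seqs != list(range(1, len(seqs) + 1)):
        return [f"details: sequence {seqs} is out of order or has gaps"]
    return []


def validate_record(rec):
    """Record check: field checks first, then the checks that need valid codes to look up."""
    errors = field_checks(rec)
    if errors:
        return errors
    return reasonableness_check(rec) + sign_check(rec) + size_check(rec) + sequence_check(rec)


def batch_check(records, expected_count, expected_hash_total):
    """Batch check: record count and hash total of amounts against the batch header."""
    errors = []
    if len(records) != expected_count:
        errors.append(f"batch: {len(records)} records, header says {expected_count}")
    total = sum(r["amount"] for r in records if isinstance(r.get("amount"), int))
    if total != expected_hash_total:
        errors.append(f"batch: hash total {total}, header says {expected_hash_total}")
    return errors


# Constructed sample records; detail lines are "<seq>|<item>|<qty>".
GOOD_RECORD = {"position": "CLERK", "salary": 30_000, "txn_type": "PAYMENT",
               "amount": 500, "details": ["1|widget|2", "2|bolt|10"]}
BAD_RECORD = {"position": "MANAGER", "salary": 30_000, "txn_type": "REFUND",
              "amount": 250, "details": ["1|widget|2", "3|bolt|10"]}

if __name__ == "__main__":
    for rec in (GOOD_RECORD, BAD_RECORD):
        print(rec["position"], validate_record(rec) or "valid")
    print(batch_check([GOOD_RECORD, BAD_RECORD], expected_count=2, expected_hash_total=750))
```

The second record fails three dependent checks at once (salary out of the manager band, a positive amount on a refund, a gap in the detail sequence), which is why the field checks run first: the dependent checks need valid codes to look up.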
INSTRUCTION INPUT
There are six major ways in which instructions can be entered into an IS:
(a) Menu driven languages,
Which ask users to select from a list of options with which they are presented.
(b) Question-answer dialogs,
Which ask users to respond to questions presented by the application system.
INSTRUCTION INPUT
Ensuring the quality of instruction input to an application system is a more difficult
objective to achieve. During instruction input, users often attempt to
communicate complex actions that they want the system to undertake. The following
are the methods used to communicate instructions to an application system.
Auditors should have three concerns in relation to the execution of report programs.
(a) Only authorized persons should be able to execute the programs.
Otherwise, confidential data could be revealed.
(b) The action privileges assigned to the authorized users of report
programs should be appropriate to their needs.
(c) Report programs that produce a large amount of output should include
checkpoint restart facilities.
STORAGE CONTROLS
PROCESSING CONTROL
Processing refers to computing, sorting, classifying, and summarizing data. The main
components involved in processing are:
(a) Central processing unit for execution of programs.
(b) Main or virtual memory for storage of data and programs.
(c) Operating system for system management.
(d) Application programs to execute specific user requirements.
Four types of controls are used to minimize expected losses from errors and
irregularities associated with central processors:
(a) Errors in the processor can be detected via parity checks or instruction
validity checks. Temporary errors can be corrected by attempting to
execute the failed instruction again.
(b) Privileged instructions can only be executed if the processor is in a
special state.
(c) Timing controls can be used to prevent the processor from idling in an
endless loop.
(d) Processor components can be replicated to allow processing to continue
if any component fails.
Two types of controls are used to reduce expected losses from errors and
irregularities associated with real memory.
(a) Memory errors can be detected via parity checks and Hamming codes; Hamming
codes also allow the errors to be corrected.
(b) Access controls, which are implemented via boundary registers, are
used to ensure that one process does not gain unauthorized access to
real memory assigned to another process.
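The two memory-error controls named in item (a), as an added Python example that is not code from the notes: a parity bit only detects that some bit flipped, while a Hamming(7,4) code extended with an overall parity bit (the SECDED arrangement used in ECC memory) locates and corrects a single flipped bit and detects a double flip instead of mis-correcting it. The 4-bit data word is a constructed simplification of a real memory word.

```python
# Added example, not from the notes: parity and Hamming SECDED over a 4-bit
# data word (a constructed simplification of a memory word).


def parity_bit(value):
    """Even-parity bit: 1 when value has an odd number of set bits."""
    return bin(value).count("1") & 1


def parity_ok(value, stored_parity):
    """Parity check: detects an odd number of flipped bits but cannot locate them."""
    return parity_bit(value) == stored_parity


# Code-word layout (bit index = Hamming position): positions 1, 2, 4 hold check
# bits, positions 3, 5, 6, 7 hold data bits d0..d3, and bit 0 holds the overall parity.
DATA_POS = (3, 5, 6, 7)


def hamming_encode(nibble):
    """Encode 4 data bits as an 8-bit SECDED code word."""
    bits = [0] * 8
    for i, pos in enumerate(DATA_POS):
        bits[pos] = (nibble >> i) & 1
    bits[1] = bits[3] ^ bits[5] ^ bits[7]   # check bit over positions with bit 0 set
    bits[2] = bits[3] ^ bits[6] ^ bits[7]   # check bit over positions with bit 1 set
    bits[4] = bits[5] ^ bits[6] ^ bits[7]   # check bit over positions with bit 2 set
    bits[0] = sum(bits[1:]) & 1             # overall parity of the 7-bit Hamming word
    return sum(b << i for i, b in enumerate(bits))


def hamming_decode(word):
    """Return (data, status) with status 'ok', 'corrected' or 'double_error'.

    The syndrome is built from the three check equations; for a single flipped
    bit it equals that bit's position. The overall parity tells a single flip
    (odd) apart from a double flip (even), which is detected but not corrected.
    """
    bits = [(word >> i) & 1 for i in range(8)]
    syndrome = ((bits[1] ^ bits[3] ^ bits[5] ^ bits[7])
                | (bits[2] ^ bits[3] ^ bits[6] ^ bits[7]) << 1
                | (bits[4] ^ bits[5] ^ bits[6] ^ bits[7]) << 2)
    overall_bad = sum(bits) & 1             # all 8 bits must have even parity
    if syndrome == 0 and not overall_bad:
        status = "ok"
    elif overall_bad:
        bits[syndrome] ^= 1                 # syndrome 0 here means the parity bit itself flipped
        status = "corrected"
    else:
        return None, "double_error"         # two flips: detected, data not trusted
    data = sum(bits[pos] << i for i, pos in enumerate(DATA_POS))
    return data, status


if __name__ == "__main__":
    word = hamming_encode(0b1011)
    print(f"stored {word:08b}")
    print("one bit flipped ->", hamming_decode(word ^ 0b00100000))
    print("two bits flipped ->", hamming_decode(word ^ 0b00100100))
```

The difference between the two controls is visible in the return values: `parity_ok` can only say "something is wrong", while `hamming_decode` hands back the repaired data for a single fault and refuses to guess for a double one.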
There are several threats to the integrity of the computer; these may include, but are
not limited to:
(a) Privileged personnel misuse their powers.
(b) Penetrators deceive privileged personnel into giving them special
powers.
(c) Special devices are used to detect electromagnetic radiation, emit
electromagnetic radiation or wiretap communication lines.
(d) Penetrators interact with the system to determine and exploit any flaw in
it.
Chapter 13
Effective Management of IS
The production control section under operations management performs five major
functions.
(a) Receipt and dispatch of input & output
(b) Job scheduling
(c) Management of SLA with users
(d) Transfer pricing charge out control
(e) Acquisition of computer consumables
The file library function within the operations area takes responsibility for the
management of an organization’s machine-readable storage media. Four functions
must be undertaken:
(a) Ensuring that removable storage media are used only for authorized
purposes.
(b) Maintaining storage media in good working order.
(c) Locating storage media appropriately at either on-site or off-site
facilities.
Organization and management controls within the IPF encompass the following:
Sound human resource policies and management practices.
Separation of duties among the information processing environment and
other organizational environment or functions.
i) Control Group: Members of the operations area that are responsible for
the collection, logging and submission of input for the various user groups.
ii) System Development Manager:
Responsible for programmers and analysts who implement new systems and
maintain existing systems.
iii) Help Desk: Responsible for assisting end users to employ end-user hardware
and software, and for providing technical support for production systems by assisting
with problem resolution.
iv) End User: Responsible for operations related to business application
services; the term is used to distinguish the person for whom the product was designed
from the person who programs, services or installs applications.
v) End User Support Manager:
Responsible as liaison between the IS department and the end user.
vi) Data Management: Responsible for the data architecture in larger IT
environments and tasked with managing data as a corporate asset.
vii) Database Administrator:
Responsible for maintenance and integrity of the organization’s database
systems.
viii) Technical Support Manager:
Responsible for system programmers who maintain the system software.
ix) Security Administrator: Responsible for implementing information security
policy and providing assurance that adequate Physical and logical security for
IS programs, data and equipment are carried out.
x) System Administrator: Responsible for maintaining major multi-user
computer systems, including local area networks.
xi) Operations Manager: Responsible for computer operations personnel,
including computer operators, librarians, schedulers and data control
personnel.
Job descriptions and organizational structure charts are important items for all
employees to have as they provide a clear definition of their job responsibilities and
authority. Given the dynamic nature of information technology, job descriptions and
organization structure can change frequently. Therefore, it is important that
procedures be in place to maintain them.
Data Entry
Batch Entry
Online Entry
A supervisor should be assigned to ensure that the work is properly prepared and
submitted for processing. This individual should also ensure that all exception and
rejected inputs are brought to the attention of the originating department and
resubmitted in a timely fashion, and must ensure that the entry staff maintain
confidentiality and do not tamper with sensitive data.
Data Security
It includes the standards and procedures designed to protect data against accidental
or intentional unauthorized disclosure, modification or destruction. A critical part of
the management control exercised by the IPF is providing an adequate level of data
security. Data security covers many aspects of security and must be continually
modified and expanded to cover IS technological advances.
Processing Controls
Include those items necessary to ensure that the organization receives timely,
complete, accurate and secure processing of data. These controls are particularly
pertinent to the work performed by the computer operations group, which includes:
Data control is often responsible for all the data necessary to run various
systems and for checking to ensure that output information received is
complete. Adequate, up-to-date control manuals are essential for each
system. Manuals should state the source of the various forms of input and when such
input should be available.
Production control is often responsible for job scheduling, job submission and
media management. Job scheduling may be done manually or with scheduling
software; scheduling is essential if the computer resources are to be used at optimum
efficiency.
Database Administration
The DBA defines and maintains the data structures in the corporate database systems
and is responsible for the actual design, definition and proper maintenance of the
corporate databases. The DBA has the tools to establish control over the database
and the ability to override these controls. The DBA also has the capability of gaining
access to all data, including production data. It is usually not practical to prohibit or
completely prevent access by the DBA to production data.
DBA’s Roles
i) Specifying physical (computer oriented) data definition.
ii) Changing physical data definition to improve performance.
iii) Selecting and implementing database optimization tools.
iv) Testing and evaluating programmer and optimization tools.
v) Answering programmer queries and educating programmers in the
database structures.
i) Segregation of duties.
ii) Management approval of DBA activities.
iii) Supervisor review of access logs.
iv) Detective controls over the use of database tools.
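Items iii and iv, supervisor review of access logs and detective controls over database tools, as an added Python example; this is not code from the notes. The audit-log format, account names, database names and change-ticket numbers are constructed, and the two rules (flag any DBA access to production data that is not covered by a management-approved change, and flag every privilege grant on production for review regardless of ticket) are assumptions chosen to illustrate the control, not a standard the notes prescribe.

```python
# Added example, not from the notes: a detective control that reviews a
# database audit log for DBA activity on production data. The log format,
# accounts, databases and ticket numbers are all constructed.

import re

SAMPLE_LOG = """\
2024-03-01T01:55:12 user=dba_asha db=PROD_HR op=ALTER object=EMPLOYEE tool=sqlplus ticket=CHG-1042
2024-03-01T02:14:05 user=dba_asha db=PROD_HR op=SELECT object=EMPLOYEE_SALARY tool=sqlplus ticket=-
2024-03-01T09:03:41 user=app_payroll db=PROD_HR op=SELECT object=EMPLOYEE_SALARY tool=payroll_app ticket=-
2024-03-01T11:20:00 user=dba_raj db=DEV_HR op=UPDATE object=EMPLOYEE tool=sqlplus ticket=-
2024-03-01T13:45:09 user=dba_raj db=PROD_HR op=GRANT object=DBA_ROLE tool=sqlplus ticket=CHG-1042
2024-03-01T14:02:33 user=dba_raj db=PROD_HR op=UPDATE object=EMPLOYEE_SALARY tool=sqlplus ticket=CHG-9999
"""

DBA_ACCOUNTS = {"dba_asha", "dba_raj"}   # constructed privileged accounts
APPROVED_TICKETS = {"CHG-1042"}          # changes approved by management (constructed)
PRIVILEGE_OPS = {"GRANT", "REVOKE"}

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a dict: timestamp plus the key=value fields."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    event.update(KV.findall(rest))
    return event


def is_production(event):
    return event.get("db", "").startswith("PROD_")


def review_event(event):
    """Return the reasons (possibly none) a supervisor should look at this event."""
    reasons = []
    if not is_production(event):
        return reasons                      # development activity is out of scope here
    if event["op"] in PRIVILEGE_OPS:
        reasons.append("privilege change on production requires supervisor review")
    if event["user"] in DBA_ACCOUNTS and event.get("ticket", "-") not in APPROVED_TICKETS:
        reasons.append("DBA access to production data without an approved change ticket")
    return reasons


def review_access_log(text):
    """Run the detective rules over a whole log; one alert per (event, reason)."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for reason in review_event(event):
            alerts.append({"ts": event["ts"], "user": event["user"], "op": event["op"],
                           "object": event.get("object"), "reason": reason})
    return alerts


def alerts_by_user(alerts):
    """Summary for the supervisor's review: flagged events per account."""
    counts = {}
    for a in alerts:
        counts[a["user"]] = counts.get(a["user"], 0) + 1
    return counts


if __name__ == "__main__":
    found = review_access_log(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['user']:<12} {a['op']:<6} {a['object']:<16} {a['reason']}")
    print(alerts_by_user(found))
```

The approved ALTER and the application account's own read pass without comment; what surfaces for review is the unticketed read of salary data, the role grant, and the update under a ticket management never approved. Because the DBA can override controls inside the database, the log this reads must be written somewhere the DBA cannot edit, or the detective control reviews what the DBA chose to leave behind.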
CHAPTER 14
CRITICAL CHARACTERISTICS OF
INFORMATION
Possession:
The possession of information is the quality or state of having ownership or
control of some object or item. Information is said to be in the possession of
whoever obtains it, independent of format or other characteristics. Encryption protects
the confidentiality of information, but possession may still change.
Components of an information system (figure): Software, Hardware, Data, People,
Procedures, Network, Organization.
The information security policy should provide general guidance on the
allocation of security roles and responsibilities in the organization. All
responsibilities regarding information security management must be well
defined, including those of information security management personnel and
management. The following responsibilities could be assigned to different levels of
management in the organization.
Executive Management
Executive management in the organization is responsible for overall
information system asset protection. Executive management has to show
commitment to information security management by providing budgets and
following up on information security management policies and plans.
Security Committee
In order to implement the security policies and procedures in the organization,
a security committee may be formed. Formal terms of reference may also
be drawn up for this committee and its recommendations adopted by the
organization.
Data Owners:
Data owners have the responsibility of maintaining the accuracy, completeness
and integrity of the data used in business processes.
Process Owners:
Process owners have to ensure that the processes running on computer
systems are secure and are in line with the procedures defined in the scope of
the security policies of the organization.
IT Developers:
IT developers are responsible for implementing the security policy in the
organization.
Users:
IT/IS users of the organization are responsible for having full knowledge of all
policies and procedures developed within the organization. Users also have a
heavy responsibility for protecting.
IS Auditors
IS auditors are responsible for providing independent assurance to
management regarding the aptness and effectiveness of information security
objectives and their implementation in the organization.
(a) Hackers
A hacker is a person who attempts to invade the privacy of a computer
system. Hackers are normally skilled programmers and have been known to
crack system passwords with consummate ease.
(b) Employees
Unauthorized employees intentionally attempt to break the security
implementations within the organization and try to gain access to
organizational information assets, while authorized employees may cause loss
to assets intentionally or by mistake.
(c) IS Personnel
These have the easiest access to organizational information, since they are the
custodians of information assets. Good segregation of duties, apart from
checks like logical access controls, will ensure a reduction in attacks on assets
from this category of personnel.
(d) Outsiders
This may include organized criminals like hackers, competitors or crackers
(paid hackers).
FIRE DAMAGE
Fire is often the most serious threat to the physical security of information system
assets. A well-designed fire-protection plan should be made in the organization. Such
a plan may include:
(a) Both automatic and manual fire alarms are placed in computer rooms etc.
(b) Automatic fire extinguishers are placed at strategic places in the organization.
(c) When a fire alarm is activated, a signal is sent automatically to a control
station that is always staffed.
(d) To minimize the risk of extensive damage from electrical fires, electrical wiring
should be placed in fire-resistant panels and conduit.
Security administrators should arrange regular inspections and tests of all fire
protection systems and ensure that they are properly serviced. Periodic
training of the staff in the use of such equipment should also be arranged.
WATER DAMAGE
Water damage to IS assets might result from fire or from other natural disasters
like floods or torrential rains. Protective measures include:
(a) Installation of water-proof ceilings and walls
(b) Proper drainage system in the premises
ENERGY VARIATIONS
TERRORIST ACTIVITIES
Political terrorism is the main risk, but there are also threats from individuals with
grudges. In some cases there is very little that an organization can do: its buildings
may just happen to be in the wrong place and bear the brunt of an attack aimed at
another organization or intended to cause general disruption.
(a) There are some avoidance measures that should be taken, however.
(b) Physical access to buildings should be controlled.
ACCIDENTAL DAMAGE
Unauthorized entry
Damage
Vandalism/Sabotage (Strikes)
Theft
Copying or viewing of sensitive data
Alteration of sensitive equipment and information
Public disclosure of sensitive information
Abuse of data processing
Blackmailing
Embezzlement
Security guards
Bolting/secure door locks
Combination of door locks (multiple kinds of locks)
Electronic doors
Dead man door (e.g. Bank lockers, only one person can enter at one time)
Controlled single entry point
Alarm system
Manual logging
Electronic logging
Identification
Video cameras
Secured report distribution carts
Bonded personnel (only specified people are allowed to enter)
No advertising of sensitive location
Computer workstation
Physical access controls are designed to prevent an intruder from gaining access to the
physical assets of the company, like computer equipment and storage media. The
following are the areas which should be physically protected from intruders:
LOGICAL THREATS
VIRUSES
A virus is a piece of software which infects programs and data and which replicates
itself. Viruses need an opportunity to spread. Virus writers therefore
place viruses in the kind of software which is most likely to be copied. This includes:
(a) Free software
(b) Pirated software
(c) Games software
TROJANS
A Trojan is a program that, while visibly performing one function, secretly carries
out another. For example, a program could be running a game while simultaneously
destroying a data file or another program. A Trojan’s work is immediate and
obvious. They are easy to avoid as they do not copy themselves onto the target disk.
WORMS
Whereas a Trojan attacks from without, a worm, which is a type of virus, attacks
from within. A worm is a program that survives by copying and replicating itself
inside the computer system it has entered, without necessarily altering that system.
Other viruses attach themselves to a program.
TRAP DOOR
A trap door is an undocumented entry-point into a computer system. It is not to be
found in design specification but may be put in by software developers to enable
them to bypass access controls while working on a new piece of software. Because, it
is not documented, it may be forgotten and rediscovered by a hacker perhaps, at a
later date.
LOGIC BOMBS
A logic bomb is a piece of code triggered by certain events. A program will behave
normally until a certain event occurs, for example when disk utilization reaches a
certain percentage. A logic bomb, by responding to set conditions, maximizes
damage.
TIME BOMBS
A time bomb is similar to a logic bomb, except that it is triggered at a certain date.
Companies have experienced virus attacks on April Fools’ Day and on Friday 13th.
These were released by time bombs.
SPAM
Spam is flooding the internet with many copies of the same message in an attempt
to force the message on people who would not otherwise choose to receive it. Most
spam is commercial advertising, often for dubious products, get-rich-quick schemes,
or quasi-legal services. Spam costs the sender very little to send; most of the costs
are paid by the recipient or the carriers rather than by the sender.
Cancelable Spams
Email Spam
SNIFFERS
A sniffer is a program or device that can monitor data traveling over a network.
Sniffers can be used both for legitimate network management functions and for
stealing information from a network. Unauthorized sniffers can be extremely
dangerous to a network’s security, because they are virtually impossible to detect.
They often work on TCP/IP networks, where they are sometimes called “packet
sniffers.”
SPOOFING
This type of attack takes place when the attacker is on the same subnet as the
victim. The sequence and acknowledgement numbers can be sniffed, eliminating the
potential difficulty of calculating them accurately. The biggest threat of spoofing in
this instance would be session hijacking. This is accomplished by corrupting the data
stream of an established connection, then re-establishing it based on correct
sequence and acknowledgement numbers with the attack machine. Using this
technique, an attacker could effectively bypass any authentication measures taken
to build the connection.
Function:
Hand geometry
Iris checking
Retinal imaging
Facial imaging
Signature recognition
Voice recognition
e) Single Sign On (SSO)
Multiple passwords: a separate password for every server.
One password and you have access to every server; this is its most dangerous
aspect (e.g. MSN Messenger).
Features to be considered
Every system has logon IDs: when you install Windows an administrator ID is created,
and other IDs such as guest users are called special system logon IDs; these should be
disabled.
c) System Exits
These should not be available to users; complex maintenance tasks/tailoring: there are
things which cannot be recorded by the system, e.g. in a cell phone, removing the
battery or SIM cannot be recorded by the system.
a) Threats
Viruses
Hackers
b) Security
Antivirus
Dial back mechanism, firewall
i. Passive attacks
Get knowledge before going for active attack.
Types of IDS
Firewall IDS
HR Termination policies
There should be clearly defined steps of the termination policy in writing. The policy
should address both types of termination.
Control Procedures
Return all access keys.
Delete log on IDs and Password.
Notification to other staff about the terminated employee.
Arrangement of final pay.
Termination / exit Interview.
Return all company property.
Escort the person to main Gate.
SECURITY PROGRAMME
(a) Alignment:
The programme must be aligned with the organizational goals.
(b) Enterprise Wide:
Everyone in the organization must become part of the security
programme.
(c) Continuity:
The programme must be operational continuously without any disruption.
(d) Validation:
The security programme must be tested and validated to ensure its
operability.
(e) Proactive:
The organization should not wait for something to happen; rather, it must use
innovative, preventive and protective measures.
(f) Formal:
It must be a formal programme with authority, responsibility and
accountability.
(i) The plan must show who is to be notified immediately when the disaster
occurs: management, police or fire department.
(ii) The plan must show any actions to be undertaken, such as shutdown of
equipment, removal of files, and termination of power.
(iii) Any evacuation procedures required must be specified.
(iv) Return procedures (e.g. conditions that must be met before the site is
considered safe) must be designated.
Whereas the backup plan is intended to restore operations quickly so the information
systems function can continue to service an organization, recovery plans set out
procedures to restore full information system capabilities. Recovery plans depend on
the circumstances of a disaster. For example, they will depend on whether the disaster
is global or localized and, if localized, the nature of the machine, the applications, and
the data to be recovered. The plan should specify the responsibilities of the
committee and provide guidelines or priorities to be followed. The plan might also
include which applications are to be recovered first.
The final component of a DRP is a test plan. The purpose of a test plan is to identify
deficiencies in the emergency, backup or recovery plans or in the preparedness of an
organization and its personnel in the event of a disaster. It must enable a range of
disasters to be simulated and specify the criteria by which emergency, backup and
recovery plans can be deemed satisfactory.
To facilitate testing, a phased approach can be adopted. First, the DRP can be tested
by desk checking, inspection and walk-through, much like the validation procedures
adopted for programs. Next, a disaster can be simulated at a convenient time. Finally,
a disaster could be simulated without warning at any time. These are the acid tests of
the organization’s ability to recover from a real disaster.
BACKUP OPTIONS
Following are some viable backup options security administrators should consider:
If a third party site is to be used for backup and recovery purposes, security
administrators must ensure that a contract is written to cover such issues as:
(i) How soon the site will be made available subsequent to a disaster.
(ii) The number of organizations that will be allowed to use the site concurrently
in the event of a disaster.
(iii) The priority to be given to concurrent users of the site in the event of a
common disaster.
(iv) The period during which the site can be used.
(v) The conditions under which the site can be used.
(vi) The facilities and services the site provider agrees to make available.
(vii) What controls will be in place and working at the off-site facility.
BCP is the act of proactively working out a way to prevent and manage the
consequences of a disaster, limiting it to the extent that a business can afford. BCP
determines how a company will keep functioning until its normal facilities are
restored after a disruptive event.
There are two key performance indicators (KPIs) that measure across the business
continuity spectrum.
4. Disaster tolerance
Disaster tolerance defines an environment’s ability to withstand major
disruptions to systems and related business processes. Disaster tolerance at
various levels should be built into an environment and can take the form of
hardware redundancy, high availability/clustering solutions, multiple data
centers, eliminating single points of failure, and disaster recovery solutions.
CHAPTER 15
NETWORK INFRASTRUCTURE
SECURITY
(k) X.25
This is a data communications interface specification developed to describe
how data passes into and out of a packet-switched network. The X.25 protocol
suite defines protocol layers 1-3.
NETWORK
The processors in our mobile phones do not form a network because they are not
intelligent enough to work independently. Similarly, if several I/O devices are attached
to a supercomputer, mainframe or minicomputer, it is not a network, because the I/O
devices are not able to work independently if they are disconnected. However, if two or
more microcomputers are connected with each other and are able to work
independently as well as in a sharing network, then it is a NETWORK.
NETWARE (SOFTWARE NEEDED TO RUN THE NETWORK)
Client – Server
One computer is the server and the other computers are clients. The biggest example
might be the internet, in which we are the clients of an ISP. In turn, ISPs are clients of
internationally recognized networking bodies (Hyundai, AT&T, British Telecom).
Peer to Peer
No one is server, no one is client. Every machine is a server and every machine is a
client.
Sharing of data/information
Sharing of resources (e.g. printer, hard disk, CD drive)
Sharing of services (e.g. internet service, stock exchange service)
Security (You cannot take data away from the network hard disk. A lot of
restrictions are imposed even to access data.)
Functions
Advantages
Flexibility
Disadvantages
Same as outsourcing
Serious points to consider
1. Customer access:
Browser for websites
Special browsers E.g. at Airport terminal we can use internet
2. Customer Issues:
Training
Queries
3. Secure Connection
4. Dedicated or shared application server (dedicated is recommended)
5. Problem resolution capacity
6. Level of Redundancy / backup
7. Disaster recovery
8. Data ownership
9. Data security
10. Transfer of data between in-house application and ASP
11. How to switch to another ASP.
IP SPOOFING
This is where one host claims to have the IP address of another. Since many systems (such as router access control lists) decide which packets may and may not pass based on the sender's IP address, this is a useful technique for an attacker: he can send packets to a host, perhaps causing it to take some sort of action.
DENIAL OF SERVICE
The premise of a DoS attack is simple: send more requests to the machine than it can handle. DoS attacks are probably the nastiest and the most difficult to address. They are the nastiest because they are very easy to launch, difficult to trace, and it is not easy to refuse the requests of the attacker without also refusing legitimate requests for service.
There are toolkits available in the underground community that make this a simple matter of running a program and telling it which host to blast with requests.
Some things that can be done to reduce the risk of being stung by a DoS attack include:
(a) Not running your services that are visible to the world at a level too close to capacity.
(b) Using packet filtering to prevent obviously forged packets from entering your network address space.
(c) Obviously forged packets include those that claim to come from your own hosts, from addresses reserved for private networks, and from the loopback network (127.0.0.0).
(d) Keeping up to date on security-related patches for your hosts' operating systems.
DESTRUCTIVE BEHAVIOUR
Among the destructive sorts of break-ins and attacks, there are two major categories:
Data diddling
Data destruction
Data Diddling
Data diddling is likely the worst sort, since the fact of a break-in might not be immediately obvious. Perhaps the intruder is toying with the numbers in your spreadsheets, or changing the dates in your projections and plans. Maybe he is changing the account numbers for the automatic deposit of certain paychecks.
Data Destruction
Some of those who perpetrate attacks are simply twisted jerks who like to delete things. In these cases the impact on your computing capability, and consequently on your business, can be nothing less than if a fire or other disaster had caused your computing equipment to be completely destroyed.
Preventive Measures
1) Regular backups should be maintained
2) Don't put data where it doesn't need to be
3) Avoid systems with a single point of failure
4) Stay current with relevant operating system patches
5) Have someone on staff who is familiar with security practices.
ROUTER
Routers are used to direct or route traffic on the network and work at the network layer (layer 3) of the OSI model. Routers link two or more physically separate network segments. Although the segments are linked via the router, they can function as independent networks. Routers look at the headers of network packets to determine source addresses (logical addresses). A router can be used as a packet-filtering firewall by comparing the header information in packets against its rules. The creation of rules in packet filtering involves both permit and deny statements.
BRIDGE
A bridge works at the data link layer (layer 2) of the OSI model and connects two separate networks to form one logical network. Bridges can store and forward frames. A bridge examines the media access control (MAC) header of a data packet to determine where to forward it; bridges are transparent to end users. A MAC address is the physical address of the device on the network. As packets pass through it, the bridge determines whether the destination MAC address resides on its local network; if not, the bridge forwards the packet to the appropriate network segment. Bridges can reduce collisions that result from segment congestion, but they do forward broadcast frames. Bridges are good network devices if used for the right purpose.
A hub operates at the physical layer (layer 1) of the OSI model and can serve as the centre of a star topology. Hubs can be considered concentrators because they concentrate all network communications for the devices attached to them. A hub contains several ports to which clients are directly connected.
A switch combines the functionality of a multi-port bridge and the signal amplification of a repeater.
several layers in order to successfully do so. Those layers are provided by various
components within the DMZ.
Revisit access control lists on routers, firewalls, servers and applications to ensure that access to critical functions and resources is limited to those with a "need to know".
Ensure that all critical systems are regularly backed up and that the actual system recovery procedures have been tested.
Consider developing an incident response plan to address the appropriate actions should a debilitating cyber incident / event occur at your business.
Users working from home via high-speed broadband connections should be required to have a firewall installed on their system.
FIREWALLS
A firewall can be considered a "choke point" on the network because all traffic must be checked against its rules before gaining access. As a result, the rules that are created for the network must take into account performance as well as security.
A firewall can filter traffic based on a variety of parameters within the packet:
(a) Source and destination addresses
The firewall can look at the source or destination address in the packet.
(b) Source and destination ports
The firewall can look at the source or destination port identifier of the service or application being accessed.
(c) Protocol types
The firewall might not let certain protocol types access the network.
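The packet-filtering rules described above (addresses, ports, protocol types, permit and deny statements evaluated in order), combined with the anti-spoofing check from the denial-of-service section (rejecting packets that claim to come from your own hosts, from private address ranges or from the loopback network), as an added Python example that is not part of these notes. The organisation's address block, the rule set and the sample packets are all constructed for illustration:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed for this example: the address block the organisation uses for its
# own hosts. A packet arriving from the Internet can never legitimately carry
# one of these as its source address.
OWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Obviously forged sources: our own hosts, the private (RFC 1918) ranges and
# the loopback network 127.0.0.0/8.
FORGED_SOURCES = OWN_NETWORKS + [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port; None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: Optional[str] = None    # CIDR prefix; None matches any address
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# Ordered rule set for the Internet-facing interface (constructed). The first
# matching rule wins, and the final catch-all deny makes "deny" the default.
INGRESS_RULES = [
    Rule("permit", dst="203.0.113.10/32", proto="tcp", dport=443),  # public web server
    Rule("permit", dst="203.0.113.11/32", proto="udp", dport=53),   # public DNS
    Rule("deny"),
]


def is_forged_source(pkt: Packet) -> bool:
    """True when the source address cannot legitimately arrive from outside."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in FORGED_SOURCES)


def filter_ingress(pkt: Packet, rules=INGRESS_RULES) -> Tuple[str, str]:
    """Decide whether an inbound packet may enter; returns (action, reason)."""
    # The anti-spoofing check runs before the rule set, so that a forged
    # source can never be carried through to a permit rule.
    if is_forged_source(pkt):
        return "deny", "forged source address"
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, f"rule {index}"
    return "deny", "implicit deny"


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 443),   # legitimate web request
        Packet("198.51.100.7", "203.0.113.10", "tcp", 22),    # SSH from outside: denied
        Packet("10.1.2.3", "203.0.113.10", "tcp", 443),       # private source: forged
        Packet("203.0.113.5", "203.0.113.10", "tcp", 443),    # claims to be our own host
    ]
    for p in samples:
        print(f"{p.src} -> {p.dst} {p.proto}/{p.dport}: {filter_ingress(p)}")
```

The rule set is evaluated first-match-wins with an explicit final deny, which is the form the notes describe for router access control lists; the performance point made above applies directly, since every packet is tested against every rule until one matches.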
There are many different types of firewall, but most enable an organization to:
FIREWALL ISSUES
CHAPTER 16
MANAGEMENT OF DATA
The organization needs information for making the decisions involved in running the business successfully. This necessitates that data be collected and managed properly.
DATA ADMINISTRATOR
(a) Ensures that all data management role groups comply with data management policies and guidelines.
(b) Periodically reports to the director on the status of compliance with data management policies and guidelines.
DATABASE MANAGEMENT
Under a discretionary access control policy, users who are not owners of data can be subjected to four types of access restriction:
(a) Name-dependent access control, which permits or denies access to a named data resource.
(b) Content-dependent access control, which permits or denies access depending on the content of the data item.
(c) Context-dependent access control, which permits or denies access depending on the context, e.g. revelation of a specific data item value versus access for statistical purposes.
(d) History-dependent access control, which permits or denies access depending on the history of prior accesses to the database.
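The four restriction types applied in sequence to a single access request, as an added Python example that is not part of these notes. The resource name "salaries", the users, the sample rows and the access limit are constructed for illustration; the history-dependent rule is implemented as a cap on the number of prior permitted accesses by the same user to the same resource, one common way of limiting inference from repeated statistical queries:

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str            # the named data resource, e.g. the "salaries" table
    row: Dict[str, object]   # the data item requested (constructed sample row)
    purpose: str             # "value" (reveal the item) or "statistical" (aggregate use)


class DacPolicy:
    """Discretionary access control for non-owners, applying the four restriction
    types in turn: name-, content-, context- and history-dependent."""

    def __init__(self, history_limit: int = 3):
        self.name_grants: Dict[str, set] = defaultdict(set)   # resource -> users granted
        self.content_rules: Dict[str, Callable[[str, dict], bool]] = {}
        self.value_access: Dict[str, set] = defaultdict(set)  # resource -> users who may see values
        self.history: Dict[Tuple[str, str], int] = defaultdict(int)
        self.history_limit = history_limit

    def check(self, req: AccessRequest) -> Tuple[bool, str]:
        # (a) name-dependent: is the user granted anything on this named resource?
        if req.user not in self.name_grants[req.resource]:
            return False, "name-dependent: no grant on " + req.resource
        # (b) content-dependent: does the content of this item exclude the user?
        rule = self.content_rules.get(req.resource)
        if rule is not None and not rule(req.user, req.row):
            return False, "content-dependent: item excluded by its content"
        # (c) context-dependent: revealing a specific value vs. statistical use
        if req.purpose == "value" and req.user not in self.value_access[req.resource]:
            return False, "context-dependent: only statistical access permitted"
        # (d) history-dependent: cap repeated accesses so that a run of statistical
        # queries cannot be used to reconstruct individual values
        key = (req.user, req.resource)
        if self.history[key] >= self.history_limit:
            return False, "history-dependent: prior access limit reached"
        self.history[key] += 1
        return True, "permitted"


def build_demo_policy() -> DacPolicy:
    """Constructed policy: alice (payroll) and bob (analyst) may use 'salaries';
    only alice may see individual values; bob may never touch executive rows."""
    policy = DacPolicy(history_limit=3)
    policy.name_grants["salaries"].update({"alice", "bob"})
    policy.value_access["salaries"].add("alice")
    policy.content_rules["salaries"] = (
        lambda user, row: user == "alice" or row.get("department") != "executive"
    )
    return policy


if __name__ == "__main__":
    policy = build_demo_policy()
    sales_row = {"employee": "E2", "department": "sales", "salary": 40000}
    for _ in range(4):
        # the fourth statistical access by bob is refused by the history rule
        print(policy.check(AccessRequest("bob", "salaries", sales_row, "statistical")))
```

Each check returns the first restriction that fails, which is also the order an auditor would expect to see in an access log: the coarse name-level grant first, the item-level and purpose-level conditions after it, and the history check last because it is the only one that depends on state accumulated across requests.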
RECOVERY STRATEGY
Existence controls encompass both a backup strategy and a recovery strategy. All backup strategies require maintenance of a prior version of the database and a log of the transactions or changes made to the database. Recovery strategies take two forms:
(a) Roll forward, whereby the current state of the database is recovered from a previous version.
(b) Rollback, whereby a previous state of the database is retrieved from the current state.
GRANDFATHER, FATHER, SON
This strategy involves maintaining the previous two versions of a master file and the previous version of the transaction file. If the current (son) version of the master file is lost, it can be recovered by processing the current transaction file against the previous version of the master file (the father). If the previous version of the master file is lost during recovery, it too can be recovered by using the grandfather's version of the master file and the previous version of the transaction file.
DUMPING
Dumping involves copying the whole or a portion of the database to some backup medium. Recovery involves writing the dump back to the primary storage medium and reprocessing the transactions that have occurred since the time of the dump.
LOGGING
Logging involves recording a transaction that changes the database, or an image of the record changed by an update action.
Three types of log can be kept:
(a) Transaction logs – to allow reprocessing of transactions during recovery.
(b) Before-image logs – to allow rollback of the database.
(c) After-image logs – to allow roll forward of the database.
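Dumping, the three kinds of log, and the two recovery forms (rollback from before-images, roll forward from a dump plus after-images) exercised on a toy in-memory database, as an added Python example that is not part of these notes. Reapplying logged changes to a prior version is the same principle as regenerating the son master file from the father and the transaction file in the grandfather-father-son scheme above. The account names, balances and transaction identifiers are constructed:

```python
import copy
from typing import Dict, List, Optional, Tuple


class LoggedDatabase:
    """Toy in-memory database (constructed) with a dump, a transaction log,
    a before-image log and an after-image log."""

    def __init__(self, data: Dict[str, int]):
        self.data = dict(data)
        self.dump: Optional[Dict[str, int]] = None
        self.transaction_log: List[Tuple[str, str, int]] = []          # (txn, key, new value) as submitted
        self.before_images: List[Tuple[str, str, Optional[int]]] = []  # (txn, key, value before change)
        self.after_images: List[Tuple[str, str, int]] = []             # (txn, key, value after change)
        self.committed = set()

    def take_dump(self) -> None:
        """Copy the whole database to backup; earlier log entries are no longer needed."""
        self.dump = copy.deepcopy(self.data)
        self.transaction_log.clear()
        self.before_images.clear()
        self.after_images.clear()
        self.committed.clear()

    def update(self, txn: str, key: str, value: int) -> None:
        self.transaction_log.append((txn, key, value))
        self.before_images.append((txn, key, self.data.get(key)))  # image before the change
        self.data[key] = value
        self.after_images.append((txn, key, value))                # image after the change

    def commit(self, txn: str) -> None:
        self.committed.add(txn)

    def rollback(self, txn: str) -> Dict[str, int]:
        """Retrieve the previous state by applying the transaction's before-images
        in reverse order (a record that did not exist before is deleted again)."""
        for t, key, old in reversed(self.before_images):
            if t == txn:
                if old is None:
                    self.data.pop(key, None)
                else:
                    self.data[key] = old
        # the abandoned transaction must not be replayed by a later roll forward
        self.before_images = [e for e in self.before_images if e[0] != txn]
        self.after_images = [e for e in self.after_images if e[0] != txn]
        self.transaction_log = [e for e in self.transaction_log if e[0] != txn]
        return dict(self.data)

    def roll_forward(self) -> Dict[str, int]:
        """Recover the current state from the prior version (the dump) by
        reapplying, in log order, the after-images of committed transactions."""
        if self.dump is None:
            raise RuntimeError("no dump to recover from")
        state = copy.deepcopy(self.dump)
        for t, key, new in self.after_images:
            if t in self.committed:
                state[key] = new
        self.data = state
        return dict(state)


def recovery_demo() -> Tuple[Dict[str, int], Dict[str, int]]:
    """Constructed scenario: one committed transfer, one abandoned update, then
    loss of the live copy. Returns (state after rollback, state after roll forward)."""
    db = LoggedDatabase({"acct_100": 500, "acct_200": 300})
    db.take_dump()
    db.update("T1", "acct_100", 400)   # T1 transfers 100 from acct_100 to acct_200
    db.update("T1", "acct_200", 400)
    db.commit("T1")
    db.update("T2", "acct_100", 0)     # T2 fails before it can commit
    after_rollback = db.rollback("T2")
    db.data = {}                       # simulate losing the current copy of the database
    after_roll_forward = db.roll_forward()
    return after_rollback, after_roll_forward


if __name__ == "__main__":
    print(recovery_demo())
```

Rollback needs only the before-images of the one transaction being undone, whereas roll forward needs the dump plus every committed after-image since that dump, which is why the notes describe the dump and the logs as complementary parts of one existence control.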
RESIDUAL DUMPING
Residual dumping involves logging records that have not been changed since the last database dump. The database is recovered by going back to, but not including, the second-last residual dump log. Residual dumping reduces the overheads associated with dumping because records that have been changed and recorded on the log are not then dumped.
The differential file / shadow paging backup and recovery strategy involves keeping the database intact and writing changes to the database to a separate file. In due course these changes are written to the database. If a failure occurs before the changes are applied, the intact database constitutes a prior dump of the database. Provided a log of transactions has been kept, these transactions can then be reprocessed against the database.
(a) Database containing structured data, the most common subtypes are
(i) Printing control data for internal tables / standing data to ensure it remains accurate and complete.
(ii) Printing run-to-run control totals.
(iii) Printing suspense account entries.
DEAD LOCK
Locking out one process while another process completes its update can lead to a situation called deadlock, in which two processes are each waiting for the other to release a data item that it needs. A widely accepted solution to deadlock is two-phase locking, in which all the data items needed to propagate the effects of a transaction are first obtained and locked against other processes. The data items are not released until all updates on them have been completed.
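The two-phase discipline described above, as an added Python example that is not part of these notes: a transaction acquires every data item it needs before updating any of them (the growing phase) and releases them all only once its updates are complete (the shrinking phase). Because a transaction holds nothing while it waits, two transfers that lock the same two accounts in opposite orders cannot each hold one item while waiting for the other, which is the circular wait that produces deadlock. The account names, balances and transaction identifiers are constructed:

```python
import threading
from typing import Dict, Iterable


class LockManager:
    """Conservative two-phase locking: acquire all items up front, release all at the end."""

    def __init__(self) -> None:
        self._cv = threading.Condition()
        self._held: Dict[str, str] = {}   # data item -> transaction holding it

    def acquire_all(self, txn: str, items: Iterable[str]) -> None:
        wanted = set(items)
        with self._cv:
            # Growing phase: wait until every needed item is free. Nothing is
            # held while waiting, so no partial hold can block another transaction.
            while any(self._held.get(i) not in (None, txn) for i in wanted):
                self._cv.wait()
            for i in wanted:
                self._held[i] = txn

    def release_all(self, txn: str) -> None:
        # Shrinking phase: release everything at once after the updates are done.
        with self._cv:
            for i in [i for i, t in self._held.items() if t == txn]:
                del self._held[i]
            self._cv.notify_all()

    def holders(self) -> Dict[str, str]:
        with self._cv:
            return dict(self._held)


def transfer(lm: LockManager, accounts: Dict[str, int], txn: str,
             src: str, dst: str, amount: int) -> bool:
    """Move amount from src to dst under two-phase locking; True if it was applied."""
    lm.acquire_all(txn, [src, dst])
    try:
        if accounts[src] < amount:
            return False
        accounts[src] -= amount
        accounts[dst] += amount
        return True
    finally:
        lm.release_all(txn)


def run_concurrent_transfers(n: int = 200) -> Dict[str, int]:
    """Constructed workload: T1 moves A->B and T2 moves B->A, n times each,
    concurrently. Under item-at-a-time locking the opposite lock orders could
    deadlock; here every transfer completes and the totals balance."""
    accounts = {"A": 1000, "B": 1000}
    lm = LockManager()
    t1 = threading.Thread(target=lambda: [transfer(lm, accounts, "T1", "A", "B", 1) for _ in range(n)])
    t2 = threading.Thread(target=lambda: [transfer(lm, accounts, "T2", "B", "A", 1) for _ in range(n)])
    t1.start()
    t2.start()
    t1.join()
    t2.join()
    return accounts


if __name__ == "__main__":
    print(run_concurrent_transfers())
```

The price of acquiring everything up front is reduced concurrency: a transaction that needs an item currently in use waits even if it could have started useful work on the others. That trade-off is why the notes call this a widely accepted rather than a universal solution.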
CHAPTER NO. 17
COMPUTER AUDITING
INTERNAL AUDIT
The purpose of an internal audit is to evaluate the adequacy and effectiveness of a company's internal control system and to determine whether responsibilities are actually carried out.
(a) Review the reliability and integrity of operating and financial information and
Automated working paper packages have now been developed which can make the documentation of audit work much easier.
(a) Such programs will aid the preparation of working papers, lead schedules and even sets of accounts. These documents are automatically cross-referenced and balanced by the computer.
(b) The risk of error is reduced and the working papers produced will be neater and easier to review.
(c) Standard forms will no longer have to be carried to audit locations.
(d) It will not be necessary for an audit manager to visit auditors "in the field" in order to review completed audit working paper files: these can now be transmitted to the audit manager at audit HQ or at home for review.
(e) Auditors may also benefit from on-line access and real-time file updating.
(a) Standard software for word processing and spreadsheets which can be used to carry out the various tasks.
(b) Expert systems which will determine sample sizes based on specified risk criteria.
(a) The production of time budgets and budgetary control. The variances which arise on the audit can be used as a basis for updating the future audit time budget.
(b) The production of working papers, in particular lead schedules, trial balances and schedules of errors.
(c) Analytical review procedures can be carried out more efficiently on a microcomputer, as the necessary calculations can be carried out at much greater speed and year-on-year information built up.
(d) The production and retention of audit programmes. These can then be reviewed and updated from year to year.
(e) The maintenance of permanent file information which can be updated from one year to the next.
Controls which must be exercised when microcomputers are used by the auditor in his work are as follows:
Access controls for users by means of passwords.
Backup of data contained on files, regular production of hard copy, and backup disks held off the premises.
Virus protection of programs.
Training for users.
Evaluation and testing of programs before use.
Proper recording of input data to ensure reasonableness of output.
Computer-assisted audit techniques (CAATs) are methods of using the computer to assist the auditor in the performance of a computer audit. Audit techniques that involve, directly or indirectly, the use of the client's computer are referred to as CAATs, of which the following are the two "principal categories":
AUDIT SOFTWARE
Computer programs used in the audit process to examine the contents of the client's computer files.
TEST DATA
Data used by the auditor for computer processing to test the operation of the enterprise's computer programs.
a. By using computer audit programs, the auditor can scrutinize large volumes of data and concentrate skilled manual resources on the investigation of results rather than on the extraction of information.
b. Once the programs have been written and tested, the costs of operation are relatively low; indeed the auditor does not necessarily have to be present during their use.
TEST PACK
A "test pack" consists of input data submitted by the auditor for processing by the enterprise's computer-based accounting system. It may be processed during a normal production run ("live") or during a special run at a point in time outside the normal cycle ("dead").
An integrated test facility (ITF) involves the creation of a fictitious entity within the framework of a regular application. Transactions are then posted to the fictitious entity along with the regular transactions. The results produced by the normal processing cycle are compared with what should have been produced, which is predetermined by other means.
Fictitious entities must not become part of the financial reporting of the organization, and several methods can be adopted to prevent this. The simplest and most secure method is to make reversing journal entries at the appropriate cut-off dates. ITF enables management and the auditor to keep a constant check on the internal processing functions applied to all types of valid and invalid transactions.
SCARF
Each general ledger account has two fields: a yes/no field indicating whether or not SCARF applies to this account, and a monetary value which is a threshold amount set by the auditor.
If SCARF does apply to the account, then all transactions posted to the account which have a value in excess of the threshold amount are also written to a SCARF file. The contents of that file can be read by the user, but usually can only be altered or deleted by the organization's internal and external auditors. The same restriction applies to the yes/no and threshold fields associated with each account when new
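The SCARF mechanism just described (a yes/no flag and an auditor-set threshold on each ledger account, a copy of every over-threshold posting written to an audit file, and parameters that only auditors may change), as an added Python example that is not part of these notes. The account codes, role names and amounts are constructed for illustration:

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class LedgerAccount:
    code: str
    name: str
    scarf: bool         # yes/no field: does SCARF apply to this account?
    threshold: float    # monetary threshold amount set by the auditor
    balance: float = 0.0


class Ledger:
    """General ledger with an embedded SCARF audit module (constructed example)."""

    # Constructed role names: the only users allowed to alter SCARF parameters
    # or the SCARF file itself.
    AUDITORS = {"internal_auditor", "external_auditor"}

    def __init__(self, accounts: List[LedgerAccount]):
        self.accounts: Dict[str, LedgerAccount] = {a.code: a for a in accounts}
        self.scarf_file: List[dict] = []   # readable by users, changed only by auditors

    def post(self, user: str, account_code: str, amount: float, narrative: str) -> bool:
        """Post a transaction to the ledger. When SCARF applies to the account and
        the amount exceeds the threshold, a copy also goes to the SCARF file.
        Returns True when a SCARF record was written."""
        acct = self.accounts[account_code]
        acct.balance += amount
        if acct.scarf and abs(amount) > acct.threshold:
            self.scarf_file.append({
                "account": account_code,
                "amount": amount,
                "posted_by": user,
                "narrative": narrative,
            })
            return True
        return False

    def set_scarf_parameters(self, user: str, account_code: str,
                             scarf: bool, threshold: float) -> None:
        """Only auditors may change the yes/no flag or the threshold."""
        if user not in self.AUDITORS:
            raise PermissionError(f"{user} may not alter SCARF parameters")
        acct = self.accounts[account_code]
        acct.scarf = scarf
        acct.threshold = threshold

    def clear_scarf_file(self, user: str) -> None:
        """Only auditors may delete SCARF records (normally after review)."""
        if user not in self.AUDITORS:
            raise PermissionError(f"{user} may not alter the SCARF file")
        self.scarf_file.clear()


def build_demo_ledger() -> Ledger:
    """Constructed chart of accounts: SCARF applies to Cash above 10,000."""
    return Ledger([
        LedgerAccount("1000", "Cash", scarf=True, threshold=10_000.0),
        LedgerAccount("5000", "Office expenses", scarf=False, threshold=0.0),
    ])


if __name__ == "__main__":
    ledger = build_demo_ledger()
    ledger.post("clerk", "1000", 5_000.0, "routine receipt")      # below threshold
    ledger.post("clerk", "1000", 25_000.0, "large receipt")       # captured by SCARF
    print(ledger.scarf_file)
```

Because the record is written inside the posting routine itself, the audit trail is collected continuously rather than by a separate run, which is the defining property of an embedded audit module; the permission checks on the flag, threshold and file are what keep that trail trustworthy.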
Snapshot
The continuous and intermittent simulation (CIS) concurrent auditing technique can
be used whenever application systems use a database management system.
Transactions that are of interest to auditors are trapped by the database
management system and passed to CIS. CIS then replicates the application system's
processing, and the two sets of results are compared. If CIS's results differ from the
application system's results, data about the discrepancy is written to a special audit
file. If the discrepancies are material, CIS can instruct the database management
system not to perform the updates to the database on behalf of the application
system.
AUDIT SOFTWARE
Audit software comprises computer programs used by the auditor to examine an enterprise's computer files. It may consist of package programs or utility programs which are usually run independently of the enterprise's computer-based accounting system. It includes interrogation facilities available at the enterprise. The features of the main types of audit software are as follows:
PACKAGE PROGRAMS:
Consist of prepared generalized programs for which the auditor specifies his detailed requirements by means of parameters, and sometimes by supplementary program code.
UTILITY PROGRAMS:
Consist of programs available for performing simple functions such as sorting and printing data files.
(a) Logical path analysis will draw a flow chart of the program logic.
(b) Code comparison programs compare the original specified program with the current program to detect unauthorized amendments.
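A minimal code comparison check of the kind item (b) describes, as an added Python example that is not part of these notes: a fingerprint of the approved program text is compared with the version now in production, and when they differ the changed lines are reported for the auditor to review. Both program versions are constructed for illustration:

```python
import difflib
import hashlib
from typing import List, Tuple

# Constructed: the program version the auditor approved ...
AUTHORISED_SOURCE = """\
def net_pay(gross, tax_rate):
    tax = round(gross * tax_rate, 2)
    return round(gross - tax, 2)
"""

# ... and the version now found in production, carrying an unapproved amendment.
CURRENT_SOURCE = """\
def net_pay(gross, tax_rate):
    tax = round(gross * tax_rate, 2)
    if gross > 90000:
        tax = 0
    return round(gross - tax, 2)
"""


def fingerprint(source: str) -> str:
    """SHA-256 over the program text; equal fingerprints mean identical code."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def compare_program(authorised: str, current: str) -> Tuple[bool, List[str]]:
    """Return (unchanged, changed_lines). changed_lines holds the lines added
    ('+') or removed ('-') relative to the authorised version, headers excluded."""
    if fingerprint(authorised) == fingerprint(current):
        return True, []
    diff = difflib.unified_diff(
        authorised.splitlines(), current.splitlines(),
        "authorised", "current", lineterm="",
    )
    changes = [
        line for line in diff
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]
    return False, changes


if __name__ == "__main__":
    unchanged, changes = compare_program(AUTHORISED_SOURCE, CURRENT_SOURCE)
    print("unchanged" if unchanged else "UNAUTHORISED AMENDMENT:")
    for line in changes:
        print("   ", line)
```

The fingerprint makes the routine check cheap across many programs; the line-level diff is produced only for the ones that fail it, and it is that list, not the fingerprint, that the auditor needs in order to judge whether the amendment was authorised.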
(e) One of the greatest advantages of online systems is the ability to make editing more effective.
The following controls (some of which are common to all real-time systems) might be incorporated into a DBMS:
(ii) Satisfactory application controls over input, processing and master files
and their contents, including retrospective batching.
(iii) Use of operations manuals and training of all users.
(iv) Maintenance of logs showing unauthorized attempts to access and
regular scrutiny by the data processing manager and internal auditors.
(v) Physical protection of data files
(vi) Training in emergency procedures
Computer service bureaux are third-party service organizations which provide computing facilities to their clients.
The main types of bureaux are:
(a) Independent companies formed to provide specialist computing services.
(b) Computer manufacturers with bureaux.
(c) Computer users with spare capacity who hire out computer time when it is not required for their own purposes (e.g. universities).
(iii) Its staff will become familiar with the requirements of a computer system.
In some cases the new system may be initially implemented using a bureau. This will involve file conversion and pilot or parallel running.
(b) Cost: Many companies cannot justify the installation of an in-house computer on cost-benefit grounds. With the enormous increase in the number of VCRs and minicomputers available, this basis is becoming less common.
(c) Peak loads: Some computer users find it convenient to employ a bureau to cope with peak loads arising, for example, from seasonal variations in sales. A bureau may also be used for data preparation work for file conversion prior to the implementation of a new computer system.
(d) Stand-by: A bureau's computer may be used in the event of a breakdown of an in-house machine.
(e) Specialist skills: Management may feel that the job of data processing should be left to the experts.
(f) Consultancy: A bureau can provide advice and assistance in connection with feasibility studies, system design, equipment evaluation, staff training and so on.
(g) For one-off use.
ADVANTAGES OF BUREAU:
(a) Very few users can afford to pay for the services of systems analysts and programmers of the quantity that will be found working for a large bureau.
(b) Use of a bureau should enable a customer to obtain the use of up-to-date computer technology at the bureau.
(c) Unloading responsibility on to the bureau (e.g. payroll).
(d) Use of a bureau does not require a high capital outlay.
DISADVANTAGES OF BUREAU
(a) Loss of control over the time taken to process data and, in particular, the inability to reschedule work should input delays occur.
(b) Problems may be encountered in the transfer of data to and from the bureau.
(c) The bureau may close down, leaving the customer without any DP facilities.
(d) Customers may feel that they will lose control over an important function, and that it is bad security to allow confidential information to be under the control of outsiders.
(e) Its employees will be uninterested in, and often unaware of, the type of data they are processing.
(f) Standards of service and the provision of adequate documentation, control and any audit trail are also important considerations.
(i) Adopt a recognized and documented systems analysis and design method.
(ii) Full ongoing documentation must be completed throughout the development stage.
(iii) Review and approval should be carried out throughout the development stage.
(iv) Test data must be designed to impact on all system areas with predetermined results.
(v) Full testing should be carried out prior to implementation.
(vi) Approval of system documentation with external auditors.
(vii) Full training schemes should be set up.
(viii) User documentation should be reviewed prior to implementation.
(ix) Controlled file conversion from the old to the new system.
(x) Review of the ability of development staff.