Chapter Four: Information Technology Deployment Risks (Week 5)
TRANSCRIPT
Chapter Four
INFORMATION TECHNOLOGY DEPLOYMENT RISKS
(Week 5)
Lecture Outline
– Developing Strategic Plans
– Managing Development Projects
– Acquiring Software Applications
– Developing Software Applications
– Changing Software Applications
– Implementing Software Applications
Developing Strategic Plans
– Serves as the primary guideline for allocating resources throughout the firm.
– Keeps the organization headed in a profitable direction.
– Strategic planning begins with a vision and follows a clearly defined path: vision → mission → objectives → strategy → policies.
[Diagram: Vision → Mission → Objectives → Strategy → Policies. Information technology plans must complement and support company plans.]
– The IT auditor should look for evidence of a prescribed, documented IT strategic planning process.
– The existence of an ongoing process of this nature indicates that the company is constantly and diligently seeking an optimal "fit" between the information technology infrastructure and the organization's overall goals.
– The planning process increases the likelihood that the company is making the most efficient and effective use of IT throughout the organization.
Important Policy Areas for IT Functions
1. Planning Policies
   a. Responsibility (who is involved with planning?)
   b. Timing (when does planning take place?)
   c. Process (how should planning be conducted?)
   d. Deliverables (what planning documents are produced?)
   e. Priorities (what are the most to least critical planning issues?)
Important Policy Areas for IT Functions
2. Organizational Policies
   a. Structure (what is the organizational form of the IT function?)
   b. Information Architecture (is the infrastructure aligned with the firm's mission?)
   c. Communication (are the IT strategy and policies known by all affected parties?)
   d. Compliance (are all external regulations and laws being addressed?)
   e. Risk Assessment (are IT risks identified, measured and controlled?)
3. Human Resource Policies
   a. Training (what kind of training is provided and to whom?)
   b. Travel (what are the travel guidelines and priorities?)
   c. Hiring (who determines needs and who screens applicants?)
   d. Promotion (what are the guidelines and how does the process work?)
   e. Termination (what are voluntary and involuntary termination guidelines?)
Important Policy Areas for IT Functions
4. Software Policies
   a. Acquisition (how is software acquired from outside vendors?)
   b. Standards (what are the software compatibility standards?)
   c. Outside Contractors (should contractors be used for software development?)
   d. Changes (how to control and monitor the software change process?)
   e. Implementation (how to handle conversions, interfaces, and users?)
Important Policy Areas for IT Functions
5. Hardware Policies
   a. Acquisition (how is hardware acquired from outside vendors?)
   b. Standards (what are the hardware compatibility standards?)
   c. Performance (how to test computing capabilities?)
   d. Configuration (where to use client-servers, personal computers, and so on?)
   e. Service Providers (should third-party service bureaus be used?)
Important Policy Areas for IT Functions
6. Network Policies
   a. Acquisition (how is network technology acquired from outside vendors?)
   b. Standards (compatibility of local area networks, intranets, extranets, and so on?)
   c. Performance (how much bandwidth is needed and is the network fast enough?)
   d. Configuration (use of servers, firewalls, routers, hubs, and other technology?)
   e. Adaptability (capability to support emerging e-business models?)
Important Policy Areas for IT Functions
7. Security Policies
   a. Testing (how is security tested?)
   b. Access (who can have access to what information and applications?)
   c. Monitoring (who monitors security?)
   d. Firewalls (are they effectively utilized?)
   e. Violations (what happens if an employee violates security?)
Important Policy Areas for IT Functions
8. Operations Policies
   a. Structure (how is the operations function structured?)
   b. Responsibilities (who is responsible for transaction processing?)
   c. Input (how does data enter into the information system?)
   d. Processing (what processing modes are used?)
   e. Error Handling (who should correct erroneous input/processing items?)
Important Policy Areas for IT Functions
9. Contingency Policies
   a. Backup (what are the backup procedures?)
   b. Recovery (what is the recovery process?)
   c. Disasters (who is in charge and what is the plan?)
   d. Alternate Sites (what types of sites are available for off-site processing?)
Important Policy Areas for IT Functions
10. Financial and Accounting Policies
   a. Project Management (are IT projects prioritized, managed, and monitored?)
   b. Revenue Generation (should services be sold inside or outside the organization?)
   c. Technology Investments (are the investment returns being properly evaluated?)
   d. Funding Priorities (where to most effectively allocate resources?)
   e. Budgets (are budgets aligned with funding levels and priorities?)
Important Policy Areas for IT Functions
"Red Flags" for IT Auditors
The following key planning risk indicators should trigger red flags for the IT auditor.
1. A strategic planning process is not used.
2. Information technology risks are not assessed.
3. Investment analyses are not performed.
4. Quality assurance reviews are not conducted.
5. Plans and goals are not communicated.
Key Planning Risk Indicators
6. Information technology personnel are disgruntled.
7. Software applications do not support business processes.
8. The technology infrastructure is inadequate.
9. The user community is unhappy with the level of support.
10. Management's information needs are not met.
CobiT Guidelines
– The guidelines suggest that eleven processes should be incorporated into IT strategic plans.
– Each process is integrated throughout the IT policy areas.
– The processes are designed to manage the key IT risks.
11 Processes
1. Develop a strategic IT plan.
2. Articulate the information architecture.
3. Find an optimal fit between IT and the company's strategy.
4. Design the IT function to match the company's needs.
5. Maximize the IT investment.
6. Communicate IT policies to the user community.
7. Manage the IT workforce.
8. Comply with external regulations, laws, and contracts.
9. Conduct IT risk assessments.
10. Maintain a high-quality systems development process.
11. Incorporate sound project management techniques.
Managing Development Projects
– Regardless of the type of project, there are project management techniques that apply to most situations.
– Using a structured methodology minimizes the risk of failure:
  – Late delivery
  – Cost overrun
  – Lack of functions
  – Poor quality
– The IT auditor should check that project management techniques are employed.
Project Manager
– The first step is to assign the project to a manager, who:
  – Needs experience in the domain area
  – Needs skill at managing projects
  – Must work well with staff on planning and executing the project:
    – Senior management representatives
    – IT staff
    – Affected users
Generic Project Life Cycle
[Diagram: Activities 1 to 4, each with its parameters, resources and a deliverable, flow from the project beginning to the project outcome at the end. Project resources and boundary conditions (scope, time, cost) frame the whole; the management stages are planning, scheduling, monitoring, controlling and closing.]
Project Life Cycle
Phase 1: Plan the Project
– Set the time, cost and scope
– Identify resources
– Articulate the project outcome
– Work with specialists, i.e., analysts, programmers, users
– Determine the WBS (Work Breakdown Structure)
Phase 2: Schedule the Project (create a timetable for each activity)
– Gantt charts
– Critical Path Analysis
– Critical Path Method
– Microsoft Project
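As an added worked example (not part of the lecture), the critical path analysis named under Phase 2, run over a constructed work breakdown structure: a forward pass gives each activity's earliest start and finish, a backward pass its latest start and finish, and the zero-slack activities form the critical path, which is where Phase 3 monitoring tolerates the least deviation. The activity names and durations are invented for illustration.

```python
from collections import deque

# Constructed sample WBS (not from the lecture):
# activity -> (duration in days, list of predecessor activities)
WBS = {
    "A_requirements":  (5,  []),
    "B_design":        (8,  ["A_requirements"]),
    "C_procure_hw":    (10, ["A_requirements"]),
    "D_build":         (12, ["B_design"]),
    "E_security_test": (4,  ["D_build"]),
    "F_install":       (3,  ["C_procure_hw", "D_build"]),
    "G_acceptance":    (2,  ["E_security_test", "F_install"]),
}


def topo_order(wbs):
    """Kahn's algorithm: returns activities in dependency order plus a
    successor map. A cyclic WBS cannot be scheduled, so it raises."""
    indeg = {a: len(preds) for a, (_, preds) in wbs.items()}
    succ = {a: [] for a in wbs}
    for a, (_, preds) in wbs.items():
        for p in preds:
            succ[p].append(a)
    queue = deque(a for a, d in indeg.items() if d == 0)
    order = []
    while queue:
        a = queue.popleft()
        order.append(a)
        for s in succ[a]:
            indeg[s] -= 1
            if indeg[s] == 0:
                queue.append(s)
    if len(order) != len(wbs):
        raise ValueError("WBS contains a dependency cycle")
    return order, succ


def critical_path(wbs):
    """Forward pass (earliest start/finish), backward pass (latest
    start/finish), then slack = LS - ES. Returns the project length,
    the slack per activity and the critical (zero-slack) activities."""
    order, succ = topo_order(wbs)
    es, ef = {}, {}
    for a in order:                         # forward pass
        dur, preds = wbs[a]
        es[a] = max((ef[p] for p in preds), default=0)
        ef[a] = es[a] + dur
    project_length = max(ef.values())
    ls, lf = {}, {}
    for a in reversed(order):               # backward pass
        lf[a] = min((ls[s] for s in succ[a]), default=project_length)
        ls[a] = lf[a] - wbs[a][0]
    slack = {a: ls[a] - es[a] for a in wbs}
    critical = [a for a in order if slack[a] == 0]
    return project_length, slack, critical


if __name__ == "__main__":
    length, slack, critical = critical_path(WBS)
    print(f"project length: {length} days")
    print("critical path:", " -> ".join(critical))
    for a, s in slack.items():
        print(f"{a:18s} slack {s:2d} days")
```

Activities with positive slack (here hardware procurement and installation) can slip by that many days without moving the end date; a zero-slack activity that slips delays the whole project.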
Project Life Cycle
Phase 3: Continuous Monitoring
– Use benchmarks, milestones and deliverables to track progress
– Monitoring frequency varies by project, depending on the sensitivity of the project to deviation
– Rule of thumb: determine the maximum percent deviation allowed and monitor activities at the half-way point.
Phase 4: Controlling
– Aimed at keeping the project moving
– Adjust to unexpected issues, delays, and problems that arise
– Continually adjust the plan
Project Life Cycle
Phase 5: Closing the Project
– Obtain client acceptance in writing
– Release and evaluate project personnel
– Identify and reassign remaining project assets
– Evaluate the project
– Chronicle the project history
Key Project Risk Indicators
1. Management does not use a formal project management methodology.
2. Project leaders are not adequately experienced at managing projects.
Key Project Risk Indicators
3. Project leaders have insufficient domain expertise.
4. Project teams are unqualified to handle the project size/complexity.
5. Project team members are dissatisfied and frustrated.
6. Projects do not have senior-level executive support.
7. Projects do not include input from all affected parties.
8. Project recipients are dissatisfied with project outcomes.
9. Projects are taking longer to develop than planned.
10. Projects are costing more than budgeted.
Acquiring Software Applications
– The IT auditor should determine whether the new application would fit into the company's strategic plan.
– There should be a formal software application acquisition policy.
– Needs must be identified and prioritized.
– Determine which applications can be developed in-house, and which to purchase.
Selection Process
– Assign a project manager
  – Must know the needs of users and include them in decisions
– Identify alternatives and compare:
  – Ease of use
  – Functionality
  – Reporting
  – Documentation
  – Security features
  – Internal controls
  – Integration with existing systems
  – Future scalability
  – Performance
  – Cost
– Total Cost of Software
  – Price of acquisition
  – User training
  – Multiple licenses
  – Service and support
  – Future upgrades
  – Software modifications
Key Acquisition Risk Indicators
1. Software acquisitions are not mapped to the strategic plan.
2. There are no documented policies aimed at guiding software acquisitions.
Key Acquisition Risk Indicators
3. There is no process for comparing the "develop versus purchase" option.
4. No one is assigned responsibility for the acquisition process.
5. Affected parties are not involved with assessing requirements and needs.
6. There is insufficient knowledge of software alternatives.
7. Security features and internal controls are not assessed.
8. Benchmarking and performance tests are not carried out.
9. Integration and scalability issues are not taken into account.
10. Total cost of ownership is not fully considered.