INTRODUCTION TO INFORMATION SYSTEMS AUDIT
Introduction to Cobit Framework – Week 3
Agenda
• Cobit Context
• Cobit Principles
  • Business Focused
  • Process Control Oriented
  • IT Resources
  • Performance Measurement
• Overall Cobit Interrelationship
Introduction - Challenges
• Hardware and software technology constantly changes
• Senior managers of information systems manage the relationship between the IS function and other functions
• Role of information systems in competitive strategy
• Auditors can evaluate top management by how well they perform their four major functions: planning, organizing, leading and controlling
Evaluating the Planning Function
Linking Business and IT
[Figure: the business/IT alignment cycle. Panels: Business/IT Alignment (corporate and technology direction, project and application driven requests, steering committee and evaluation committee), Strategic IT Planning Cycle (global architecture, project-specific architectures, business applications, technology, internal and external needs), and Prioritization & Funding. Program results feed back into plan updates.]
IT Architecture vs. Infrastructure
IT infrastructure
Physical facilities, services, and management that support all computing resources in an organization.
IT architecture
A high-level map or plan that explains and guides how IT elements work together:
• Business activities and processes
• Data sets and information flows
• Applications, software, technology
Contingency Approach to Planning
Harvard - McFarlan
• Support – small planning
• Factory – short run resource needs
• Turnaround – long run application needs
• Strategic – both

McFarlan strategic grid (importance of current systems vs. importance of proposed systems):

                                Importance of Proposed Systems
                                Low          High
Importance of      Low          Support      Turnaround
Current Systems    High         Factory      Strategic

Sullivan
• Traditional
• Federation
• Backbone
• Complex

Sullivan grid (systems diffusion and dispersion vs. systems infusion and integration):

                                Systems Infusion and Integration
                                Low          High
Systems Diffusion  Low          Traditional  Backbone
and Dispersion     High         Federation   Complex
Strategic IT Planning
Challenges:
• Many companies lack well-defined strategies
Types of Plans - Operational
• Progress report
  • Current plan initiatives achieved or missed
  • Platform changes
• Initiatives to be undertaken
  • Systems, platform, personnel, financial resources
• Implementation schedule
  • Start / finish dates, milestones, control procedures
Role of the Steering Committee
• Personnel acquisition
  • Top management evaluates the integrity and capabilities of applicants
  • Background check, screening mental and physical health, bonding, explaining organizational protocols, indoctrination
• Personnel development
  • Promotional and personal growth opportunities
  • Education, reviews, identifying opportunities for personal growth, training and continuing education
• Personnel termination
  • Notification, security review
  • Replacement training, exit interview
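The "security review" step of personnel termination is something an auditor tests rather than takes on trust. The script below is an added example (not part of the lecture material) of one such test: it reconciles a constructed HR termination list against a constructed export of system accounts and reports every account that is still enabled, or was used, after the person left. The employee names, dates and the one-day grace period are all assumptions made for illustration.

```python
"""Added example: audit test for the 'personnel termination -> security review' control.

Reconciles an HR list of terminated staff against an export of system accounts
and returns the exceptions an auditor would raise. All data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    last_login: Optional[date]


# Constructed sample data: hypothetical employees, termination dates and accounts.
HR_TERMINATIONS: Dict[str, date] = {
    "jdoe": date(2024, 3, 1),
    "asmith": date(2024, 2, 15),
    "bwong": date(2024, 3, 10),
}

DIRECTORY_EXPORT: List[Account] = [
    Account("jdoe", enabled=True, last_login=date(2024, 3, 5)),     # still enabled, used after leaving
    Account("asmith", enabled=False, last_login=date(2024, 2, 14)), # disabled on time
    Account("bwong", enabled=True, last_login=None),                # enabled, never used since
    Account("clee", enabled=True, last_login=date(2024, 3, 9)),     # current employee, not in scope
]


def find_exceptions(terminations: Dict[str, date],
                    accounts: List[Account],
                    grace_days: int = 1) -> List[Tuple[str, str]]:
    """Return (user_id, finding) pairs for terminated staff whose access was not revoked.

    grace_days is the assumed window in which the account must be disabled;
    a login after that window is a second, independent finding."""
    by_id = {a.user_id: a for a in accounts}
    findings: List[Tuple[str, str]] = []
    for uid, term_date in terminations.items():
        acct = by_id.get(uid)
        if acct is None:
            continue  # no account in this system, nothing to revoke
        deadline = term_date + timedelta(days=grace_days)
        if acct.enabled:
            findings.append((uid, "account still enabled after termination"))
        if acct.last_login is not None and acct.last_login > deadline:
            findings.append((uid, "login observed after termination grace period"))
    return sorted(findings)


if __name__ == "__main__":
    for uid, finding in find_exceptions(HR_TERMINATIONS, DIRECTORY_EXPORT):
        print(f"{uid}: {finding}")
```

In a real engagement the two inputs would be the HR system's leaver report and a directory export (for example an LDAP or identity-provider dump); the reconciliation logic is the same, and the exception list becomes the evidence for the audit finding.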
Centralization vs. Decentralization of the IS Function
Advantages
• Centralization: better control and economies of scale
• Decentralization: more flexible and less communication cost
Dimensions
• Control – responsibility for decision making about IS
• Location of facilities
• Functions – development, operations, maintenance
Internal Organization of IS
• Workstation Specialist
• Systems Analyst
• End-User Support
• Application Programmer
• Quality Assurance
• Systems Programmer
• Executive IS
• Data Administrator
• Expert Systems
• Database Administrator
• Operations
• Security Administrator
• Operator
• Network Administrator
• Librarian
• Data Entry
• Administrative Support
More Recent Organization
Position descriptions (job titles not recovered from the slide):
• Overall control
• Technology diffusion and control
• Control of IS activities
• Control over users of IS services
• Overall control of IS
INTRODUCTION TO INFORMATION SYSTEMS AUDIT
Systems development phases:
• Information Analysis
• Systems Design
• Program Development
• Acceptance Testing
• Conversion
[Figure: decision flow on power and user involvement. Will the proposed IS change the power structure? No: continue. Yes: users may undermine progress (IS changes the power system, IS influences others, IS has symbolic power); responses shown are replacing involvement with negotiation, user participation, face-to-face negotiation and compromise, confronting users, or a powerful 'fixer'; then continue.]
Soft-systems approach
1. Recognize the problem situation
   • problem solver
   • problem owner
   • decision taker (power)
2. Express the problem situation
   • roles, norms and values
   • rich pictures
3. Produce root definitions of relevant systems
   • customers, actors and transformations, Weltanschauung, owner, and environment (CATWOE)
4. Develop conceptual models of relevant systems
   • 'systems thinking'
   • ideal model
5. Compare conceptual models with perceived problem situation
   • exploration
   • diagnosis
   • design
6. Identify desirable and feasible changes
7. Take action to improve the problem situation

[Figure: soft systems approach – systems thinking with economic and behavioral dimensions and a stop/go decision.]
Analysis of the existing system
• Studying the existing organizational history, structure, and culture
• Studying the existing product and information flows
• Auditors evaluate the designers' decisions about what needed to be studied and to what extent (nature and extent of examination)
• High-quality methodology
• Computer aided software engineering (CASE) tools

[Figure: old system (history, culture, structure, product flows, information flows) studied to derive the new system.]
Formulating strategic requirements
Strategic requirements are identified based on perceived deficiencies in the existing system or perceived opportunities for enhanced task accomplishment and quality of working life.
• Vague or specific?
• Early or late?
Auditors evaluate:
• Do systems designers recognize the importance of articulating strategic requirements for the quality of subsequent design work?
• If there are substantial behavioral impacts, are there procedures in place to reach agreement on strategic requirements?
• If substantial uncertainty surrounds the proposed system, they should examine and evaluate the procedures to help clarify strategic requirements.
Design areas: organizational and job design, user interface design, database, software design, platform design, requirements elicitation.

Elicitation of detailed requirements
• Ask the stakeholders what they require
• Discover the requirements through analysis and experimentation
Auditors evaluate:
• Have designers chosen appropriate requirements-elicitation strategies and methodologies?
• Is there evidence of satisfactory consensus and documentation?
Design of the data/information flow
• The flow of data and information and the transformation points
• The frequency and timing of the data and information flows
• The extent to which data and information will be formalized
• Hardware
• Batch / on-line / real time
• Cycle
Design of the hardware / system software platform
Auditors should evaluate:
• Efficiency and effectiveness
• Good design practices followed?
• Adequate testing?
• Modularity and generality – ease of upgrade and change
• Quality of connections and communication
Application software acquisition and development
Software is acquired or developed:
• Acquired software: generalized packages configured and perhaps modified and adapted
• Developed software: prototyping, SDLC, program development from scratch – see next chapter

Auditors should evaluate:
Acquired software
• Quality of specifications to vendors
• Quality of procedures to evaluate software: accuracy, functionality, completeness, documentation, vendor stability and support, nature of contracts
• Quality of software and maintenance
Developed software
• Procedures during development – see next chapter
• Control risks during development
• Testing and implementation
• Insertion of audit routines and modules
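"Insertion of audit routines and modules" refers to code placed in the application itself so the auditor gets an independent record of selected transactions. The block below is an added illustration, not code from the lecture or from any real product: a minimal embedded audit module that copies transactions meeting constructed selection rules (amount at or above a threshold, or requester approving their own request) into a hash-chained log, so that later alteration or removal of an entry can be detected. The transaction fields, threshold and sample data are assumptions.

```python
"""Added example: an embedded audit module with a tamper-evident (hash-chained) log.

The application calls audit.inspect() on its transaction path; selected
transactions are copied to an append-only log whose entries chain to each
other by SHA-256, so an auditor can verify nothing was altered or dropped.
Selection rules and sample transactions are constructed for illustration."""
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64  # chain anchor before the first entry


class EmbeddedAuditModule:
    def __init__(self, amount_threshold: int):
        self.amount_threshold = amount_threshold
        self.log: List[Dict] = []     # in production this would be a separate, append-only store
        self._prev_hash = GENESIS

    def _reasons(self, txn: Dict) -> List[str]:
        """Selection rules (assumed): large amounts and self-approval."""
        reasons = []
        if txn["amount"] >= self.amount_threshold:
            reasons.append("amount at or above threshold")
        if txn["requester"] == txn["approver"]:
            reasons.append("requester approved own transaction")
        return reasons

    @staticmethod
    def _digest(entry: Dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def inspect(self, txn: Dict) -> bool:
        """Record the transaction if any rule fires; return whether it was recorded."""
        reasons = self._reasons(txn)
        if not reasons:
            return False
        entry = {"txn": dict(txn), "reasons": reasons, "prev_hash": self._prev_hash}
        entry["hash"] = self._digest(entry)
        self.log.append(entry)
        self._prev_hash = entry["hash"]
        return True

    def verify_chain(self) -> bool:
        """Auditor-side check: every entry's hash matches and links to its predecessor."""
        prev = GENESIS
        for entry in self.log:
            if entry["prev_hash"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def post_payment(ledger: List[Dict], audit: EmbeddedAuditModule, txn: Dict) -> None:
    """Application routine with the audit hook inserted ahead of the business action."""
    audit.inspect(txn)
    ledger.append(txn)


# Constructed sample transactions.
SAMPLE_TRANSACTIONS = [
    {"id": 1, "amount": 250, "requester": "alice", "approver": "bob"},
    {"id": 2, "amount": 12000, "requester": "alice", "approver": "bob"},   # large amount
    {"id": 3, "amount": 90, "requester": "carol", "approver": "carol"},    # self-approved
]


def run_sample():
    ledger: List[Dict] = []
    audit = EmbeddedAuditModule(amount_threshold=10000)
    for txn in SAMPLE_TRANSACTIONS:
        post_payment(ledger, audit, txn)
    return ledger, audit


if __name__ == "__main__":
    ledger, audit = run_sample()
    for entry in audit.log:
        print(entry["txn"]["id"], entry["reasons"], entry["hash"][:12])
    print("chain intact:", audit.verify_chain())
```

The point for the auditor is that the selection rules and the log are controlled outside the application team: the module copies the transaction at the time it is processed, and the chained hashes mean a later edit to the stored copy is detectable, which is what makes the log usable as evidence.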
Hardware/system software acquisition
• Purchased hardware
  • Request for proposal
  • Vendor submission evaluated
  • Selection process
Procedures
• Design of procedures
• Testing of procedures
• Implementation of procedures
• Documentation of procedures
• Personnel training
• Installation of new hardware and software
• Conversion of files and programs
• Schedule of operations and test running
Operations and maintenance
• Repair maintenance
• Adaptive maintenance
COBIT Guidelines
Planning & Organization
• PO1 Define a Strategic Information Technology Plan
• Maturity Model