
Session 2

Technology and Security


Risk Services

IT Environment (1)

for Universitas Padjadjaran
Accounting Department
IT Audit S1 Regular Class

by Isnaeni Achdiat, CISA, CIA, CISM


Shinta Marina
24 Sept 2005

24 September 2005

IS Audit Syllabus
No  Subject Name                              Date
1   Introduction of IS Audit                  17-Sep-05
2   IT Environment (1)                        24-Sep-05
3   IT Environment (2)                        1-Oct-05
4   IT Processes                              8-Oct-05
5   General Computer Control Review (1)       15-Oct-05
6   General Computer Control Review (2)       22-Oct-05
7   General Computer Control Case Study       29-Oct-05
8   Mid-semester Exam                         12-Nov-05
9   Application Control Review (1)            19-Nov-05
10  Application Control Review (2)            26-Nov-05
11  Application Control Case Study            3-Dec-05
12  IT Sarbanes-Oxley and IT Governance       10-Dec-05
13  IT Security and Data Analysis Approach    17-Dec-05
14  IT Risk Management & ERP Systems          24-Dec-05
15  Final Exam                                TBA

Agenda


Role of IT for the Business


IT Organization in the Business
Hardware


Session 2 Objectives
Gain understanding of the importance and role of IT for the Business
Understand IT organization & its requirements
Introduce the students to:
  The concepts of hardware and the risks and controls associated with them, and
  The basic audit/review aspects and considerations of the above concepts.


Role of IT for the Business


Examples of IT in the business


Accounting systems
Payroll systems
Production planning systems
Inventory management systems
Network
Document scanning, printing, digital storing
Email, Internet

Examples of IT in the business


How is Information Technology used in organizations, examples?

Elements of Information Technology


Software
Business applications
Office applications
Spreadsheets, databases, etc.

Hardware
PCs/workstations
Terminals
Servers
Network equipment (hub, switch, router, etc.)
Printers, scanners, etc.

Elements of Information Technology


Support tools
System development tools
Change Management tools
Helpdesk software
Security software (firewall, anti-virus software, etc.)


What Matters to CEOs?


1. Maximizing shareholder value
2. Protecting the market position of the company
Therefore they want IT to:

Enable/facilitate the business strategy
Deliver ROI
Enhance competitive advantage
Deliver quality while minimizing risk
Achieve compliance goals

CFO IT Perspectives
49% of CIOs report to the CFO (29% to the CEO)
Technology expertise considered most important skill after financial expertise (44% response)
IT training first priority for developing accounting staff (52%)
82% of CFOs say accounting departments have become more involved in technology initiatives
Responsibilities outside the scope of traditional financial functions will occupy 37% of a senior accountant's time in five years.
Source: RHI Management Resources / FEI-CSC Surveys

Changing Role of CFOs


Greater role in technology and information systems initiatives: 39%
More strategic planning and decision making: 26%
Increased interaction with other departments: 16%
Expanded leadership and management role: 14%
Other/don't know: 5%

Source: RHI Management Resources Survey

IT Priorities for CFOs


A. Identifying appropriate level of IT investment 61.2%
B. Prioritizing technology investments 55.3%
C. Identifying how IT can improve or influence business processes 53.3%
D. Determining appropriate use of eCommerce 32.4%

[Bar chart: items A to D, percentage scale 0 to 80, series 1999, 2000, 2001]
Source: FEI-CSC Survey

Management Challenges
30% of businesses are unable to determine their return on technology investments
61% do not have a written strategic plan for information systems
Only 23% of those with plans believe them to be fully aligned to the business strategy
Source: FEI-CSC Survey

Business Requirements on IT
Confidentiality
Integrity and Reliability
Availability
Effectiveness and Efficiency
Compliance


Impact of IT on the Business


Software implementation failures leading to process failure, financial and reputational loss
Lack of valid information required to make business decisions
Lack of security resulting in financial and reputational loss
Hardware failure leading to inability to process transactions and/or trade effectively
Legislative implications of non-compliance

Possible Results
Restatement of accounts
Bankruptcy
Falling share price
Poor financial performance
Bad publicity
Customer dissatisfaction

Top 10 IT Issues
1. Strategy: prioritizing technology investments
2. Budgeting: identifying appropriate investment level
3. Efficiency: evaluating/measuring return on technology
4. Security: confidentiality/integrity/reliability of data
5. Continuity: securing the availability of information
6. eCommerce: re-volution to e-volution
7. Project Management: high price of implementation failure
8. ERP: pros and cons of integrated software
9. Outsourcing: trusting your business to third parties
10. Regulation: legislation compliance (e.g., data privacy)

IT Organization in the Business


Responsibility of IT Management
Where can you find the IT organization in a company?
Finance manager (no specific IT manager)
IT Manager, reporting to Finance Manager
IT Manager or CIO, reporting to CEO
CIO and IT Manager

Responsibilities in IT Management
System development
Development and implementation of new information systems
Application management
Network Management
Helpdesk/user support
Project management

Types of IT organizations
Small IT organization (1-5 people)
CEO/PresDir
Finance
Marketing
Production
Head of IT
Application management and support
Network (hardware) management

Types of IT organizations
Medium size IT organization (5 - 50 staff)
CEO/PresDir
Marketing
Finance
Production
IT Department
System Development
Infrastructure management
Application management
Programmers
Network management
Database Manager
Information analysts
Hardware management
Office application management
Telecommunication management
Business application management
Helpdesk

Organizational requirements for IT departments
Position in the organization
Segregation of duties
Screening and hiring
Staff skills and development (training)

Hardware


Hardware
Hardware architecture
Hardware components
Risks and Controls
Hardware Review/audit techniques


Hardware
Hardware architecture
Classes
Large (mainframe)
IBM S-360/370, S390, z900
Unisys NX4801-21
Bull, Fujitsu

Medium (mini computer)


IBM S/36, S/38, AS/400 (i-series), RISC 6000
DEC VAX
HP3000 series, Bull

Small (microcomputer)
IBM PC Compatible

Hardware
Hardware components
Devices
Processors
Storage
FDD, Hard disk, CD-ROM, Magnetic Tape, Micro film
Input/output devices
Keyboard, POS terminals, Barcode readers, Mouse, Stylus, scanner
Printer, Monitor, Plotter
Communication and networking devices
Modems, routers, switches & hubs, NIC

Hardware
Risks and controls
Risks
Failures
Theft, vandalism
Disasters
Under/over capacity

Controls
Environmental controls (humidifiers, AC, UPS, surge protector)
Monitoring and Maintenance
Physical access
Backup, avoid flammable materials (incl. Printers)
Capacity planning

Hardware
Hardware review/audit techniques
Physical controls
Environmental controls
Hardware capacity management
  CPU, I/O, terminal, telecommunication, bandwidth and storage utilization
  Number of users
  New technologies, applications
  Service level agreements
Hardware monitoring
  Hardware error reports
  Availability reports
  Utilization reports
Hardware acquisition plan & maintenance
  Information processing requirements, Hardware requirements, System software requirements, Support and maintenance requirements.

Operating Systems


Summary
Hardware is one of the organization's assets that should be properly controlled and managed by management.
Today's auditors should be familiar with and prepared to deal with the various rapid developments in IT and its risks.
IS Auditor's tasks:
Review the existing controls available
Test the compliance
Recommend adequate controls

Question and Answer


Thank You
