Managing the IT Function
Revised in 2014
Content
• What is the IT function?
• How to plan, measure and monitor the IT function in an organization
• Managing the IT function in terms of:
1. Organizing the IT function
2. Funding the IT function
3. Staffing the IT function
4. Directing the IT function
5. Controlling the IT function
CIS B424, Sulfeeza
Overview of IT function
So what is an IT function? Basically, what does an IT department do in an organization?
According to Gartner Group, a company's Information Technology department:
a) plans, operates and supports the organization's IT infrastructure, which enables business users to carry out their roles efficiently, productively and securely;
b) must fulfil multiple business and technical requirements by providing a secure and reliable IT infrastructure while minimizing costs.
(Source: Ian Linton, Demand Media)
Overview of IT function
• Effective management of the IT function is a critical success factor in ensuring the economic viability of an organization
• Why? Mismanagement of the IT function could expose the organization to serious risks, such as:
a) Risks to the availability, security, integrity and maintainability of the computing infrastructure
b) Risks to the effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability of company information
• IT auditors must verify that IT managers are properly managing the IT function so that it adds value to the organization
How to plan, measure and monitor the IT function's performance?
• Using the concept of an IT Function Scorecard
• Based on the balanced scorecard of Kaplan & Norton (1996): a performance measurement framework used in strategic management to identify and improve various internal functions and their resulting external outcomes. The balanced scorecard attempts to measure and provide feedback to organizations in order to assist in implementing strategies and objectives
Balanced Scorecard
[Figure: the balanced scorecard. Source: Balanced Scorecard Organization]
Strategy Mapping using Balanced Scorecard Approach
[Figure: strategy map built with the balanced scorecard approach. Source: Balanced Scorecard Organization]
IT Balanced Scorecard
The four perspectives of the traditional balanced scorecard and their IT balanced scorecard equivalents:
Traditional Balanced Scorecard -> IT Balanced Scorecard
Financial -> Corporate Contribution
Customer -> User Orientation
Internal Business Process -> Operational Excellence
Learning and Growth -> Future Orientation
[Figure: IT balanced scorecard strategy map, with Vision and Strategy at the centre and objectives grouped under the four IT perspectives]
Corporate Contribution: Strategic Contribution; Synergy Achievement; Management of IT Investment; Business Value of IT Projects
Customer Orientation: Customer Satisfaction; Application Development Performance; Service Level Agreement; IT Business Partnership
Operational Excellence: Process Excellence; Responsiveness; Security & Safety; Backlog Management; Internal Cost of Quality Measures
Future Orientation: Service Capability Improvement; Staff Management Effectiveness; Enterprise Architecture Evolution; Emerging Technology
1. Organizing the IT Function
• Structuring the IT function in an organization has become more complex as corporate structures have also become more complicated
• For the organization to benefit fully from the IT function, and for the IT function to be recognized as an important entity in the organization, it must be planned well
• One of the issues to be determined is the "location" of the IT function
1. Organizing the IT Function
What are the risks of improperly locating and structuring the IT function?
1. The IT function fails to address the organization's strategic initiatives
2. The potential efficiency and effectiveness of the IT function are not fully realized
3. Improper segregation of incompatible functions, which can threaten the integrity and security of enterprise-wide information and the computing infrastructure
1. Organizing the IT Function
So, how should the IT function be structured in an organization?
IT function operating models:
a) Centralized IT
b) Decentralized IT
c) Federated IT
1. Organizing the IT Function
a) Centralized IT
All IT infrastructure and application services for every line of business (LOB) in the organization are delivered by a single internal IT department
(Source: http://blog.thehigheredcio.com/2012/07/20/it-organization-structure)
[Figure: centralized IT, a single CIO serving all LOBs]
1. Organizing the IT Function
b) Decentralized IT
Every LOB has its own dedicated internal IT department
(Source: http://blog.thehigheredcio.com/2012/07/20/it-organization-structure)
[Figure: decentralized IT, each LOB with its own CIO under the CEO]
1. Organizing the IT Function
c) Federated IT
Some services (such as infrastructure services) are offered centrally to the entire organization, and some services (such as application services) are offered by the dedicated IT department within the individual LOB
(Source: http://blog.thehigheredcio.com/2012/07/20/it-organization-structure)
[Figure: federated IT, a Group CIO plus a CIO in each LOB]
1. Organizing the IT Function
Three (3) main categories of activities performed by the IT function in an organization:
a) IT infrastructure management
Decisions that address the nature of hardware and software platforms, annual enhancements to these platforms, the nature of network and data architectures, and the corporate standards for procurement and deployment of IT assets
b) IT use management
Decisions that address application prioritization and planning, budgeting, and the day-to-day delivery of operations and services
c) IT project management
(Source: Sambamurthy and Zmud, 1999)
IT auditor tasks in examining the IT Function
1. IT auditors should ensure that segregation of incompatible duties is enforced: the systems development and computer operations functions must be segregated. It is also advisable for the IT function to form a separate security specialization to maintain custody of software applications and corporate data
Systems Development
• Systems developers are authorized to create and alter software logic; therefore, they should not be allowed to process information
• They should not maintain custody of corporate data and business applications
Computer Operations
• Computer operations staff are responsible for:
- Entering data (analogous to the internal control concept of 'authorizing transactions')
- Processing information (analogous to 'recording transactions')
- Disseminating output (analogous to 'maintaining custody')
Computer Security
• Responsible for the safekeeping of resources, which includes ensuring that business software applications are secure
• Responsible for the safety ('custody') of corporate information, communication networks and physical facilities
• Systems analysts and programmers should not have access to the production library
IT auditor tasks in examining the IT Function (continued)
2. IT auditors should also ensure that controls over applications and data are integrated into systems development and computer operations
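One way an IT auditor can test the segregation rule above against evidence rather than interviews is to run a conflict matrix over a group-membership export. The following is an added example and is not part of the lecture slides: the group names, the incompatible-duty pairs and the sample directory dump are all constructed for illustration, and a real review would substitute the organization's own export (for instance, the output of a directory group listing).

```python
"""Segregation-of-duties (SoD) check over a group-membership export.

Added example, not from the slides. Group names, incompatible pairs and the
sample export are constructed to mirror the three duties the slides separate:
systems development, computer operations and computer security (custody).
"""
from itertools import combinations

# Duty pairs one person must not hold together. Constructed from the slide's
# rules: developers must not process information, hold custody of data or
# applications, or reach the production library; operators must not change
# production code either.
INCOMPATIBLE_DUTIES = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"systems_development", "data_custody"}),
    frozenset({"systems_development", "production_library_write"}),
    frozenset({"computer_operations", "production_library_write"}),
}

# Constructed 'group:member,member' dump, the shape of a simple directory export.
SAMPLE_GROUP_EXPORT = """
# group:members
systems_development:alice,carol,erin
computer_operations:bob,erin
production_library_write:carol,dave
data_custody:dave,erin
computer_security:dave
""".strip().splitlines()


def parse_group_export(lines):
    """Invert a group->members dump into {user: set(groups)}."""
    groups_by_user = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, _, members = line.partition(":")
        for member in (m.strip() for m in members.split(",")):
            if member:
                groups_by_user.setdefault(member, set()).add(group.strip())
    return groups_by_user


def find_sod_conflicts(groups_by_user, incompatible=INCOMPATIBLE_DUTIES):
    """Return {user: [(duty_a, duty_b), ...]} for every user who holds two
    duties the matrix marks as incompatible. Pairs are sorted so the output
    is stable for diffing between audit runs."""
    findings = {}
    for user, groups in groups_by_user.items():
        pairs = [tuple(sorted(pair)) for pair in combinations(sorted(groups), 2)
                 if frozenset(pair) in incompatible]
        if pairs:
            findings[user] = sorted(pairs)
    return findings


if __name__ == "__main__":
    conflicts = find_sod_conflicts(parse_group_export(SAMPLE_GROUP_EXPORT))
    for user, pairs in sorted(conflicts.items()):
        for duty_a, duty_b in pairs:
            print(f"SoD conflict: {user} holds both {duty_a} and {duty_b}")
```

The matrix is the auditable artifact here: management should sign off on which duty pairs are incompatible, and the auditor re-runs the check each period and compares the output, so a conflict that appears between runs (a developer added to the production library group, say) is visible even when no one reviewed the change.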
2. Funding the IT Function
• The IT function must be adequately funded to conduct day-to-day operations and fulfil its strategic objectives
• Risks associated with a lack of proper financing and funding for the IT function:
a. Inability to fulfil the needs and demands of customers, vendors, employees and other stakeholders, which can adversely impact the success of the company
b. Heavy workloads can lead to a culture of 'working around' the system of internal controls
2. Funding the IT Function
Two (2) main approaches to funding the IT function in an organization:
a) Cost center approach: a part of a company that does not produce direct profit and adds to the cost of running the company
b) Profit center approach: a part of a company that is treated as a separate business, so that its profits or losses are calculated separately
(Source: Wikipedia)
2. Funding the IT Function
Cost center
Pros: IT requests may be justified using the IT balanced scorecard approach
Cons: the IT department has to compete with other departments in the organization for budget
Profit center
Pros: the IT department can run its own operations by 'charging' for the services that it provides
Cons: the IT department may 'overly' charge for its services and products
2. Funding the IT Function
The IT auditor should assess whether:
Cost center
1. IT requests are appropriate and properly justified
Profit center
1. A reasonableness check is performed at least annually to ensure that IT charges are not excessive
2. An independent party within the company compares the rates to those of outside services
3. Staffing the IT Function
• The human resources of the IT function are as important as its other types of resources
• Possible risks associated with mismanaging the human resources of the IT function:
- IT employees lack sufficient knowledge and experience
- IT employees are not utilized in an efficient and effective manner
- IT employees are unaware of or unconcerned about the internal controls of IT-related functions
- Disgruntled or malicious IT employees might expose the company to computer security threats, information integrity problems or asset misappropriation
• These risks can be effectively controlled via sound human resource procedures in the areas of hiring, rewarding and terminating employees
3. Staffing the IT Function - Hiring
• Acquiring and retaining qualified IT personnel is a critical factor in the ultimate success of the IT function
• The process of hiring IT personnel includes:
i. Recruiting
ii. Verifying
iii. Testing
iv. Interviewing
• The IT auditor should ensure that:
a) the company has formal procedures for hiring new employees and that the procedures are followed
b) each job has a substantive description of its roles and responsibilities
Hiring - Recruiting
• The IT manager should carefully plan and execute each step in compliance with company policy and regulatory/statutory rules:
1. Identify needs
2. Write a job description
3. Obtain permissions
4. Advertise
5. Accept applications
6. Review applications
• The IT auditor should ensure that:
a) there is clear, authoritative guidance on hiring
b) the personal and professional qualifications of candidates are verified
Hiring - Verifying
• The extent depends on the position, but all candidates should undergo some checking, such as:
- Contacting references, both personal and professional
- Conducting background checks
- Verifying education
- Checking for criminal or civil violations
• The IT auditor should ensure that:
a) the company has written procedures for verifying new applicants
b) the company follows the procedures and documents the evidence
Hiring - Testing
• Written and/or oral tests are administered to applicants to assess their skills and knowledge
• The IT auditor should:
a) determine that testing is performed (as needed)
b) ensure that the company is consistent in its testing procedures
Hiring - Interviewing
• Steps of interviewing:
- Select appropriate interviewers
- Develop an internal interview schedule
- Arrange interviews with the interviewees
- Conduct the interviews
• The IT auditor should determine that:
a) the interview is conducted in a proper manner
b) the interview follows company, regulatory and statutory rules
3. Staffing the IT Function - Rewarding
• Motivating and challenging employees in positive ways is important for building their sense of self-efficacy and self-esteem, as well as developing their loyalty and commitment to the company
• The steps of rewarding IT personnel include:
i. Evaluating
ii. Compensating
iii. Promoting
iv. Learning
3. Staffing the IT Function - Rewarding
• Possible risks associated with improper rewarding of IT personnel:
a) IT employees might develop a 'bad attitude' toward the IT manager and the company, which could lead to:
- lower productivity
- frustration
- turnover
b) Disgruntled IT employees might engage in mischievous or criminal behaviour, which could threaten the availability, accuracy, security and reliability of corporate information
Rewarding - Evaluating
• The most common form is the annual performance review
• The evaluator must be as fair as possible to prevent frustration and resentment
• The IT auditor should ensure that:
a) the evaluation process has a proper structure and is reasonable
Rewarding - Compensating
• The company should strive to compensate employees at least as well as peer organizations
• If IT employees are not compensated well, turnover could increase, which:
- causes productivity losses
- incurs high replacement costs
- risks the availability and reliability of systems
- lets departing employees take sensitive information to competitors
• The IT auditor should check whether:
a) the IT function periodically assesses comparative wage rates
b) the IT function does not discriminate against employees (by race, gender, etc.)
• The IT auditor can perform a test to identify wage outliers
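The wage-outlier test mentioned above can be run as a simple analytic over a payroll extract. The following is an added example and not part of the slides: it groups salaries by job title and flags anything outside Tukey's interquartile-range fences for that title, so that a database administrator is compared with other database administrators rather than with the whole IT function. The payroll records are constructed for illustration; the job titles and the 1.5 multiplier are assumptions an auditor would adjust to the organization's grading scheme.

```python
"""Wage-outlier test by job title using Tukey's IQR fences.

Added example, not from the slides. The payroll records are constructed;
an auditor would feed in the IT function's own payroll extract instead.
"""
from collections import defaultdict
from statistics import quantiles

# Constructed payroll extract: (employee, job title, annual salary in thousands)
SAMPLE_PAYROLL = [
    ("ann", "sysadmin", 50), ("ben", "sysadmin", 52), ("cho", "sysadmin", 54),
    ("dee", "sysadmin", 56), ("hal", "sysadmin", 95),
    ("fay", "developer", 60), ("gus", "developer", 62), ("hai", "developer", 63),
    ("ivy", "developer", 30), ("jon", "developer", 65),
    ("kim", "dba", 70), ("lee", "dba", 72),   # too few peers to test
]

MIN_PEERS = 4  # below this, quartiles are meaningless; report the group as untested


def iqr_fences(values, k=1.5):
    """Return (lower, upper) Tukey fences: Q1 - k*IQR and Q3 + k*IQR.
    method='inclusive' treats the sample as the whole population, so the
    smallest and largest values are the 0th and 100th percentiles."""
    q1, _, q3 = quantiles(values, n=4, method="inclusive")
    iqr = q3 - q1
    return q1 - k * iqr, q3 + k * iqr


def wage_outliers(payroll, k=1.5, min_peers=MIN_PEERS):
    """Compare each salary only against peers with the same title.
    Returns (outliers, untested_titles): outliers is a sorted list of
    (employee, title, salary, 'low'|'high'); untested_titles lists the
    titles with fewer than min_peers records, which the auditor must
    review by hand rather than silently skip."""
    by_title = defaultdict(list)
    for employee, title, salary in payroll:
        by_title[title].append((employee, salary))

    outliers, untested = [], []
    for title, rows in by_title.items():
        if len(rows) < min_peers:
            untested.append(title)
            continue
        low, high = iqr_fences([salary for _, salary in rows], k)
        for employee, salary in rows:
            if salary < low:
                outliers.append((employee, title, salary, "low"))
            elif salary > high:
                outliers.append((employee, title, salary, "high"))
    return sorted(outliers), sorted(untested)


if __name__ == "__main__":
    flagged, skipped = wage_outliers(SAMPLE_PAYROLL)
    for employee, title, salary, side in flagged:
        print(f"{side.upper():4} outlier: {employee} ({title}) at {salary}")
    for title in skipped:
        print(f"untested: {title} has fewer than {MIN_PEERS} records")
```

A flagged record is a lead, not a finding: the auditor still has to obtain the explanation (grade, tenure, a retention award) and decide whether it is documented and consistently applied, which is also where the discrimination check in point b) above starts.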
Rewarding - Promoting
• Promotion should be based on merit
• Compensation should be commensurate with the new job's roles and responsibilities
• The IT auditor should check whether:
a) a formal policy with regard to promotion is available
b) the written procedures and policies are consistently followed
Rewarding - Learning
• Training benefits the employee, the employer and society as a whole
• Failure to offer learning opportunities creates:
a) potential loss of competitive positioning due to an uneducated workforce
b) low employee morale
c) stagnant and frustrated employees
d) an attitude of complacency toward internal controls
e) disregard for internal controls
3. Staffing the IT Function - Terminating
• Terminating an employee, whether voluntarily or involuntarily, is a delicate issue
• A disgruntled employee can disrupt the company's systems and controls, putting the availability, reliability and integrity of information, computers and networks at risk
• The IT function needs to design and implement countervailing controls, such as backup procedures, checks and balances, cross-training, job rotation and mandated vacations, and on termination must immediately separate the employee from the computing environment and revoke all computer privileges to eliminate the possible risks
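Whether the "immediately revoke all computer privileges" control actually works is something an auditor can test by reconciling the HR leaver list against a directory export. The following is an added example and not part of the slides: both data sets are constructed, and the severity rule (an account merely left enabled is a control gap, an account used after the leaving date is a control bypass) is this example's own assumption rather than anything the slides prescribe.

```python
"""Leaver access check: terminated staff whose accounts remain enabled.

Added example, not from the slides. The HR leaver feed and the directory
export are constructed; real runs would read the HR system and the
directory (or each application's own user list) instead.
"""
from datetime import date

# Constructed HR feed: username -> last working day
LEAVERS = {
    "bob": date(2014, 3, 1),
    "carol": date(2014, 3, 10),
    "erin": date(2014, 2, 20),
    "fay": date(2014, 3, 12),
}

# Constructed directory export: one record per account
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "last_logon": date(2014, 3, 14)},
    {"user": "bob",   "enabled": False, "last_logon": date(2014, 2, 28)},
    {"user": "carol", "enabled": True,  "last_logon": date(2014, 3, 12)},
    {"user": "erin",  "enabled": True,  "last_logon": date(2014, 2, 19)},
    {"user": "fay",   "enabled": True,  "last_logon": None},   # never logged on
]

AS_OF = date(2014, 3, 15)  # the audit date the constructed data is checked against


def check_leavers(leavers, accounts, as_of):
    """Return a sorted list of (user, severity, reason) for leavers whose
    account is still enabled on 'as_of'. The slides call for immediate
    separation, so any enabled account after the leaving date is a finding;
    a logon after that date raises it to HIGH because the control has been
    bypassed rather than merely left open."""
    by_user = {account["user"]: account for account in accounts}
    findings = []
    for user, last_day in leavers.items():
        if last_day > as_of:
            continue                      # has not left yet
        account = by_user.get(user)
        if account is None or not account["enabled"]:
            continue                      # deleted or disabled: control worked
        last_logon = account["last_logon"]
        if last_logon is not None and last_logon > last_day:
            findings.append((user, "HIGH",
                             f"logged on {last_logon} after leaving {last_day}"))
        else:
            days_open = (as_of - last_day).days
            findings.append((user, "MEDIUM",
                             f"still enabled {days_open} days after leaving"))
    return sorted(findings)


def run_example():
    """Run the check over the constructed data as of AS_OF."""
    return check_leavers(LEAVERS, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for user, severity, reason in run_example():
        print(f"{severity:6} {user}: {reason}")
```

The reconciliation is only as good as the join key, so in practice the HR feed and the directory export need a common identifier (an employee number rather than a free-text name), and the same check has to be repeated for every system that keeps its own user list, because disabling the directory account does not revoke credentials held in an application's local database or in shared service accounts the leaver knew.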