unpad02 - it environment1 v1
Technology and Security Risk Services
Session 2: IT Environment (1)
for Universitas Padjadjaran, Accounting Department
IT Audit – S1 Regular Class
by Isnaeni Achdiat, CISA, CIA, CISM
Shinta Marina
24 September 2005
IS Audit Syllabus
No Subject Name Date
1 Introduction of IS Audit 17-Sep-05
2 IT Environment (1) 24-Sep-05
3 IT Environment (2) 1-Oct-05
4 IT Processes 8-Oct-05
5 General Computer Control Review (1) 15-Oct-05
6 General Computer Control Review (2) 22-Oct-05
7 General Computer Control Case Study 29-Oct-05
8 Mid-semester Exam 12-Nov-05
9 Application Control Review (1) 19-Nov-05
10 Application Control Review (2) 26-Nov-05
11 Application Control Case Study 3-Dec-05
12 IT Sarbanes-Oxley and IT Governance 10-Dec-05
13 IT Security and Data Analysis Approach 17-Dec-05
14 IT Risk Management & ERP Systems 24-Dec-05
15 Final Exam TBA
Agenda
• Role of IT for the Business
• IT Organization in the Business
• Hardware
Session 2 Objectives
• Gain understanding of the importance and role of IT for the Business
• Understand IT organization & its requirements
• Introduce the students to:
– The concepts of hardware and the risks and controls associated with them, and
– The basic audit/review aspects and considerations of the above concepts.
Role of IT for the Business
Examples of IT in the business
• Accounting systems
• Payroll systems
• Production planning systems
• Inventory management systems
• Network
• Document scanning, printing, digital storing
• Email, Internet
Examples of IT in the business
• How is Information Technology used in organizations, examples?
Elements of Information Technology
• Software
– Business applications
– Office applications
– Spreadsheets, databases, etc.
• Hardware
– PCs/workstations
– Terminals
– Servers
– Network equipment (hub, switch, router, etc.)
– Printers, scanners, etc.
Elements of Information Technology
• Support tools
– System development tools
– Change Management tools
– Helpdesk software
– Security software (firewall, anti-virus software, etc.)
What Matters to CEOs?
1. Maximizing shareholder value
2. Protecting the market position of the company
Therefore they want IT to:
• Enable/facilitate the business’ strategy
• Deliver ROI
• Enhance competitive advantage
• Deliver quality while minimizing risk
• Achieve compliance goals
CFO IT Perspectives
• 49% of CIOs report to the CFO (29% to the CEO)
• Technology expertise considered most important skill after financial expertise (44% response)
• IT training first priority for developing accounting staff (52%)
• 82% of CFOs say accounting departments have become more involved in technology initiatives
• Responsibilities outside the scope of traditional financial functions will occupy 37% of a senior accountant’s time in five years.
Source: RHI Management Resources / FEI-CSC Surveys
Changing Role of CFOs
[Pie chart]
• Greater role in technology and information systems initiatives: 39%
• More strategic planning and decision making: 26%
• Increased interaction with other departments: 16%
• Expanded leadership and management role: 14%
• Other/don't know: 5%
Source: RHI Management Resources Survey
IT Priorities for CFOs
[Bar chart: items A to D, series 1999, 2000 and 2001, axis 0 to 80]
A. Identifying appropriate level of IT investment 61.2%
B. Prioritizing technology investments 55.3%
C. Identifying how IT can improve or influence business processes 53.3%
D. Determining appropriate use of eCommerce 32.4%
Source: FEI-CSC Survey
Management Challenges
• 30% of businesses are unable to determine their return on technology investments
• 61% do not have a written strategic plan for information systems
• Only 23% of those with plans believe them to be fully aligned to the business strategy
Source: FEI-CSC Survey
Business Requirements on IT
• Confidentiality
• Integrity and Reliability
• Availability
• Effectiveness and Efficiency
• Compliance
Impact of IT on the Business
• Software implementation failures leading to process failure, financial and reputational loss
• Lack of valid information required to make business decisions
• Lack of security resulting in financial and reputational loss
• Hardware failure leading to inability to process transactions and/or trade effectively
• Legislative implications of non-compliance
Possible Results
• Restatement of accounts
• Bankruptcy
• Falling share price
• Poor financial performance
• Bad publicity
• Customer dissatisfaction
Top 10 IT Issues
1. Strategy – prioritizing technology investments
2. Budgeting – identifying appropriate investment level
3. Efficiency – evaluating/measuring return on technology
4. Security – confidentiality/integrity/reliability of data
5. Continuity – securing the availability of information
6. eCommerce – re-volution to e-volution
7. Project Management – high price of implementation failure
8. ERP – pros and cons of integrated software
9. Outsourcing – trusting your business to third parties
10. Regulation – legislation compliance (e.g., data privacy)
IT Organization in the Business
Responsibility of IT Management
Where can you find the IT organization in a company?
• Finance manager (no specific IT manager)
• IT Manager, reporting to Finance Manager
• IT Manager or CIO, reporting to CEO
• CIO and IT Manager
Responsibilities in IT Management
• System development
– Development and implementation of new information systems
• Application management
• Network Management
• Helpdesk/user support
• Project management
Types of IT organizations
Small IT organization (1-5 people)
[Organization chart, boxes: CEO/PresDir; Marketing; Finance; Production; Head of IT; Application management and support; Network (hardware) management]
Types of IT organizations
Medium size IT organization (5 - 50 staff)
[Organization chart, boxes: CEO/PresDir; Marketing; Finance; Production; IT Department; System Development; Programmers; Information analysts; Infrastructure management; Network management; Hardware management; Telecommunication management; Application management; Database Manager; Office application management; Business application management; Helpdesk]
Organizational requirements for IT departments
• Position in the organization
• Segregation of duties
• Screening and hiring
• Staff skills and development (training)
Hardware
• Hardware architecture
• Hardware components
• Risks and Controls
• Hardware Review/audit techniques
Hardware … Hardware architecture
Classes
• Large (mainframe)
– IBM S-360/370, S390, z900
– Unisys NX4801-21
– Bull, Fujitsu
• Medium (mini computer)
– IBM S/36, S/38, AS/400 (i-series), RISC 6000
– DEC VAX
– HP3000 series, Bull
• Small (microcomputer)
– IBM PC Compatible
Hardware … Hardware components
Devices
• Processors
• Storage
– FDD, Hard disk, CD-ROM, Magnetic Tape, Micro film
• Input/output devices
– Keyboard, POS terminals, Barcode readers, Mouse, Stylus, scanner
– Printer, Monitor, Plotter
• Communication and networking devices
– Modems, routers, switches & hubs, NIC
Hardware … Risks and controls
Risks | Controls
Failures | Environmental controls (humidifiers, AC, UPS, surge protector); Monitoring and Maintenance
Theft, vandalism | Physical access
Disasters | Backup, avoid flammable materials (incl. Printers)
Under/over capacity | Capacity planning
Hardware … Hardware review/audit techniques
• Physical controls
• Environmental controls
• Hardware capacity management
– CPU, I/O, terminal, telecommunication, bandwidth and storage utilization
– Number of users
– New technologies, applications
– Service level agreements
• Hardware monitoring
– Hardware error reports
– Availability reports
– Utilization reports
• Hardware acquisition plan & maintenance
– Information processing requirements, Hardware requirements, System software requirements, Support and maintenance requirements.
Operating Systems
Summary
• Hardware is one of the organization’s assets that should be properly controlled and managed by management.
• Today’s auditors should be familiar with, and prepared to deal with, the various rapid developments in IT and their risks
• IS auditors’ tasks:
– Review the existing controls available
– Test the compliance
– Recommend adequate controls
Question and Answer
Thank You