Tuesday, April 20, 2010

Chapter 2. Management, Planning, and Organization of IS

- The primary goal of auditing information systems is to determine whether IT processes support business requirements in the most effective and secure manner.

- As a starting point, the IS auditor should review the following:
➤ Organization business plan—Establish an understanding of the organization’s mission and objectives.
➤ IT strategic plan—Establish both the short-term (one-year) and long-term (three- to five-year) plans.
➤ Organizational charts—Establish the responsibility and authority of individuals.
➤ Job descriptions—Establish responsibility and accountability for employee actions.
➤ Policies/procedures—Define strategic objectives in operational activities.

Reviewing an audit client’s business plan should be performed before reviewing an organization’s IT strategic plan.

- The goal of strategic planning is to ensure that the organization’s long-term (three- to five-year) and short-term (one-year) strategies are defined in writing and that there is a regular review process.

- Policies and procedures define the actual operational implementation of the strategic plan and, like the strategic plan, should have a formal process for creation, communication, and review. As stated earlier, policies and procedures are subject to change more often than the strategic plan as they guide operational activities.

- Involving senior management in the development of a strategic plan is critical to planning success.

- A primary purpose of the IS steering committee is to ensure efficient use of data-processing resources.

- As an IS auditor, you can learn a significant amount about an organization by reviewing the strategic plan and organizational and lower-level policies. These documents can provide background on the business objectives and mission, as well as the line or operational policies supporting that mission. If you review strategy and policies before doing observation and conducting interviews, you might identify areas in which potential gaps exist.

- Organizations follow different approaches in policy development. The top-down approach aligns organization-wide policies with the business strategy; department- and office-level policy is then created in accordance with the strategy and the organizational policy.

- Other organizations create policy using the bottom-up approach. They identify immediate areas of concern, compliance, or risk, and develop policy for those areas by performing a risk assessment. Although this approach is more time- and cost-effective, it creates the risk that policies might not align with organizational policies and strategy.

- A bottom-up approach to the development of organizational policies is often driven by a risk assessment.

- ➤ Regulatory—These policies are written to ensure that the organization is following standards set by a specific industry and are regulated by law. These types of policies are frequently used in financial institutions, healthcare facilities, public utilities, and the federal government.
➤ Advisory—These policies strongly recommend certain types of behaviors, actions, or activities for the organization. These types of policies outline possible consequences for noncompliance and are enforced internally within the organization.
➤ Informative—These policies are generally not enforceable and are considered “teaching” policies. These types of policies are used in most organizations.

- Policies are high-level documents that align with the business strategy (both long and short term) and represent the corporate philosophy.

- IS auditors should look for both policies and procedures that apply to all phases of the system development life cycle (SDLC) and ensure that they align with the organization’s strategy.

- The SDLC encompasses the planning, analysis, design, implementation, integration/testing, acceptance, maintenance, and security of information systems. The SDLC is a formal model that represents the phased implementation of information systems.

- Procedures are detailed documents that incorporate the intent of the parent policy and that document administrative and operational processes. In some cases, procedures provide step-by-step details for performing a function; they should be written in a clear and concise manner to allow easy understanding and implementation.

- A lack of procedures, or a failure to adhere to them, could indicate a larger issue: necessary controls in the environment are being bypassed by ad-hoc procedures.

- When determining the effectiveness of IS policies communication, an auditor typically reviews interviews with user and IS personnel, information-processing facilities operations and procedures manuals, and user department systems and procedures manuals.

- The change-control board (CCB), like the IT steering committee, is a formal body chartered by senior management. The CCB should accept requests for changes to systems and documentation, and should review and approve or deny recommended changes.

- The IT organization needs to ensure proper segregation of duties to reduce the risk of errors or misappropriations associated with the information systems or data.

- While performing operational tasks, certain functions act as controls across the IT organization and must be segregated accordingly. A clear example is the role of the security function within the IT organization. This function is responsible for the implementation and maintenance of security controls, to ensure the confidentiality, integrity, and availability of systems and information. As such, security personnel should not be involved in the day-to-day operational administration of information systems.

- An IS auditor’s primary responsibility is to advise senior management of the risk involved in not implementing proper segregation of duties, such as having the security administrator perform an operations function.

- IT management should separate systems development, computer operations, and computer security. If these functions cannot be separated, compensating controls should be put in place.
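The segregation rule above (development, operations, and security kept apart, with documented compensating controls where they cannot be) is easy to check mechanically against an access listing. The following is an added example, not code from the source text or from ISACA; the role names, the users, and the compensating-control records are constructed for illustration.

```python
"""Segregation-of-duties (SoD) conflict check over IT role assignments.

Added example. Role names, users and the compensating-control records are
constructed; substitute an export from your own IAM or HR system.
"""
from itertools import combinations

# Pairs of functions the text says IT management should keep separate.
SOD_CONFLICTS = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"computer_operations", "computer_security"}),
    frozenset({"systems_development", "computer_security"}),
}

# Constructed sample: user -> set of IT functions that user actually holds.
SAMPLE_ASSIGNMENTS = {
    "alice": {"systems_development"},
    "bob": {"computer_operations", "computer_security"},  # security admin also running ops
    "carol": {"computer_security"},
    "dave": {"systems_development", "computer_operations", "computer_security"},
}

# Constructed sample: conflicts management has formally accepted with a
# documented compensating control (for example, independent review of bob's
# operator activity logs). Keyed by user -> set of accepted conflict pairs.
SAMPLE_COMPENSATING = {
    "bob": {frozenset({"computer_operations", "computer_security"})},
}


def find_sod_violations(assignments, conflicts=SOD_CONFLICTS, compensating=None):
    """Return sorted (user, (role_a, role_b), mitigated) tuples.

    mitigated is True when a compensating control is on record for that
    user and that pair; everything else is an unmitigated SoD violation.
    """
    compensating = compensating or {}
    violations = []
    for user, roles in assignments.items():
        # Every pair of roles a user holds is tested against the conflict table.
        for role_a, role_b in combinations(sorted(roles), 2):
            pair = frozenset({role_a, role_b})
            if pair in conflicts:
                mitigated = pair in compensating.get(user, set())
                violations.append((user, (role_a, role_b), mitigated))
    return sorted(violations)


def unmitigated(violations):
    """Filter to the findings an auditor would escalate to senior management."""
    return [v for v in violations if not v[2]]


if __name__ == "__main__":
    found = find_sod_violations(SAMPLE_ASSIGNMENTS, compensating=SAMPLE_COMPENSATING)
    for user, pair, mitigated in found:
        status = "compensating control on file" if mitigated else "UNMITIGATED"
        print(f"{user}: {pair[0]} + {pair[1]} -> {status}")
```

Running it flags bob's operations-plus-security combination as covered by a compensating control and dave's three conflicting combinations as unmitigated; the latter is exactly the finding L57 says the auditor must raise with senior management.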

- The contractual agreement generally includes a service-level agreement (SLA). The SLA outlines the level of service (uptime, downtime, and response time) for the outsourced information systems. The SLA usually specifies a guaranteed level of service, and this is used as a management tool to control the information resources maintained by the service provider. Outsourcing is a long-term strategy, and service providers face the same risks as the organizations they serve. The organization must ensure that proper contractual agreements provide the necessary level of assurance that the information systems will meet the expectations of the organization.

- An IS auditor should always review availability reports when auditing service-level agreements (SLAs) for minimum uptime compliance.
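Reviewing an availability report for minimum-uptime compliance means recomputing the uptime figure from the outage records rather than accepting the provider's summary. The following is an added example, not part of the source text or any vendor's report format; the report layout, the service names, the outage records, the 99.9% target and the treatment of planned maintenance are all constructed assumptions. It clips outages to the reporting period, merges overlapping records so a double-logged incident is not counted twice, and lets the reviewer toggle whether planned maintenance counts against the target.

```python
"""Recompute SLA availability from outage records in an availability report.

Added example. The CSV layout, service names, outage times and the SLA
parameters below are constructed for illustration.
"""
from datetime import datetime

# Constructed sample report: service,outage_start,outage_end,kind
SAMPLE_REPORT = """\
service,start,end,kind
web,2010-04-03T02:00,2010-04-03T02:30,planned
web,2010-04-10T14:05,2010-04-10T14:25,unplanned
web,2010-04-21T09:00,2010-04-21T09:15,unplanned
db,2010-03-31T23:30,2010-04-01T00:10,unplanned
db,2010-04-12T00:00,2010-04-12T02:00,unplanned
db,2010-04-12T01:30,2010-04-12T01:45,unplanned
"""

# Assumed reporting period (April 2010) and assumed SLA floor.
PERIOD_START = datetime(2010, 4, 1)
PERIOD_END = datetime(2010, 5, 1)
MIN_UPTIME_PCT = 99.9


def parse_report(text):
    """Yield (service, start, end, kind) from the constructed CSV layout."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        svc, start, end, kind = line.split(",")
        rows.append((svc, datetime.fromisoformat(start), datetime.fromisoformat(end), kind))
    return rows


def _merge(intervals):
    """Merge overlapping (start, end) pairs so overlapping records count once."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def sla_compliance(report_text, period_start, period_end, min_uptime_pct, exclude_planned=True):
    """Per-service downtime minutes, availability percentage and pass/fail."""
    period_minutes = (period_end - period_start).total_seconds() / 60
    by_service = {}
    for svc, start, end, kind in parse_report(report_text):
        by_service.setdefault(svc, [])  # services with no counted outages still appear
        if exclude_planned and kind == "planned":
            continue
        # Clip to the reporting period; records entirely outside it are dropped.
        start, end = max(start, period_start), min(end, period_end)
        if end <= start:
            continue
        by_service[svc].append((start, end))

    results = {}
    for svc, intervals in by_service.items():
        downtime = sum((e - s).total_seconds() / 60 for s, e in _merge(intervals))
        availability = 100.0 * (1 - downtime / period_minutes)
        results[svc] = {
            "downtime_min": downtime,
            "availability_pct": round(availability, 4),
            "compliant": availability >= min_uptime_pct,
        }
    return results


def check_sample(exclude_planned=True):
    """Run the check over the constructed report with the assumed SLA terms."""
    return sla_compliance(SAMPLE_REPORT, PERIOD_START, PERIOD_END, MIN_UPTIME_PCT, exclude_planned)


if __name__ == "__main__":
    for svc, r in check_sample().items():
        verdict = "meets" if r["compliant"] else "BREACHES"
        print(f"{svc}: {r['downtime_min']:.0f} min down, {r['availability_pct']}% -> {verdict} {MIN_UPTIME_PCT}%")
```

Whether planned maintenance is excluded is a contract question, not a computation question: with the assumed terms the web service passes only if the planned window is excluded, which is why the auditor should read the SLA's definition of downtime before accepting the provider's figure.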


- Per ISACA, the auditor should be aware of the following risks associated with outsourcing:
➤ Contract protection—A contract that adequately protects the company
➤ Audit rights—The right to audit vendor operations
➤ Continuity of operations—Continued service in the event of a disaster
➤ Integrity, confidentiality, and availability of organization-owned data
➤ Personnel—Lack of loyalty toward customers, or disgruntled customers/employees, over the outsource agreement
➤ Access control/security administration (vendor controlled)
➤ Violation reporting and follow-up (vendor controlled)
➤ Change control and testing (vendor controlled)
➤ Network controls (vendor controlled)
➤ Performance management (vendor controlled)

- As an example, an outsourcing contract for IT facilities should clearly define ownership of intellectual property.

- The strategic plan keeps the organization headed in a profitable direction, and long-term planning minimizes the risk that organizational resources will not support the company’s overall objectives. IT management is responsible for establishing sound project management and organizational policies. The combination of the IT strategic plan, sound project management, and organizational policies reduces business risks.

- The core principles of project management include the development of a detailed plan, the reporting of project activity against the plan, and the adjustment of the plan to enable corrective action. All project plans should be assigned to a project manager who is experienced in the area of implementation, who has skills associated with managing projects, and who has a good working relationship with the staff in planning and executing the project.

- The following list outlines the five basic phases of the project life cycle.
➤ Phase I: Plan the project—This phase includes setting the time, cost, and scope of the project.
➤ Phase II: Schedule the project—This phase of the project breaks the project into logically grouped activities and creates a timetable for each activity. The team should create Gantt charts to show timelines, milestones, and dependencies. When this is complete, the team should perform critical path analysis on the project plan. The critical path analysis shows areas of risk due to resource constraints, project timelines, or priority against existing projects.
➤ Phase III: Monitor continuously—The project teams should monitor the progress of the project against the baseline using planning benchmarks, milestones, and deliverables.
➤ Phase IV: Controlling the project—The skills of the project manager and the planning team, and adequate communication among the resources on the project, are key to successfully overcoming obstacles during this phase.
➤ Phase V: Closing the project—This phase includes user acceptance of the products and services, as well as written acceptance of all expected outcomes.

- If an IS auditor observes that project approval procedures do not exist, the IS auditor should recommend to management that formal approval procedures be adopted and documented.

- An effective risk-management program should enable the organization to realize its business objectives by helping it to:
➤ Better secure IT systems that store, process, or transmit organizational information
➤ Enable management to make well-informed risk-management decisions to justify expenditures that are part of the IT budget

- To coordinate the planning, design, and implementation of changes that could affect the connected systems or data, such as upgrading hardware or software or adding services, the organization should develop a change management process. The change process is usually facilitated by a chartered change control board (CCB). A CCB generally is charged with reviewing all changes in the environment and has the authority to accept, deny, postpone, or send back a change request for additional information.

- Change requests (CRs) generally are reviewed by subject matter experts (SMEs) before they are submitted to the CCB, and the submission includes the SMEs' suggestions or concerns. An SME can be in the business or IT area and can be a business manager, user, security person, application developer, or network or systems engineer. SMEs provide the board with enough information to make a decision on the request and to understand its impact on the environment.

- Per ISACA, quality assurance usually performs two distinct tasks:
➤ Quality assurance (QA)—Helps the IT department ensure that the personnel are following prescribed quality processes. For example, QA helps ensure that programs and documentation adhere to the standards and naming conventions.
➤ Quality control (QC)—Is responsible for conducting tests or reviews to verify that software is free from defects and meets user expectations. This can be done at various stages of the development of application systems, but it must be done before the programs are moved into production.

- Quality management is the means by which the IS department processes are controlled, measured, and improved. Management principles focus on areas such as people, change, processes, and security.

- The quality assurance group ensures that the programs and program changes and documentation adhere to established standards.

- The International Organization for Standardization (ISO) has created the ISO 9000 series, which is implemented by 634,000 organizations in 152 countries. ISO 9000 has become an international reference for quality management requirements in business-to-business dealings.

- ➤ Certification—This is a major consideration before processing is authorized, but it is not the only consideration. Certification is the technical evaluation that establishes the extent to which a computer system, application, or network design and implementation meet a prespecified set of security requirements.
➤ Accreditation—This is the authorization and approval granted to an information system to process in an operational environment. It is made on the basis of a certification by designated technical personnel that the system meets prespecified technical requirements for achieving adequate system security.

- Certification activities include testing systems and their controls to ensure that the systems meet the control objectives. When the certification is complete, any deficiencies are noted and forwarded to the appropriate authority for accreditation. During the accreditation process, the approving authority reviews the results of controls testing and determines the level of risk associated with the deficiencies. If the approving authority determines that the risk associated with the deficiencies is acceptable, the system is allowed to process in an operational environment with a plan to correct the deficiencies (remediation). If the level of risk is beyond an acceptable level, the deficiencies must be corrected before the system can go into operation.

- Although BCP and DRP are commonly interchanged, they are distinctly different. Per ISACA, BCP is a process designed to reduce the organization’s business risk from an unexpected disruption of the critical functions or operations (manual or automated) necessary for the survival of the organization.

- DRP is generally the plan followed by IS to recover an IT processing facility or by business units to recover an operational facility. The IS recovery plan must be consistent with and must support the overall plan of the organization.

- BCP is, at best, an annual project and is effective only if it is continuously performed and tested. During BCP, the organization must define what qualifies as a disruptive event or disaster.

- The degree to which a BCP/DRP plan is successful depends on the support and leadership of senior management.

- Specific security administration is directed by senior management and implemented by system custodians. Still, ultimate accountability for data and system security lies with senior management.