The IT Auditor can only perform effective reviews of automated application systems after evaluating the general controls underlying and supporting the proper functioning of those applications. These general controls affect the operation of every application running on a system, and inadequate or missing general controls have the potential to compromise the controls in all automated application systems.
Part III guides the IT auditor through the general controls areas that should be evaluated in a normal systems environment review. This approach to the general controls review groups all possible controls into the following five categories:
These categories are discussed in Sections 7 through 11, and are included in a set of fully articulated workpapers at the end of Section 12.
Controls over IT administration should ensure that the function is managed in a way that efficiently and effectively supports strategic and tactical business activities. The controls in this area often include:
The common element among these controls is that none of them has any direct association with an automated application system. The idea of an indirect relationship is familiar to first-time managers as they realize that they may no longer be doing any work, at least not as they have known it in the past. They draw their salary based on the direction and guidance they provide.
These administrative responsibilities provide the guidance needed to move both individual and functional activities in the appropriate directions. Guidance takes many forms, some of which are further defined in the sections that follow.
The Information Technology (IT) department should always be aware of advances and changes in technology that can affect the hardware and software that the company uses in meeting its objectives. A strategic plan usually looks at least one year ahead and continues as far into the future as appropriate.
The Strategic Plan
The strategic plan ensures that company executives and managers are able to establish the overall systems direction for the enterprise. This knowledge permits other management levels to determine how their individual areas will be supported or identifies where changes should be made in their tactical activities. The IT auditor should be cognizant that having a strategic plan is important, but it should not unreasonably limit individual decisions or prevent needed day-to-day changes.
| GENERIC DOMESTIC COMPANY |
|---|
| Technology activities within the Domestic Company will be conducted in accordance with the following guidelines. Any deviations from these guidelines must be approved in advance of making any contractual or financial commitments. |
| All transaction processing systems will have a single storage location for all primary data files, whether the systems are mainframe, midrange, or client/server based. |
| Hardware changes will be to appropriate IBM equipment to maximize our corporate ability to negotiate discounts on acquisition and maintenance of technical hardware. |
| The use of conversion tables to interface incompatible data structures will be eliminated as part of the company's effort to move toward seamless integration and an enterprise model. |
| Electronic commerce is becoming increasingly important to the company's business, and all Electronic Data Interchange (EDI) will be done in compliance with ANSI standards, while Internet and World Wide Web activity will be guided by provisions of the Internet guidelines currently being developed. |
| Personal computers will only be purchased from an approved vendor to improve our ability to provide for effective support and maintenance, and will be purchased with one of the approved application suites specified by the Information Technology department. |
Exhibit 7-1 is an example of a strategic IT plan. For another company this exhibit might only be a vision statement. There are no rules concerning the degree of detail appropriate for strategic planning, but the IT auditor should evaluate strategic plan provisions based on the answers to these questions:
The IT auditor should use caution when reviewing a strategic plan, particularly if it has already been publicized, because of the political implications of suggesting that it be changed and re-issued. Although independence should be preserved, the auditors should make an extra effort in this area to ensure their participation during development of the strategic plan. The auditor's suggestions during plan development are likely to be much better received than if they are made later in the process.
The tactical IT plan, which can also be referred to as the short-term plan, should be based on the strategic plan and identify specific activities to be performed and objectives to be met over the next 12 to 24 months. The tactical plan can be divided by operating unit, product line, department, or other internal division of the entity.
The tactical plan is often the product of both IT and end-user personnel. This is a joint effort because the end users often must prioritize their open and in-process requests. End-user prioritization is necessary if their requests require more development and implementation hours than are available based on the tactical planning horizon and the number of resources available to satisfy those hours.
The tactical plan can also be changed more easily than the strategic plan, and it must be changed to reflect changing circumstances and shifts in the overall focus of the company. The tactical plan should also include specific elements of each activity, such as estimated work effort and implementation date. If the tactical plan does not include those elements, they should be readily available from another source and be available to all parties with a specific interest in that information.
Exhibit 7-2 is an example of a tactical plan. This sample tactical plan is not complete and represents only a fictitious first page of such a report. The report would most likely also include sections for those items expected to be completed within the tactical planning horizon, prioritized items that would be worked on next if a project is completed early or taken off the list, and a group of nonprioritized items that had been submitted but deemed to have a priority low enough that they are not being considered at all for planning purposes.