The IT Steering Committee
Many companies have a management group that is responsible for overseeing IT department activities. This group may bear one of various titles: IT steering committee, IT operations committee, etc. The committee should include corporate senior managers, select end-user managers, and IT managers. The internal audit department should also participate, although only in an advisory capacity.
These managers do not have to be department heads but should be knowledgeable about policies and procedures. They should also have the authority to speak for, and make decisions affecting, the areas they represent. The committee should not become directly involved with daily operations, and the duties and responsibilities of the committee should be clearly defined in a formal charter. Such committees typically:
To monitor IT departmental activities effectively, the IT steering committee should solicit information from all the areas served by the IT department, including the audit department. The committee also works to ensure that expected results are achieved, taking whatever action is necessary when they are not. IT steering committee meetings should be documented in minutes, not only as a record of the proceedings and decisions but also to inform management of the various IT activities under way.
Control
The reason that corporate senior management wants IT management to develop and implement effective controls is to ensure that business objectives are met on an accurate, timely, and complete basis. The company needs to be able to rely on the IT department. The following is a discussion of key elements needed to implement effective controls.
Policies and Procedures. Formal written standards and procedures are essential to establishing and maintaining control. Written standards promote uniform policy implementation and support new employee orientation. IT management must provide individual groups within the IT department with operational policies. These policies should give each group the guidelines needed to coordinate and perform their jobs effectively. IT policies and procedures can be established in a variety of areas, including the following:
These standards and procedures support the segregation of duties, limit physical and electronic access to valuable assets, and provide for the efficient and effective allocation of resources. Procedures should also provide audit trails, so that the user departments can exercise independent control over the work done on their behalf.
Internal Controls. The American Institute of Certified Public Accountants has defined internal control as the plan of organization and all of the coordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies. In the past, accounting systems were clearly segregated from the daily business cycle. Financial auditors had become accustomed to situations where, once a month, information from sales, accounts receivable, accounts payable, inventory, etc. was posted to the ledger in summary form. This led to the conceptual separation of accounting controls from operational controls.
The continuing integration of these two control groups is evident when today's auditors look at the general ledger and see the details of every sale, every purchase, etc. The following list of six controls represents three former accounting controls and three former operational controls that must be considered together in an integrated environment.
Statistical Reporting. This is the next logical step in the control process. IT management has numerous opportunities to gather and summarize statistical data that measures overall IT department performance. Reporting can be separated into three areas: data center operations, applications development, and administration. The scope, frequency, and sophistication of such reporting vary greatly depending on the size and nature of the installation. IT personnel should review the raw data that is, or could easily be, generated, looking for elements that could be summarized into useful information.
Automatic logging generally produces data that can be summarized by a job accounting system or an audit retrieval program. The summarized data may be used to produce statistical reports. In addition, project management software may also be used to summarize data for application development activities.
A total list of all possible statistical reports may be lengthy and contain many diverse options, depending on the hardware and software being used. Examples of statistical reports are:
IT management must decide on the best reports to be used in monitoring data center operations. The reporting period varies with anticipated usage. Although middle management may review weekly or monthly statistics, first-line supervisors may need data daily in many areas. Senior management and the IT steering committee may require monthly or quarterly statistics, reduced to graphic format. Typically, senior management reports compare projections with actual performance and prior periods with current performance. This is as valid for statistical analysis as it is for financial budget vs. actual vs. prior reporting.
Variance Analysis. The next step is to understand significant differences in these reports and respond to them. In this instance, significance should be defined in both technical and financial terms. A standard cost/benefit analysis should be prepared whenever a meaningful change is considered. Note that cost in these instances should include the cash expenditures along with the internal opportunity cost of the project. The IT auditor should also always remember that the direct responsibility for IT controls lies with IT management, and ultimate responsibility with company senior management.
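The reporting and variance steps above can be mechanized over job-accounting data. The following is an added example, not code from the original text: it rolls constructed job-accounting records (the sample data, the projection figures, job names and the 10% threshold are all assumptions chosen for illustration) into per-period totals, compares actual CPU usage with the projection and with the prior period as the text describes, flags variances that exceed the threshold, and attributes a flagged variance to the jobs that drove it so an auditor can ask a specific question rather than a general one.

```python
"""Added example: summarize job-accounting data and flag significant variances.

All records, projections, job names and the threshold below are constructed
for illustration; they are not taken from the original text.
"""
from collections import defaultdict

# Constructed job-accounting records: (period, job name, CPU seconds, abended?)
JOB_LOG = [
    ("2024-01", "PAYROLL", 3600, False),
    ("2024-01", "BILLING", 5400, False),
    ("2024-01", "BACKUP", 1800, True),
    ("2024-02", "PAYROLL", 3700, False),
    ("2024-02", "BILLING", 9200, False),   # large jump: the variance to explain
    ("2024-02", "BACKUP", 1750, False),
    ("2024-02", "BACKUP", 1800, True),     # rerun after an abend
]

# Assumed projections (budgeted CPU seconds per period)
PROJECTED_CPU = {"2024-01": 11000, "2024-02": 11500}


def summarize(records):
    """Roll raw records up into per-period totals: CPU seconds, job count, abends."""
    totals = defaultdict(lambda: {"cpu": 0, "jobs": 0, "abends": 0})
    for period, _job, cpu, abended in records:
        t = totals[period]
        t["cpu"] += cpu
        t["jobs"] += 1
        t["abends"] += int(abended)
    return dict(totals)


def pct_change(actual, baseline):
    """Percentage change of actual over baseline; None when no baseline exists."""
    if not baseline:
        return None
    return (actual - baseline) / baseline * 100.0


def variance_report(records, projected, threshold_pct=10.0):
    """Compare each period's actual CPU against projection and against the prior
    period (budget vs. actual vs. prior). 'flags' names the comparisons whose
    absolute variance exceeds threshold_pct."""
    totals = summarize(records)
    report, prior = [], None
    for period in sorted(totals):
        actual = totals[period]["cpu"]
        vs_proj = pct_change(actual, projected.get(period))
        vs_prior = pct_change(actual, totals[prior]["cpu"]) if prior else None
        flags = []
        if vs_proj is not None and abs(vs_proj) > threshold_pct:
            flags.append("projection")
        if vs_prior is not None and abs(vs_prior) > threshold_pct:
            flags.append("prior")
        report.append({
            "period": period,
            "actual_cpu": actual,
            "jobs": totals[period]["jobs"],
            "abends": totals[period]["abends"],
            "vs_projection_pct": vs_proj,
            "vs_prior_pct": vs_prior,
            "flags": flags,
        })
        prior = period
    return report


def job_deltas(records, period, prior_period):
    """Per-job CPU change between two periods, largest increase first, so a
    flagged period-level variance can be traced to the jobs responsible."""
    per_job = defaultdict(lambda: {period: 0, prior_period: 0})
    for p, job, cpu, _abended in records:
        if p in (period, prior_period):
            per_job[job][p] += cpu
    deltas = {job: v[period] - v[prior_period] for job, v in per_job.items()}
    return sorted(deltas.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for row in variance_report(JOB_LOG, PROJECTED_CPU):
        print(row)
    print(job_deltas(JOB_LOG, "2024-02", "2024-01"))
```

With the constructed data, 2024-01 lands within 2% of projection and is not flagged, while 2024-02 exceeds both projection and the prior period by more than the threshold; the per-job breakdown shows BILLING as the main contributor, which is the item an auditor would raise with IT management.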
Both internal and external IT auditors should perform IT reviews that are independent, measure performance, and assess the adequacy of policies and procedures. This provides management with an impartial evaluation of the IT department's condition. IT audit reports should cite exceptions and recommend corrective action. The IT auditors must then follow up to ensure that corrective action has been taken. In addition, IT and senior management must review and follow up on recommendations made in audit reports.