TOP MANAGEMENT CONTROLS
Contents
IS Control & Audit
• INTRODUCTION
• EVALUATING THE PLANNING FUNCTION
• EVALUATING THE ORGANIZING FUNCTION
• EVALUATING THE LEADING FUNCTION
• EVALUATING THE CONTROLLING FUNCTION
• SUMMARY
Introduction
Top management must determine the implications of the hardware and software technology changes that support the information systems function and the organization.
Auditors can evaluate top management by examining how well senior management performs four major functions:
• Planning: Determining the goals of the information systems function and the means of achieving these goals.
• Organizing: Gathering, allocating, and coordinating the resources needed to accomplish the goals.
• Leading: Motivating, guiding and communicating with personnel.
• Controlling: Comparing actual performance with planned performance and taking the corrective actions that are needed.
Evaluating the planning function
Top management is responsible for preparing a master plan for the information systems function.
Preparing the plan involves three tasks (Boynton and Zmud 1987):
1. Recognizing opportunities and problems that confront the organization in which information technology and information systems can be applied cost-effectively.
2. Identifying the resources needed to provide the required information technology and information systems.
3. Formulating strategies and tactics for acquiring the needed resources.
Evaluating the planning function
TYPES OF PLANS: Top management is responsible for recognizing opportunities, identifying the resources and formulating strategy.
Top management must prepare two types of IS plans for IS functions:
• Strategic plan: It is a long-run plan covering 3-5 years of operations. Its contents include:
1. Current information assessment.
2. Strategic directions.
3. Development strategy.
• Operational plan: It is a short-run plan covering 1-3 years of operations. Its contents include:
1. Progress report.
2. Initiatives to be taken.
3. Implementation schedule.
Evaluating the planning function
Need for contingency approach to planning: Both McFarlan et al.'s model and Sullivan's model are useful because they allow auditors to develop an appropriate set of expectations about the ways IS planning should be done within an organization.
• The strategic-grid model was developed by McFarlan et al. (1983). Its two important factors are:
1. The strategic importance of an organization's portfolio of existing information systems.
2. The strategic importance of an organization's portfolio of proposed systems.
Evaluating the planning function
Need for contingency approach to planning: Sullivan (1985) has developed a similar model to determine the information systems planning needs of an organization.
He also focuses on two dimensions:
1. Infusion: the extent to which information technology and information systems have been integrated into the daily operations of the organization.
2. Diffusion: the extent to which information systems and information technology have been dispersed throughout the organization.
Evaluating the planning function
Need for contingency approach to planning:
[Figures: McFarlan et al.'s grid model; Sullivan's infusion-diffusion model]
Evaluating the planning function
• Role of steering committee: The steering committee should assume overall responsibility for the activities of the information systems function.
• The information systems plan is a critical tool needed by the steering committee to discharge its responsibilities.
• Information systems steering committees seem to work best if they have only a small number of members.
• Their makeup should vary depending on how critical the information systems function is to the success of the organization.
Evaluating the organizing function
The planning function establishes goals and objectives for IS within an organization.
• Resourcing the IS functions: Top management must ensure that sufficient resources are available to the information systems function for it to be able to fulfil its role.
• These resources include hardware, software, personnel, finances and facilities.
Staffing the IS functions: It involves three major activities:
1. Acquisition of information systems personnel.
2. Development of information systems personnel.
3. Termination of information systems personnel.
Centralization Vs Decentralization of the Information systems function
• Centralized IS allows better top-management control over the information systems function.
• It provides economies of scale in terms of hardware, software, and personnel and has been advocated as a basis for improved data-resource planning and control.
• King (1983) says management should consider three dimensions, namely control, location and function.
• Decentralization improves an organization's capacity to exploit information systems opportunities.
• Reduces the costs of communications associated with information systems activities.
• Decentralized control is difficult to sustain.
Centralization Vs Decentralization of the Information systems function
• Auditors must consider whether the particular centralization-decentralization configuration chosen for the information systems function in an organization seems consistent with the organization's history, environment, culture, and structure.
• The structure of the information systems function must be congruent with the organization's needs. If congruency does not exist, personnel conflicts are likely to arise. The effectiveness and efficiency of the information systems function will be undermined as a result.
• The centralization-versus-decentralization decision has to be made with respect to control over IS resources, the location of IS resources, and the IS functions to be performed at different cities.
Evaluating the organizational function
• Internal organization of IS function: A centralized data-processing or information systems department was established within organizations.
• The department usually had a systems-development group, a programming group, an operations group, a data preparation group, and a general support or control group.
• Each user department is responsible for its own hardware/software facilities and the development, operation, and maintenance of its own systems.
Evaluating the organizational function
• Internal organization of IS function: Regardless of the organization structure chosen for the information systems function, some of the typical jobs that must be performed include workstation specialist, system analyst, application programmer, data administrator, database administrator, security administrator, network administrator, end-user/client support specialist, QA specialist, expert system specialist, etc.
• Location of IS function: The information systems function should be located in the organizational hierarchy so that its independence is preserved through separation of duties.
Evaluating the leading function
• Motivating IS personnel: Auditors can examine variables that often indicate when motivation problems exist. Examples include staff turnover statistics and frequent failure of projects to meet their budget.
• Various major theories of motivation have been proposed, such as Maslow's hierarchy-of-needs theory, Herzberg's motivator-hygiene theory, and Vroom's expectancy theory.
• Matching leadership styles with IS personnel and their jobs: Managers who adopt an effective leadership style exhibit certain characteristics such as awareness, empathy, objectivity and self-knowledge.
• Leadership styles must vary depending upon personalities and task.
Evaluating the leading function
• Effectively communicating with IS personnel: Effective communications are essential to the conduct of high-quality planning, organizing, and controlling. Effective communications are also essential to promoting good relationships and a sense of trust among work colleagues.
• Auditors can use both formal and informal sources of evidence to evaluate how well top managers communicate with their staff.
• The formal sources include IS plans, documented standards and policies, the minutes of meetings, and memoranda distributed to information systems staff. We can evaluate this evidence to determine how clearly it communicates top management's intentions.
Evaluating the leading function
• The informal sources of evidence include interviews with IS staff about their level of satisfaction with the ways top managers communicate their wishes, observations of whether a sense of purpose seems to exist among members of a project group, and assessments of the general awareness that staff possess of activities being carried out within the IS function.
Hence, auditors must try to assess both the short-run and long-run consequences of poor communications, motivation skills and the leadership styles within the information systems function and to assess the implications for asset safeguarding, data integrity, system effectiveness, and system efficiency.
Evaluating the controlling function
• The level of control exercised over the information systems function needs to vary depending upon whether top management wishes to encourage diffusion of new technologies or constrain use of existing technologies.
• Policies and standards are an important means of exercising control over the information systems function.
• Top managers must develop policies and implement procedures that provide incentives for users to employ information systems services effectively and efficiently.
• Users of computer services can be controlled by implementing a review mechanism, such as zero-based budgeting, or a transfer pricing (chargeout) scheme.
Evaluating the controlling function
• A specific transfer price or chargeout must be determined; the available options include transfer pricing, allocated cost, dual price, and negotiated price.
• Zero-based budgeting (ZBB) allows strong, centralized control to be exercised over information systems activities without placing onerous requirements on users to quantify the benefits and costs of applications for the review committee.
• If top managers choose to control users via a transfer pricing or chargeout scheme, two decisions must be made.
Transfer pricing or charge out scheme
First, they must determine how they wish to view the providers of IS services. Several options are available:
1. Cost center: The providers of information systems services are given the goal of recouping their costs.
2. Profit center: The providers of information systems services are given the goal of making a profit on their activities.
3. Investment center: The providers of information systems services are given responsibility for their investments in information technology and the goal of making an acceptable return on these investments.
4. Hybrid center: Different activities undertaken by the providers of information systems services are given different goals: cost recovery, reasonable profit, or an acceptable rate of return on investment.
Specific transfer price or charge scheme
First, they must determine how they wish to view the providers of IS services. Several options are available:
1. Allocated cost: At the end of a time period, the costs are charged to users on the basis of the proportion of services consumed by the users.
2. Standard cost: The long-run average cost of providing different services is calculated, assuming (a) the services are provided effectively and efficiently and (b) reasonable levels of demand exist for the different types of services.
3. Dual price: The prices charged to users and the prices assigned to the providers of IS services are different.
4. Negotiated price: Users of IS services negotiate a price for the provision of IS services directly with the providers of the services.
5. Market price: Users are charged for the provision of services at current market prices for the services.
Summary
• To evaluate top management, IS auditors must have a sound knowledge of the principles of good management, which include major functions like planning, organizing, leading and controlling.
• They must first determine what aspects of each function are critical to the organization from a control perspective. They must evaluate top management's performance of the function against these normative guidelines.

Information Systems Control and Audit - Chapter 3 - Top Management Controls - Ron Weber

  • 2. contents IS Control & Audit 2  INTRODUCTION  EVALUATING THE PLANNING FUNCTION  EVALUATING THE ORGANIZING FUNCTION  EVALUATING THE LEADING FUNCTION  EVALUATING THE CONTROLLING FUNCTION  SUMMARY
  • 3. Introduction IS Control & Audit 3 Top management must determine the implications of the hardware and software technology changes that support information systems function and the organization. Auditors can evaluate top management by examining how well the senior management performs four major functions:  Planning: Determining the goals of the information systems function and means of achieving these goals.  Organizing: Gathering, allocating, coordinating the resources needed to accomplish the goals.  Leading: Motivating, guiding and communicating with personnel.  Controlling: Comparing actual performance with planned performance and taking corrective actions that are needed.
  • 4. Evaluating the planning function IS Control & Audit 4 Top management is responsible for preparing a master plan for the information systems function. Preparing the plan involves three tasks (Boynton and Zmud 1987): 1. Recognizing opportunities and problems that confront the organization in which information technology and information systems can be applied cost effectively. 2. Identifying the resources needed to provide the required information technology and information systems. 3. Formulating strategies and tactics for acquiring the needed resources.
  • 5. Evaluating the planning function IS Control & Audit 5 TYPES OF PLANS: Top management is responsible for recognizing opportunities, identifying the resources and formulating strategy. Top management must prepare two types of IS plans for IS functions:  Strategic plan: It is a long-run plan covering 3-5 years of operations. Its contents include: 1. Current information assessment. 2. Strategic directions. 3. Development strategy.  Operational plan: It is a short-run plan covering 1-3 years of operations. Its contents include: 1. Progress report. 2. Initiatives to be taken. 3. Implementation schedule.
  • 6. Evaluating the planning function IS Control & Audit 6 Need for contingency approach to planning: Both Mc.Farlan et al’s model and Sullivan’s model are useful as they allow auditors to develop an appropriate set of expectations about the ways IS planning should be done within an organization.  The strategic-grid model is developed by Mc.Farlan et al. (1983). Its two important factors are: 1. The strategic importance of an organization’s portfolio of existing information systems. 2. The strategic importance of an organization’s portfolio of proposed systems.
  • 7. Evaluating the planning function IS Control & Audit 7 Need for contingency approach to planning: Sullivan (1985) has developed a similar model to determine the information systems planning needs of an organization. He also focuses on two dimensions: 1. Infusion—the extent lo which information technology and information systems have been integrated into the daily operations of the organization. 2. Diffusion—the extent to which information systems and information technology has been dispersed throughout the organization.
  • 8. Evaluating the planning function IS Control & Audit 8 Need for contingency approach to planning: Mc. Farlan et al’s grid model Sullivan’s infusion-diffusion model
  • 9. Evaluating the planning function IS Control & Audit 9  Role of steering committee: The steering committee should assume overall responsibility for the activities of the information systems function.  The information systems plan is a critical tool needed by the steering committee to discharge its responsibilities.  Information systems steering committees seem to work best if they have only a small number of members.  Their makeup should vary depending on how critical the information systems function is to the success of the organization.
  • 10. Evaluating the ORANIZING function IS Control & Audit 10 The planning function establishes goals and objectives for IS within an organization.  Resourcing the IS functions: Top management must ensure that sufficient resources are available to the information systems function for it to be able to fulfil its role.  These resources include hardware, software, personnel, finances and facilities. Staffing the IS functions: It involves three major activities: 1. Acquisition of information systems personnel. 2. Development of information systems personnel. 3. Termination of information systems personnel.
  • 11. Centralization Vs Decentralization of the Information systems function IS Control & Audit 11  Centralized IS allows better top- management control over the information systems function.  It provides economies of scale in terms of hardware, software, and personnel and has been advocated as a basis for improved data-resource planning and control.  King (1983) says management should consider three dimensions namely control, location and function.  Decentralization improves an organization’s capacity to exploit information systems opportunities.  Reduces the costs of communications associated with information systems activities.  Decentralized control is difficult to sustain.
  • 12. Centralization Vs Decentralization of the Information systems function IS Control & Audit 12  Auditors must consider whether the particular centralization-decentralization configuration chosen for the information systems function in an organization seems consistent with the organization’s history, environment, culture, and structure.  The structure of the information systems function must be congruent with the organization’s needs. If congruency does not exist, personnel conflicts are likely to arise. The effectiveness and efficiency of the information systems function will be undermined as a result.  The decision of centralized and decentralized have to be made w.r.t control over IS resources, location of IS resources and the IS functions to be performed at different cities.
  • 13. Evaluating the organizational function IS Control & Audit 13  Internal organization of IS function: A centralized data-processing or information systems department was established within organizations.  The department usually had a systems-development group, a programming group, an operations group, a data preparation group, and a general support or control group.  Each user department is responsible for its own hardware/software facilities and the development, operation, and maintenance of its own systems.
  • 14. Evaluating the organizational function IS Control & Audit 14  Internal organization of IS function: Regardless of the organization structure chosen for the information systems function, some of the typical jobs that must be performed include workstation specialist, system analyst, application programmer, data administrator, database administrator, security administrator, network administrator, end-user/client support specialist, QA specialist, expert system specialist etc..  Location of IS function: The information systems function should be located in the organizational hierarchy so that its independence is preserved through separation of duties.
  • 15. Evaluating the leading function IS Control & Audit 15  Motivating IS personnel: Auditors can examine variables that often indicate when motivation problems exist. For instance, staff turnover statistics, frequent failure of projects to meet their budget.  Various major theories of motivation have been proposed like Maslow’s hierarchy-of- needs theory, Herzberg’s motivator-hygiene theory, and Vroom’s expectancy theory.  Matching leadership styles with IS personnel and their jobs: Managers who adopt an effective leadership style exhibit certain characteristics like awareness, empathy, objectivity and self-knowledge.  Leadership styles must vary depending upon personalities and task.
  • 16. Evaluating the leading function IS Control & Audit 16  Effectively communicating with IS personnel: Effective communications are essential to the conduct of high-quality planning, organizing, and controlling. Effective communications are also essential to promoting good relationship and sense of trust among work colleagues.  Auditors can use both formal and informal sources of evidence to evaluate how well top managers communicate with their staff.  The formal sources include IS plans, documented standards and policies, the minutes of meetings, and memoranda distributed to information systems staff. We can evaluate this evidence to determine how clearly it communicates top management’s intentions.
  • 17. Evaluating the leading function IS Control & Audit 17  The informal sources of evidence include interviews with IS staff about their level of satisfaction with the ways top managers communicate their wishes, observations of whether a sense of purpose seems to exist among members of a project group, and assessments of the general awareness that staff possess of activities being carried out within the IS function. Hence, auditors must try to assess both the short-run and long-run consequences of poor communications, motivation skills and the leadership styles within the information systems function and to assess the implications for asset safeguarding, data integrity, system effectiveness, and system efficiency.
  • 18. Evaluating the controlling function IS Control & Audit 18  The level of control exercised over the information systems function needs to vary depending upon whether top management wish to encourage diffusion of new technologies or constrain use of existing technologies.  Policies and standards are an important means of exercising control over the information systems function.  Top managers must develop policies and implement procedures that provide incentives for users to employ information systems services effectively and efficiently.  Users of computer services can be controlled by implementing a review mechanism, such as zero based budgeting, or a transfer pricing (chargeout) scheme.
  • 19. Evaluating the controlling function IS Control & Audit 19  A specific Transfer price or charge out must be determined in which options are available like transfer pricing, allocated cost, dual price, negotiated price.  Zero- Based budgeting (ZBB) allows strong, centralized control to be exercised over information systems activities without placing onerous requirements on users to quantify the benefits and costs of applications for the review committee.  If top managers choose to control users via a transfer pricing or charge out scheme, two decisions must be made.
  • 20. Transfer pricing or charge out scheme IS Control & Audit 20 First, they must determine how they wish to view the providers of IS services. Several options are available: 1. Cost center: The providers of information systems services are given the goal of recouping their costs. 2. Profit center: The providers of information systems services are given the goal of making a profit on their activities. 3. Investment center: The providers of information systems services are given responsibility for their investments in information technology and the goal of making an acceptable return on these investments. 4. Hybrid center: Different activities undertaken by the providers of information systems services are given different goals—cost recovery, reasonable profit, or an acceptable rate of return on investment.
  • 21. Specific transfer price or charge scheme IS Control & Audit 21 First, they must determine how they wish to view the providers of IS services. Several options are available: 1. Allocated cost: At the end of time period, the costs are charged to users on the basis of the proportion of services consumed by the users. 2. Standard cost: The long-run average cost of providing different services is calculated. Assuming (a)the services are provided effectively and efficiently and (b) reasonable levels of demand exist for the different types of services. 3. Dual price :The prices charged to users and the prices assigned to the providers of IS services are different. 4. Negotiated price: Users of IS services negotiate a price for the provision of IS services directly with the providers of the services. 5. Market price : Users are charged tot the provision of services at current market prices for the services.
  • 22. Summary: To evaluate top management, IS auditors must have a sound knowledge of the principles of good management, which include major functions like planning, organizing, leading and controlling. They must first determine what aspects of each function are critical to the organization from a control perspective. They must then evaluate top management's performance of the function against these normative guidelines.

Editor's Notes

  • #6: The contents of a strategic plan typically include the following: 1. Current information assessment: Existing information systems services provided, current hardware/software platform, existing personnel resources, current technology issues, current strengths and weaknesses, current threats and opportunities. 2. Strategic directions: Future information services to be provided, overall strategies for intraorganizational and interorganizational systems. 3. Development strategy: Vision statement for information technology, future applications and databases, future hardware/software platform, future personnel resources required, future financial resources required, approach to monitoring the implementation of the strategy. The contents of an operational plan typically include the following: 1. Progress report: Current plan initiatives achieved and missed, major hardware/software platform changes, additional initiatives embarked upon. 2. Initiatives to be undertaken: Systems to be developed, hardware/software platform changes, personnel resources acquisition and development, financial resources acquisition. 3. Implementation schedule: Proposed start and finish dates for each major project, milestones, project control procedures to be adopted.
  • #7: Support: Both existing and proposed information systems have low importance. Only small amounts of planning are needed. Factory: Although proposed systems are relatively unimportant, existing systems are critical. Moderate amounts of planning will be needed, primarily focusing on the short-run resource needs of the organization. Turnaround: Although existing systems are relatively unimportant, proposed systems are critical. Moderate to large amounts of planning will be needed, primarily focusing on the long-run application needs of the organization. Strategic: Both existing systems and future systems are critical. Substantial planning should be undertaken, focusing on both the short- and long-run resource and application needs of the organization.
  • #8: Traditional: Low infusion and low diffusion of information technology and information systems have occurred. Only small amounts of planning are needed. The planning can be performed by a centralized group. Federation: Although low infusion has occurred, high diffusion exists. Moderate amounts of planning will be needed. Planning activities will be decentralized, primarily focusing on the needs of divisions and end users. Organizationwide planning activities are likely to be resisted. Backbone: Although low diffusion has occurred, high infusion exists. Moderate to large amounts of planning will be needed. Planning activities will be centralized, primarily focusing on the needs of the centralized information systems group. Complex: Both infusion and diffusion of information technology and systems are substantial. Large amounts of planning will be needed. Planning activities will be complex as they try to take into account both the corporate, centralized needs and the needs of individual divisions and end users. Planning must respect divisional autonomy. At the same time, however, it must establish organizationwide directions.
  • #16: Managers who adopt an effective leadership style exhibit certain characteristics: awareness (they understand the essentials of motivation and leadership); empathy (they can place themselves in the position of others); objectivity (they can examine and evaluate events unemotionally); and self-knowledge (they are aware of the results their actions evoke). They also tend to have a high need for achievement, are self-assured, and possess intelligence and creativity.
  • #19: Allocated cost: At the conclusion of some period, the costs for the period are charged to users on the basis of the proportion of services consumed by the users. Standard cost: The long-run average cost of providing different services is calculated, assuming (a) the services are provided effectively and efficiently and (b) reasonable levels of demand exist for the different types of services. Dual price: The prices charged to users and the prices assigned to the providers of information systems services are different. For example, users might be charged on the basis of average cost, and the providers of information systems services might account for their activities on the basis of average cost plus a markup or market price. Negotiated price: Users of information systems services negotiate a price for the provision of information systems services directly with the providers of the services. Market price: Users are charged for the provision of services at current market prices for the services.