
AIS CHAPTER 8 NOTES

Pervasive Controls
General Controls
COBIT Framework
Segregation of Duties Controls:
Segregation of duties: separates the four basic functions of event
processing:
Authorizing events
-giving approval for a specific transaction to move forward in the
process
-expense report example: for the cashier to approve a check to you,
your supervisor needs to give approval for the next step
Executing events
-cash disbursement: setting up the checks in the system to be cashed
and checked; the physical work, the doing of the work
Recording events
-entering the transaction into our journals or books; any activity
that records events
Safeguarding resources
-having physical custody of the asset that is involved; for a cash
disbursement the physical assets are the blank checks
No single employee should be in a position to perpetrate and conceal
fraud, errors or other system failures.
With proper segregation, collusion would need to occur between
departments to exploit the system and conceal abuse.
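An added example, not part of these notes, that turns the four-function rule above into a check over role assignments: it flags any employee holding two or more of the four functions within one process, and computes how many people would have to collude to cover all four (process and role names are constructed for illustration).

```python
from itertools import combinations

# The four basic functions of event processing named in the notes.
FUNCTIONS = ("authorize", "execute", "record", "safeguard")


def sod_violations(assignments):
    """assignments maps process -> function -> set of employees.
    Returns (process, employee, functions) for every employee who holds
    two or more of the four functions within the same process."""
    violations = []
    for process, funcs in assignments.items():
        held = {}
        for func in FUNCTIONS:
            for emp in funcs.get(func, ()):
                held.setdefault(emp, []).append(func)
        for emp, fs in sorted(held.items()):
            if len(fs) >= 2:
                violations.append((process, emp, tuple(fs)))
    return violations


def minimum_colluders(assignments, process):
    """Smallest number of distinct employees whose combined duties cover
    all four functions of one process. With full segregation this is 4:
    perpetrating and concealing a fraud needs four people to cooperate."""
    funcs = assignments[process]
    people = sorted({e for f in FUNCTIONS for e in funcs.get(f, ())})
    for k in range(1, len(people) + 1):
        for group in combinations(people, k):
            covered = {f for f in FUNCTIONS if funcs.get(f, set()) & set(group)}
            if covered == set(FUNCTIONS):
                return k
    return None  # some function has nobody assigned to it


# Constructed sample modelled on the cash-disbursement example above;
# the role names are hypothetical.
ASSIGNMENTS = {
    "cash_disbursement": {
        "authorize": {"supervisor"},
        "execute": {"cashier"},
        "record": {"bookkeeper"},
        "safeguard": {"treasurer"},  # custody of the blank checks
    },
    "expense_reports": {
        "authorize": {"cashier"},  # cashier approving a check: conflict
        "execute": {"cashier"},
        "record": {"bookkeeper"},
        "safeguard": {"treasurer"},
    },
}
```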
Personnel Policy Controls:
Selection and hiring control plans:
Candidates should be carefully screened, selected and hired.
Retention control plans:
Create challenging work opportunities as well as channels for
advancement whenever possible.
Idea that you won't do harm if you've gained experience?
Personnel development control plans:
Identify opportunities for promotion, training and personal
growth.
Personnel termination control plans:
When an employee leaves an organization.
Remove access to IT/information
Rotation of duties:
Employee alternates jobs periodically.
Don't get too comfortable?

Forced vacations:
Employee takes leave from the job and substitutes another
employee in his/her place.
Fidelity bond:
Indemnifies a company in case it suffers losses from defalcations
committed by its employees. Employees who have access to
cash and other negotiable assets are usually bonded.
It is like an insurance policy.

General Controls and the COBIT 4.1 Framework


Organizational governance is the processes employed by
organizations to select objectives, establish processes to achieve
objectives, and monitor performance.
IT governance is a process that ensures the enterprise's IT sustains
and extends the organization's strategies and objectives.
Direction of IT STRATEGY is ALIGNED W/ BUSINESS OBJECTIVE

Provides guidance on the best practices for the management of
information technology.
IT resources must be managed by IT control processes to ensure the
organization has the information to achieve its objectives.

By providing a framework to ensure that IT:
-is aligned with the business,
-enables the business and maximizes benefits,
-resources are used responsibly, and
-risks are managed appropriately.

The policies, procedures, practices, and organizational structures
designed to provide reasonable assurance that business objectives
will be achieved and that undesired events will be prevented
or detected and corrected.

4 COBIT DOMAINS:
Plan and organize
Acquire and implement
Deliver and support
Monitor and evaluate

PLAN AND ORGANIZE
Develop strategy and tactics for IT (identify ways that IT can best
contribute to the achievement of business objectives)
Plan, communicate, and manage realization of the strategic vision
Put in place the organization (people) and technological infrastructure
(machines)
-Do we have the skill set, or do we need to hire new people, to be able
to conduct and envision this plan?
-Which ERP system, etc., will we use? Do we have the ability to
support it?
-A lot of cost-benefit analysis happens in this space
PLAN AND ORGANIZE CONTROLS
Strategic IT Plan
-is something similar as a vision for the IT division
-allows an organization to say ok we want a more unified IT system
IT Steering Committee
-usually led by the CEO or COO
-a group of the business leaders that can give an idea and discussion
of where IT is going
-the CIO is usually the person responsible for the IT function, and
usually comes into these roles and
Segregation of duties control plan
Organizational Control Plans for IT
Personnel Control Plans

-POWER/SUPER user: individuals with access to a large portion of an IT
system
-make sure that they are not abusing their power
IT GOVERNANCE AND IT GOVERNANCE/STEERING COMMITTEE
CEO or COO should chair IT committee to ensure effective operation
and unbiased decisions
Novell's committee has outside directors, monitors major projects,
and addresses returns from investments
FedEx committee also includes board members, oversees IT projects
and architecture decisions, advises IT management and board on
technology issues

ACQUIRE AND IMPLEMENT
IT solutions are:
-Identified
-Developed or acquired
-Implemented
-Integrated into the business processes
Change and maintain existing systems (so that they continue to meet
business objectives)
ACQUIRE AND IMPLEMENT CONTROLS:
Systems development life cycle (SDLC) for applications and technology
infrastructure

Service level agreements
Documentation
Change controls (see Figure 8.6)
Integrate/transition to new system (sudden switch, phased-in, parallel)