By Richard E. Cascarino
Copyright © 2012 by Richard E. Cascarino
CHAPTER FIFTEEN
Governance Techniques
This chapter covers the need for, and use of, techniques such as change-control reviews, operational reviews, and International Standards Organization (ISO) 9000 reviews.
CHANGE CONTROL
Periodically the necessity arises to modify an existing hardware and/or software configuration as a result of:
critical that during periods of change, the production versions of software are protected against unauthorized changes, untested changes, or even malicious changes.
Change control’s objective is to ensure risk is controlled, not introduced, during a change. This means ensuring that:

implementation has been authorized, the change controller will normally copy the amended source code into the production library. For this to be effective, access to production libraries must be restricted to the change controller only. This access control is intended to prevent both accidental and malicious amendments to production software occurring without appropriate authorization.
Updating software on personal computers and local area networks would appear more straightforward because it normally involves installation of purchased packages. Unfortunately, not all purchased packages function immediately as intended. In the smaller environment of personal computers it is common that backups are not taken prior to system changes, and the introduction of a new version of software, or even new software altogether, may result in significant damage to the production environment.

Personal computers and local area networks also require careful control over changes made. The change-control processes may differ from those of the surrounding mainframe computers; nevertheless, appropriate change-control procedures must be implemented.
PROBLEM MANAGEMENT
The changes thus controlled are known and planned changes. The procedures involve ensuring prior authorization for all changes, supervision of the change process, adequate testing of all changes, and user sign-off on all changes.

Periodically things will go wrong with a system, necessitating an urgent repair. Such changes are not known in advance and are commonly executed first, with permission sought retrospectively. Such changes are controlled using Problem Management.

Problem Management’s objective is to control systems during emergency situations arising from unforeseen changes. Typically this will involve bypassing normal control mechanisms and may require direct programmer access to live data. This must be controlled separately and must involve user authorization, even if retrospectively.
From an audit perspective, the IT auditor will seek assurance that change-control procedures are in place and effective over changes to hardware, software, telecommunications, or anything that affects the processing environment. Sources of evidence for the auditor would include minutes of change-control committee meetings, software movement reports, access-control logs, and system-failure records.
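The two controls described above (production libraries writable only by the change controller, and emergency changes under Problem Management that must still receive user authorization, even retrospectively) can be tested by reconciling the software movement report against the change-control register. The following is an added example, not code from the book or from any product it mentions; the movement-report format, the `chgctl` account name, the ticket identifiers and the 48-hour window for retrospective authorization are all assumptions constructed for the illustration.

```python
"""Reconcile production-library movements against change authorizations.

Added example (not from the book): an audit check run over a constructed
software movement report and a constructed change-control register.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumption: the only account permitted to write to production libraries.
CHANGE_CONTROLLER = "chgctl"
# Assumption: how long after an emergency change the retrospective user
# authorization must be recorded before the change is reported as an exception.
RETRO_AUTH_WINDOW = timedelta(hours=48)


@dataclass
class Authorization:
    ticket: str
    authorized_by: str          # user / business owner who signed off
    authorized_at: datetime
    emergency: bool = False     # handled under Problem Management


@dataclass
class Movement:
    moved_at: datetime
    actor: str                  # account that wrote to the production library
    library: str
    member: str
    ticket: Optional[str]       # change ticket quoted on the movement record


def parse_movement_report(text):
    """Parse constructed report lines of the form when,actor,library,member,ticket."""
    movements = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        when, actor, library, member, ticket = [f.strip() for f in line.split(",")]
        movements.append(Movement(datetime.fromisoformat(when), actor, library,
                                  member, ticket or None))
    return movements


def reconcile(movements, authorizations):
    """Return (movement, finding) pairs for every movement that fails a control."""
    by_ticket = {a.ticket: a for a in authorizations}
    findings = []
    for m in movements:
        # Control 1: only the change controller may write to production libraries.
        if m.actor != CHANGE_CONTROLLER:
            findings.append((m, "production library written by non-change-controller account"))
        auth = by_ticket.get(m.ticket) if m.ticket else None
        if auth is None:
            findings.append((m, "no change authorization on record"))
            continue
        if auth.emergency:
            # Problem Management: authorization may follow the change, but it
            # must exist and be recorded within the agreed window.
            if auth.authorized_at - m.moved_at > RETRO_AUTH_WINDOW:
                findings.append((m, "retrospective authorization outside window"))
        elif auth.authorized_at > m.moved_at:
            # Normal change control: authorization must precede implementation.
            findings.append((m, "change implemented before authorization"))
    return findings


# Constructed sample data for the example (not real records).
MOVEMENT_REPORT = """
# moved_at,actor,library,member,ticket
2012-03-01T09:15:00,chgctl,PROD.LOADLIB,PAYROLL1,CHG-1042
2012-03-01T14:02:00,jsmith,PROD.LOADLIB,GLPOST,CHG-1043
2012-03-02T11:30:00,chgctl,PROD.LOADLIB,ARAGING,CHG-1050
2012-03-03T02:10:00,chgctl,PROD.SRCLIB,BILLING,INC-0077
2012-03-03T03:40:00,chgctl,PROD.SRCLIB,INVOICE,INC-0078
2012-03-04T08:00:00,chgctl,PROD.LOADLIB,FXRATES,CHG-1044
"""

REGISTER = [
    Authorization("CHG-1042", "hr_owner", datetime(2012, 2, 28, 16, 0)),
    Authorization("CHG-1043", "fin_owner", datetime(2012, 2, 29, 10, 0)),
    Authorization("INC-0077", "bill_owner", datetime(2012, 3, 3, 10, 0), emergency=True),
    Authorization("INC-0078", "bill_owner", datetime(2012, 3, 8, 9, 0), emergency=True),
    Authorization("CHG-1044", "treas_owner", datetime(2012, 3, 5, 9, 0)),
]


def audit_sample():
    """Run the reconciliation over the constructed data; returns the exception list."""
    return reconcile(parse_movement_report(MOVEMENT_REPORT), REGISTER)


if __name__ == "__main__":
    for m, why in audit_sample():
        print(f"{m.moved_at.isoformat()} {m.library}({m.member}) by {m.actor} "
              f"ticket={m.ticket}: {why}")
```

On the constructed data the check reports four exceptions: a programmer account writing directly to a production library, a movement with no ticket in the register, an emergency change whose user sign-off arrived five days later, and a planned change implemented a day before it was approved. In practice the movement report and register would be exported from the library-management and change-control tools, and the same logic would be run against the access-control logs for the production libraries as a second, independent source.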
The auditor will typically seek to ensure that:
OPERATIONAL REVIEWS
▪ Internal controls
▪ Compliance with laws, regulations, and company policies
▪ Reliability and integrity of financial and operating information
▪ Effective and efficient use of resources
PERFORMANCE MEASUREMENT
provide the feedback used to assess the effectiveness of an organization from a variety of viewpoints. Using this feedback, it is possible to ensure continued excellence of programs and services in response to changes within both the internal and external environments.
The process commences with the setting of business objectives and the development of strategies and plans to achieve these objectives within an overall control framework. This is followed by the development of appropriate performance measures to assess progress toward the objectives.
Performance-measurement systems provide the feedback information required
to determine if executive management strategies have been effectively converted into
operational decisions.
Performance measurement provides a balanced, methodical attempt to assess the effectiveness of an organization’s operations from multiple vantage points: financial, client satisfaction, internal business, and innovation/learning.
The Balanced Scorecard approach can give the auditor well-structured measurement criteria if it has been appropriately implemented. The mechanics of performance measurement are complex, and the development and deployment of the process may be painful. Typically many measures will be evaluated before a key set emerges. Many choices will involve industry best-practice measures so that a competitive benchmark can be established.
Improving performance measurement involves the development of integrated performance-measurement systems that are built around a strategic theme such as business strategy or value creation. They involve measuring those aspects of the IT structure that relate the activities of people and processes in the IT organization to the intended outcomes for the IT stakeholders.
Integrated performance-measurement systems are a significant improvement over prior evaluation structures but still do not eliminate some of the basic difficulties of performance measurement. IT can be a complex organization offering considerably more opportunities for measurement than management can effectively employ. The difficulty lies in reducing the required number of measures to a significant few.
Managers generally understand how effective measurement provides key support in the pursuit of organizational goals when the consequences of performance results are communicated and understood. Within IT they tend to support the concept of performance measurement because their experience has shown it to be effective in helping to achieve success. Managers who use performance measurement on a regular basis understand the difficulties inherent in the process. Many measurement criteria form an imperfect definition of the underlying idea and can result in rewarding “bad” behavior and punishing “good” behavior.
Most IT managers understand the shortcomings of measurement systems. They are fully aware that distortions may be introduced through cost and asset allocations. They recognize that there may be an inclination to measure the things that are easy to measure and to avoid measures that are more difficult, with the distortions this creates.