
3. System Infrastructure

c. Describe Common IT Control Framework

Information technology controls (or IT controls) are particular activities carried out
by individuals or systems intended to guarantee the achievement of company goals. They
are a subset of the internal control of an enterprise. IT control goals relate to data
confidentiality, integrity and accessibility and the general management of the
enterprise's IT function.

COBIT is an IT management framework developed by ISACA to help
businesses develop, organize and implement strategies around information management
and governance. The acronym COBIT stands for Control Objectives for Information and
Related Technology, and the most recent iteration is COBIT 5.

Information is a key resource for all enterprises, and from the time that information
is created to the moment that it is destroyed, technology plays a significant role.
Information technology is increasingly advanced and has become pervasive in
enterprises and in social, public and business environments.

As a result, today, more than ever, enterprises and their executives strive to:

• Maintain high-quality information to support business decisions.
• Generate business value from IT-enabled investments, i.e., achieve
  strategic goals and realize business benefits through effective and
  innovative use of IT.
• Achieve operational excellence through the reliable and efficient
  application of technology.
• Maintain IT-related risk at an acceptable level.
• Optimize the cost of IT services and technology.
• Comply with ever-increasing relevant laws, regulations, contractual
  agreements and policies.

Over the past decade, the term ‘governance’ has moved to the
forefront of business thinking in response to examples demonstrating
the importance of good governance and, on the other end of the
scale, global business mishaps.

Successful enterprises have recognized that the board and executives need to
embrace IT like any other significant part of doing business. Boards and management—
both in the business and IT functions—must collaborate and work together, so that IT is
included within the governance and management approach. In addition, legislation is
increasingly being passed and regulations implemented to address this need.

COBIT 5 provides a comprehensive framework that assists enterprises in
achieving their objectives for the governance and management of enterprise IT. Simply
stated, it helps enterprises create optimal value from IT by maintaining a balance between
realizing benefits and optimizing risk levels and resource use. COBIT 5 enables IT to be
governed and managed in a holistic manner for the entire enterprise, taking in the full
end-to-end business and IT functional areas of responsibility, considering the IT-related
interests of internal and external stakeholders. COBIT 5 is generic and useful for
enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

COBIT 5 Principles
COBIT 5 is based on five key principles for governance and management of
enterprise IT:

Principle 1: Meeting Stakeholder Needs—Enterprises exist to create value for
their stakeholders by maintaining a balance between the realization of benefits and the
optimization of risk and use of resources. COBIT 5 provides all of the required processes
and other enablers to support business value creation through the use of IT. Because
every enterprise has different objectives, an enterprise can customize COBIT 5 to suit its
own context through the goals cascade, translating high-level enterprise goals into
manageable, specific, IT-related goals and mapping these to specific processes and
practices.

Principle 2: Covering the Enterprise End-to-end—COBIT 5 integrates
governance of enterprise IT into enterprise governance:

• It covers all functions and processes within the enterprise; COBIT 5 does not focus
  only on the ‘IT function’, but treats information and related technologies as assets
  that need to be dealt with just like any other asset by everyone in the enterprise.
• It considers all IT-related governance and management enablers to be
  enterprise-wide and end-to-end, i.e., inclusive of everything and everyone—internal
  and external—that is relevant to governance and management of enterprise
  information and related IT.

Principle 3: Applying a Single, Integrated Framework—There are many
IT-related standards and good practices, each providing guidance on a subset of IT
activities. COBIT 5 aligns with other relevant standards and frameworks at a high level,
and thus can serve as the overarching framework for governance and management of
enterprise IT.

Principle 4: Enabling a Holistic Approach—Efficient and effective governance
and management of enterprise IT require a holistic approach, taking into account several
interacting components. COBIT 5 defines a set of enablers to support the implementation
of a comprehensive governance and management system for enterprise IT. Enablers are
broadly defined as anything that can help to achieve the objectives of the enterprise. The
COBIT 5 framework defines seven categories of enablers:

• Principles, Policies and Frameworks
• Processes
• Organizational Structures
• Culture, Ethics and Behavior
• Information
• Services, Infrastructure and Applications
• People, Skills and Competencies

Principle 5: Separating Governance From Management—The COBIT 5
framework makes a clear distinction between governance and management. These two
disciplines encompass different types of activities, require different organizational
structures and serve different purposes. COBIT 5’s view on this key distinction between
governance and management is:

• Governance

Governance ensures that stakeholder needs, conditions and options are evaluated
to determine balanced, agreed-on enterprise objectives to be achieved; setting
direction through prioritization and decision making; and monitoring performance
and compliance against agreed-on direction and objectives. In most enterprises,
overall governance is the responsibility of the board of directors under the
leadership of the chairperson. Specific governance responsibilities may be
delegated to special organizational structures at an appropriate level, particularly
in larger, complex enterprises.

• Management

Management plans, builds, runs and monitors activities in alignment with the
direction set by the governance body to achieve the enterprise objectives. In most
enterprises, management is the responsibility of the executive management under
the leadership of the chief executive officer (CEO).

Together, these five principles enable the enterprise to build an effective
governance and management framework that optimizes information and technology
investment and use for the benefit of stakeholders.

d. Describe the functional areas of IT operations

IT Governance

IT governance is the responsibility of executives and the board of directors, and
consists of the leadership, organizational structures and processes that ensure that the
enterprise’s IT sustains and extends the organization’s strategies and objectives.
Furthermore, IT governance integrates and institutionalizes good practices to ensure that
the enterprise’s IT supports the business objectives. IT governance enables the
enterprise to take full advantage of its information, thereby maximizing benefits,
capitalizing on opportunities and gaining competitive advantage. These outcomes require
a framework for control over IT that fits with and supports the Committee of Sponsoring
Organizations of the Treadway Commission’s (COSO’s) Internal Control—Integrated
Framework, the widely accepted control framework for enterprise governance and risk
management, and similar compliant frameworks. Organizations should satisfy the quality,
fiduciary and security requirements for their information, as for all assets. Management
should also optimize the use of available IT resources, including applications, information,
infrastructure and people. To discharge these responsibilities, as well as to achieve its
objectives, management should understand the status of its enterprise architecture for IT
and decide what governance and control it should provide.

IT Infrastructure

IT Infrastructure refers to the entire stack of underlying elements required to deliver
technology to an end-user. This includes hardware (servers, data storage, networking,
converged systems), virtualization, management, automation and orchestration and the
means to deliver the applications to the customer in the form of client systems
(smartphones, laptops, tablets, thin clients, etc.). Companies can drive real business
results with IT Transformation.

All technology services, from applications to business systems, digital records and
smart products, require underlying infrastructure to be able to function. IT Infrastructure
refers to the underlying technology stack that enables these services to be delivered.

The IT Infrastructure stack starts with hardware – compute capabilities provided
by servers, data storage devices to store information and networking capabilities to allow
the data to flow across the IT Infrastructure stack. This hardware layer can be built from
individual components or acquired as a ready-to-run system, referred to as a converged
system.

Most IT Infrastructure is virtualized into IT resource pools from which virtual
machines, storage and networks are carved out for specific applications. These
applications are what provide the end users the ability to perform their functions, from
delivering ERP and payroll systems to running websites, cloud apps and internet
delivered services.

IT Functionality

It is perhaps the most visible task performed by the IT department, and therefore
what they’re most commonly associated with in many workers’ minds. It refers to creating
and maintaining operational applications; developing, securing, and storing electronic
data that belongs to the organization; and assisting all functional areas of the
organization in the use of software and data management.

IT Network Responsibilities

The IT department oversees the installation and maintenance of computer network
systems within a company. This may only require a single IT employee, or in the case of
larger organizations, a team of people working to ensure that the network runs smoothly.

The IT department must evaluate and install the proper hardware and software
necessary to keep the network functioning properly. As this involves working within a
budget allocated to the department for network devices and software, the IT department
must make sure that the equipment it invests in optimally serves the needs of the
company without going over budget.

Networks can be simple or extremely complex depending upon their size and
composition. In addition to staying current on trends within business technology, IT
employees may require college degrees in a computer field to adequately handle the
issues that arise in maintaining such a network.

Network Contingencies

Should a network system go down, the repercussions can be costly -- not just to
the company and its operations, but also to outside entities that require products or
services from the company. These outside entities could be affected and lose faith in the
company's ability to provide them with what they need. The IT department must put a
crisis plan in place that can be implemented should the system go down. It must be
designed to put the network back up quickly or allow it to switch over to an alternate
system until the necessary repairs are completed.

Through the maintenance and planning of a network system, the IT department
must forge professional relationships with outside vendors and industry experts. This
helps the department employees perform their duties more efficiently as well as stay
current on the latest technology that might be beneficial to the company for which they
work.

Application Development

Quite often, companies see the main role of the IT department as creating the
applications that serve its core business needs. The right applications allow a business
to be innovative, more productive, efficient, and to move ahead of its competitors. In many
ways, this makes the IT department crucial in driving a business forward.

The work necessary to create the applications that can set a business apart from
the others requires an IT department with programmers, analysts, interface designers,
database administrators, testers, and other professionals.

Communication

Most people are aware that the IT department is responsible for the success of
computer operations and other information technologies within a business. However, as
many new forms of electronic communication have become staples of the modern office,
IT departments have been taking on a greater role in the technical side of company
communication. This includes point-to-point phone calls, conference calls, and video and
web conferences, as well as less direct forms of electronic communication like network
drives, email systems, and secure servers.

The IT department must fully understand how these systems work and interact
with each other, and is responsible for ensuring that these systems remain operational at
all times.

Company Website

The IT department is at least partially responsible for creating and maintaining the
company's website. While the content and design of the site may be handled by another
department – often Marketing – IT typically creates the code and works with other
departments to test the site for usability.

Technical Support

The IT department provides this service for all the users who need access to the
company's computer systems. This might entail installing new software or hardware,
repairing hardware that has become faulty, training employees in the use of new software,
and troubleshooting problems with the system or with an individual's computer.

Clearly, not everything the IT department does is visible: it creates and
maintains many systems that go unseen or get taken for granted by employees, creates
emergency response plans to protect the business from unforeseen problems, and
constantly works to improve the entire company’s ability to function efficiently and
effectively.

e. Understanding of ERP

ERP, or enterprise resource planning, is a modular software system designed to
integrate the main functional areas of an organization's business processes into a unified
system.

An ERP system includes core software components, often called modules, that
focus on essential business areas such as finance and accounting, HR, production and
materials management, customer relationship management (CRM), and supply chain
management. Organizations choose which core modules to use based on which are most
important to their particular business.

What primarily distinguishes ERP software from stand-alone targeted software --
which many vendors and industry analysts refer to as best-of-breed solutions -- is a
common central database from which the various ERP software modules access
information, some of which is shared with the other modules involved in a given business
process. This means that companies using ERP are largely saved from having to make
double entries to update information because the system shares the data, in turn enabling
greater accuracy and collaboration between the organization's departments.

ERP implementation options include on premises, cloud and a mix of the two,
called hybrid, such as with platform as a service and infrastructure as a service. Although
ERP has historically been associated with expensive, monolithic, end-to-end
implementations, cloud versions now enable easier deployments, which SMBs are taking
advantage of in greater numbers.

Some ERP systems also offer next-generation capabilities, such as AI, IoT and
advanced analytics, to foster digital transformation. Businesses typically turn to an ERP
system when they outgrow spreadsheets and disparate, often siloed software systems
and need the unifying capabilities of an ERP system to enable growth. As with many
technology products, the specific definition of what constitutes ERP can vary widely from
vendor to vendor.

Benefits of ERP systems

ERP offers a plethora of benefits, most of which come from information sharing
and standardization. Because ERP components can share data more easily than
disparate systems, they can make cross-departmental business processes easier to
manage on a daily basis. They can also enable better insights from data, especially with
the newer technologies that many ERP systems are including, such as powerful
analytics, machine learning and industrial IoT capabilities.

In addition, ERP software:

• boosts efficiencies by automating data collection;
• enables business growth by managing increasingly complex business processes;
• helps lower risk by enabling better compliance;
• fosters collaboration using data sharing and integrated information;
• provides better business intelligence and customer service capabilities; and
• improves supply chain management.

Advantages and Disadvantages

Many consider ERP software to be a requirement for enterprises -- especially for
core business functions such as finance -- and the same is arguably true for growing
SMBs. The sheer volume of data that companies generate, along with the complexity of
the global business landscape and modern consumer demands, has made streamlining
business processes and managing and optimizing data increasingly critical. An ERP
software system is typically at the core of such capabilities.

That said, there are advantages and disadvantages to implementing ERP.

Advantages:

• Can save money over the long run by streamlining processes.
• Provides a unified system that can lower IT-related expenses and end-user training
  costs.
• Enables greater visibility into myriad areas of the business, such as inventory, that
  are critical for meeting customer needs.
• Enables better reporting and planning due to better data.
• Offers better compliance and data security, along with improved data, backup and
  the ability to control user rights.

Disadvantages:

• Can have a high upfront cost.
• Can be difficult to implement.
• Requires change management during and after implementation.
• Basic, core ERP modules may be less sophisticated compared to targeted,
  stand-alone software. Companies may require additional modules for more control and
  better management of specific areas, such as the supply chain or customer
  relationship capabilities.

ERP Core Applications

ERP functionality falls into two general groups of applications: core applications
and business analysis applications. Core applications are those applications that
operationally support the day-to-day activities of the business. If these applications fail,
so does the business. Typical core applications include, but are not limited to, sales and
distribution, business planning, production planning, shop floor control, and logistics. Core
applications are also called online transaction processing (OLTP) applications.

ERP SYSTEM

Sales and distribution functions handle order entry and delivery scheduling. This
includes checking on product availability to ensure timely delivery and verifying customer
credit limits. Customer orders are entered into the ERP only once. Because all users
access a common database, the status of an order can be determined at any point. In
fact, the customer will be able to check the order directly via an Internet connection. Such
integration reduces manual activities, saves time, and decreases human error.

Business planning consists of forecasting demand, planning product production,
and detailing routing information that describes the sequence and the stages of the actual
production process. Capacity planning and production planning can be very complex;
therefore, some ERPs provide simulation tools to help managers decide how to avoid
shortages in materials, labor, or plant facilities. Once the master production schedule is
complete, the data are entered into the MRP (materials requirements planning) module,
which provides three key pieces of information: an exception report, materials
requirements listing, and inventory requisitions. The exception report identifies potential
situations that will result in rescheduling production, such as late delivery of materials.
The materials requirements listing shows the details of vendor shipments and expected
receipts of products and components needed for the order. Inventory requisitions are
used to trigger material purchase orders to vendors for items not in stock.

Shop floor control involves the detailed production scheduling, dispatching, and
job costing activities associated with the actual production process. Finally, the logistics
application is responsible for ensuring timely delivery to the customer. This consists of
inventory and warehouse management, as well as shipping. Most ERPs also include their
procurement activities within the logistics function.
