
Chapter Four

INFORMATION TECHNOLOGY
DEPLOYMENT RISKS

(Week 5)
Lecture Outline
• Developing Strategic Plans
• Managing Development Projects
• Acquiring Software Applications
• Developing Software Applications
• Changing Software Applications
• Implementing Software Applications
Developing Strategic Plans
• Serves as the primary guideline for allocating resources throughout the firm.
• Keeps the organization headed in a profitable direction.
• Strategic planning begins with a vision and follows a clearly defined path: vision → mission → objectives → strategy → policies.

[Figure: Mission → Objectives → Strategy → Policies; information technology plans must complement and support company plans.]

• The IT auditor should look for evidence of a prescribed, documented IT strategic planning process.
• The existence of an ongoing process of this nature indicates that the company is constantly and diligently seeking an optimal “fit” between the information technology infrastructure and the organization’s overall goals.
• A planning process increases the likelihood that the company is making the most efficient and effective use of IT throughout the organization.
Important Policy Areas for IT Functions

1. Planning Policies
a. Responsibility (who is involved with
planning?)
b. Timing (when does planning take place?)
c. Process (how should planning be conducted?)
d. Deliverables (what planning documents are
produced?)
e. Priorities (what are the most to least critical
planning issues?)
Important Policy Areas for IT Functions
2. Organizational Policies
a. Structure (what is the organizational form of the IT
function?)
b. Information Architecture (is the infrastructure
aligned with the firm’s mission?)
c. Communication (are the IT strategy and policies
known by all affected parties?)
d. Compliance (are all external regulations and laws
being addressed?)
e. Risk assessment (are IT risks identified, measured
and controlled?)
Important Policy Areas for IT Functions
3. Human Resource Policies
a. Training (what kind of training is provided and to
whom?)
b. Travel (what are the travel guidelines and priorities?)
c. Hiring (who determines needs and who screens
applicants?)
d. Promotion (what are the guidelines and how does the
process work?)
e. Termination (what are voluntary and involuntary
termination guidelines?)
Important Policy Areas for IT Functions
4. Software Policies
a. Acquisition (how is software acquired from outside
vendors?)
b. Standards (what are the software compatibility
standards?)
c. Outside contractors (should contractors be used for
software development?)
d. Changes (how to control and monitor the software
change process?)
e. Implementation (how to handle conversions,
interfaces, and users?)
Important Policy Areas for IT Functions
5. Hardware Policies
a. Acquisition (how is hardware acquired from outside
vendors?)
b. Standards (what are the hardware compatibility
standards?)
c. Performance (how to test computing capabilities?)
d. Configuration (where to use client-servers, personal
computers, and so on?)
e. Service Providers (should third-party service bureaus
be used?)
Important Policy Areas for IT Functions
6. Network Policies
a. Acquisition (how is network technology acquired from
outside vendors?)
b. Standards (compatibility of local area networks,
intranets, extranets, and so on?)
c. Performance (how much bandwidth is needed and is
the network fast enough?)
d. Configuration (use of servers, firewalls, routers, hubs,
and other technology?)
e. Adaptability (capability to support emerging e-
business models?)
Important Policy Areas for IT Functions
7. Security Policies
a. Testing (how is security tested?)
b. Access (who can have access to what information and
applications?)
c. Monitoring (who monitors security?)
d. Firewalls (are they effectively utilized?)
e. Violations (what happens if an employee violates
security?)
Important Policy Areas for IT Functions
8. Operations Policies
a. Structure (how is the operations function structured?)
b. Responsibilities (who is responsible for transaction
processing?)
c. Input (how does data enter into the information
system?)
d. Processing (what processing modes are used?)
e. Error Handling (who should correct erroneous
input/processing items?)
Important Policy Areas for IT Functions
9. Contingency Policies
a. Backup (what are the backup procedures?)
b. Recovery (what is the recovery process?)
c. Disasters (who is in charge and what is the plan?)
d. Alternate Sites (what types of sites are available for
off-site processing?)
Important Policy Areas for IT Functions
10. Financial and Accounting Policies
a. Project Management (are IT projects prioritized,
managed, and monitored?)
b. Revenue Generation (should services be sold inside or
outside the organization?)
c. Technology Investments (are the investment returns
being properly evaluated?)
d. Funding Priorities (where to most effectively allocate
resources?)
e. Budgets (are budgets aligned with funding levels and
priorities?)
“Red Flags” for IT Auditors
• The following key planning risk indicators should trigger red flags for the IT auditor.
1. A strategic planning process is not used.
2. Information technology risks are not assessed.
3. Investment analyses are not performed.
4. Quality assurance reviews are not conducted.
5. Plans and goals are not communicated.
Key Planning Risk Indicators
6. Information technology personnel are disgruntled.
7. Software applications do not support business processes.
8. The technology infrastructure is inadequate.
9. The user community is unhappy with the level of support.
10. Management’s information needs are not met.
CobiT Guidelines
• The guidelines suggest that eleven processes should be incorporated into IT strategic plans.
• Each process is integrated throughout the IT policy areas.
• The processes are designed to manage the key IT risks.
11 Processes
1. Develop a strategic IT plan.
2. Articulate the information architecture.
3. Find an optimal fit between IT and the company’s
strategy.
4. Design the IT function to match the company’s needs.
5. Maximize the IT investment.
6. Communicate IT policies to the user community.
7. Manage the IT workforce.
8. Comply with external regulations, laws, and contracts.
9. Conduct IT risk assessments.
10. Maintain a high-quality systems development process.
11. Incorporate sound project management techniques.
Managing Development Projects
• Regardless of the type of project, there are project management techniques that apply to most situations.
• Using a structured methodology minimizes the risk of failure:
– Late delivery
– Cost overrun
– Lack of functions
– Poor quality
• The IT auditor should check that project management techniques are employed.
Project Manager
• The first step is to assign the project to a manager.
• Needs experience in the domain area.
• Needs skill at managing projects.
• Must work well with staff on planning and executing the project:
– Senior management representatives
– IT staff
– Affected users
Generic Project Life Cycle
[Figure: Generic Project Life Cycle, from Beginning to End: Planning → Scheduling → Monitoring → Controlling → Closing. Boundary conditions set the scope, time and cost parameters; resources feed activities (1 through 4), activities produce deliverables, and the deliverables make up the project outcome.]
Project Life Cycle
Phase 1: Plan the Project
– Set the time, cost and scope
– Identify resources
– Articulate the project outcome
– Work with specialists, i.e., analysts, programmers, users
– Determine the WBS (Work Breakdown Structure)

Phase 2: Schedule the Project (create a timetable for each activity)
– Gantt charts
– Critical Path Analysis
– Critical Path Method
– Microsoft Project
Project Life Cycle
Phase 3: Continuous Monitoring
– Use benchmarks, milestones and deliverables to track progress
– Monitoring frequency varies by project, depending on the sensitivity of the project to deviation
– Rule of thumb: determine the maximum percent deviation allowed and monitor activities at the half-way point

Phase 4: Controlling
– Aimed at keeping the project moving
– Adjust to unexpected issues, delays and problems that arise
– Continually adjust the plan
Project Life Cycle
Phase 5: Closing the Project
– Obtain client acceptance in writing
– Release and evaluate project personnel
– Identify and reassign remaining project assets
– Evaluate the project
– Chronicle the project history

Key Project Risk Indicators
1. Management does not use a formal project management methodology.
2. Project leaders are not adequately experienced at managing projects.
Key Project Risk Indicators
3. Project leaders have insufficient domain expertise.
4. Project teams are unqualified to handle the project
size/complexity.
5. Project team members are dissatisfied and frustrated.
6. Projects do not have senior-level executive support.
7. Projects do not include input from all affected parties.
8. Project recipients are dissatisfied with project
outcomes.
9. Projects are taking longer to develop than planned.
10. Projects are costing more than budgeted.
Acquiring Software Applications
• The IT auditor should determine whether the new application would fit into the company’s strategic plan.
• There should be a formal software application acquisition policy.
• Needs must be identified and prioritized.
• Determine which applications can be developed in-house, and which to purchase.
Selection Process
• Assign a project manager
– Must know the needs of users and include them in decisions
• Identify alternatives and compare:
– Ease of use
– Functionality
– Reporting
– Documentation
– Security features
– Internal controls
– Integration with existing systems
– Future scalability
– Performance
– Cost
• Total Cost of Software
– Price of acquisition
– User training
– Multiple licenses
– Service and support
– Future upgrades
– Software modifications

Key Acquisition Risk Indicators
1. Software acquisitions are not mapped to the strategic plan.
2. There are no documented policies aimed at guiding software acquisitions.
Key Acquisition Risk Indicators
3. There is no process for comparing the “develop versus
purchase” option.
4. No one is assigned responsibility for the acquisition
process.
5. Affected parties are not involved with assessing
requirements and needs.
6. There is insufficient knowledge of software alternatives.
7. Security features and internal controls are not assessed.
8. Benchmarking and performance tests are not carried out.
9. Integration and scalability issues are not taken into
account.
10. Total cost of ownership is not fully considered.
