Você está na página 1de 23


Organizing the IT Function
Financing the IT Function
Staffing the IT Function
Directing the IT Function
Controlling the IT Function
Organizing the IT

To whom should IT manager report?

Important ramifications on IT Manager’s
 Ability to acquire needed resources
 Ability to prioritize workloads.

Must Consider segregation of incompatible duties.

Responsibilities vest in different people:
 AuthorizingTransactions
 Recording Transactions
 Maintaining Custody of Assets
Designing the IT
Internal control considerations
within an IT function
Separate from one another :
computer operations
computer security
 In system development
 Staff has access to operating systems, business applications and other key software.
 They are eventually authorized to create and alter software logic, therefore, they
should not be allowed to process information
 They should not maintain custody of corporate data and business applications.
 In computer operation
 Operation staff are responsible for:
 Entering Data, processing information, disseminating Output
 Must segregate duties.
 In computer security
 Responsible for the safe-keeping of resources
 includes ensuring that business software applications are secure.
 responsible for the safety (‘custody’) of corporate information, communication networks and
physical facilities
 Systems analysts and programmers should not have access to the production library.

 IT auditors should ensure that systems developers and computer operators are
 It is also advisable for the IT function to form a separate security specialization to
maintain custody of software applications and corporate data.

Systems Computer Computer User

Development Operations Security Services
Manager Manager Manager Manager
(a) (b) (c)
Systems Data Software Technical
Analysis (a) Input (a) Security Support

Computer Information Information Application

Programming (b) Processing (b) Security Support

Database Information Network User

Administration Output (c) Security Training
Continuity of Physical Help
Quality Operations Security Desk
Financing the IT
 Business risk of under-funding:
 Needs and demands of customers, vendors, employees and other
stakeholders will go unfulfilled.
 can adversely impact the success of the company.

 Audit risk of under-funding:

 Heavy workloads can lead to a culture of ‘working around’ the system
of internal controls
Funding the IT Function

 Two funding approaches: cost & profit center

 Cost Center Approach
 IT manager prepares budget, submit to upper management and justifies
the request for operating funds
 Typically budget request for human resources, materials and supplies,
and overhead.

 Profit Center Approach

 Submit detailed budget to upper management.
 Charge internal users for IT services creating intra-company funding of
the IT function based on the usage.
Staffing the IT
 Business risk with mismanaging HR
 Employees lack sufficient knowledge and experience
 Inefficient and ineffectively used
 Audit risk
 Employees unaware or unconcern about IC
 ex[pose company to computer security threats, information integrity
problems, and asset misappropriation
 Business and audit risks can be effectively controlled via sound
human resource procedures in the areas of hiring, rewarding and
terminating employees.

 Includes recruiting, verifying, testing,

and interviewing prospective
 IT auditor determine if company have
formal procedures that if they are
 Each job should have a substantive
description of responsibilities and
 Recruiting
 Verifying
 Testing
 Interviewing

It is important to continually challenge and motivate

employees – build self-esteem, loyalty and commitment
 The company should strive to compensate employees
at least as well as peer organizations.
 Shouldbe based on merit
 Compensation should be commensurate with the
new job’s role and responsibilities.
A disgruntled employee can disrupt the company’s
systems and controls.
The IT function needs to design and implement
countervailing controls
 backup procedures
 checks-and-balances
 cross-training
 job rotations
 mandated vacations
 immediately separate them from the computing environment
 terminate all computer privileges
Directing the IT
 Overseeing technical projects in alignment with
organizational goals
 Directing the effective delivery of networks,
development, and disaster recovery systems and
 Working with information engineers to find solutions
to manage business activities
 Supervising a team of workers, while working closely
with management, external vendors and advisors
 Preparing financial budgets and presenting
proposals for capital projects to senior
 Researching and recommending new products
 Identifying new market opportunities
 Leading efforts to improve IT processes
Controlling the IT
 To ensure secure operations of information systems and thus
safeguard assets and the data stored in these systems, and to
ensure that applications achieve their objectives in an efficient
manner, an organization needs to institute a set of policies,
procedures, and technological measures, collectively
called controls.