Wednesday, November 14, 2012

IT CONTROLS EVALUATION AUDIT PROGRAM

Topic: IT Controls Audit Program
Message:

IT CONTROLS EVALUATION AUDIT PROGRAM

Here is an audit program you may use if you want to manage and improve your IT operations.

The objective of the checklists contained in this audit program is to support, enable and facilitate IT managers in establishing better the IT function and its components and auditors in evaluating the organizational, security and performance aspects of the IT function of the organization.

Terms of Reference Checklist

1. Is the CIO/IT Manager reporting to the official / organizational responsibility centre of the IT unit?
2. Are the Terms of Reference detailed enough and tailored to the specific activities of each IT function/department and responsibility centre?
3. Are the Board members and/or executive management of the Company/Organization familiar with these terms of reference and have they been ratified at the appropriate executive / board level?
4. Are the IT department managers familiar with these terms of reference?
5. Are the IT department personnel familiar with these terms of reference?
6. Are the IT user managers familiar with these terms of reference?
7. Are the IT users familiar with these terms of reference?
8. Are these terms of reference aiding the IT managers and staff in discharging their duties?
9. Are these terms of reference known to the external stakeholders of IT (maintenance vendors, society interest groups, community groups, regulatory agencies, etc.)?
10. Is the IT function structured effectively to serve the Organization and its divisions / functions: as a separate division, or as a part of another division, or interfacing with an outsource entity, or shared service among several departments, or a combination of above, or a separate company with its own Board of Directors, and at the right organizational and responsibility level?



IT Performance Assessment Checklist

1. IT Performance Policy: Obtain a copy of the IT performance policy and review with IT management.
2. Assess validity of this policy and usage and up to what level (criteria, user satisfaction etc. ).
3. Operational Statistics: Obtain machine statistics for systems running in the data centre.
4. Performance Reporting: Assess how IT management records operational statistics on equipment and systems availability and down -time and how these processing problems (and their resolution) are communicated to end-user and Top Management.
5. Carry out, if possible, a comparison cost analysis of this IT Dept. with other IT units of the Group.
6. Hardware Capacity Planning: Assess computer performance and capacity planning process, especially for computer hardware upgrades.
7. Review the IT Governance Framework.
Consider the following issues: The IT Governance framework should be established and communicated to all. Examine if the IT Governance framework is aligned with a standard model such as COBIT/ISACA, or the ITIL model.
8. Review Key Performance Indicators and their effectiveness for the particular IT function audited.
Consider the following IT performance measures:
Development / maintenance activity (Functions developed worth to users, No. of lines coded / tested / changed, Hours spent on maintenance (per person, per program))
Operational performance (Timely delivery of reports to users, Average response time, Average availability time, Volume of data stored, Mean time between failures, No. of lines printed, Volume of data maintained, No. of on-line transactions processed)
Financial performance (Adherence to budget, Expenditures on maintenance vs. new development, Expenditures on preventative maintenance, Ratio of administrative (staff) costs to production (line) costs)
Human resource management (Turnover ratios, Training per employee (amounts, hours), Average tenure within the company).


IT Security Assessment Checklist

Basic Management Issues

1. Determine who has responsibility for IT Security for the organization and assess whether it is the right level of management.
2. Ensure that procedures for the preparation, approval, and monitoring of IT strategic plans are implemented and these plans are in alignment with the strategic plan of the organization.
3. Examine the organizational security policy and compare it to the IT security policy to ensure that both of these serve the same purpose and needs.
4. Ensure that the IT security policy contains at least data classification and security penetration testing for all critical IT systems and services.
5. Assess the IT management reporting method to ensure that all IT issues are reported and monitored.
6. Assess the operation of the IT review mechanisms between end-users and IT, such as: IT Steering Committee, User Liaison Group, and Project Steering Committee, etc.
7. Review the resolution procedures for security problems and ensure that these resolve all reported security incidents satisfactorily.
8. Ensure that all security issues are made known via written reports and discussions to higher levels of management, including the board members.
9. Ensure that the evaluation of information security status is executed on the basis of: self-assessments, onsite audit reviews, penetration testing, onsite technical evaluations, ethics assessments, data quality testing, and best practice benchmarking.

Human Resource Management

1. Review the organizational charts and job descriptions to ensure that there is adequate segregation of duties in terms of security issues.
2. Review the training and education programs and budget to ensure that all personnel have been given the approved training on security related matters.
3. Assess the effectiveness of support provided by IT and other security mechanisms to the end-users on IT security issues.

IT Procurement Procedure

1. Review the IT procurement policy and procedures to ensure that all IT purchases are examined from the security perspective.
2. Review a good sample of IT purchase documentation to ensure that the formal IT policy and procedures are being implemented properly.
3. Review the major IT hardware and software contracts to ensure that the formal IT policy and procedures are being implemented properly.
4. Review the Computer Insurance policy of the organization to ensure that major risks of IT hardware and software systems are covered adequately.

Contingency Planning

1. Review the IT contingency plan and ensure that all critical IT systems are covered.
2. Ensure that this plan is reviewed and tested on a periodic basis.
3. Review the backup policy and procedures to ensure that these are adequately implemented and monitored by IT management.
4. Review the backup register to ensure that this is kept up to date.
5. Review both the onsite and offsite vault procedures.

I.T. Legislation Compliance

1. Determine which national and international laws and regulations pertaining to IT issues are relevant to the organization.
2. Ensure that proper licenses exist for all IT software and hardware purchased.
3. Test compliance with IT legislation, including data privacy and copyright issues.

Physical and Environmental Controls

1. Ensure that physical access controls are enforced in accordance with the corporate security policy and professional practices for the following: Wholly owned buildings, Shared buildings, Central computer room and server rooms, Personal computers and work stations, Peripheral equipment, such as: modems, routers, printers, etc., Magnetic and other digital media, and Technical manuals and documentation.
2. Ensure that management controls are enforced to protect buildings, personnel, equipment and media in accordance with the corporate security policy, vendor guidelines, and professional health and safety practices against the following: Fire, Flood, Power fluctuations, Static electricity, Storms, and Food and beverage accidents, etc.

System Development and Maintenance

1. Assess the system development and maintenance procedures to ensure that they are adequate in terms of security in all phases, such as: Analysis, design, construction, testing, implementation, and support.
2. Review the system development and maintenance procedures to ensure that all phases are signed off by the key end-users.
3. Review the programming standards to ensure that they handle the security issues related to interfacing with other operating system software and application systems.
4. Review the program library maintenance procedures to ensure that all programs are fully tested and their movement to production status approved before they are transferred to the production library.

Data Center Operations

1. Assess the adequacy of controls to ensure that the correct production files are used in all application systems running in the data center.
2. Review all logs to ensure that all events are recorded and monitored.
3. Assess the adequacy of backup and recovery procedures.
4. Assess the adequacy of external party maintenance and support procedures.

Software and data security

1. Ensure that general procedures and specific measures are implemented to protect against illegal access to the system, its utilities, the program libraries, the system and application software, the data files, etc.
2. Assess the adequacy of the general procedures and specific measures implemented to protect against illegal access to the system, its utilities, the program libraries, the application software, the data files, etc.
3. Ensure that passwords are used for each set of users and corresponding applications and for each class of actions (update, delete, read, remote access, etc.) and that these passwords are changed according to the corporate password policy.
4. Ensure that users cannot run their own programs to access production libraries and production data.
5. Ensure that IT personnel cannot access production data without specific authorization.
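Items 3 and 5 of this checklist describe controls an auditor can test against evidence rather than by interview alone. The following Python script is an added example, not part of the original audit program: it runs two such tests over a constructed set of account records (the account names, the 90-day password age, the `authorization_ref` ticket field and the audit date are all assumptions for illustration) and returns the accounts that would appear as findings.

```python
"""Evidence checks for two 'Software and data security' checklist items.

Constructed example: the account records, the 90-day password policy
and the audit date below are assumptions, not data from the page.
"""
from dataclasses import dataclass
from datetime import date

# Assumed corporate password policy: maximum password age in days.
MAX_PASSWORD_AGE_DAYS = 90


@dataclass
class Account:
    user: str
    department: str             # "IT" or a business department
    prod_data_access: bool      # account can read/update production data
    last_password_change: date
    authorization_ref: str = "" # specific authorization ticket, "" if none


def check_password_policy(accounts, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Item 3: return users whose password is older than the policy allows."""
    return sorted(
        a.user for a in accounts
        if (today - a.last_password_change).days > max_age_days
    )


def check_it_prod_access(accounts):
    """Item 5: return IT personnel holding production data access
    without a specific authorization reference on record."""
    return sorted(
        a.user for a in accounts
        if a.department == "IT" and a.prod_data_access and not a.authorization_ref
    )


def run_audit(accounts, today):
    """Run both checks and return the findings keyed by checklist item."""
    return {
        "item3_stale_passwords": check_password_policy(accounts, today),
        "item5_unauthorized_it_prod_access": check_it_prod_access(accounts),
    }


# Constructed sample records (hypothetical users and dates).
SAMPLE_ACCOUNTS = [
    Account("alice", "Finance", True, date(2012, 10, 1)),              # compliant business user
    Account("bob", "IT", True, date(2012, 5, 1)),                      # stale password, no authorization
    Account("carol", "IT", True, date(2012, 9, 15), "CHG-0042"),       # authorized by ticket (assumed id)
    Account("dave", "IT", False, date(2012, 1, 10)),                   # stale password, no prod access
]

# Assumed audit date.
AUDIT_DATE = date(2012, 11, 14)

if __name__ == "__main__":
    for item, users in run_audit(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(f"{item}: {users}")
```

The two checks are deliberately independent so that each can be reported against its own checklist item; an authorization reference that cannot be traced to an approved request should be treated as absent when the records are reviewed.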

For more on IT controls, see my books:
IT Strategic & Operational Controls,
available at Amazon and IT Governance

Regards,

Friday, October 19, 2012

Manage and Improve Your Business Relationships


Manage and Improve your Business Relationships

By John Kyriazoglou*

Managing your professional and business relationships is a very important and critical issue in dealing with your people (staff, partners, customers, authorities, colleagues, etc.) in any business environment. It takes a significant amount of time to build and can be broken in just an instant.

Is it possible to manage, improve and sustain your business relationships?
The answer is YES! But you have to ACT immediately.
Don’t let one or more mistakes in judgment turn into a failure of your character.


I would suggest that you take the actions and that you use the behavioral dimensions noted next:


1. Sensitivity. Show sensitivity by avoiding personal comments and do not criticize, condemn or complain to anyone.

2. Collaboration. Make your goal the habit to work together harmoniously, show patience and maintain good relationships with everyone (colleagues, supervisors, senior management, customers, authorities, etc.).

3. Honesty. Be interested in others (colleagues, supervisors, senior management, customers, etc.) with sincerity, always showing friendship, goodness and love to all.

4. Respect. Remember that it is the sweetest sound in any language when you address the other person with friendship and love.

5. Politeness. Address the other person always in plural terms, unless the other person allows you to speak in the singular.

6. Silence. Use silence appropriately. Be careful how long you talk so that you do not become wordy and boring.

7. Importance. Make the other person feel important to you, and you do that with sincerity.

8. Opinion. Show respect for the opinion of others and do not tell them that they are wrong.

9. Errors. When you are in error, accept it quickly and emphatically and apologize with honesty.

10. Conversation. Start a conversation in a friendly and pleasant manner.

11. Sympathy. Express your sympathy to the other person.

12. Humor. Keep your humor within acceptable social boundaries while rejecting slander and vulgarities.
13. Appreciation. Relate to the other person by using praise, appreciation and honesty.

14. Time Management. Examine your activities in accordance with the values of love and friendship, and your obligations. Spend 60% of your time in critical non-emergency activities, 30% of your time in critical and emergency activities, and the remaining 10% of your time in uninteresting activities.

15. Rejection. Learn to say a friendly "no" when others attempt to load you with activities that are not aligned with your needs, your vision, your mission and your values.

16. Positive Thinking. Use positive and friendly thinking to manage all the events, issues, problems and facts related to your business life and take preventive action when it is required on your part.

17. Priority. Perform your activities based on the priorities set by you and the time requirements of your life, but also reinforcing the values of justice, goodness, fairness, love and friendship.

18. Participation. Participate in social groups, professional societies and corporate volunteering (unpaid) activities on the basis of love and friendship.

19. Ethics. Understand and know your personal limits and the limits of your business organization.

20. Quality. Do not take on more responsibility and tasks than you can do with absolute quality, and execute your tasks and deliver your work, studies, services, etc., within well-accepted time and cost limits and best quality, technical and scientific standards.

 
Will these improve your relationships? Yes, if you act with honesty, love, friendship and self-control.

 

*John Kyriazoglou (jkyriazoglou@hotmail.com)

John Kyriazoglou, CICA, B.A (Hon-University of Toronto),

International IT and Management Consultant (with over 35 years of experience),

Editor-in-Chief for the Internal Controls Magazine, www.theiic.org

Author of several books:

(1) ‘IT Strategic and Operational Controls’, Publisher: www.itgovernance.co.uk


(2) ‘Addendum to IT Strategic & Operational Controls’

This book contains over 60 IT audit programs and checklists in all IT audit areas.

Direct Link: www.itgovernance.co.uk/products/3143

(3) ‘Corporate Strategic and Operational Controls’, Publisher: www.theiic.org

with Dr. F. Nasuti and Dr. C. Kyriazoglou.


(4) ‘Implementing Management Controls for Small and Medium-Size Companies’

AMAZON Kindle Books: www.amazon.com


(5) ‘Business Management Controls: A Guide’, Publisher: www.itgovernance.co.uk

Expected to be published within 2012

(6) ‘Pearls of Wisdom of the 7 Sages of Ancient Greece’

AMAZON Kindle Books: www.amazon.com




SSRN Free Publications: http://ssrn.com/author=1315434

Wednesday, October 3, 2012

Business Management Free Material


Business Management Free Materials

 

Please check out my blog and the SSRN site (noted next) for my free posts and articles on business management.


SSRN Free Publications: http://ssrn.com/author=1315434


Regards,

John Kyriazoglou, CICA, B.A (Hon-University of Toronto),

Business Thinker, Consultant and Author

Editor-in-Chief for the Internal Controls Magazine (U.S.A.),

Member of the Board of Directors of Voices of Hellenism Literary Society (U.S.A.)




Monday, October 1, 2012

Human Factors in EA Implementation


Human Factors in EA Implementation


 

By John Kyriazoglou

 

Enterprise Architecture (EA) is used to align IT systems with your business strategy and objectives (for more details see my book: E-Book: ‘How to Align IT with your Business’, Direct Link: http://www.amazon.com/dp/B009E6U8Z8). It has proven a very difficult and cumbersome process.

 

My experience has taught me that when implementing enterprise architecture for your own company and business environment the most important issue for success is to manage the human aspects (so called ‘soft controls’) permeating any such difficult and cumbersome effort.

 

All of these soft controls relate to tone at the top, understanding of the organization by the board, culture, structure of reporting relationships, morale, integrity and ethical values, operational philosophy, trust, ethical climate, empowerment, etc., and are directly linked to the emotional contracting issue, also referred to as 'the psychological contract'. This is the crucial and powerful link between the organizational performance intent (board and management planning to implement enterprise architecture), and the motivations, values and aspirations of the people (EA coordinator, enterprise architect, IT staff, etc.) instructed to carry out all implementation tasks.

This emotional contracting element is sometimes overlooked by organizations, board members and managers, and this may explain why people have failed to do what the organization expected and asked them to do.

Soft internal controls (trust, integrity, values and beliefs, etc.) should be part of the organizational process of strategy setting and ethical environment establishment. Corporate policies and procedures, vision and mission statements, strategic planning, ethics codes, job descriptions, training and coaching of staff, compliance programs, etc., are the tools and the hard controls that help define whether an organization will (supposedly) consistently do the right thing.

An organization (private or public) might have written codes of conduct and other value defining type documents (vision, mission, values, social responsibility, etc.) but that does not guarantee whether they are actually followed consistently. Most of the real understanding will not be expressly written in any document but better evidenced in the day-to-day discharge of everyday duties and interactions. For example, the ethical culture can only rise as high as the tone set by the board and the senior executive management. If management distributes the message about ethics poorly or worst yet, delegates the message to subordinate levels, then the effectiveness of the ethical culture is greatly diminished.

The best way to reinforce soft controls, and therefore ensure better EA implementation for your business, is (probably) to formalize them. I recommend that this be the task of a senior board member of your company. This can be accomplished by a Soft Controls Management Action Plan, as described next.

Action 1. Establish and monitor the implementation of an ethics code and a fraud policy and associated procedures.

Action 2. Ensure that your EA process is well communicated to all parties within your company.

Action 3. Interview key organization personnel and select the best for the EA implementation project.

Action 4. Implement training, coaching and mentoring programs for all critical staff involved in your EA implementation.

Action 5. Certify critical personnel (finance, IT, audit, purchasing, etc.) to ensure success of your EA process.

Action 6. Certify, if needed, all your critical functions (finance, IT, audit, purchasing, quality, customer service, etc.) related to EA.

Action 7. Review and improve all soft controls and particularly pay attention to how these are related to your EA project and to the linking of your IT strategy to your business objectives.

 

It is your duty, as a board member or senior executive, to handle all these successfully and therefore avoid any potential failures.

 

 

 

Friday, September 21, 2012

IT-Business Alignment Book


BOOK: ‘How to Align IT with your Business’

 

Publication date: 21 Sept. 2012

Author: John Kyriazoglou


Summary description of the Book

 

This book deals with the issues of linking and aligning your IT application systems and services with your business goals to achieve your business objectives in a more effective and efficient way by the use of the Enterprise Architecture (EA) approach. Its contents describe four processes, several controls, activities, documents, checklists and procedures necessary for an effective EA implementation. Also seven recommendations are offered to streamline your EA efforts.

 

Detail Contents of the Book

 

The contents of this book are:

 

Chapter 1: Current Business Operating Environment

Description of the economic, social and technological factors and conditions (e.g., failure of corporate IT systems to be aligned and linked to the business objectives of the company) affecting 21st century business organizations. Outline of the need for better business controls in all areas: governance, risk, strategy, IT, production, enterprise architecture (EA), etc.

 

Chapter 2: Business Controls and Enterprise Architecture

Description of the role of business controls making up a Business Control Framework to improve strategy and operations. Outline of the way enterprise architecture fits into this to satisfy your business needs and expectations in terms of IT systems and services.  

 

Chapter 3: Why is Enterprise Architecture (EA) important?

Description of the importance of EA (e.g., failure of strategic plans for various reasons, IT systems not linked to business strategy, etc.). How the EA approach resolves the ‘flexibility’ issue in business planning. Outline of the terms ‘enterprise’ and ‘architecture’.

 

 

Chapter 4: Definition and Processes of the EA Approach

Description of the role and purposes of the EA approach. Formal definitions of ‘Enterprise Architecture’.  Description of the main types of EA Processes (EA Management Plan, EA Resources, EA Components and EA Improvement) making up the EA approach.

 

Chapter 5: Process 1 - EA Management Plan

Description of the 12 steps (needs analysis, employing resources, selecting an EA framework, etc.), controls and end results (products created) in creating and executing the EA management plan (EA Process 1) for achieving EA and its benefits for your business. Listing out the products of this process: ‘EA Feasibility Study’, ‘EA policy’, ‘EA Communication Plan’, ‘EA Requirements Study’, ‘Business Model Changes’, ‘Enterprise Architecture Repository’, ‘EA Implementation Plan’, etc.

 

Chapter 6: Process 2 - EA Resources

Description of the role and responsibilities of the required corporate human resources (board, management, EA technical, IT, etc.) and the application of segregation of duties (EA Process 2) to implement EA for your company.

 

Chapter 7: Process 3 - EA Components

Description of the technical and procedural components (EA Process 3) which are required for the effective establishment, implementation and administration of your EA: EA framework, business model, goals, EA repository, installation procedure, security procedure, etc. Also an outline of various examples related to these components: business process narrative, business strategic plan, strategy, goals and objectives, etc.

 

Chapter 8: Process 4 - EA Improvement

Description of an EA Improvement Plan and examples of performance measures, compliance indicators and EA checklists (Business Processes, Overall Corporate Business Data Management, Overall Corporate Business Strategy, etc.) which may be used to review and improve your EA processes, controls and components (EA Process 4).

 

Chapter 9: Benefits of Enterprise Architecture

Description of the benefits of the EA approach to your business organization, in terms of: Better alignment of your business strategy and business processes with your IT systems, better control of business data and faster and more seamless flow of information, more efficient control of your IT operation (systems, projects, data, etc.) fully supporting your business, etc.

 

Chapter 10: Concluding Remarks

Description of the latest data on how the enterprise architecture approach changes and improves the management and operation of IT systems to serve your business better. Also presentation of seven recommendations related to planning and implementing EA for your business in a more efficient and effective way.

 

Appendix 1: EA Case Study

Description of how enterprise architecture has been implemented to solve real-life business problems related to corporate operational and performance information issues and demands in IT-enabled company operations.

 

Appendix 2: EA Frameworks

Short description of the main standard-industry EA frameworks.

 

Further Resources

Listing of various books related to EA for anyone wanting to delve more into this subject.

Monday, September 10, 2012

Business Data Security Checklist


Business Data Security Checklist

 

John Kyriazoglou*

 

A business data security policy and related procedures should include protection controls and measures that cover the following issues:

1. Comprehensive due diligence of all critical staff, including external parties (outsourcing, external suppliers, sub-contractors, etc.). 

2. Authentication of all customers.

3. Non repudiation and accountability for all on-line transactions.

4. Segregation of duties.

5. Authorization controls.

6. Business data, transactions, records and information integrity.

7. Transactions audit trails.

8. Information confidentiality.

9. Appropriate disclosures for organizational services.

10. Data privacy.

11. Business continuity and contingency planning.

12. Security and other crises incident response planning.

13. Access controls: encryption, passwords, password control devices, tokens, user authentication devices, anti-hacking tools/techniques, digital signals origin identification, anti-tapping tools/techniques.

14. Data confidentiality.

15. Data integrity.

16. Anti-virus and e-crime detection software.

17. Time stamping.

18. Biometrics.

19. Digital signatures.

20. Smart cards.

 

 

John Kyriazoglou (jkyriazoglou@hotmail.com)

John Kyriazoglou, CICA, B.A (Hon-University of Toronto)

International IT and Management Consultant, author of several books



SSRN Free Publications: http://ssrn.com/author=1315434

 

 

Sunday, August 5, 2012

Audit Committee Practices


AUDIT COMMITTEE PRACTICES

By John Kyriazoglou


There are several discussions in various professional forums about ‘good’, ‘bad’ or ‘ugly’ practices related to audit committee activities. These terms are not defined at all, so far.

I think the terms ‘Good’, ‘Bad’, and ‘Ugly’ practices need to be defined and/or specified explicitly, in terms of effectiveness (results-oriented), efficiency (resource-oriented) and morality (according to corporate ethics code, compliance regulations and societal benefits).

Also, these practices should be established in accordance with the pre-defined audit committee’s vision and strategy, which should be aligned and linked to the corporate vision, mission, values, and performance targets.

This is to avoid a ‘vacuum’ or ‘looking glass’ situation whereby the audit committee is quite off the corporate agenda.

Furthermore, these practices should relate to the audit committee acting in an oversight and guidance role in respect to various standard-practice ‘red flag’ issues, in order to avoid or better protect the company against fraud and mismanagement.

These ‘red flag’ issues are based on my auditing and consulting experience and on discussions and communications with other consultants, auditors, fraud examiners, accountants, and other professionals.



Issue 1. Policies and Procedures: Inadequate design, development, implementation, annual review and improvement of corporate policies and procedures.  

Issue 2. Board and Management Roles: Ineffective oversight exercised by the board and insufficient discharge of duties and responsibilities by all senior levels of management.

Issue 3. Auditing: Audit (internal and external) findings not acted upon within the time-frame agreed or forgotten altogether.

Issue 4. Fines and Legal Breaches: Fines imposed by regulators and government authorities on compliance, tax, customs, accounting, performance results, data privacy, environmental, worker safety and health issues, etc., as well as penal and civil code litigations, breaches, etc.

Issue 5. Training of Staff: Inadequate or ineffective supervision of staff activities by management, including guiding, coaching and training, discussing issues and problems, etc.

Issue 6. Personnel Supervision: Inadequate or ineffective execution of personnel administration controls, including segregation of duties, authorizations and approvals, rotation of duties, hiring and dismissal of personnel, due diligence of all staff, vacation taking, etc.

Issue 7. Personnel Adequacy: Inadequate skills, dexterities, knowledge and experience including professional certifications, for all board members, managers, and critical staff (accountants, auditors, IT resources, etc.).

Issue 8. Corporate Performance: Very high or very low achievement of strategic and operational objectives as evidenced by financial and non-financial performance reports and results.

Issue 9. Morale: Very high or very low morale of board, management and employees.

Issue 10. Turn-over: Very high or very low turn-over of board, management and employees.

Issue 11. Accuracy of Data: Inaccurate data, unsupported or unauthorized transactions, discrepancies and large number of errors in business records, including accounting records, purchase orders, transactions, balances, files, bank accounts, etc.

Issue 12. Conflicts of Interest: Too close relationship with customers, vendors, competitors, regulators and other parties involved in the activities of the organization.



Is this list relevant to you? It is hard to say on an absolute basis. You have to consider these in relation to your operating environment and how you want to implement business management controls to manage these ‘red flag’ issues before disaster strikes you.



Your ‘Good’ practices that are required to get the job of the audit committee done better, and the ‘Bad’ or ‘Ugly’ practices to be avoided need rethinking.



The whole picture would be better when you specify your practices in terms of a purpose-driven approach that incorporates effectiveness (results-oriented), efficiency (resource-oriented) and morality (according to corporate ethics code, compliance regulations and societal benefits).