Chapter 4_ Information Technology Development Risks

Chapter 4 discusses the importance of strategic planning in information technology, outlining the components such as vision, mission, objectives, strategy, and policies. It emphasizes the role of IT auditors in ensuring that a documented strategic planning process is in place to align IT infrastructure with organizational goals. Additionally, it highlights key planning risk indicators and the necessity of a balanced scorecard to monitor IT performance and user satisfaction.

Uploaded by

alvislieann
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
12 views

Chapter 4_ Information Technology Development Risks

Chapter 4 discusses the importance of strategic planning in information technology, outlining the components such as vision, mission, objectives, strategy, and policies. It emphasizes the role of IT auditors in ensuring that a documented strategic planning process is in place to align IT infrastructure with organizational goals. Additionally, it highlights key planning risk indicators and the necessity of a balanced scorecard to monitor IT performance and user satisfaction.

Uploaded by

alvislieann
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 14

Chapter 4: Information Technology Development Risks

Developing Strategic Plans
▸Serves as primary guideline for allocating resources.
▸Keeps the organization headed in a profitable direction.
▸Begins with a vision.

STRATEGIC PLANNING – is one of the most important responsibilities of IT management, as this process serves as the primary guideline for allocating scarce resources throughout the firm and keeping the organization headed in a profitable direction.

Strategic Planning Components
1.Vision
2.Mission
3.Objectives
4.Strategy
5.Policies

Developing Strategic Plans
▸Strategic planning begins with a vision, or an image of the future.
▸The vision is translated into mission, which serves as the guiding light for developing a set of objectives.
▸Objectives, in turn, help shape the articulation of a formal strategy.
▸Finally, the strategy is used to develop a set of policies.
●VISION – represents what “might be”, based on a set of goals and objectives the organization would like to achieve.
●OBJECTIVES – serve as the foundation for setting an explicit IT strategy, which details how the IT function will achieve its objectives through its organizational structure, relationship with others, and IT configuration.
●POLICIES – are specific strategies which are designed to enact the realization of the strategy.

The IT Auditor & Strategic Plans
▸The IT auditor should look for evidence of a prescribed, documented IT strategic planning process.
▸The existence of an ongoing process of this nature indicates that the company is constantly and diligently seeking an optimal “fit” between the information technology infrastructure and the organization’s overall goals.

Example: Ben & Jerry’s Mission Statement
Ben & Jerry’s is dedicated to the creation & demonstration of a new corporate concept of linked prosperity. Our mission consists of three interrelated parts. Underlying the mission is the determination to seek new and creative ways of addressing all three parts while holding a deep respect for individuals inside and outside the company, and for the communities of which they are a part.
▸Product: To make, distribute, and sell the finest quality all natural ice cream and related products in a wide variety of innovative flavors from Vermont dairy products.
▸Economic: To operate the Company on a sound financial basis of profitable growth, increasing value for our shareholders, and creating career opportunities and financial rewards for our employees.
▸Social: To operate the company in a way that actively recognizes the central role that business plays in the structure of society by initiating innovative ways to improve the quality of life of a broad community—local, national, and international.

Ben & Jerry’s IT Mission Statement Might Be:
The Information Systems function intends to offer high-quality, innovative information processing and management services to internal and external information consumers, while providing a reliable, responsive, and leading-edge technology infrastructure throughout the entire organization aimed at supporting new and creative ways of addressing the company’s three-part mission statement—comprised of product, economic and social components.

IT Objectives might be:
1.Create an atmosphere that embraces innovation and change.
2.Apply computer hardware and software technologies to opportunities that promote prosperity.
3.Incorporate an enterprise-wide information system to facilitate the intra-company coordination of business activities.
4.Develop a technology-based communications network capable of linking suppliers, customers, and employees into a seamless, virtual and extended enterprise.

IT Strategy might be:
The IT function will utilize a decentralized, organic form of organization that is adaptable and responsive to the dynamic nature of the Company. The IT function will include a Chief Information Officer (CIO) who, in coordination with other executive officers throughout the Company, will determine the precise structure of the IT function, which is expected to change over time depending on Company needs. The CIO, along with his/her delegates, will strive to cooperate and coordinate with all internal information consumers to ensure that the Company’s information system is fully integrated on an entity-wide basis, as well as listen and respond to external constituents to ensure that the Company’s business processes and related information technology infrastructure meet the ever-changing needs of the broader community of information consumers.

Important Policy Areas for IT Functions
1.Planning Policies
A. Responsibility (who is involved with planning?)
B. Timing (when does planning take place?)
C. Process (how should planning be conducted?)
D. Deliverables (what planning documents are produced?)
E. Priorities (what are the most to least critical planning issues?)
2.Organizational Policies
A. Structure (what is the organizational form of the IT function?)
B. Information Architecture (is the infrastructure aligned with the firm’s mission?)
C. Communication (are the IT strategy and policies known by all affected parties?)
D. Compliance (are all external regulations and laws being addressed?)
E. Risk assessment (are IT risks identified, measured and controlled?)
3.Human Resource Policies
A. Training (what kind of training is provided and to whom?)
B. Travel (what are the travel guidelines and priorities?)
C. Hiring (who determines needs and who screens applicants?)
D. Promotion (what are the guidelines and how does the process work?)
E. Termination (what are voluntary and involuntary termination guidelines?)
4.Software Policies
A. Acquisition (how is software acquired from outside vendors?)
B. Standards (what are the software compatibility standards?)
C. Outside contractors (should contractors be used for software development?)
D. Changes (how to control and monitor the software change process?)
E. Implementation (how to handle conversions, interfaces, and users?)
5.Hardware Policies
A. Acquisition (how is hardware acquired from outside vendors?)
B. Standards (what are the hardware compatibility standards?)
C. Performance (how to test computing capabilities?)
D. Configuration (where to use client-servers, personal computers, and so on?)
E. Service Providers (should third-party service bureaus be used?)
6.Network Policies
A. Acquisition (how is network technology acquired from outside vendors?)
B. Standards (compatibility of local area networks, intranets, extranets, and so on?)
C. Performance (how much bandwidth is needed and is the network fast enough?)
D. Configuration (use of servers, firewalls, routers, hubs, and other technology?)
E. Adaptability (capability to support emerging e-business models?)
7.Security Policies
A. Testing (how is security tested?)
B. Access (who can have access to what information and applications?)
C. Monitoring (who monitors security?)
D. Firewalls (are they effectively utilized?)
E. Violations (what happens if an employee violates security?)
8.Operations Policies
A. Structure (how is the operations function structured?)
B. Responsibilities (who is responsible for transaction processing?)
C. Input (how does data enter into the information system?)
D. Processing (what processing modes are used?)
E. Error Handling (who should correct erroneous input/processing items?)
9.Contingency Policies
A. Backup (what are the backup procedures?)
B. Recovery (what is the recovery process?)
C. Disasters (who is in charge and what is the plan?)
D. Alternate Sites (what types of sites are available for off-site processing?)
10.Financial and Accounting Policies
A. Project Management (are IT projects prioritized, managed, and monitored?)
B. Revenue Generation (should services be sold inside or outside the organization?)
C. Technology Investments (are the investment returns being properly evaluated?)
D. Funding Priorities (where to most effectively allocate resources?)
E. Budgets (are budgets aligned with funding levels and priorities?)

Planning Process
▸Planning Process increases the likelihood that the company is making the most efficient & effective use of IT throughout the organization.

Key Planning Risk Indicators: “Red Flags” for IT Auditors
The following are planning risk indicators, which should trigger red flags for the IT auditor.
1.A strategic planning process is not used.
2.Information technology risks are not assessed.
3.Investment analyses are not performed.
4.Quality assurance reviews are not concluded.
5.Plans and goals are not communicated.
6.Information technology personnel are disgruntled.
7.Software applications do not support business processes.
8.The technology infrastructure is inadequate.
9.The user community is unhappy with the level of support.
10.Management’s information needs are not met.

CobiT Guidelines
▸Guidelines suggest eleven processes should be incorporated into IT strategic plans.
▸Each process is integrated throughout IT policy areas.
▸Processes designed to manage the key IT risks.

Professional Guidance
As suggested by CobiT, the IT function should:
1.Develop a strategic IT plan.
2.Articulate the information architecture.
3.Find an optimal fit between IT and the company’s strategy.
4.Design the IT function to match the company’s needs.
5.Maximize the IT investment.
6.Communicate IT policies to the user community.
7.Manage IT workforce.
8.Comply with external regulations, laws, and contracts.
9.Conduct IT risk assessment.
10.Maintain a high-quality systems development process.
11.Incorporate sound project management techniques.

Balanced Scorecard
▸Concept introduced in 1996 by Kaplan & Norton
▸Scorecard measures financial and non-financial performances

Kaplan’s Balanced Scorecard
4 Perspectives of Scorecard
1.Financial
Non-financial indicators:
2.Customer satisfaction
3.Internal processes
4.Organizational Learning and Growth

Three Layered Structure
▸3-Layered Structure was devised for each of the 4 perspectives:
1.Mission
2.Objectives
3.Measures

More than Performance Measure
▸Scorecard evolved into an intra-organizational management system to:
●Facilitate the establishment of long-term strategic goals.
●Communicate the goals throughout the firm.
●Align the initiatives and incentives to the goals.
●Allocate resources to match the goals.
●Gain feedback and learn about the strategy.

IT Function Scorecard
IT FUNCTION SCORECARD – the balanced scorecard used to plan and monitor the performance of the IT function.
USER SATISFACTION – customer satisfaction perspective of the balanced scorecard, which could be assessed by periodically surveying users’ attitudes.
OPERATIONAL PERFORMANCE – third balanced scorecard perspective. Measured using indicators such as number of security breaches, number of backlogged requests, and percentage of downtime.
▸Use the balanced scorecard to plan & monitor IT performance:
1. Financial Performance = Organizational Contribution
a. Examples: ROI, Discounted Cash Flow, before and after transaction costs of IT projects.
2. Customer Satisfaction = User Satisfaction
a. Examples: Surveys of user attitudes for ease of use, system reliability, and perceptions about the IT staff.
3. Internal Process = Operational Performance
a. Examples: Number of security breaches, number of backlogged requests, % of downtime.
4. Learning and Growth = Adaptability and Scalability
a. Examples: Resources expended on developing interfaces, ease of integrating new technology, and ability to keep pace with organization’s IT growth.

Managing Development Projects

Project Management
▸Sound Techniques apply to most situations
▸Structure minimizes risk of failure:
▹Late delivery
▹Cost overrun
▹Lack of functions
▹Poor quality
▸IT auditor should check that project management techniques are employed.

Project Manager
▸First step is to assign project to a manager
▸Needs experience in area
▸Needs skill at managing projects
▸Must work well with staff on planning and executing the project.

Generic Project Life Cycle
5 Phases of Project Life Cycle
1.PLANNING – involves setting time, scope, and cost parameters for the entire project.
2.MANAGING – to schedule the specific sequencing and timing of each activity and associated resources.
3.MONITORING – using benchmarks, milestones, and deliverables to track progress.
4.CONTROLLING – concerns the development of specific actions aimed at keeping a project moving forward.
5.CLOSING – obtaining client acceptance, release and evaluation.

Project Life Cycle Phases
1.Plan the Project
●Set the Time, Cost & Scope
●Identify resources
●Articulate outcome
●Work with specialists
●Determine the WBS – Work Breakdown Structure
2.Schedule the Project
▹Create Timetable for each activity.
●Gantt charts
●Critical Path Analysis
●Critical Path Method
●Microsoft Project
3.Continuous Monitoring
●Use benchmarks, milestones, deliverables.
●Frequency varies by project.
●Rule of Thumb: Determine the maximum percent deviation allowed & monitor activities at the half-way point.
4.Controlling
●Keep project moving
●Adjust to unexpected issues
●Continually adjust the plan
5.Closing the Project
●Obtain client acceptance in writing
●Release and evaluate project personnel
●Identify & reassign remaining project assets
●Evaluations of project
●Chronicle project history

Key Project Risk Indicators
1.Management does not use a formal project management methodology.
2.Project leaders are not adequately experienced at managing projects.
3.Project leaders have insufficient domain expertise.
4.Project teams are unqualified to handle the project size/complexity.
5.Project team members are dissatisfied and frustrated.
6.Projects do not have senior-level executive support.
7.Projects do not include input from all affected parties.
8.Project recipients are dissatisfied with project outcomes.
9.Projects are taking longer to develop than planned.
10.Projects are costing more than budgeted.

Acquiring Software
▸IT auditor should determine if the new application would fit into the company’s strategic plan.
▸There should be a formal software application acquisition policy.
▸Needs must be identified and prioritized.
▸Determine which applications can be developed in-house, and which to purchase.

Selection Process
▸Assign a project manager
▹Must know the needs of users & include them in decisions
▸Identify alternatives and compare:

Total Cost of Software
▸Price of acquisition
▸User training
▸Multiple licenses
▸Service and support
▸Future upgrades
▸Software modifications

Key Acquisition Risk Indicators
1.Software acquisitions are not mapped to the strategic plan.
2.There are no documented policies aimed at guiding software acquisitions.
3.There is no process for comparing the “develop versus purchase” option.
4.No one is assigned responsibility for the acquisition process.
5.Affected parties are not involved with assessing requirements and needs.
6.There is insufficient knowledge of software alternatives.
7.Security features and internal controls are not assessed.
8.Benchmarking and performance tests are not carried out.
9.Integration and scalability issues are not taken into account.
10.Total cost of ownership is not fully considered.

Developing Software Applications
▸Information Systems Development Proposal – formal documentation of requested project.
▸Steering Committee reviews each proposal.
▸Feasibility Group studies potential projects.

Feasibility Study
▸Recommends to the Steering Committee
▸Provides preliminary assessment
▹Technical Feasibility: Whether current, affordable and reliable technology can be reasonably applied to the project.
▹Financial Feasibility: Calculates return based on company policy.
▹Cultural Feasibility: Do the employees have skills to run the system? Will they use it? Are there legal or regulatory concerns?
▸Feasibility group prepares report to make a recommendation on the project.
▸Report is submitted to Steering Committee.
▸Steering Committee assigns project to Project Leader.
▸Project Leader assembles Project Team.
▹Includes functional area representatives
▹Includes at least one senior level manager

Additional Systems Development Issues
BUSINESS PROCESS ANALYSIS – an integral part of the planning phase of project management entails conducting a thorough business process analysis before starting any technical development work.
▹Must complete before starting technical development.
▹Use various modeling techniques.
▹Develop and consider alternative business process designs.
▹Look to external sources.
▹Compare models.
▹Select best model.

DEVELOPMENT & TESTING
▸Create Libraries in a secured area of computer.
▸Create secure places for code and data.
▸Prevent destruction and/or alterations.
▸Company must have security procedures continuously monitored.

Development, Test and Production Libraries
DEVELOPMENT, TESTING AND PRODUCTION – when technical activities begin, the project team should execute such tasks in a secured area of the computer called the development library.
Types of Library
1.Production library
2.Test library
3.Development library

SECURITY AND CONTROLS
▹Project team must plan security & control features in development stage.
▹Prevents patching program code later.
▹Ultimate goal is to design as many automated features as possible to optimize system reliability.

CONVERSIONS AND INTERFACES
▹Conversion: Put existing data in correct format for the new system
■Scrub the data
■Correct errors and omissions before it goes into the new system
▹Interfaces: Bridge the developed application to related external applications
■Be able to pass data back & forth.

IMPLEMENTATION TESTING
▸Three Phases of Testing before going live:
1.Unit Testing: Tests in isolation for simple tasks.
2.String or Module Testing: Test related programs that are joined & handle multiple tasks.
3.System Testing: Test related modules that join the entire application.
4.Stress Testing: Test final product under extreme conditions.

TRAINING & DOCUMENTATION
▹Training should:
■Take place early
■Be all-encompassing
■Continue throughout project life cycle
▹Documentation should:
■Be complete for entire project and all programs
■Include user manuals

Key Development Risk Indicators
1.Development projects are not aligned with the strategic plan.
2.Feasibility studies do not consider the following areas:
•Technical feasibility
•Financial feasibility
•Cultural feasibility
3.Senior management and users are not involved.
4.Business process analyses are not performed.
5.Alternative designs are not compared.
6.Separate development, test, and production libraries are not used.
7.Security and control features are not designed into the system.
8.Conversion and interface issues are not taken into account.
9.System testing is inadequate.
10.Training and documentation are poor.

Changing Software
▸Change Request
▹Specifies the change
▹Justifies the need
▹Approvals given
■All parties agree change is necessary
■Change is congruent with Strategic Plan
▹Submitted to IT

Change Requests
▸IT logs in the requests & assigns tracking number
▸Software Change Committee reviews and prioritizes
▹May refer to a feasibility group
▸Change is assigned to IT staff person(s)

Change design & programming
▸Follow same structure as in new development
▹Secured procedure of separate development, test, and production libraries
▹Incorporated security & control procedures
▹Tests for integration (Unit, module, system tests)
▹Documentation

Key System Change Risk Indicators
1.A structured system change methodology is not in place.
2.A software change request procedure is not used.
3.Change requests are not reviewed/prioritized by a representative group.
4.Feasibility studies are not performed when appropriate.
5.Alternative software change designs are not considered.
6.Separate development, test, and production libraries are not used.
7.Security and controls implications are not considered.
8.Integration issues are not taken into account.
9.Testing is inadequately conducted.
10.Application changes are poorly documented.

Implementing Software Applications
Types of Implementation:
1.Parallel implementation
2.Big-bang implementation
3.Partial implementation
4.Focused implementation

Implementation Strategies
▸Purchased software needs testing.
▸Strategy must be chosen that best fits the situation.
▸Consider risks of business interruption, costs, time, ability of legacy system to function.

PARALLEL IMPLEMENTATION
▹New and Old system process side by side with live data
▹Problems can be identified and corrected
▹Least risky
▹Heavy resource use:
■Time to input, process, and create reports on two systems
■Time for reconciliation of output
■Hardware requirements to run two systems

BIG-BANG IMPLEMENTATION
▹The old system is discontinued and the new one becomes live the next instant.
▹Resources are not tied up running the old system.
▹Staff is focused on success of new system.
▹New system failure could interrupt business processes.

PARTIAL IMPLEMENTATION
▹Phase-in strategy starts one application of a system at a time
▹Problems are resolved before the next application begins.
▹Minimizes risk of business interruption.
▹May take a long time to implement entire new system.

FOCUSED IMPLEMENTATION
▹Implements system first with small user groups (office, departments, divisions, locations, etc.)
▹Group would use one of the previous strategies.
▹Problems would be identified & resolved before larger groups begin.
▹Could take a long time for full implementation to be completed.

Implementation Strategies
▸Process should be handled as a project
▸Organize tasks into Work Breakdown Structure
▸Develop a formal change management policy

Change Management
▸Establish an open line of communication among all affected parties.
▸Develop thorough training and educational programs.
▸Allow all affected parties to provide instrumental input into the implementation process as it unfolds.

Final Testing
▸Move object code from development library to the test library
▸Test built-in security and control features
▸Effectiveness observed, tested and approved by qualified overseers
▸Test interface programs

Final Conversion
▸Run programs that convert live data from old to new format
▹Use archived data up to several days prior
▹Fix data until programs work successfully
▸Convert last days of data
▸After successful conversion, move into the production library:
▹Application object code
▹Converted data
▹Interface object code

Application is Live!
▸Team still needs to work with users!
▹Answer questions
▹Fix Problems
▹Monitor performance
▹Performance Tuning
▹User Acceptance
▸Prepare a Post-implementation report
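The change-request flow (log, assign a tracking number, committee review, assignment to IT staff) and the separate development, test and production libraries described under Changing Software and Final Testing above, as an added example that is not part of the original chapter: a small Python model in which each move of object code is refused unless the preceding control was met, and in which the author of a change cannot be the one who promotes it to production. The class names, party names, tracking-number scheme and sample change are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Set
import hashlib
REQUIRED_TESTS = ("unit", "module", "system")              # integration tests named in the chapter
PREVIOUS = {"test": "development", "production": "test"}   # object code moves dev -> test -> prod

class ControlViolation(Exception):
    """A step of the change procedure was skipped, done out of order, or done by the wrong person."""
@dataclass
class ChangeRequest:
    description: str                                   # specifies the change and justifies the need
    approvals: Set[str] = field(default_factory=set)   # parties agreeing the change is necessary
    congruent_with_plan: bool = False                  # change is congruent with the Strategic Plan
    tracking_number: int = 0                           # assigned by IT when the request is logged
    assignee: str = ""                                 # IT staff person assigned after committee review

class ChangeControl:
    def __init__(self, required_parties: Set[str]):
        self.required_parties, self.next_number, self.requests = required_parties, 1000, {}
        self.libraries = {name: {} for name in ("development", "test", "production")}
        self.tests_passed, self.documented, self.author = {}, set(), {}

    def log_request(self, cr: ChangeRequest) -> int:
        # IT logs the request and assigns a tracking number; approvals must already be in place.
        if not self.required_parties <= cr.approvals or not cr.congruent_with_plan:
            raise ControlViolation("not approved by all parties or not congruent with strategic plan")
        cr.tracking_number, self.next_number = self.next_number, self.next_number + 1
        self.requests[cr.tracking_number] = cr
        return cr.tracking_number

    def committee_assign(self, number: int, staff: str) -> None:
        # Software Change Committee has reviewed and prioritized; the change is assigned to IT staff.
        self.requests[number].assignee = staff

    def check_in(self, number: int, developer: str, object_code: bytes) -> None:
        # Programming happens only in the development library and only by the assignee.
        if self.requests[number].assignee != developer:
            raise ControlViolation("change not assigned to this developer")
        self.libraries["development"][number] = hashlib.sha256(object_code).hexdigest()
        self.author[number] = developer

    def promote(self, number: int, target: str, by: str) -> str:
        # One library forward only; production also needs every test, documentation, and a promoter
        # who is not the author (separation of duties).
        source = PREVIOUS.get(target)
        if source is None or number not in self.libraries[source]:
            raise ControlViolation(f"{number} cannot move to {target}: not in the {source} library")
        if target == "production":
            missing = set(REQUIRED_TESTS) - self.tests_passed.get(number, set())
            if missing or number not in self.documented or by == self.author[number]:
                raise ControlViolation(f"missing tests {sorted(missing)}, documentation, or author promoting own change")
        self.libraries[target][number] = self.libraries[source][number]
        return self.libraries[target][number]

def run_example() -> Dict[str, object]:
    # Constructed walk-through: one compliant change plus two attempts the controls must stop.
    cc = ChangeControl(required_parties={"user_rep", "it_manager"})
    cr = ChangeRequest("add audit trail to order entry", {"user_rep", "it_manager"}, True)
    number = cc.log_request(cr)
    cc.committee_assign(number, "dev_alice")
    cc.check_in(number, "dev_alice", b"constructed object code v2")
    results: Dict[str, object] = {"tracking_number": number}
    try:                                                 # attempt to skip the test library
        cc.promote(number, "production", by="ops_bob")
    except ControlViolation as e:
        results["skip_test_library"] = str(e)
    cc.promote(number, "test", by="dev_alice")
    cc.tests_passed[number] = set(REQUIRED_TESTS)        # unit, module and system tests passed
    cc.documented.add(number)
    try:                                                 # author trying to promote her own change
        cc.promote(number, "production", by="dev_alice")
    except ControlViolation as e:
        results["author_promotes_own"] = str(e)
    results["prod_digest"] = cc.promote(number, "production", by="ops_bob")
    return results
```

The digest recorded in the production library is the one taken at check-in, so an auditor can confirm that what went live is exactly what was tested.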

Key Implementation Risk Indicators
1.Alternative implementation strategies are not considered:
a)Parallel
b)Big-Bang
c)Partial
d)Focused
2.Formal implementation plans are not followed.
3.All affected parties are not involved.
4.Implementation teams are uncoordinated.
5.Implementation processes are rushed.
6.Change management procedures are not developed.
7.System users are inadequately trained.
8.Security and control issues are slighted.
9.Final testing is insufficient.
10.Post-implementation reviews are not conducted.
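The reconciliation of output that a parallel implementation requires (Parallel Implementation above, and risk indicator 9, insufficient final testing), as an added example not taken from the chapter: both systems' day-end reports are matched record by record, and the cutover gate stays closed while any discrepancy is unexplained. The report format, the invoice values and the tolerance are constructed for illustration.

```python
import csv
from decimal import Decimal
from io import StringIO
from typing import Dict, List

# Constructed day-end invoice reports produced from the same live data by the old
# and the new system during a parallel run (values are made up for illustration).
OLD_SYSTEM_REPORT = """invoice,customer,total
1001,ACME,150.00
1002,Globex,89.99
1003,Initech,300.10
1004,Umbrella,42.00
"""
NEW_SYSTEM_REPORT = """invoice,customer,total
1001,ACME,150.00
1002,Globex,89.98
1003,Initech,300.10
1005,Hooli,12.50
"""

def load_report(text: str) -> Dict[str, Dict[str, str]]:
    """Key each report row by invoice number so the two systems can be matched record by record."""
    return {row["invoice"]: row for row in csv.DictReader(StringIO(text))}

def reconcile(old: Dict[str, Dict[str, str]], new: Dict[str, Dict[str, str]],
              tolerance: Decimal = Decimal("0.00")) -> Dict[str, List[str]]:
    """Compare the two systems' outputs. A record the old system produced but the new one did not,
    a record only the new system produced, and a total differing by more than the agreed tolerance
    are all discrepancies that must be explained before the old system is switched off."""
    findings: Dict[str, List[str]] = {"missing_in_new": [], "unexpected_in_new": [], "mismatch": []}
    for key, old_row in old.items():
        if key not in new:
            findings["missing_in_new"].append(key)
            continue
        new_row = new[key]
        delta = abs(Decimal(old_row["total"]) - Decimal(new_row["total"]))
        if old_row["customer"] != new_row["customer"] or delta > tolerance:
            findings["mismatch"].append(f"{key}: old={old_row['total']} new={new_row['total']}")
    findings["unexpected_in_new"] = [key for key in new if key not in old]
    return findings

def cutover_ready(findings: Dict[str, List[str]]) -> bool:
    """The gate an auditor would expect to see: no unexplained discrepancy of any kind."""
    return not any(findings.values())

def run_example(tolerance: str = "0.00") -> Dict[str, object]:
    # Reconcile the constructed reports; a rounding tolerance may clear value mismatches but never
    # missing or unexpected records.
    findings = reconcile(load_report(OLD_SYSTEM_REPORT), load_report(NEW_SYSTEM_REPORT), Decimal(tolerance))
    return {"findings": findings, "cutover_ready": cutover_ready(findings)}
```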
