Management Control

Page 1
Risk and Control Associated with ICT Architecture

Komputer Aplikasi

Data Sistem Komunikasi

The IT Audit
(James A. Hall, Information Technology Auditing,2011)
• Focus of IT Control is on the computer base aspects of an
organization’s information system.
 Control Over IS Functions
 Management Control • Application Control
 Top Management • Boundary
 IS Management • Input
 System Development
Management • Communications
 Programming Management • Processing
 Data Administration • Database
 Quality assurance • Output
Management
 Security Administration
 Operation Management

IS Constrol and AUdit, ROn Weber. CISA review Manual, ISACA,

9/28/11 4
2003
 Control Over IS functions
IS Constrol and AUdit, ROn Weber. CISA review Manual, ISACA,
9/28/11 5
2003
 Assessing information technology risk

 TOP Management
 Must ensure the IS function is well managed. It
is responsible primarily for long-run policy
decisions on how information systems will be
used in the organization
 IS Management
 Has overall responsibility for the planning and
controls of all information system activities. It
also provides advice to top management in
relation to long-run policy decision making and
translate long-run policy into short-run goals and
objectives

9/28/11 IS Constrol and AUdit, ROn Weber. CISA 6

review Manual, ISACA, 2003
 Assessing information technology risk
 System Development Management
 Responsible for the design,
implementation and maintenance of
application systems
 Programming management
 Is responsible for programming new
system, maintaining old systems and
providing general system supports
software

9/28/11 IS Constrol and AUdit, ROn Weber. CISA 7

review Manual, ISACA, 2003
 Assessing information technology risk
 Data administration
 Responsible for addressing planning and
controls issue in relation to use an
organization data
 Quality assurance management
 Responsible for ensuring information system
development, implementation, operation, and
maintenance conform to establish quality
standard

9/28/11 IS Constrol and AUdit, ROn Weber. CISA 8

review Manual, ISACA, 2003
 Assessing information technology risk

 Security administration
 Responsible for access control and physical
security over the IS function.
 Operation Management
 Responsible for planning and controlling of
the day-to-day operations of IS

9/28/11 IS Constrol and AUdit, ROn Weber. CISA 9

review Manual, ISACA, 2003
Management Control: Top Management
Control
 Must ensure the IS function is well managed. It is responsible
primarily for long-run policy decisions on how information systems
will be used in the organization.
 Mendiskusikan peran manajemen dalam perencanaan, pengorganisasian,
kepemimpinan, dan pengendalian fungsi sistem informasi

IS Constrol and AUdit, ROn Weber. CISA review Manual, ISACA,

9/28/11 10
2003
Management Control: Top Management
Control
• Evaluating the Planning Function
• Type of Planning Function
• Contingency Approach Planning
• Role of steering Committee
• Evaluation the Organization Function
• Resources the IS Function
• Centralization VS Decentralization
• Internal Organization of IS Function
• Evaluation the Leading Function
• Motivating IS Personnel
• Matching Leadership Style win IS System
• Effective Communication with IS personnel
• Evaluation the controlling function
• Overall Control of the IS Function
• Technology diffusion and control of the IS Function
• Control over IS Activities
• Control over the user of IS Services
Management Control: Information System
Management
 Has overall responsibility for the planning and controls of all
information system activities. It also provides advice to top
management in relation to long-run policy decision making and
translate long-run policy into short-run goals and objectives
Management Control: System Development
Management Control
 Responsible for the design, implementation and maintenance of
application systems
 Provide a contingency perspective on the models of the IS system
development process that auditor can use as a basis for evidence collection
and evaluation
Management Control: System Development
Management Control
 Approach of system development
 Normative Model of the System development
 System Development Life-Cycle (SDLC)
 Sociotechnical Design Approach
 Political approach
 Prototyping approach
 Contingency approach
 Evaluation the major phases in the System development process
 Problem/opportunity definition
 Management of the change process
 Entry and feasibility assessment
 Analysis of the existing system
 Formulating strategic requirements
 Organizational and job design
 Information Processing system Design
Management Control: System Development
Management Control
 Approach of system development
 Normative Model of the System development
 System Development Life-Cycle (SDLC)
 Sociotechnical Design Approach
 Political approach
 Prototyping approach
 Contingency approach
 Evaluation the major phases in the System development process
 Problem/opportunity definition
 Management of the change process
 Entry and feasibility assessment
 Analysis of the existing system
 Formulating strategic requirments
 Organizational and job design
 Information Processing system Design
Management Control: Programming
Management Control
• Is responsible for programming new system, maintaining old systems and
providing general system supports software
• Discusses major phases in the program life cycle and the important control should
be exercised in the each phase.
• Program development life cycle
• Planning
• Control
• Design
• Coding
• Testing
• Operation and maintenance
• Organizing Programming Team
• Chief Programmer Teams
• Adaptive team
• Controlled-decentralized teams
• Managing the system programming group
Management Control: Data Administration
Control
• Responsible for addressing planning and controls issue in relation to use an
organization data
• Motivation toward the Data Administrator and Database Administrator Roles
• Function of DA and DBA
• Defining, creating, redefine, and retiring data
• Making the database available to users
• Informing and servicing users
• Maintaining database integrity
• Monitoring operation
Management Control: Data Administration
Control
• Some Organization Issues
• Placement of the DA and DBA
• Effect of decentralization of the IS Function
• Data repository System
• Basic function of DRs
• Some problem with DRs
• Audit Aspect of a DRs
• Control over DA and DBA
• Some exposure
• Some Remedial Measure
Management Control: Quality assurance
Management
 Responsible for ensuring information system development,
implementation, operation, and maintenance conform to establish
quality standard.
 Motivation of QA role
 QA function
 Developing Quality goals
 Developing, promulgating and maintenance standard for the IS Function
 Monitoring Compliance with QA standard
 Identifying area for improvement
 Reporting to Management
 Training in QA standards and procedures

IS Constrol and AUdit, ROn Weber. CISA review Manual, ISACA,

9/28/11 19
2003
Management Control: Quality assurance
Management
 Responsible for ensuring information system development,
implementation, operation, and maintenance conform to establish
quality standard
 Organizational Consideration
 Placement of the QA Function
 Staffing the QA function
 Relationship between QA and Auditing

IS Constrol and AUdit, ROn Weber. CISA review Manual, ISACA,

9/28/11 20
2003
Management Control: Security Management
Controls
 Responsible for access control and physical security over the IS
function.
 Conducting security programs
 Preparation of a project plan
 Identification of asset
 Threats identification
 Exposure analysis
 Control adjustment
 Report preparation
Management Control: Security Management
Controls
 Responsible for access control and physical security over the IS function.
 Major security threats and remedial measures
 Fire damage
 Water damage
 Energy variations
 Structural damage
 Pollution
 Unauthorized intrusion
 Viruses and worm
 Misuse of software, data, and services
 Hacking
 Control of last resort
 Disaster Recovery planning
 Insurance
Management Control: Operation
Management
 Responsible for planning and controlling of the day-to-day operations of IS
 Computer operation
 Operation controls
 Scheduling Control
 Maintenance control
 Network Operation
 Wide Area Networks control
 Local Area Network Control
 Data preparation and entry
 Production control
 Input/output Control
 Job scheduling control
 Management of service-level agreement
 Transfer/pricing charge out control
 Acquisition of consumable
Management Control: Operation
Management
 Responsible for planning and controlling of the day-to-day operations of IS
 File Library
 Storage of storage media
 User of storage media
 Maintenance and disposal of storage media
 Location of storage media
 Documentation and program library
 Help desk technical support
 Capacity planning and performance monitoring
 Management of outsource operation
 Financial viability of the outsourcing Vendor
 Compliance with the outsourcing contract’s term and condition
 Reliability of outsourcing vendor's control
 Outsource disaster recovery planning
Management Control: Operation
Management
 Responsible for planning and controlling of the day-to-day operations of IS

Assessing information technology risk
 It is more likely auditor evaluate management control before
application controls.
 After evaluate a management control, auditor usually do not have to
evaluate it again because it should function all across all applications.
 e.g if auditors find that an organization enforces high quality of
documentation standards, it is likely they will have review the quality
of documentation for each application system

IS Constrol and AUdit, ROn Weber. CISA review Manual, ISACA,

9/28/11 26
2003
Identify information technology controls
• Preventive Control
• Instructions are placed on a source document to prevent clerks from
filling it out incorrectly. Notes that the control work only if the
instructions are sufficient clear and the clerks is sufficient trained to
understand the instruction. Both the clerks and instructions are
components of the system that contribute the control. The instruction
themselves are not the control

IS Constrol and AUdit, ROn Weber. CISA review Manual, ISACA,

9/28/11 27
2003
Nature Detective
of Controls
Control
 An input program identifies incorrect data
entered in a system via terminal, again the
control is a system because part of the program
must work together to pinpoint errors
 Corrective Control
 A program uses specials codes that enable it to
correct data corrupted with error-correcting to
rectify the error

IS Constrol and AUdit, ROn Weber. CISA review Manual, ISACA,

9/28/11 28
2003
 Assessing information technology risk

 To asses the level of control risk associated with a segment of

the audit, auditors consider the reliability of both
management and application controls.
 Auditors usually identify and evaluate control in management
subsystem first. Management (subsystem) control are
fundamentals controls because they cover all application
system
 The absence of management control is a serious concern for
auditor

IS Constrol and AUdit, ROn Weber. CISA review Manual, ISACA,

9/28/11 29
2003
Assessing information technology risk
 System Development Management
 Responsible for the design, implementation and maintenance of
application systems
 Programming management
 Is responsible for programming new system, maintaining old systems and
providing general system supports software

IS Constrol and AUdit, ROn Weber. CISA review Manual, ISACA,

9/28/11 30
2003