Clifton Gunderson IT Oversight

In a recent survey of executives by the IT Governance Institute, half of those surveyed indicated that IT is very important to their organization, but yet noted that IT issues were only discussed on an ad hoc basis at the senior management level.

Speaker notes:
  • Poll: There are six objectives that aim to align the goals of the business with the goals of IT; these goals do not include: (a) Alignment of organizational and IT strategies; (b) Effective management and responsible use of IT resources; (c) Realization of non-IT related opportunities.
  • Those of you that have been through a financial audit know the topic well. The IT function has its own segregation needs, but can also help with duty segregation in other non-IT areas.
  • Rights management is what enforces segregation of duties within information systems. Accounting system: what good are user credentials unless different users have different rights?
  • Often turned over to the IT group; it belongs between HR & IT. Data owners need to take responsibility: IT doesn’t know what department heads do. Network: can circumvent application rights (interface export locations!). Applications: control and reporting of those who can create users. Change parameters should mirror those of the network.
  • Problem with having the same person handle both: they could circumvent other segregation of duty controls. Controls should also include documentation between HR, IT & application management groups: forms, email, other tracking mechanisms. The annual audit cannot be an IT-only exercise.
  • Compensating controls: require appropriate use of the mentioned items. If approvals can be overridden through loose rights assignments, then there is no value. Reporting: only useful if reports are reviewed (system logs, 3rd party applications). Approval & override reporting.
  • Poll: The management and auditing of rights to the network and applications should: (a) Be handled solely by the IT group; (b) Involve the data owners and those responsible for implementing the systems; (c) Mainly focus on application security, which overrides network security.
  • Software applications: same basic intentions as controlling O/S updates, with additional concerns over interfaces with other applications or modifications to the basic application. Reporting systems: controls and approvals over changes to customized reports are as essential as application changes; a changed report could hide transactions, account groups, etc.
  • Also referred to within a system development lifecycle. Formalization is key! Reporting: the requestor is the same as the developer; changes are made outside of the production system. Changes at the same time of the period by the same developer.
  • Poll: Which statement is most accurate about companies that should implement change controls? (a) Only companies that have internally developed applications need change controls; (b) Changes to reporting tools are not normally part of the change control process; (c) Change controls should cover system update procedures.
  • Internal: monitoring and understanding of system plans and changes (same for both). Supervisory roles! Physical access to servers, backup media, laptops: data or equipment theft. Can be influenced by other departments, knowingly or unknowingly becoming part of fraud. Outsourced: remote access control (OFF UNLESS REQUESTED!) and access logging reports. Communication is harder: not part of the culture, planning meetings, etc. Details on activities are not always expressed or understood by the organization. Little dialog with data owners to help meet system needs. Consultant storage of credentials, sharing with other consultants, and changes in the consultant organization (fired employees) could lead to security problems.
  • These will potentially be people with access to all of the organization’s IT assets; treat them like those in finance or HR. Criminal background checks are a necessity. Credit checks are not enough. A state court system check is not always enough (they may have worked in other states). Google searches: message board postings, news stories, etc. Social media content: Twitter posts, blogs, Facebook wall items, etc. 3rd party hiring procedures as part of vendor selection: what are the procedures for consultants? Due diligence on consultants assigned to the account.
  • At the back end of the hiring process is the review process. Equally important for internal and outsourced IT resources. For the internal IT group: who handles the technical review? The review doesn’t need to be highly technical: are projects getting done? Are the department heads satisfied with the project?
  • You don’t have to understand the systems to understand the log information. The key is information that is easy to access and easy to understand.
  • Remote access sessions could indicate an attempt to hide activities. Look for patterns, always before and after reporting events. Failed login attempts: trying to break other user credentials. Changes to system level rights: temporarily granting access to items.
  • Standardized form to help track from period to period. Helps to divide up the review process; open communication channels with managers.
  • Communication at all levels, distributed to managers. One group/person in control, but input and help from department heads is key to getting true integration.
    1. IT Oversight: Six Management Strategies for Construction Companies. A CFMA KnowledgeNOW Webinar, September 29, 2010.
    2. Copyright notice: This presentation and all associated materials are copyrighted by CFMA & Clifton Gunderson LLP, and may not be altered, adapted, reproduced, or redistributed in any manner without express written permission from CFMA’s Director of Educational Services & Clifton Gunderson LLP. Unauthorized use of any CFMA copyrighted materials is expressly forbidden by law. © 2010 Clifton Gunderson LLP & CFMA. All rights reserved.
    3. This KnowledgeNOW Webinar was produced for CFMA by… and is sponsored by…
    4. Discussion Topics: Where IT fits in the organizational chart; The role of IT in strategic planning and decision-making; Developing an integrated IT group; Security challenges and solutions; The role of IT in internal controls; Internal versus outsourced IT resources.
    5. Today's Presenters: Rodney Almaraz, Senior Manager, Clifton Gunderson, Austin, Texas; Jeff Lemmermann, Practice Manager, Clifton Gunderson, Milwaukee, Wisconsin.
    6. IT Oversight: The Importance of IT Oversight; Harnessing the power of the IT group; Outlining the role of IT in the business; IT governance concepts.
    7. IT Oversight – The Importance of IT Oversight: Budget Overruns; Delivered Late; Death March Projects.
    8. IT Oversight: Ensure IT is part of the decisions, not “making” the decisions; Position IT as a strategic & competitive necessity; Make sure that IT plans, actions, and capabilities are clearly linked.
    9. IT Oversight – IT Governance Concepts: Definition; What are we governing?
    10. (image slide, no text)
    11. IT Oversight: Where does IT fit in the Organization Chart?; Alignment of the goals of the business with the goals of IT; Involvement of the IT Group in the Strategic Vision.
    12. IT Oversight – Alignment of the goals of the business with the goals of IT – Six Objectives: 1. Alignment of organizational and IT strategies; 2. Realization of IT project and operations value; 3. Realization of IT-related opportunities.
    13. IT Oversight – Six Objectives (continued): 4. Effective management and responsible use of IT resources; 5. Effective management of IT-related business risks; 6. Compliance with applicable laws, regulations and corporate standards.
    14. IT Oversight – Involvement of the IT Group in the Strategic Vision: CIOs want a greater role; Classification of project types; Minimize maintenance budget.
    15. IT Oversight – Developing an “Integrated” IT group: Department leader communication with the IT Group; Involvement of users in the goal setting process.
    16. IT Oversight – Developing an “Integrated” IT group: Working with the Business; Southwest Example; Campbell Soup Example.
    17. IT Oversight (image slide, no text)
    18. IT Oversight (image slide, no text)
    19. IT Oversight – Involvement of users in the goal setting process: Identify the universe of stakeholders; Assess stakeholder importance and influence; Determine stakeholder interest and motivation.
    20. IT Oversight – stakeholder matrix (figure). Axes: Degree of common interest with IT (Conflicting / Mutual) and Degree of interdependence with IT process; Sources of IT’s needs: Resources, Political Support. IT’s action per quadrant: Allies - use as a power base; Blockers - isolate & negotiate; Network members - build strong political network; Slowers - negotiate.
    21. IT Oversight: Informative communication from IT to the users; Understanding the security implications of proper oversight; Safeguarding the “keys to the kingdom”; Controls over administrator accounts.
    22. IT Oversight – Understanding the security implications of proper oversight: Benefits of oversight; Avoiding security risks; Case Study - Terry Childs.
    23. IT Oversight – Terry Childs: San Francisco - super administrator.
    24. IT Oversight – Safeguarding the “keys to the kingdom”: Segregation of duties; Properly approving Administrator access.
    25. IT Oversight: Monitoring high-level changes; Application owners approve users; Reporting outside of IT.
    26. IT Oversight (image slide, no text)
    27. Survey Poll: There are six objectives that aim to align the goals of the business with the goals of IT; these goals do not include:
    28. Speaker Transition: Financial auditors will refer to this at least five times every year during fieldwork. What is “Segregation of Duties”?
    29. Rights Management – The Principle of Least Privilege: a user is given no more privilege than necessary to perform a job. Rights to applications; Rights to network resources.
    30. Rights Management: Cannot be controlled by IT only; Data owners need to be involved; New hire events & terminations; Promotions & department changes. Application Rights (owners should control!): Administrative rights; Rights to modules; Job change procedures; Password parameters. Network Rights: Shared directories; User directories; Database locations; Raw data file access.
    31. Rights Management – Requires internal enforcement and auditing procedures: Internal enforcement; Separation of network and application management; Annual user audit procedures; Participation of department heads (data owners); IT department overdependence.
    32. Rights Management – Using IT Systems to supplement needs for segregation of duties: Small organizations may lack personnel; IT Systems can enforce the segregation. Compensating Controls: Rights Controls; Required Approvals; Tracking & Reporting.
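The annual user audit the rights-management slides describe (HR events reconciled against application and network rights, with data-owner approval and separation of network and application management), as an added example that is not part of the webinar materials; the roster, accounts, role names and conflicting role pair are constructed assumptions.

```python
"""Annual user-rights audit reconciling the HR roster against application and
network rights. Added example, not from the webinar; the roster, accounts and
role names below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Account:
    user: str
    app_roles: set = field(default_factory=set)   # roles in the accounting application
    network_admin: bool = False                   # member of the network admin group
    approved_by: str = ""                         # data owner who approved the app rights


# Constructed HR roster: employment status per user id.
HR_ROSTER = {"alice": "active", "bob": "terminated", "carol": "active",
             "dave": "active", "erin": "active"}

# Constructed account export from the application and the network directory.
ACCOUNTS = [
    Account("alice", {"AP_ENTRY"}, False, "cfo"),
    Account("bob", {"AP_ENTRY"}, False, "cfo"),                   # terminated, never removed
    Account("carol", {"APP_ADMIN", "USER_CREATE"}, True, "cfo"),  # admin on both sides
    Account("dave", {"AP_ENTRY", "AP_APPROVE"}, False, "cfo"),    # enters and approves
    Account("erin", {"AP_APPROVE"}, False, ""),                    # no owner sign-off
]

# Role pairs one person should not hold together (assumed for the example).
CONFLICTING_PAIRS = [({"AP_ENTRY"}, {"AP_APPROVE"})]


def audit(roster, accounts):
    """Return (user, finding) tuples for the data owner's review."""
    findings = []
    for a in accounts:
        if roster.get(a.user) != "active":           # termination or unknown user
            findings.append((a.user, "not_active_in_hr"))
        if a.network_admin and "APP_ADMIN" in a.app_roles:
            findings.append((a.user, "network_and_app_admin"))
        if not a.approved_by:                        # owners should approve every user
            findings.append((a.user, "no_owner_approval"))
        if "USER_CREATE" in a.app_roles:             # report who can create users
            findings.append((a.user, "can_create_users"))
        for left, right in CONFLICTING_PAIRS:
            if left <= a.app_roles and right <= a.app_roles:
                findings.append((a.user, "sod_conflict:" + "+".join(sorted(left | right))))
    return findings


if __name__ == "__main__":
    for user, finding in audit(HR_ROSTER, ACCOUNTS):
        print(f"{user:8} {finding}")
```

Each finding is addressed to the data owner, not IT, so the review is not an IT-only exercise.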
    33. Survey Poll: The management and auditing of rights to the network and applications should:
    34. Change Controls – Important to all networks: System Maintenance; Operating System Updates (ensure proper testing, control downtime); Software Applications (test interfaces and application modifications); Reporting System Changes (as important as application development changes).
    35. Change Controls – Important to networks with their own developers – Application Development: Formal request documentation; Proper approval & assignment process; Testing methodology and documentation; Separation of development and production systems; Project approval and close process; Reporting & review of controls.
    36. Survey Poll: Which statement is most accurate about companies that should implement change controls?
    37. Internal IT Personnel vs. Outsourced IT Resources: Key differences in managing security.
    38. Understanding Risks. Internal IT Concerns: System access levels; Greater access to physical items; Asset misappropriation; Relationships with others; More likely to extend rights; Collaboration on fraud. Outsourced IT Concerns: Remote access needs; Communication; Reporting on activities; Understanding of business; Dialog with department heads; Control of access credentials; Personnel changes by consultant. Common to both Internal & Outsourced: The need for monitoring! Who has the skill set to monitor?
    39. The Review Process – Background Checks: Trusting these individuals with access and control over the information assets of the entire organization! Criminal Background Checks; Google Searches; Social Media Outlets; Special Procedures for Outsourced Resources; Confidentiality agreements regarding data; Reputation checks for specific consultants.
    40. The Review Process. Internal IT: Periodic employment review (parallels the company’s normal review process); The Technical Review (technical performance reflected in project success: are projects getting done?); Overall Review (is communication occurring? is the member contributing to the success of the organization?). Outsourced IT: Periodic performance review (departments with most interaction – can change); Communication Component (are channels open?); Project Completion Score (are projects being completed? are they paying off as expected?).
    41. Reporting on Activities – Key Sources of Information: System Logs; Resource Access Reports; Report Consolidation Utilities; Security Monitoring Applications.
    42. Reporting on Activities – What to look for: key points in log event review to manage the IT function. Remote access sessions (patterns of unexpected access); Groupings of failed login attempts; Frequent changes to system level rights; Manual clearing of log information.
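The log event review on this slide, and the speaker note on remote sessions, failed logins and temporary rights grants, as an added example that is not part of the webinar materials; the log lines and their key=value layout are constructed, and the approved remote-access window, failure threshold and group name are assumptions.

```python
"""Log event review for the patterns listed on the slide. Added example, not
from the webinar; the log lines and their key=value layout are constructed,
and the approved remote-access window and failure threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per event, ISO timestamp then key=value fields.
SAMPLE_LOG = """\
2010-09-28T22:41:10 user=consult1 event=REMOTE_LOGIN src=203.0.113.7
2010-09-29T02:05:30 user=consult1 event=REMOTE_LOGIN src=203.0.113.7
2010-09-29T08:00:00 user=jsmith event=LOGIN_OK src=10.0.0.12
2010-09-29T08:00:05 user=cfo event=LOGIN_FAIL src=10.0.0.44
2010-09-29T08:00:09 user=cfo event=LOGIN_FAIL src=10.0.0.44
2010-09-29T08:00:14 user=cfo event=LOGIN_FAIL src=10.0.0.44
2010-09-29T08:00:20 user=cfo event=LOGIN_FAIL src=10.0.0.44
2010-09-29T09:15:00 user=admin1 event=RIGHTS_CHANGE target=jsmith group=Administrators action=add
2010-09-29T17:40:00 user=admin1 event=RIGHTS_CHANGE target=jsmith group=Administrators action=remove
2010-09-29T17:41:00 user=admin1 event=LOG_CLEARED log=Security
"""

APPROVED_HOURS = range(7, 19)              # assumed window for remote sessions, 07:00-18:59
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)
SYSTEM_GROUPS = {"Administrators"}         # groups whose membership is a system-level right


def parse(text):
    """Turn the key=value lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events


def review(events):
    """Return (pattern, subject, detail) tuples a non-technical reviewer can read."""
    findings, fails, grants = [], defaultdict(list), {}
    for e in events:
        kind = e["event"]
        if kind == "REMOTE_LOGIN" and e["ts"].hour not in APPROVED_HOURS:
            findings.append(("after_hours_remote", e["user"], e["ts"].isoformat()))
        elif kind == "LOGIN_FAIL":
            recent = [t for t in fails[e["user"]] if e["ts"] - t <= FAIL_WINDOW] + [e["ts"]]
            fails[e["user"]] = recent
            if len(recent) == FAIL_THRESHOLD:   # report once, when the threshold is crossed
                findings.append(("failed_login_burst", e["user"], e["ts"].isoformat()))
        elif kind == "RIGHTS_CHANGE" and e.get("group") in SYSTEM_GROUPS:
            key = (e["target"], e["group"])
            if e["action"] == "add":
                grants[key] = e["ts"]
                findings.append(("system_rights_change", e["target"], "added by " + e["user"]))
            elif e["action"] == "remove" and key in grants:   # grant that was later revoked
                hours = (e["ts"] - grants.pop(key)).total_seconds() / 3600
                findings.append(("temporary_admin_grant", e["target"], f"{hours:.1f}h"))
        elif kind == "LOG_CLEARED":
            findings.append(("log_cleared", e["user"], e["log"]))
    return findings


if __name__ == "__main__":
    for pattern, subject, detail in review(parse(SAMPLE_LOG)):
        print(f"{pattern:22} {subject:10} {detail}")
```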
    43. Progress Reporting: Whether internal or external, the IT group should produce timely status reports on current projects. Report review by managers closest to the project; Deadlines are essential in the process; A standardized form is often most useful: current project progress report; upcoming deadlines, points of concern, resources needed; priority listing of upcoming projects; key points of contact for projects.
    44. Reporting on Activities: Communication will always be the key to successful IT oversight.
    45. Contact Information: Rodney Almaraz, Senior Manager, Clifton Gunderson, Austin, Texas; Jeff Lemmermann, Practice Manager, Clifton Gunderson, Milwaukee, Wisconsin.
    46. CPEs: In order to receive your CPE credit for this session, you must complete the electronic evaluation survey on prolibraries.com. To complete this evaluation, stay logged into prolibraries and click on "My Webinars" under "Your Account" on the left hand side of the page. You will see the session title and this link: "Take CPE Evaluation." Click on the CPE Evaluation link to complete the evaluation and print your certificate. You may print your certificate from CFMA's Online Library at any time after you complete the evaluation survey.
    47. CFMA would like to thank our Producer… and our Sponsor…
    48. Thank you for joining us today! Don’t forget to Save the Date for October 13, 2010 as the CFMA’s webinar series continues with a critical update on the FASB Revenue Recognition Proposal for the Construction Industry with FASB representative Ken Bement.