Evaluating IS Operational Practices
As stated in Chapter 2, "Management, Planning, and Organization of IS," the COBIT resources provide a framework for organizations, IT management, and IS auditors to realize best practices to reach business objectives. IS auditors should review the IT organization to ensure the use of formal risk management, project management, and change management associated with the implementation of IT infrastructures.
The COBIT framework provides 11 processes in the management and deployment of IT systems:
- Develop a strategic plan
- Articulate the information architecture
- Find an optimal fit between the IT and the organization's strategy
- Design the IT function to match the organization's needs
- Maximize the return on the IT investment
- Communicate IT policies to the user community
- Manage the IT workforce
- Comply with external regulations, laws, and contracts
- Conduct IT risk assessments
- Maintain a high-quality systems-development process
- Incorporate sound project-management techniques
Risks and Controls Related to IS Operational Practices
An IT organization should develop and maintain strategic planning processes (both long and short term) that enable the organization to meet its goals and objectives. The IT organization’s policies, procedures, standards, and guidelines serve as evidence that the strategic plan has been reflected in detail. The IT organization should have a clearly defined structure that outlines authority and responsibility, and that structure should be documented in an organizational chart. Network devices, applications, and data should be maintained. The IT organization should implement proper segregation of incompatible duties, keeping in mind that segregation between computer operators and security administrators, for example, might not be possible in smaller environments. Compensating controls, such as audit trails, might be acceptable to mitigate the risk from improper segregation of duties. The auditor should review information pertaining to the organizational structure to ensure adequate segregation of duties.
The IS auditor should review policies and procedures because they ensure that organizational objectives are being met. In addition, the IS auditor should review the risk-management process to ensure that the organization is taking steps to reduce risk to an acceptable level (mitigation) and is maintaining that level of risk. The organization’s business plan should establish an understanding of the organization’s mission and objectives, and should be incorporated into the IT strategic plan. Organizational charts should establish the responsibility and authority of individuals, and job descriptions should define the responsibility of and accountability for employee actions. The policies and procedures should incorporate strategic objectives in operational activities.