August 3, 2011

Strategy Planning for Organizational Control

To be successful, management must define a strategy and provide for effective corporate governance. Strategy is defined as "an adaptation of behavior or structure with an elaborate and systematic plan of action." Another more specific definition of strategy is "to create a fundamental change in the way the organization conducts business." Obviously, the Second definition indicates that there are only a handful of people with that much authority. Corporate governance is often defined by ISACA as "ethical behavior of corporate executives toward shareholders and stakeholders to maximize the return of a financial investment." To clarify who is responsible for corporate governance, we could use this definition: "to lead by position or authority."
Three high-level management objectives to be verified by the auditor are as follows:
  • A strategic alignment between IT and the enterprise objectives (formal strategy). Proper planning is required to deploy resources in the right place for the right reason. Management is always responsible for getting it done (corporate governance, preventive controls).
  • A process of monitoring assurance practices for executive management. The senior executives need to understand what is actually occurring in the organization (staying involved by using detective controls).
  • An intervention as required to stop, modify, or fix failures as they occur (corrective action). Everyone has some kind of problem. Management should be working to resolve the issue immediately rather than covering it up by hiding the truth.
Each organization needs to develop their directional strategy. What direction should the business take to fulfill its goals? The strategy selected progresses to focus on client needs and how to fulfill that market. Critical success factors are selected. Marketing initiatives are designed to generate revenue with plans for fulfillment to the buyer. Figure 1 demonstrates the path of organizational requirements in conjunction with the IT requirements.

Figure 1: IT alignment with organizational objectives
The revenue process entails a significant amount of administrative overhead and record keeping. The expectation in every business is to make money and not be hampered by a particular technology nor tied to a particular vendor.
The IT department is looking for a clearly stated purpose that IT is expected to fulfill. The department looks at the demands and requirements necessary to be successful. A structured service-level agreement can be generated with this data, complete with staffing and technology growth plans.
Technology plans have to fulfill a business objective. For instance, take This very successful bookseller isn't necessarily hung up on using Microsoft Windows, Macintosh, or Unix. What the executives want to know is that all the money is processed and the product arrives on time to fulfill their customers’ expectations. Systems management and auditing on the back end will verify that all their bookkeeping and internal controls are functioning effectively. In an industry-leading move, Amazon added same-day shipping as a $5 option on select stock for customers geographically located near the Amazon warehouses. The bookseller downloads the daily courier route schedules and then compares the pickup and delivery schedule to the buyer's address. Orders placed in the morning can arrive the same afternoon in select major cities. A same-day delivery option is automatically added to the shopping cart for eligible purchases. Amazon demonstrates excellent integration of the business and IT strategy.
The top side of Figure 1 is motivated by gains in revenue. Executives take calculated risks to exploit new opportunities for their business to make more money. Conversely, IT is expected to prevent service failures that hurt revenue. IT may also be expected to focus on activities that enable revenue and concurrent activities to prevent loss based on risk management planning. This can make it difficult to determine which problem or goal is the priority.
Auditors can gain insight by looking into the IT reporting structure. The CEO is solely responsible for revenue-generating functions, and other revenue functions may be delegated to an underlying chief operating officer (COO). IT functions reporting to the COO provide services that generate revenue. If the IT operation does not generate revenue, it's a support function (aka cost center) reporting to the chief financial officer (CFO). Refer to Figure 2.

Figure 2: Reporting structure demonstrates IT's purpose
The principal mechanism for ensuring IT alignment is an IT steering committee. The business unit executives identify operating challenges in their workflow, priorities, and desired technical direction.

July 30, 2011

Exam Essentials - Secrets of a Successful Auditor

Know the purpose of policies, standards, guidelines, and procedures. Policies are high-level objectives designated by a person of authority, and compliance to policies is mandatory. Standards ensure a minimum level of uniform compliance to a policy, and compliance to standards is mandatory. Guidelines advise with preferred objectives and useful information in the absence of a standard. Guidelines are often discretionary. Procedures are a cookbook recipe of specific tasks necessary to implement a standard. Compliance to procedures is mandatory.
Know the ISACA standards governing professional conduct and ethics. The auditor is expected to perform with the highest level of concern and diligence. Each audit should be conducted in accordance with professional standards and objectivity, and should implement best practices.
Understand the general purpose of the audit and the role of the IS auditor. The purpose of auditing is to challenge the assertions of management and to determine whether evidence will support management's claims.
Understand an audit role versus a nonaudit role. There are only two roles in an audit. The first role is that of the auditor who performs an objective review, and the second is the role of everyone else. A person cannot be an auditor and also involved in the design or operation of the audit subject.
Understand the importance of IS auditor independence. It is unlikely that an auditor could be truly independent if the auditor were involved with the subject of the audit. Auditor independence is an additional assurance of truth.
Know the difference between discretionary and mandatory language. In regulatory language, the word shall designates a mandatory requirement. The word shall indicates that there is no excuse for failing to meet the stated objective, even if compliance would cause a financial loss. The word should indicates a recommendation that could be optional, depending on the circumstance.
Know the different types of audits. The types of audit are financial, operational (SAS-70), integrated (SAS-94), compliance, administrative, and information systems.
Understand the importance of IS auditor confidentiality. The IS auditor shall maintain confidentiality at all times to protect the client. Sensitive information should not be revealed at any time. Your client expects you to protect their secrets whenever legally possible.
Understand the need to protect audit documentation. The data must be protected with access controls and regular backup. Sensitive information is the property of the owner, and its confidentiality shall be protected by the auditor. A document archive is created during the audit and is subject to laws governing record retention.
Know how to use standard terms of reference. The auditor should communicate by using standardized terms of reference to avoid misunderstanding or confusion. The standard terminology should be defined through a mutual agreement at the beginning of the audit.
Understand application of the evidence rule. Audit evidence needs to be confirmed or verified to ensure that it is actually used in the production process.
Identify who the auditor may need to interview. The IS auditor needs to consider the roles of data owner, data user, and data custodian when selecting persons to interview. Data owners specify controls, data users are to follow acceptable usage requirements, and custodians protect the information while supporting data users.
Understand the organizational structure. Officers of an organization are usually persons with the title of vice president or higher, up to the board of directors. Department directors, managers, and staff workers are seldom liable for the organization, unless criminal activity is involved.

July 26, 2011

Identifying Roles in a Consulting Firm Organizational Structure

Now we will look at the structure of a typical consulting firm. A consulting firm is a hybrid organization. Internal clerical and support functions are similar to those in a typical business. The consulting side of the firm uses functional management positions. The staff is allocated according to temporary project assignments. At the end of each engagement, the staff will be reallocated by either returning to the available resource pool or by becoming unemployed until the next engagement.
Figure 1 illustrates the organizational structure of a typical audit firm.

Figure 1: A typical auditing firm organizational chart
We'll review the structure here:
Managing Partner A managing partner refers to a C-level executive in the consulting practice. This could be a position equal to a corporate president. Managing partners have the responsibility and authority to oversee the business divisions. Various partners in the firm will report to the managing partner.
Partner A partner is equivalent to a divisional president or vice president and is responsible for generating revenue. Their role is to represent the organization and provide leadership to maximize income in their market segment. Partners are required to maintain leadership roles in professional organizations and to network for executive clients. Most partners have made financial commitments to produce at least $15 million in annual revenue along with supporting other business management functions. The partner and all lower managers are responsible for professional development of the staff.
Engagement Manager This is a director-equivalent position with the responsibility of managing the client relationship. The engagement manager is in charge of the audit's overall execution and the audit staff. The engagement manager is responsible for facilitating the generation of new income opportunities from the client.
Senior Consultant This is a field manager whose responsibilities include leading the daily onsite audit activities, interacting with the client staff, making expert observations, and managing staff assigned to the audit.
Consultant This is a lead position carrying the responsibility of interacting with the client and fulfilling the audit objectives without requiring constant supervision. A consultant is often promoted by demonstrating an ability to fulfill the job of senior consultant or supporting manager.
Systems Analyst This is usually an entry-level position. Often the individual is selected for their ambition and educational background and may be fresh out of college. Systems analysts perform some lower-level administrative tasks as they build experience.

July 18, 2011

Identifying Roles in a Corporate Organizational Structure

Businesses are focused on generating money for investors. There will always be some type of management hierarchy in order to maintain control. Government and nonprofitorganizations will use a similar control hierarchy; however, the titles will be different. For government and nonprofit organizations, the term mission objectives would be substituted for the term revenue.
Figure 1 illustrates a typical business corporation.

Figure 1: A typical business organizational chart
Let's start at the top of the diagram and work our way down:
Board of Directors The board of directors usually comprises key investors and appointed advisers. These individuals have placed their own money at stake in the hopes of generating a better return than the bank would pay on deposits. Board members are rarely—usually never—involved in day-to-day operations. Some members may be retired executives or run their own successful businesses. Their job is to advise the CEO and the CFO. Most organizations indemnify board members from liability; however, government prosecutors will pursue board members if needed.
Audit and Oversight Committee The members of the board will have a committee comprising directors outside of the normal business operations. Executives from inside the organization can come to the committee for guidance and assistance in solving problems. This committee has full authority over all the officers and executives. They can hire or fire any executive. Each audit committee has full authority with a charter to hire both internal and external auditors. Auditors are expected to discuss their work with the audit committee. An auditor has the right to meet in private to discuss issues with the audit committee once a year without the business executives present. If auditors discover certain matters that stockholders should be informed about, the auditor shall first bring it to the attention of the audit committee. Regulations such as SOX require that all significant weaknesses be disclosed to the audit committee every 90 days.
Chief Executive Officer (CEO) The CEO is primarily focused on generating revenue for the organization. The CEO's role is to set the direction and strategy for the organization to follow. The CEO's job is to find out how to attract buyers while increasing the company's profits. As a company officer, the CEO is liable to government prosecutors. Corporate officers have signing authority to bind the organization.
Chief Operating Officer (COO) The COO is dedicated to increasing the revenue generated by the business. This is a delegate in charge of making decisions on behalf of the CEO with assistance from the CFO. COOs are often found in larger organizations. As a company officer, the COO is liable to government prosecutors.
Chief Financial Officer (CFO) The CFO is in charge of controls over capital and other areas, including financial accounting, human resources, and IS. Subordinates such as the CIO usually report to the CFO. As a company officer, the CFO is liable to government prosecutors.
Chief Information Officer (CIO) The CIO is subordinate to the CFO. The CFO is still considered the primary person responsible for internal control. A CIO might not be a true company officer, and this title may bear more honor than actual authority, depending on the organization. An exception may be a CIO in corporate headquarters. The CIO has mixed liability, depending on the issue and the CIO's actual position in the organization.
President/General Manager The president, sometimes referred to as the general manager, is the head of a business unit or division. As a company officer, the president/general manager is usually liable to government prosecutors. Regulations such as SOX encourage management to require all divisional presidents and controllers to sign integrity statements in an effort to increase divisional officer liability.
Vice President (VP) The vice president is the second level of officer in a business unit or division. As a company officer, the vice president is usually liable to government prosecutors.
Department Directors (Line Management Position) Typically directors are upper-level managers supervising department managers and do not have company officer authority. In large organizations, you may encounter a major-level director and minor-level director.
Managers and Staff Workers Managers are responsible for providing daily supervision and guidance to staff members. Staff members may be employees or contractors working in the staff role. Managers and staff members are seldom held responsible for the actions of a company unless they knowingly participate in criminal activity.