Page 91 - CITP Review

              • Budgets
              • Change management
              • Access controls (physical and logical)
              • Information security
              • Business continuity planning or disaster recovery planning
              • Vendor management (especially third-party providers of IT)
              • Data management
              • Other general IT function activities

            Obviously not all of these issues will be relevant in all entities, but larger entities will likely have most if not
            all of these areas.

            The other key to P&P is that it addresses the IT risks identified by management in its enterprise risk
            assessment.


            IT strategic plan
            IT plays an important role in achieving the business model, goals, objectives, and strategies of almost all
            entities. Part of controlling IT is to make sure it is not an ad hoc function, where changes happen mostly by
            happenstance and the needs of the moment, but rather one where changes are planned with some due
            diligence and deliberation, and where IT is selected and managed with a strategic approach. That process
            would include certain management activities, including the following:

              • It should include an IT strategic plan. That plan could be a part of the entity’s overall strategic plan or
                a separate IT strategic plan. Either way, the objective of such a plan is to make sure all of the IT
                function is aligned with the entity’s strategies, goals, and objectives, and is leveraged to accomplish
                its business model. It would naturally include long-range plans and short-range plans.
              • It should include a strategic approach to budgeting of IT. Budgeting for IT is divided into the following
                two parts:
                –  Operational budget (employees, operating expenses, and so on)
                –  Capital budget (funding for major IT capital projects: systems, hardware, software, and so on)

                   The capital budget should be an annual budget where funds are appropriated from the capital
                   budget for IT projects to be awarded on a competitive basis, where decisions revolve around a
                   proposal’s ability to satisfy the IT strategic plan (that is, its alignment with the entity’s business
                   model, goals, objectives, and strategies). It should also include some kind of ROI or investment
                   analysis objective.⁵

            ⁵ It is customary for the IT infrastructure to be considered a “sunk cost” and thus a cost of doing business, so
            it often does not get scrutinized for ROI or investment.


            © 2019 Association of International Certified Professional Accountants. All rights reserved.    3-7