Page 95 - CITP Review

            Qualified IT personnel
               –  Hiring
               –  Professional development
               –  Qualifications
               –  Adjusting to changes in IT
               –  Terminating
            Finances
            Facilities

            Management should maintain a dynamic portfolio of its IT assets so that it can manage them effectively
            and reach its strategic direction and goals.

            Management will have to decide whether the best structure for the IT function is centralized — with all IT
            resources held by a central unit — or decentralized — with some IT resources placed in each major business
            unit.

            Another aspect of organizational structure planning is the organization chart. This chart and the structure
            it reflects are vital to managing risk, because management could fail to properly segregate incompatible IT
            functions, thereby increasing risk in all associated IT, systems, business processes, and automated controls.
            Conversely, appropriate segregation of duties (SoD) decreases risk in those areas. Thus, the CITP will want to
            review the organization chart, possibly job descriptions, and interview key personnel to determine whether
            incompatible IT functions are properly segregated.

            One reason this segregation is important is to minimize the opportunity for someone to add malicious
            code to a software application.

            If application development is segregated from application maintenance, the second set of eyes is a
            deterrent to malicious code because the independent second person has a chance of detecting it. There
            is also an operational benefit: because a different person is going to maintain the application, there is a
            good likelihood that adequate documentation of the original application exists. This specific SoD is also
            valuable in identifying coding errors that might go unnoticed by the original programmer and end users,
            since the maintenance programmer has some probability of spotting erroneous code while maintaining it.

            Another key separation is program development from operations. Because the programmer knows so
            much about the program, the programmer is in the position of possibly knowing, or creating, ways
            around controls.
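            The two incompatible pairings described above (development versus maintenance, development versus
            operations) can be checked mechanically against a role assignment export. The following is an added
            example, not part of the CITP Review text; the role names, the role-to-function mapping and the user
            assignments are constructed for illustration, and "program development" is treated as the same function
            as application development.

```python
# Added example: a minimal segregation-of-duties (SoD) conflict check over IT function
# assignments, using the incompatible pairs named on the page. Role names, the
# role-to-function mapping and the sample assignments are constructed, not real data.
from itertools import combinations

# Incompatible IT functions as stated on the page; order inside a pair does not matter.
INCOMPATIBLE_FUNCTIONS = {
    frozenset({"application_development", "application_maintenance"}),
    frozenset({"application_development", "operations"}),
}

# Hypothetical role-to-function mapping. A single role may grant several functions,
# which is why conflicts must be evaluated on the union of a person's roles.
ROLE_FUNCTIONS = {
    "developer":      {"application_development"},
    "maint_engineer": {"application_maintenance"},
    "ops_admin":      {"operations"},
    "dba":            {"operations", "application_maintenance"},  # composite role
}

def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the IT functions granted by every role a person holds."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())  # unknown roles grant nothing
    return funcs

def sod_conflicts(assignments, role_functions=ROLE_FUNCTIONS,
                  incompatible=INCOMPATIBLE_FUNCTIONS):
    """Return {person: [(func_a, func_b), ...]} for each person whose combined
    roles grant an incompatible pair; people without conflicts are omitted."""
    report = {}
    for person, roles in assignments.items():
        funcs = effective_functions(roles, role_functions)
        hits = [(a, b) for a, b in combinations(sorted(funcs), 2)
                if frozenset({a, b}) in incompatible]
        if hits:
            report[person] = hits
    return report

# Constructed sample export (user -> roles), as an IAM system might provide it.
SAMPLE_ASSIGNMENTS = {
    "alice": ["developer"],               # development only: no conflict
    "bob":   ["maint_engineer"],          # maintenance only: no conflict
    "carol": ["developer", "ops_admin"],  # development + operations: one conflict
    "dave":  ["developer", "dba"],        # development + (ops, maintenance): two conflicts
}

if __name__ == "__main__":
    for person, pairs in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"{person}: {pairs}")
```

            The report lists only people holding a conflicting combination, which is the set a reviewer would
            follow up on with job descriptions and interviews.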

            As mentioned under planning, executive management needs to provide an operational budget. That budget
            should be sufficient to cover the annual resources needed by the IT function, including the resources
            necessary for the operation of IT across the entity. Executive management should also provide for
            capital IT projects.

            Actually, executive management has at least two options for major capital outlays for IT:

            1.  Have a formal structure and process for developing a capital budget, and for awarding funding to
               competitive IT projects, that is, those that have a reasonable probability of satisfying the direction,
               goals, and objectives of the strategic plan.

            © 2019 Association of International Certified Professional Accountants. All rights reserved.    3-11