IT AUDIT SOLUTIONS MANUAL

CHAPTER FOUR

INFORMATION TECHNOLOGY DEPLOYMENT RISKS

DISCUSSION QUESTIONS
4.1 What could be the consequences if the information systems function of a company does not align its strategy with the overall company vision?

If the IS function does not align its strategy with the companys vision, there is a risk that valuable, scarce IS resources could be misallocated in a way that interferes with the companys current profitability and future growth.

4.2 Why should the information systems function develop policies?

Policies reflect concrete manifestations of the IS functions strategy. As such, guidelines are useful in knowing how to carry out the strategy. You should refer students to the Important

Policy Areas for IS Functions provided in this chapter to illustrate the importance of developing IS policies.

4.3 What is the purpose of the Information Systems Steering Committee?

The steering committee serves as the liaison group that ensures that the proper allocation of IS resources are congruent with the companys vision, mission, objectives, strategy and policies. The steering committee is made up of high-ranking managers from all functional areas of the organization. This way, each functional area, as well as general management, better understands the companys priorities and resource constraints. As such, the committee must make tough decisions regarding who gets what IS resources, when and why.

4.4 Why is it important to understand the boundary conditions (scope, time and cost) of any information systems project?

The scope of a project sets the parameters for time and cost. If the scope is too narrow, the applications may not meet the needs of users and information consumers. If the scope is too wide, the applications may include a plethora of bells and whistles that might be nice to have, but are not necessary. Setting the scope of a project is very difficult, yet of utmost importance. Once the scope has been determined, time and cost estimates can be made. At this point, the company has to decide if the project can be accomplished in a timeframe that meets its needs. Also, the company must decide if the cost considerations are affordable. If either time or cost

estimates are problematic, perhaps the scope needs to be readjusted. This type of feedback loop process continues until the scope, time and cost parameters are in balance.

4.5 When contemplating the acquisition of application software, how would the company determine if the software can handle the information-processing load?

The IS function can perform benchmark tests and performance tests. Regarding benchmark tests, the company can establish minimum guidelines that the software must meet. For instance, the software must be capable of processing X amount of transactions per minute or the software must respond in Y seconds to users during normal daily processing loads. Performance testing can be accomplished by processing archived company data through the system to determine how fast the system is capable of processing, especially at peak times. When the software is pushed to its limit, this is called stress testing.

4.6 Why use three libraries (development, test and production) in the information systems function?

The development library can serve as a sand box for programmers and developers. In this secured space, they can write programs and conduct preliminary testing. Once an application is built, the object code is moved from the development to the test library. In the test library, system users can play with the application, using sample data, to see how it feels and performs. Based on user feedback, the applications may be moved back to the development library for further work. Once the users agree that the applications are working as desired, the

final object code is moved to the production library, where it is used for live processing. This approach keeps programmers out of the production library (incompatible functions), users out of the development library (incompatible functions), and live data from being corrupted until the application is ready for use.

4.7 Why should the steering committee form a separate Feasibility Group for each potential project?

Feasibility Group members are typically interested in, involved with and knowledgeable about the proposed development project. At a minimum, the group should be comprised of representatives from affected functional area(s), general management and IS function management. As such, the Feasibility Group is much closer to the project than the steering committee. Besides, the steering committee is comprised of senior level managers who do not have the time or expertise to determine if a proposed project is technically, financially and culturally feasible. Thus, creating a Feasibility Group is an efficient and effective means of delegating responsibility in this regard.

4.8 What is the objective of a Feasibility Study?

The objective of a feasibility study is to determine if the project is technically, financially and culturally feasible. If so, the Feasibility Group would recommend to the steering committee that the project should move forward to the prioritization and development stages.

4.9 Why should the company be concerned with developing formal procedures for changing existing software applications?

If formal change procedures are not developed and followed, the IS department would be inundated with user requests for all sorts of software changes and have no guidance regarding where to start. Thus, typically the users who complain the most, are most liked by the IS function, yield the most political power and so on will get priority over others, which may be incongruent with the companys profitability and growth strategy. Additionally, a formal change procedure alerts the companys accountants, internal auditors and external auditors to on-going and upcoming application changes that may adversely affect the internal control structure.

4.10

What are the alternative implementation strategies and which one is best?

The four implementation strategies discussed in the chapter are 1) parallel, 2) big-bang, 3) partial and 4) focused. The best strategy is contingent on the circumstances. This question should bring about some interesting discussions regarding such circumstances. Some things to consider are: size of the company, geographic dispersion of the company, scope of the project, critical nature of the software, competency of the implementation team, resources allocated to the implementation strategy, and

user readiness for the implementation.

EXERCISES
4.11 Archetype Technologies, Inc. (ATI) has grown at a phenomenal rate of over 45%

per year for the past five years. Presently, the legacy information system at ATI is laboring under the heavy processing load. Additionally, ATI managers are frustrated because it is extremely complicated and time-consuming for them to get the information they need to make decisions, primarily because the applications are not integrated with each other. The current applications are written in the Cobol programming language and the data is stored in flat files. ATI is contemplating several options for dealing with its information systems problems (below). At this point, ATI has formed a Feasibility Group to examine each alternative.

Required: Develop a checklist of issues that the group should consider for each option. You should look for the following major issues: A. Upgrade the existing applications such that they better integrate with one another. a) Technical Feasibility i) Is the IS function capable of upgrading the existing applications to be more integrative? ii) Is it possible to accomplish the objective of integration using Cobol and flat files? b) Financial Feasibility i) How much will it cost to upgrade the existing systems? ii) Will there be sufficient return on investment to warrant upgrading the current system? c) Cultural Feasibility

i) If the existing applications were more integrative, would they meet the needs of decision makers? ii) Would users be happy with upgrading the existing systems? iii) Can the current system be upgraded in sufficient time so as not to harm the companys profitability and competitive position? B. Develop (in-house) an integrated suite of applications using a relational database. a) Technical Feasibility i) Is the IS function capable of operating in a relational database environment? ii) Is the IS Function capable of programming in a relational database application language? iii) Will the current information technology infrastructure handle a relational database environment? b) Financial Feasibility i) How much will it cost purchase the database? ii) How much will is cost to develop the application software? iii) Will there be sufficient return on investment to warrant the switchover to a relational database environment? c) Cultural Feasibility i) Would a relational database driven system meet the information needs of managers? ii) Would users willing to learn a brand new system? iii) Can the database system be developed in sufficient time so as not to harm the companys profitability and competitive position? C. Purchase an Enterprise Resource Planning (ERP) system from an outside vendor.

a) Technical Feasibility i) Does the ERP system fit with the overall company vision and mission? ii) Is the IS Function capable of implementing and operating an ERP system and the associated relational database? iii) Will the current information technology infrastructure handle the ERP system? b) Financial Feasibility i) How much will it cost purchase the database (which must accompany an ERP system)? ii) How much will is cost to purchase the ERP system? iii) Will there be sufficient return on investment to warrant purchase of an ERP system from an outside vendor? c) Cultural Feasibility i) Would an ERP system meet the information needs of managers? ii) Would users willing to learn a brand new system? iii) Can the ERP system be implemented in sufficient time so as not to harm the companys profitability and competitive position?

4-12 Dogwood Manufacturing, Inc. (DMI) just purchased and implemented a popular and widely used Enterprise Resource Planning (ERP) system. The ERP applications run on a relational database, which is purchased separately. The consultants who installed the ERP system and relational database have advised DMI to incorporate security controls (ID/Password) at the network, database and application levels. Because DMI employs only a few people in its information systems function, whose jobs are primarily oriented at helping users and keeping the information technology infrastructure operating on a daily basis, DMI feels that it does not have the expertise to maintain three levels of security once the consultants are gone. Thus, DMI has decided to rely on the security features that are incorporated into the ERP system, which restricts users to authorized applications based on their ID/Password. Furthermore, the person responsible for maintaining the ID/Password security features will be the company controller, since she is the most computer savvy person of all company managers. Required: A. What are the advantages of relying on the ERP security features only?

The ERP system security features are likely quite strong, since the ERP system is in use at many other companies and many holes in the system have likely been identified and fixed.

B. What are the disadvantages of relying on the ERP security features only?

Savvy users can figure out ways to get around the applications directly into the database. Once in the database, such users have complete access to all data and database tools (such as the query engine, data dictionary, manipulation language and so on). Also, since the network is

10

unsecured, offsite users and/or hackers can penetrate into the companys database, as well as the operating system. While relational databases have many advantages, one major disadvantage is that once an individual is inside the database, all of the companys information is exposed and vulnerable.

C. What are the risks of assigning the security responsibility to the controller?

The major risk is that the controller could perpetrate a fraud, since she has control over the financial information and the database. This is a classic violation of segregation of incompatible functions. Another concern is that the controller stays so busy with her normal workload, that the security responsibilities take a back seat. As a result, user permissions may be too liberal, passwords may not get changed on a regular basis, monitoring of security breaches might not be performed on a regular basis, and so on.

11