Principles of IS Organizational Structure and Design


The organizational structure and design of the information systems department should ensure efficient and effective use of IT resources. These resources should have clearly defined duties and the associated policies and procedures. The IT organization needs to ensure proper segregation of duties to reduce the risk of errors or misappropriations associated with the information systems or data.

Evaluating IS Organization and Structure

Both the organization and the IT department should create and maintain an organizational chart. This chart reflects a clearly defined structure and provides a clear definition of the IT department's hierarchy, authority, and responsibility. The organizational chart, combined with job descriptions, provides the auditor with a clear definition of individual responsibilities and the reporting structure. A review of these documents helps the IS auditor ensure that there is proper segregation of duties based on job function and detailed tasks associated with the function. Per ISACA, segregation of duties avoids the possibility that a single person could be responsible for diverse and critical functions in such a way that errors or misappropriations could occur and not be detected in a timely manner during the normal course of business processes. During the development of the department's hierarchy, IT management should consider the following:

  • Segregation of incompatible duties

    • Segregation between operations and programming might not be possible in smaller environments.

    • Audit trails might be an acceptable compensating control.

  • Vesting in different people

    • Authorizing transactions

    • Recording transactions

    • Maintaining custody of assets

  • Making judicious choices with respect to...

    • Placing the IT function in the organization

    • Integrating programmed controls into computing infrastructures and applications (with IS auditors possibly included in the project team as control advocates and experts)

As stated in Chapter 1, "The Information Systems (IS) Audit Process," each function within the organization should have a clear definition of the duties to perform that function. While performing operational tasks, certain functions act as controls across the IT organization and must be segregated accordingly. A clear example is the role of the security function within the IT organization. This function is responsible for the implementation and maintenance of security controls, to ensure the confidentiality, integrity, and availability of systems and information. As such, security personnel should not be involved in the day-to-day operational administration of information systems. To illustrate this point, consider the following scenario:

Generally, systems administrators are responsible for the operational maintenance of systems and, in most cases, for the creation, maintenance, and termination of user accounts on those systems. In a properly segregated environment, administrators would create user accounts and the associated profile information but would not assign access rights to systems or data. After the user account and profile information have been created, the security administrator, with approval from the application owner(s), would enable access to the systems and data that the users require to perform their jobs.

Although the assignment of access rights is performed by the security administrator, the authorization of access to data is provided by application/data owners. This ensures an adequate segregation of duties between IS and end users. This segregation of duties ensures that no one function or individual can create user accounts and provide access to systems and data. As an example of the improper segregation of duties, consider the ramifications if either the systems administrator or the security administrator could both create accounts and assign access rights. A single person would then have the ability to create a fictitious user account and provide access to payroll information, private employee information, or the organization's intellectual property.


An IS auditor's primary responsibility is to advise senior management of the risk involved in not implementing proper segregation of duties, such as having the security administrator perform an operations function.


In smaller environments, it is often difficult to completely segregate incompatible duties. In these cases, the organization must use compensating controls such as audit trails and specific levels of approval before a task can be completed. IT functions such as systems development, computer operations, and security should be segregated by either function or the use of compensating controls. Keep in mind that functions within organizations can be combined. As an example, a quality-control administrator could be responsible for change control and problem management. Combining these duties does not create a situation in which errors or misappropriations could occur.

Table 2.2 shows example IT functions that should not be combined.

Table 2.2. Proper Segregation of Duties (X = functions should not be combined)

                           Systems       Computer      Security
                           Development   Operations    Administration
  Systems development          -             X              X
  Computer operations          X             -              X
  Security administration      X             X              -

  Systems development: Applications development staff have access to systems, business applications, and other key software, and should not be allowed to process end-user information or maintain custody of corporate data and business applications (computer operations).

  Computer operations: Computer operations staff are responsible for entering data, processing information, and disseminating output, and should not be involved in systems development or security administration because they might be able to bypass controls associated with data transactions.

  Security administration: Security administrators are responsible for safeguarding resources, including ensuring that business software and applications are secure, and ensuring the safety of corporate information, communication, networks, and physical facilities.


The ultimate structure of the IT function is often determined by cultural, political, and economic forces inherent in the organization. The design process should consider internal controls to reduce errors, misappropriation, or fraud. As an example, IT management should separate systems development, computer operations, and computer security. If these functions cannot be separated, compensating controls should be put in place. The IS auditor should ensure that systems developers and computer operators are segregated, and that security administration is a separate specialization within the IT function, so that no single function both maintains custody of software applications and corporate data and controls access to them.
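The account-provisioning scenario and Table 2.2 describe two checks an auditor would actually want to run over an access-control export. The following is an added example written for this page, not code from the book or from ISACA: it encodes the Table 2.2 conflict matrix and the two-step provisioning rule (creator and grantor must differ, and every grant carries the data owner's approval) and runs both over constructed sample data. All user names, accounts, resources and owners are assumptions made up for illustration.

```python
"""Segregation-of-duties (SoD) checks for the scenario described above.

Added example, not from the book: it encodes the two rules the text states,
  1. the Table 2.2 pairs of IT functions that must not be held by one person, and
  2. the two-step provisioning rule: the administrator who creates an account
     must not be the one who grants it access, and every grant needs the
     data/application owner's approval.
Every name, account and resource below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# Table 2.2, as a set of unordered pairs: any user holding both sides is a finding.
INCOMPATIBLE = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"systems_development", "security_administration"}),
    frozenset({"computer_operations", "security_administration"}),
}


def function_conflicts(user_functions: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Return (user, function_a, function_b) for every incompatible pair a user holds."""
    conflicts = []
    for user, functions in sorted(user_functions.items()):
        for a, b in combinations(sorted(functions), 2):
            if frozenset((a, b)) in INCOMPATIBLE:
                conflicts.append((user, a, b))
    return conflicts


@dataclass(frozen=True)
class ProvisioningEvent:
    action: str                      # "create" (account + profile) or "grant" (access right)
    actor: str                       # administrator who performed the action
    account: str
    resource: Optional[str] = None   # system or data set granted (grant only)
    approver: Optional[str] = None   # owner who approved the grant, if anyone did


def provisioning_violations(events: list[ProvisioningEvent],
                            data_owners: dict[str, str]) -> list[tuple[str, str]]:
    """Return (account, reason) for every grant that breaks the two-step rule."""
    created_by: dict[str, str] = {}
    violations = []
    for ev in events:
        if ev.action == "create":
            created_by[ev.account] = ev.actor
            continue
        if ev.action != "grant":
            violations.append((ev.account, f"unexpected action {ev.action!r}"))
            continue
        # Rule 2a: the person who created the account must not be the one granting rights.
        if created_by.get(ev.account) == ev.actor:
            violations.append((ev.account,
                               f"{ev.actor} both created the account and granted {ev.resource}"))
        # Rule 2b: the grant must carry the resource owner's approval, not just anyone's.
        owner = data_owners.get(ev.resource)
        if ev.approver is None:
            violations.append((ev.account, f"grant of {ev.resource} has no owner approval"))
        elif ev.approver != owner:
            violations.append((ev.account,
                               f"grant of {ev.resource} approved by {ev.approver}, owner is {owner}"))
    return violations


# Constructed sample data (not from any real organization).
SAMPLE_FUNCTIONS = {
    "alice": {"systems_development"},
    "bob": {"computer_operations", "security_administration"},   # Table 2.2 conflict
    "carol": {"security_administration"},
    "dave": {"systems_development", "computer_operations"},      # Table 2.2 conflict
}
DATA_OWNERS = {"payroll_db": "hr_director", "source_repo": "cto"}
SAMPLE_EVENTS = [
    ProvisioningEvent("create", "sysadmin_a", "j.smith"),
    ProvisioningEvent("grant", "secadmin_c", "j.smith", "payroll_db", "hr_director"),   # clean
    ProvisioningEvent("create", "sysadmin_a", "ghost01"),
    ProvisioningEvent("grant", "sysadmin_a", "ghost01", "payroll_db"),                  # fictitious-account case
    ProvisioningEvent("grant", "secadmin_c", "m.jones", "source_repo", "hr_director"),  # approved by the wrong owner
]

if __name__ == "__main__":
    for finding in function_conflicts(SAMPLE_FUNCTIONS):
        print("SoD conflict:", *finding)
    for account, reason in provisioning_violations(SAMPLE_EVENTS, DATA_OWNERS):
        print(f"provisioning violation on {account}: {reason}")
```

The ghost01 account reproduces the misappropriation case in the text: one administrator created it and granted it payroll access with no owner sign-off, and the check reports both defects. In a small shop where one person must hold both roles, the same log-driven check is the audit-trail compensating control the chapter mentions; it only works if the provisioning events are recorded outside the reach of the administrators being checked.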

Evaluating Use of Third-Party Services

Outsourcing is a contractual arrangement between the organization and a third party for information systems and associated development, processing, or hosting. This contract relinquishes control over part or all of the information processing to an external party. Organizations often use third-party resources as a way to offset IT costs within the organization or if a particular skill set is required that does not exist in the organization.

A variety of reasons exist for outsourcing. Management might decide to outsource functions to focus on core competencies, as a cost-saving measure, or to gain flexibility. Many organizations outsource data processing to obtain IT expertise that does not exist in-house; this expertise might range from software development to data entry monitoring or internal quality assurance processes that reduce data errors. In data entry, key verification is one of the best controls for ensuring that data is entered correctly: after data has been keyed once (or recognized), it is keyed again by a second, independent operator, and the system flags any differences keystroke by keystroke so that they can be verified and corrected immediately. Processes of this kind might be best provided by a third party instead of being developed in-house. Whatever the reason, the organization must ensure that outsourced IT processing resources achieve the same level of confidentiality, integrity, and availability that they would have if they were located within the organization.

These services can be provided by a third party:

  • Data entry

  • Application hosting

  • Design and development of systems or applications

  • Conversion of legacy system

  • Help desk support

  • Payroll processing

  • Check processing

  • Electronic bill payment

  • Credit card operations

It is important to remember that third-party providers (service organizations) face the same threats to information security and controls that all organizations do. The service provider must manage security and risk well.

Common criteria for considering outsourcing include an applications development backlog of more than three years, more than 50% of programming costs being spent on system maintenance, or duplicate information systems functions existing at two or more sites. In these instances, outsourcing the function can consolidate duplicate functions, reduce development costs, and shorten delivery time. Organizations should be concerned with both the security (confidentiality and integrity) of their systems and their availability, and should use legally binding contracts to ensure that third-party service providers perform as expected. The contracts should articulate the roles and responsibilities of each party, the services to be performed, service-level agreements, contract duration, service costs, dispute resolution, and dissolution arrangements.

The contractual agreement generally includes a service-level agreement (SLA). The SLA outlines the level of service (uptime, downtime, and response time) for the outsourced information systems. The SLA usually specifies a guaranteed level of service, and this is used as a management tool to control the information resources maintained by the service provider. Outsourcing is a long-term strategy, and service providers face the same risks as the organizations they serve. The organization must ensure that proper contractual agreements provide the necessary level of assurance that the information systems will meet the expectations of the organization.


An IS auditor should always review availability reports when auditing service-level agreements (SLA) for minimum uptime compliance.
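Reviewing an availability report means recomputing it, not just reading the provider's percentage. The following is an added example written for this page, not code from the book: it turns a constructed outage log into monthly availability figures, splits outages that cross a month boundary, and lists the months that miss the contracted minimum. The log format, the 99.9% target, the calendar-month measurement period and the exclusion of planned maintenance are assumptions standing in for whatever the real contract says.

```python
"""Availability check against an SLA uptime commitment.

Added example, not from the book. It turns an outage log into monthly availability
figures and lists the months that miss the contracted minimum. The log format, the
99.9% target, the calendar-month measurement period and the exclusion of planned
maintenance are assumptions standing in for whatever the real contract says.
"""
from __future__ import annotations

import calendar
from datetime import datetime, timedelta

SLA_MIN_AVAILABILITY = 99.9   # percent per calendar month (assumed contract term)
TIMESTAMP_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed outage log: start, end, category. The fourth record crosses a month boundary.
OUTAGE_LOG = """\
2024-03-04T02:00:00Z 2024-03-04T03:30:00Z planned
2024-03-12T09:15:00Z 2024-03-12T09:45:00Z unplanned
2024-03-20T14:00:00Z 2024-03-20T14:20:00Z unplanned
2024-03-31T23:40:00Z 2024-04-01T00:10:00Z unplanned
2024-04-09T22:00:00Z 2024-04-09T22:10:00Z unplanned
2024-04-18T11:00:00Z 2024-04-18T11:05:00Z unplanned
"""


def parse_log(text: str) -> list[tuple[datetime, datetime, str]]:
    """Parse 'start end category' lines; reject records whose end precedes their start."""
    outages = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, category = line.split()
        start_dt = datetime.strptime(start, TIMESTAMP_FMT)
        end_dt = datetime.strptime(end, TIMESTAMP_FMT)
        if end_dt < start_dt:
            raise ValueError(f"outage ends before it starts: {line}")
        outages.append((start_dt, end_dt, category))
    return outages


def _next_month_start(dt: datetime) -> datetime:
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    return dt.replace(year=year, month=month, day=1, hour=0, minute=0, second=0, microsecond=0)


def monthly_availability(outages, exclude_planned: bool = True) -> dict[str, float]:
    """Availability percent per 'YYYY-MM', attributing each minute of downtime to the month it fell in.

    Months with no recorded outage do not appear (their availability is 100%).
    """
    downtime: dict[str, timedelta] = {}
    for start, end, category in outages:
        if exclude_planned and category == "planned":
            continue
        cursor = start
        while cursor < end:                       # split outages that span a month boundary
            segment_end = min(end, _next_month_start(cursor))
            key = cursor.strftime("%Y-%m")
            downtime[key] = downtime.get(key, timedelta()) + (segment_end - cursor)
            cursor = segment_end
    availability = {}
    for key, down in downtime.items():
        year, month = (int(part) for part in key.split("-"))
        month_length = timedelta(days=calendar.monthrange(year, month)[1])
        availability[key] = round(100 * (1 - down / month_length), 3)
    return availability


def sla_breaches(availability: dict[str, float], minimum: float = SLA_MIN_AVAILABILITY) -> list[str]:
    """Months whose measured availability is below the contracted minimum."""
    return sorted(month for month, pct in availability.items() if pct < minimum)


if __name__ == "__main__":
    measured = monthly_availability(parse_log(OUTAGE_LOG))
    for month, pct in sorted(measured.items()):
        status = "BREACH" if pct < SLA_MIN_AVAILABILITY else "ok"
        print(f"{month}: {pct:.3f}% ({status})")
```

The March figure shows why the measurement definition matters: 70 minutes of unplanned downtime in a 44,640-minute month is 99.843%, a breach of a 99.9% commitment, while counting the 90-minute maintenance window as well would make it 99.642%. The auditor should therefore reconcile the provider's availability report against an independently kept outage log and against the contract's own definition of the measurement period and the exclusions, rather than accepting the provider's percentage.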


Organizations can reduce the risk of outsourcing by doing the following:

  • Having clearly defined, measurable shared goals and rewards

  • Utilizing multiple vendors for redundancy

  • Developing performance metrics

  • Requiring external auditing of service providers' facilities, practices, and systems

Organizations might request that third parties provide the results of a recent audit report or commission an SAS 70 audit. A Type I or Type II report gives the organization assurance about the existence and effectiveness of internal controls relative to the service provided. An SAS 70 Type I report describes the service provider's controls and evaluates whether they are suitably designed as of a point in time, but does not test them in operation; a Type II report adds detailed testing of the operating effectiveness of those controls over a review period. (SAS 70 has since been superseded by the SSAE 16 and then SSAE 18 SOC 1 reports, which keep the same Type I/Type II distinction.)

The service auditor's report generally contains a report of the independent auditors, a description of the relevant policies and procedures, the control objectives, the results of the service auditor's tests of the operating effectiveness of the controls supporting those objectives, and any other client control considerations. IS auditors should look for third-party assurance of the service provider's design, implementation, and management of controls. These reports usually follow an auditing standard issued by a recognized body, such as SAS 70 (AICPA; United States), Section 5900 of the Handbook of Auditing (CICA; Canada), or FIT 1/94 (FIT; United Kingdom). If the third party does not have, or will not allow, an independent audit, the organization should look elsewhere for services.

A typical service auditor report should contain the following information:

  • Report of independent auditors

  • Description of relevant policies and procedures (provided by client organizational management)

  • Control objectives specified by the client organization's management, along with the results of the service auditor's tests of the operation effectiveness of the control objectives

  • Client control considerations

Per ISACA, the auditor should be aware of the following risks associated with outsourcing:

  • Contract protection: a contract that adequately protects the company

  • Audit rights: the right to audit vendor operations

  • Continuity of operations: continued service in the event of a disaster

  • Integrity, confidentiality, and availability of organization-owned data

  • Personnel: lack of loyalty toward customers, or disgruntled customers/employees, over the outsourcing agreement

  • Access control/security administration (vendor controlled)

  • Violation reporting and follow-up (vendor controlled)

  • Change control and testing (vendor controlled)

  • Network controls (vendor controlled)

  • Performance management (vendor controlled)

The greatest risk in outsourcing to third-party providers is the disruption of services through natural or man-made events, such as natural disasters or security breaches. When auditing a potential third-party service provider, an IS auditor often requests proof of each provider's business continuity plan (BCP). Table 2.3 lists examples of these risks and their mitigation.

Table 2.3. Example of Risk-Mitigation Strategy

  Risk: Business disruption because a service provider fails to perform as expected
  Mitigation: Legally binding contracts should exist between the company and service providers, articulating the roles and responsibilities of each party, services to be performed, service-level agreements, contract duration, service costs, dispute resolution, dissolution arrangements, and so on. Both the client and service organizations' IT functions must agree on a backup and recovery plan, and the plan should be periodically tested.

  Risk: Security breach
  Mitigation: The client organization's IT function must work with the service provider to ensure the security and confidentiality of company information.


When auditing third-party service providers, the IS auditor should be concerned with ownership of programs and files, a statement of due care and confidentiality, and the provider's capability to continue service in the event of a disaster. These should be clearly stated in the contract between the third-party provider and the organization. The contract should have a regular review process to ensure that the third-party provider's contractual obligations remain aligned with the organization's IT strategies, procedures, and goals.


As an example, an outsourcing contract for IT facilities should clearly define ownership of intellectual property.



Careful monitoring of the performance of an outsourced service is critical to ensure that services are delivered to the company as required.




Source: CISA Exam Cram 2 (Exam Cram 2 series), 2005, 146 pages. Catalog identifier as listed: B001EEFNHG (ISBN field; EAN not available).
