IT Governance, Risk, and Compliance » Systems

What Every IT Manager Should Know About Service Delivery and Support – Part XII

Robert Davis — Tue, 12 Jun 2012 21:46:21 +0000

Audit professionals have a significant role in supporting an adequate control environment when providing contributions to strategic, tactical, and operational value through governance improvement recommendations. Consistent with entity oversight responsibilities, board of directors should insist on utilizing perceptive IT auditors to permit control environment enrichment. In particular, an entity’s audit committee should proactively ensure IT service delivery and support are subject to periodic audits, reviews, as well as agreed-upon procedures by highly qualified auditors so individuals responsible for governance can advance entity oversight goals with IT enhancement triggers. Furthermore, a robust IT audit function can usually render superior performance when requested to assist management with operational control issues that may arise.

Lastly, external factors often influence an entity’s environment. Specific external influencers affecting an entity’s ability to achieve objectives include: economics, communities, governments, technologies, competitors, suppliers, and customers. Therefore, it is crucial that the external environment be accurately assessed prior to proceeding with a course of action impacting the entity’s system of controls.

“View Part I of the What Every IT Manager Should Know About Service Delivery and Support series here“

What Every IT Manager Should Know About Service Delivery and Support – Part XI

Robert Davis — Fri, 08 Jun 2012 22:32:17 +0000

Foundationally, the IT control environment should assist in enabling the governing body, management and all other staff in providing reasonable assurance regarding achievement of the following general objectives:

 Operational Efficiency
 Operational Effectiveness
 Operational Economy
 Management Reliability
 Laws and Regulations Compliance
 Internal Policies Compliance

General entity objectives increase in significance when they are collectively considered in relation to operations, management and compliance fiduciary responsibilities. Categorically, these distinct general objectives can be achieved through various criteria establishment that frame aligned focus on meeting entity-centric needs. For instance, IT related information criteria (i.e. effectiveness, efficency, confidentiality, integrity, availability, compliance and availability) can be utilized to satisfy entity-level objectives that have specific fiduciary responsibilities.

“View Part I of the What Every IT Manager Should Know About Service Delivery and Support series here“

What Every IT Manager Should Know About Service Delivery and Support – Part X

Robert Davis — Tue, 05 Jun 2012 21:55:12 +0000

Management’s control methods over compliance with laws and regulations should ensure appropriate measures are deployed to ascertain whether entity personnel understand implemented governance practices, and governance processes are being followed as intended. Legal compliance procedures for ethical control standards should be set by top management and promoted through exemplary behavior.

The importance of responsibilities of those charged with governance is recognized in codes of practice and other regulations or guidance produced for the benefit of oversight committee members. Documented primary responsibilities of those charged with governance include oversight of the design and effective operation of procedures and the process for reviewing the effectiveness of the entity’s control system. Consequently, the entity’s oversight committee should direct IT management to achieve measurable service and support value.

“View Part I of the What Every IT Manager Should Know About Service Delivery and Support series here“

What Every IT Manager Should Know About Service Delivery and Support – Part IX

Robert Davis — Fri, 01 Jun 2012 21:54:00 +0000

Human resources policies are definite courses or methods of action selected by management from alternatives, considering the environment, that guide as well as determine present and future employment decisions. For example, training policies that communicate prospective roles and responsibilities with prerequisite educational attainment illustrate expected performance and behavior levels.

Human resources practices relate to recruiting, orientating, training, evaluating, counseling, promoting, compensating, and remediating entity personnel. For example, a standard for recruiting the most qualified individual reflecting morally acceptable traits from a candidate pool conveys an entity’s commitment to competent and trustworthy personnel. Furthermore, promotions driven by objective periodic performance appraisals support the entity’s dedication to advancing qualified individuals to higher responsibility levels.

“View Part I of the What Every IT Manager Should Know About Service Delivery and Support series here“

What Every IT Manager Should Know About Service Delivery and Support – Part VIII

Robert Davis — Tue, 29 May 2012 22:55:22 +0000

Knowledge management activities and initiatives enable competence. Commitment to competence is required to ensure adequate leadership and workmanship when engaged in entity endeavors. Therefore, well qualified, capable and fit individuals should be employed to ensure sufficient means to meet an entity’s needs. Conversely, compromising commitment to employee competence for financial burden relief can lead to the demise of an entity. Minimally, within the entity, commitment to employee competence requires fostering strategic, tactical and operational recruiting, hiring, knowledge reviews, skills reviews, training, team development, document management, collaborative communication systems as well as ‘knowledge-base’ development systems.

“View Part I of the What Every IT Manager Should Know About Service Delivery and Support series here“

What Every IT Manager Should Know About Service Delivery and Support – Part VII

Robert Davis — Fri, 25 May 2012 21:20:04 +0000

Authority is the power or right to give commands, enforce obedience, take action, or make final decisions. How operating activities are assigned as well as how reporting relationships and authorization hierarchies are established reflect authority status. Managerial authority invokes leadership responsibilities for activities within the assigned authority domain. An entity’s policies and/or procedures for assigning authority for activities affect the understanding of established reporting relationships and designated authorization authority.

Responsibility is an obligation to account or answer for something or someone and is generally considered a delegated authority corollary. A sufficient responsibility assignment milieu includes policies and communications directed at ensuring that all employees understand the entity’s objectives, knowledge regarding how their individual actions interrelate and contribute to adopted objectives, and recognition of how and for what they will be held accountable. In addition, policies relating to appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties are key components of assigning responsibility.

Considering the preceding discussions, accountability is the obligation to answer for a responsibility conferred or implied. Accountability is required to ensure authority is administered appropriately within the context of assigned responsibilities. Employee accountability affects responsibility for meeting standards. Standards become ineffective measurement tools when accountability is lacking. Lastly, authority without accountability can promote corrupt practices.

“View Part I of the What Every IT Manager Should Know About Service Delivery and Support series here“

What Every IT Manager Should Know About Service Delivery and Support – Part VI

Robert Davis — Tue, 22 May 2012 21:46:38 +0000

An entity’s organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and reviewed. An entity should develop an organizational structure suited to perceived needs. Entity-centric organizational structure appropriateness is dependent, in part, on size and the nature of activities. Furthermore, effective organizational structure establishment includes deploying suitable authority and responsibility with adequate accountability for activities. As regulators, internal control systems are designed and operated in order to achieve the goals set in adopted governance rules or to comply with adopted governance rules.

“View Part I of the What Every IT Manager Should Know About Service Delivery and Support series here“

What Every IT Manager Should Know About Service Delivery and Support – Part V

Robert Davis — Fri, 18 May 2012 23:06:10 +0000

Management’s operating style is usually derived from devotion to tasks, symbolic behavior, and engrained cultural norms. Operating style will typically be reflected, directly or indirectly, in entity-centric imperatives presented in items such as the mission statement, management principles, management plans, ethic codes, and conduct codes. Within this context, the manner of communicating management’s operating style also affects employee behavior. Regarding IT, as stated in ISACA COBIT 4.1, the “control environment should be based on a culture that supports value delivery whilst managing significant risks, encourages cross-divisional co-operation and teamwork, promotes compliance and continuous process improvement, and handles process deviations (including failure) well.”

“View Part I of the What Every IT Manager Should Know About Service Delivery and Support series here“

What Every IT Manager Should Know About Service Delivery and Support – Part IV

Robert Davis — Tue, 15 May 2012 22:28:03 +0000

Management’s philosophy encompasses a broad range of beliefs, concepts, and attitudes that have a significant impact not only on the entity’s basic policies, but also on determining the entity’s culture. Management’s beliefs are the focal point for directing activities. The manner of communicating management’s philosophy affects employee behavior when accomplishing the entity’s mission. Communications rendering the general business method as well as entity and/or IT purpose are usually documented within a ‘mission statement.’

Architecturally, mission statements are how management translates organizational concepts into instructive information enabling consumer and employee primary business driver(s) awareness. Management’s attitude toward information processing determines the approach to taking and monitoring operational or program risks. For example, generally, management’s attitude regarding adequate IT service delivery and support, clearly defining policies and principles to ensure the proper practices, communicating practices to internal and external parties, and establishing appropriate systems to achieve objectives impact information reliability.

“View Part I of the What Every IT Manager Should Know About Service Delivery and Support series here“

What Every IT Manager Should Know About Service Delivery and Support – Part III

Robert Davis — Fri, 11 May 2012 22:37:26 +0000

For most individuals, integrity values are a personal issue that should reflect organizationally enforced edicts. Within an entity’s control environment, managerial integrity should represent “the quality or state of being of sound moral principles.” Specifically, management should demonstrate uprightness, honesty, and sincerity when conducting business, conveying information and interfacing with employees. By acting with integrity, management establishes trust and provides the basis for reliance on decisions affecting the entity. Stakeholders expect managers to maintain integrity values consistent with accepted societal norms and obligations. Managements’ capacity to sustain compliance to laws, regulations, policies, directives, procedures, standards and rules under adverse conditions are litmus tests of adherence to integrity values.

Ethical values, as with integrity values, are a personal issue that should reflect organizationally enforced edicts. There is an expectation that once assigned managerial responsibilities the entity’s ethical values are thoroughly understood and adopted by the manager. Adopting entity-centric ethical values require conformance to a system or code of morals that standardizes acceptable behaviors. However, just because a particular choice is acceptable statutory or regulatory conformance does not automatically qualify behavior as ethical.

“View Part I of the What Every IT Manager Should Know About Service Delivery and Support series here“