Temple University

Week 03: Your Neighborhood Grocer Case

Week 3 Wrap-up: General IT Administrative Controls

Another great discussion full of good analysis and some great examples from the real world.  Those of you who work, please continue to bring such good examples to each of our discussions. You illustrate the learnings for all of us since we each have a different point of view.   I will give you my experiences, but that’s only one person who worked primarily in one company.  The more views we have the better.

IT organizations are usually the largest administrative expense in a company.  In manufacturing companies they may be only 1% or 2% of revenue but still be the most expensive support service.  In banks and trading companies IT can get to 50% of revenue.  For this reason the IT organization is a target for cost cutting.  It must be incredibly well run with all of its administrative processes very tight or it will constantly be second-guessed.

Some CIOs and business writers lament that CIOs should have a greater say in the strategy of the company.  I agree with this outlook but would add that CIOs need to prove themselves as well.  If my budgeting, procurement or HR practices are a mess, why should the owners of the business trust my opinion about other matters?  It really goes beyond this.  If IT’s projects are not being done on time and on budget while producing value for the corporation, why trust IT?  It may be unfair, but by being big and expensive IT puts a spotlight on itself and needs to act accordingly.

For much of my career I thought all the administrative controls were nonsense.  Only later did I come to see that they are the table stakes for playing in the game of business leadership.


Week 3: Reading Questions & Activity

Readings

  1. What is a compensating control?  When would you use one? Why? Can you give an example?
  2. If you had to rank the importance of the basic IT controls, how would you do it?  Which is most important, which least?
  3. What is segregation of duties and how does it play into basic administrative controls?  Give an example of two IT roles that should be segregated.

Your Neighborhood Grocer Case

Consider the following questions before class on Tuesday.  Ignore the questions at the end of the case.

  1. YNG has grown through acquisition resulting in a mess of systems.  Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
  2. Business application procurement seems to be a big problem.  IT buys stuff the businesses don’t want and many of the businesses’ purchases have been outright failures.  Why?  What controls can Larry put into place to ensure that it doesn’t continue into the future?
  3. The most recent IT Audit will produce a finding about the sorry state of access control in the company.  What controls should Larry be ready to recommend to reduce the impact of this finding?