Division of duties of the Organization and its IT department

Source: Internet
Author: User

Division of duties
Division of duties is an important issue for any organization to consider. A clear division of duties lets the various functions operate effectively and provides supervision and control. For important systems such as large financial systems in particular, supervisors carry more responsibility than their subordinates. Independence from other departments and a division of duties within the information system function are equally important. The following sections describe the main areas of division of duties:
1. Transaction authorization
Transaction authorization is the responsibility of the user department. Authorization also defines the degree of responsibility of the authorized person. Management and information system auditors must regularly check for unauthorized transactions.
2. Reconciliation
Reconciliation is the user's responsibility. In some organizations, the data control group also uses "check totals" and the balance sheet to reconcile applications. This independent check gives users more confidence in the operation of the application and the accuracy of its data.
3. Asset Custody
The company must identify and assign an appropriate custodian for each asset. When a user is designated as the "data owner", that responsibility should be stated explicitly. The data owner is responsible for determining the authorization levels that protect the data, while the data security management team is usually responsible for installing and operating the security systems.
4. Data Access
The physical environment must be secure enough to prevent unauthorized access to the physical devices connected to the host. System and application security form a further layer of control that prevents unauthorized access. In addition, access to internal company data from external sources is a new problem that arose with the Internet, so system managers must take greater responsibility for protecting information assets.
5. Use of Authorization Forms
User department managers submit formal electronic or printed authorization forms that define employee access permissions, that is, who may access what. The authorization form must be approved by management. In general, every user should apply in writing to their supervisor for access to a particular system. In a large company, or one with remote sites, both the approver's signature and the applicant's signature should be archived for verification, so that the correctness of each authorization request can be confirmed. The procedure should also require supervisors to review access permissions regularly, confirming that each user's permissions match their job function and are kept up to date.
6. User Authorization Table
The IT department uses the data in the authorization forms to create and maintain the user authorization table, which defines who is authorized to update, modify, delete, or browse data. These rights are defined at the system, transaction, and other levels. Authorization tables must themselves be protected by passwords or encryption against unauthorized access. Control logs should record all user activities in detail, appropriate supervisors should review them, and all incidents should be investigated.
7. Exception Report
Exception events should be reported to management for handling. After an exception has been handled, evidence should remain, that is, a signature on the report indicating that the exception was properly dealt with. Management should also track the handling of exceptions to ensure that all of them are resolved in a timely manner.
8. Audit Trail
The audit trail is the "map" the information system auditor follows when reconstructing the transaction process. In audit work, auditors review the relevant business and collect audit evidence by following the audit trail. In traditional business activities, every step of each transaction leaves a written record (such as the operator's signature), so the audit trail is very clear. Auditors can trace a transaction from the original document to the report, or from the report back to the original document, which gives rise to audit methods such as forward (sequential) query and reverse query.
For information systems, the audit trail is the record of all events from the time the data is entered into the system until it is validated and passed on to other subsystems. With computerization, the traditional audit trail disappears entirely: paper vouchers, ledgers, and reports are replaced by accounting information stored on electronic magnetic media. Information on such media can no longer be read directly by eye, and it may be deleted or modified without leaving any trace, which greatly increases the audit risk. If the system is not designed thoroughly, only the results of business processing may remain at audit time, and their source cannot be traced. The audit trail is therefore the tracking and recording of data processing, and an essential component of system design.
The audit trail helps the IT department and auditors provide records that trace the transaction process, and helps information system auditors recreate the actual flow of a transaction from its initial state to the updated document. Where there is no division of duties, the audit trail can serve as a compensating control. The information system auditor should be able to determine who executed the transaction, when it was executed, what data was input and in what form, which fields the transaction contained, and which files were updated.
9. Transaction Log
Transaction logs can be kept manually or automatically. Manual logs are records of transactions (grouped or batched) made by hand before data processing. Automatic logs are the transaction-processing records recorded and retained by the computer system itself.
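The user authorization table (section 6), the exception report (section 7) and the audit trail (section 8) fit together as one control structure. The following is an added illustration, not code from the original article: a constructed authorization table with rights per system and transaction type, a trail that records who executed what, when, with which input data and fields, and which file was updated, with forward and reverse tracing and a sign-off record for exceptions. All names and data values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
# Constructed user authorization table: rights are defined per (system, transaction).
AUTH_TABLE = {
    ("GL", "journal_entry"): {"alice": {"update", "browse"}, "bob": {"browse"}},
    ("GL", "payment"): {"carol": {"update", "delete", "browse"}},
}

@dataclass(frozen=True)
class AuditRecord:
    seq: int           # position in the trail
    user: str          # who executed the transaction
    time: str          # when (UTC, ISO 8601)
    txn: tuple         # (system, transaction type)
    right: str         # update / modify / delete / browse
    source_doc: str    # original document, for forward tracing
    fields: tuple      # which fields the transaction touched
    input_data: dict   # the data that was entered
    updated_file: str  # file/report updated, for reverse tracing
    allowed: bool      # whether the authorization table permitted it

class AuditTrail:
    def __init__(self):
        self.records = []
        self.exceptions = {}  # seq -> supervisor who signed off (None = still open)
    def authorized(self, user, txn, right):
        return right in AUTH_TABLE.get(txn, {}).get(user, set())

    def execute(self, user, txn, right, source_doc, data, updated_file):
        ok = self.authorized(user, txn, right)
        rec = AuditRecord(len(self.records) + 1, user, datetime.now(timezone.utc).isoformat(),
                          txn, right, source_doc, tuple(sorted(data)), dict(data), updated_file, ok)
        self.records.append(rec)  # every attempt is logged, denied ones included
        if not ok:
            self.exceptions[rec.seq] = None  # goes on the exception report
        return ok

    def trace_forward(self, source_doc):  # original document -> reports it fed
        return [r.updated_file for r in self.records if r.allowed and r.source_doc == source_doc]

    def trace_reverse(self, updated_file):  # report -> original documents behind it
        return [r.source_doc for r in self.records if r.allowed and r.updated_file == updated_file]

    def sign_off(self, seq, supervisor):  # evidence that the exception was handled
        if self.exceptions.get(seq, "") is not None:
            raise ValueError("no open exception %s" % seq)
        self.exceptions[seq] = supervisor

    def open_exceptions(self):  # what management still has to track
        return [s for s, who in self.exceptions.items() if who is None]
```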


Information system responsibilities
The IT department must maintain an effective division of duties with other departments. At the same time, to ensure that new systems are developed and implemented successfully, key personnel need to be involved in the system development method. The main roles in the development process also need clearly divided responsibilities. The main participants and their responsibilities are as follows:
1. Senior Manager
Approves the resources required to complete the project and encourages the required personnel to participate and see the project through.
2. User Manager
The owner of the project and of the final system. Responsible for assigning qualified representatives to take part in requirements analysis within the information system project team, and ultimately for acceptance testing and user training. User managers define the acceptance criteria for the completed system and approve its delivery. They are mainly concerned with the following questions:
- Does the software provide the specified functions?
- Software reliability
- Software efficiency
- Ease of use
- Ease of migrating the software to other environments
3. Project Steering Committee
Provides overall direction for project development and ensures that the interests of all parties are realized; it is principally responsible for overall cost and schedule. The committee is composed of senior representatives of every department involved in the new system, and each representative has the authority to decide on the impact of the system design on their own department. The project manager must be a member of the committee and, in some cases, chairs it. The Project Steering Committee has the following functions:
- Regular review of project progress (every half month or month), with emergency meetings as needed.
- As coordinator and initiator, committee members can answer questions and make decisions on system and program matters.
- The committee may assess progress, take necessary corrective actions, and recommend changes to the relevant personnel. It may redefine goals and plans as necessary to change the system objectives. The committee can also address risks that cannot be handled at the project level and, in special cases, may recommend that the project be terminated.
4. Project Sponsor
The data and application owner is appointed as the project sponsor. The main responsibility is to provide funding for the project and to work closely with the project manager to define how the project will be measured; the key is to convert that measurement scale into measurable, quantitative indicators. The project sponsor is usually a senior manager responsible for the main business functions the application will support.
5. System Development Manager
Provides technical support for the software and hardware environment, including development tools, installation, and operating systems. Ensures that the system is consistent with the organization's computing environment and strategic direction, and carries out operational support and post-installation maintenance.
6. Project Manager
Provides day-to-day project management to ensure that the project stays consistent with the overall direction, complies with local standards, and produces deliverables of acceptable quality. At the same time, coordinates the interests of all parties, resolves conflicts between departments, and monitors development team costs. If project personnel are dedicated full time to the project, the project manager is responsible for them.
7. System Development Project Team
Completes the assigned tasks, takes part in the development process, works to local standards, communicates effectively with users, and proposes necessary plan adjustments and improvements to the project manager.
8. User Project Team
Completes the assigned tasks and communicates effectively with the system developers. By taking part in the development process and following local standards, it alerts the project manager to deviations in the actual development.
9. Security Officer
Ensures that the system's controls and supporting processes provide effective protection. Based on a data classification consistent with the company's security policies, defines the security requirements and ensures they are built into the system. Reviews the security test plan and reports before implementation, evaluates security-related documents, reports on the effectiveness of system security, and monitors that effectiveness during system operation.
10. Quality assurance
Reviews whether the results of each phase are consistent with the requirements. The review points depend on factors such as the system development life cycle methodology used, the significance of the system, and the impact of potential deviations. Attention to the technical activities of each process management area, and the use of specific software engineering processes, plays an important role in reaching maturity in software process capability.
