Summary

IT in Control Summary

Pages: 109
Uploaded on: 04-07-2020
Written in: 2019/2020

Extensive summary of the course IT in Control. This document includes extensive notes on the screencasts and summarized papers, excluding one, which I think was only relevant for the group assignment. Document primarily written in English. Some Dutch comments may be there though.

Document information

Summarized whole book?
No
Which chapters are summarized?
Screencasts discuss the most important things from the book.
Content preview

IT in Control
Summary + notes





Contents
Lecture 1 Notes
1.1 Introduction
1.2 Strategy
Selig - Chapter 1: Introduction to IT/Business Alignment, Planning, Execution and Governance
Selig - Chapter 3: Business/IT Alignment, Strategic Planning and Portfolio Investment Management Excellence (Demand Management)
Henderson, J.C.; Venkatraman, N. (1993)
Sabherwal, R.; Hirschheim, R.; Goles, T. (2001)
Henderson, J.C.; Venkatraman, N. (1993). Strategic Alignment, Leveraging Information technology for transforming organizations
Strategic alignment: the emerging concept
Four dominant alignment perspectives
Key issues and management challenges
Sabherwal, R.; Hirschheim, R.; Goles, T. (2001). The Dynamics of Alignment, Insights from a Punctuated Equilibrium Model
Abstract
Theoretical development
1.3 Governance
Selig - Chapter 2: Overview of Integrated IT Governance and Management Framework and Selection of current and emerging Best Practice Frameworks, Standards and Guidelines
Selig - Chapter 6: IT Service Management (ITSM) Excellence (Execution Management)
Hardy, G. (2006). Using IT Governance and COBIT to deliver Value with IT and respond to Legal, Regulatory and Compliance Challenges
What is IT governance?
IT governance and compliance
How does CobiT help?
Governance via COBIT
Creating value through IT governance and COBIT
Kerr, D.; Murthy, U.S. (2013). The importance of the COBIT Framework IT Processes for Effective Internal Control over Financial Reporting in Organizations, an International Survey
Introduction
Background and research questions
Method
Results
Summary, implications, and conclusion
Lecture 2 Notes
2.1 Cybercrime
Chapter 5 Computer Fraud Romney & Steinbart
Chapter 6 Computer Fraud and Abuse Techniques Romney & Steinbart
2.2 Security
Romney & Steinbart, Chapter 7: Control and Accounting Information Systems
Romney & Steinbart, Chapter 8: Controls for information Security (IC Basics)
Fanning, K.; Centers, D.P. (2016). Blockchain and Its Coming Impact on Financial Services
Lecture notes 3
3.1 Outsourcing
Chapter 7: Strategic Sourcing, Outsourcing and Vendor Management Excellence
Chapter 9: Cloud Computing, Data Management and Governance Issues, Opportunities, Considerations and Approaches
Julisch, K.; Hall, M. (2010). Security and Control in the Cloud.
Introduction to cloud computing
State of the art in cloud security
The “conventional” ISMS
Responsibility for controls in cloud computing
The virtual ISMS
Lecture 4
4.1 Privacy
Romney & Steinbart - Chapter 9: Confidentiality and Privacy Controls (IC Basics)
Romney & Steinbart - Chapter 10: Processing Integrity and Availability Controls
4.2 Analytics
Romney & Steinbart - Chapter 4: Relational Databases
Romney & Steinbart - Chapter 11: Auditing Computer-Based Information Systems
Chan, D.Y.; Vasarhelyi, M.A. (2011). Innovation and practice of continuous auditing
Debreceny, R.; Gray, G.L. (2001). The production and use of semantically rich accounting reports on the Internet XML and XBRL




Lecture 1 Notes
Read in the book:
Chapter 1: 1.5 & 1.6
Chapter 3: 3.2.3, 3.2.4, 3.2.7, 3.3.1 through 3.3.3
Both papers important

1.1 Introduction
Course objectives
› Upon completion of the course the student is able to:
- Recognize, distinguish and assess how organizations have organized their IT infrastructure, IT applications, IT management and IT strategy domain on a strategic, tactical and operational level (B);
- Identify and explain the effects of changes in the IT infrastructure, IT applications, IT management and IT strategy, related to the reliability of financial reporting, the effectiveness and efficiency of operations and compliance with relevant laws and regulations (A);
- Design a set of preventive and detective IT controls to mitigate cyber risks and outsourcing risks (cloud computing), related to the reliability of financial reporting, effectiveness and efficiency of operations and compliance with relevant laws and regulations (B);
- Determine the suitability of applied (data) analysis and reporting tools and techniques for management information and external reporting purposes (C);
- Assess and advise about the reliability of automated information (C).


Course description
› Strategy: Business IT Alignment, the Strategic Alignment Model (SAM) and the Amsterdam Information Model (AIM), Demand and Supply Management, the role of the CIO, Business Information Manager and Business Analyst.

› Governance: Enterprise Governance of IT (COBIT) and other more tactical and operational frameworks like BiSL, ASL and ITIL.

› Outsourcing: types of outsourcing (IaaS, PaaS, SaaS (cloud computing)) and obtaining assurance (SLAs, SLRs, ISO27001-certifying, ISAE3402-reporting, SOC1, SOC2 and SOC3).

› Cybercrime: types of cyberthreats (ransomware, cryptoware, CEO fraud, identity fraud, man-in-the-middle) and designing preventive, detective and corrective IT controls for mitigating these cyber risks.

› Security: securing data in motion (end-to-end encryption, SSL, HTTPS, VPN) and securing data at rest (encryption, MFA, SSO), cryptocurrencies like Bitcoin and FinTech developments like Blockchain.

› Privacy: CIA triad or in Dutch ‘BIV-classificatie’, relevant laws and regulations like ‘Wetgeving Meldplicht Datalekken’ and ‘Europese Algemene Verordening Gegevensbescherming’ (EAVG) or General Data Protection Regulation (GDPR).

› Analytics: Data Quality, Data Analysis, Standardization (API, EDI, XML, XBRL), Big Data, reporting tools and techniques (CAATs), Continuous Data Assurance.





Seller: rugstudent2020, Hanzehogeschool Groningen