Information Technology Reference
In-Depth Information
Many companies have established strong policies to prevent employees from wasting time
using computers inappropriately at work. A survey of 304 U.S. companies determined that
over one-fourth of bosses have fired employees for inappropriate use of e-mail and one-third
and another 26 workers for the Collier County, Florida government were given unpaid sus-
pensions for inappropriate use of county computers.
8
After companies have planned and developed policies and procedures, they must consider
how best to implement them.
Implementing Policies and Procedures
Implementing policies and procedures to minimize waste and mistakes varies according to
the business conducted. Most companies develop such policies and procedures with advice
from the firm's internal auditing group or its external auditing firm. The policies often focus
on the implementation of source data automation and the use of data editing to ensure data
accuracy and completeness, and the assignment of clear responsibility for data accuracy within
each information system. Some useful policies to minimize waste and mistakes include the
following:
•
Changes to critical tables, HTML, and URLs should be tightly controlled, with all
changes authorized by responsible owners and documented.
•
A user manual should be available covering operating procedures and documenting the
management and control of the application.
•
Each system report should indicate its general content in its title and specify the time
period covered.
•
The system should have controls to prevent invalid and unreasonable data entry.
•
Controls should exist to ensure that data input, HTML, and URLs are valid, applicable,
and posted in the right time frame.
•
Users should implement proper procedures to ensure correct input data.
Training is another key aspect of implementation. Many users are not properly trained in
using applications, and their mistakes can be very costly. When business intelligence tools
were first installed at the Maryland Department of Transportation, inexperienced users began
executing queries unrelated to their jobs. The large number of queries and report requests
led to system performance problems, with excessive run times and slow response time to
queries. The department implemented new policies for running requests and provided train-
ing to show users why it was important to access only the data required to do their work.
System performance was improved through the implementation of these policies.
9
Because more and more people use computers in their daily work, it is important that
they understand how to use them. Training is often the key to acceptance and implementa-
tion of policies and procedures. Because of the importance of maintaining accurate data and
of people understanding their responsibilities, companies converting to ERP and e-commerce
systems invest weeks of training for key users of the system's various modules.
Monitoring Policies and Procedures
To ensure that users throughout an organization are following established procedures, the
next step is to monitor routine practices and take corrective action if necessary. By under-
standing what is happening in day-to-day activities, organizations can make adjustments or
develop new procedures. Many organizations implement internal audits to measure actual
results against established goals, such as percentage of end-user reports produced on time,
percentage of data-input errors detected, number of input transactions entered per eight-
hour shift, and so on.
The Société Générale scandal in France is a classic example of an individual employee
circumventing internal policies and procedures. A low-level trader on the arbitrage desk at
the French bank created a series of fraudulent and unauthorized investment transactions that
collapsed, causing the bank to lose over $7 billion—even though a compliance officer at the
bank had been alerted months in advance not once, but twice that something unusual was
going on.
11
