Information Systems

INFORMATION
YSTEMS
Information Systems Management Audit

REFERENCE MATERIAL COLLECTIONS

@mokua

Information systems management and Audit @mokua all rights reserved 0

 Information Systems

Chapter one
INTRODUCTION TO INFORMATION SYSTEMS
System concepts
The term system is derived from Greek word system, which means an organized relationship
among functioning units or components. A system exists because it is designed to achieve one or
more objectives.
Therefore, system is a set of interacting or interdependent components forming an integrated
whole or a set of elements (often called 'components’) and relationships which are different from
relationships of the set or its elements to other elements or sets. In a system the different
components are connected with each other and they are interdependent.
A component is either an irreducible part or an aggregate of parts, also called a subsystem. The
simple concept of a component is very powerful
Interdependent components may refer to physical parts or managerial steps known as subsystem
of a system. Most systems share common characteristics, including:
 A system has structure, it contains parts (or components) that are directly or indirectly
related to each other;
 A system has interconnectivity: the parts and processes are connected by structural and/or
behavioral relationships.
 A system has behavior, it exhibits processes that fulfill its function or purpose;

The term system may also refer to a set of rules that governs structure and/or behavior.
Systems approach as an organized way of dealing with a problem.
The system takes input from outside, processes it, and sends the resulting output back to its
environment. The arrows in the figure show this interaction between the system and the world
outside of it.
The concept of a system is shown in fig. 5.1 as given below:

.
For example, just as with an automobile or a stereo system, with proper design, we can repair or
upgrade the system by changing individual components without having to make changes
throughout the entire system.

Information systems management and Audit @mokua all rights reserved 1

 Information Systems

The components are interrelated; that is, the function of one is somehow tied to the functions of
the others.
A system has a boundary, within which all of its components are contained and which
establishes the limits of a system, separating it from other systems. A system should be defined
by its boundaries-the limits that identify its components, processes and interrelationships when it
interfaces with another system. Components within the boundary can be changed, whereas
systems outside the boundary cannot be changed.

Environment: The environment is the 'supersystem' within which an organization operates. It

excludes input, processes and outputs. It is the source of external elements that impinge on the
system. All systems have a boundary and operate within an environment.

Categories of Systems
There are two Categories of systems: natural systems and man-made systems

Natural systems
The vast majority of systems are not made by people: they exist in nature and, by and large, serve
their own purpose. It is convenient to divide natural systems into two basic subcategories:
physical systems and living systems.

Physical systems include such diverse examples as:

 Stellar systems: galaxies, solar systems, and so on;

 Geological systems: rivers, mountain ranges, and so on; and
 Molecular systems: complex organizations of atoms.

Living systems, of course, encompass all of the myriad animals and plants around us, as well as
our own human race.

Man-made systems
As we saw from the definition at the beginning of the chapter, a number of systems are
constructed, organized, and maintained by humans. These include such things as:

 Social systems: organizations of laws, doctrines, customs, and so on.

 An organized, disciplined collection of ideas: the Dewey decimal system for organizing
books in libraries
 Transportation systems: networks of highways, canals, airlines, ocean tankers, and the
like.
 Communication systems: telephone, telex, smoke signals, the hand signals used by stock
market traders, and so on.
 Manufacturing systems: factories, assembly lines, and so on.
 Financial systems: accounting, inventory, general ledger, stock brokerage, and the

Information systems management and Audit @mokua all rights reserved 2

 Information Systems

INFORMATION SYSTEM
Information system is the set of devices, procedures and operations designed with the aid of user
to produce desired information and communicate it to the user for decision-making. This system
accepts data, processes it to produce desired information.

Data is a term used to describe base facts about objects / persons or activities of a transaction /
event.
Processing is a range of actions, which may be performed on the data to improve its usefulness to
the users. These actions include; Coding, Summarizing, Calculating, Storing, Selecting e.t.c.
Data processing system is a system, which transforms data into meaningful information. Thus
processing improves the value of the data.
Hence data processing system is a system, which transforms data into meaningful information.
Information is data that has been processed in such a way as to be meaningful to the person who
receives it. It provides context for data and enables decision making processes.

Three activities provide the information that organizations need. These activities are Input,
Processing and Output. 'Input' consists of acquisition of the 'raw data', which is transformed into
more meaningful packets of 'Information' by means of 'Processing'. The processed information
now flows to the users or activities also called as 'Output'. The shortcomings are analyzed and
the information is sent back to the appropriate members of the organization to help them evaluate
and refine the input. This is termed as 'feedback'.

Examples of 'Information Inputs' would be Transactions, events which would undergo

'processing' in the form of sorting, listing, merging and updating resulting in 'outputs' such as
detailed reports, lists and summaries. Another example would be in the manufacturing
environment with 'information inputs' such as design specs material requirements and the SOPs
(standard operating procedures). These would be 'processed' by the information system by
modeling and simulation techniques and would result in standard production models along with
the overall cost of the production process which is calculated by the information system from the
knowledge base containing material costs, hourly labor costs and other indirect costs. Hence
almost totally eliminating a distinct costing function in the scheme of things.

Information systems management and Audit @mokua all rights reserved 3

 Information Systems

However, an information system cannot just be broadly described as an Input-Process-

output mechanism in vacuum. It is required to provide major organizational solutions to
challenges and problems posed in the business environment. Hence a manager needs to be not
just computer-literate but also have a good idea of the organizational structure and functions as a
whole. This concept is illustrated in the figure on the opening page.
Users are the essential ingredients, which convert data to action through the knowledge,
understanding and skills, which they bring to bear on the data provided.
It is only at the level of the user that the information system actually provides benefit or value to
the organization. Users will themselves undertake further processing of the information received.
There are two processing levers:
 Primary processing – involves Processing of data
 Secondary processing – involves interpretation, application to
specific circumstances, Judgment and reasoning.
Data processing system consist of receiving data, processing it according to prescribed rules
with an intension of producing information.
Information the word comes from a Latin word informae, which means “to build from” or to
give structure”.
Hence information is trends, patterns, tendencies (measurement of central tendency) that users
need in order to perform their jobs.
There are two categories of data processing.
 Manual data processing.
 Electronic (Automated) data processing.

Qualities of Information
 Relevance
The information a manager receives from an IS has to relate to the decisions the manager has to
make

Information systems management and Audit @mokua all rights reserved 4

 Information Systems

 Accuracy
A key measure of the effectiveness of an IS is the accuracy and reliability of its information. The
accuracy of the data it uses and the calculations it applies generally determine the effectiveness
of the resulting information. However, not all data needs to be equally accurate.
 Usefulness
The information a manager receives from an IS may be relevant and accurate, but it is only useful
if it helps him with the particular decisions he has to make. The MIS has to make useful
information easily accessible.
 Timeliness
Management has to make decisions about the future of the organization based on data from the
present, even when evaluating trends. The more recent the data, the more these decisions will
reflect present reality and correctly anticipate their effects on the company.
 Completeness
An effective IS presents all the most relevant and useful information for a particular decision. If
some information is not available due to missing data, it highlights the gaps and either displays
possible scenarios or presents possible consequences resulting from the missing data.

Uses of Information
Businesses and other organizations need information for many purposes: we have
summarized the five main uses in the table below.

 Planning
To plan properly, a business needs to know what resources it has (e.g. cash,
people, machinery and equipment, property, customers). At the planning stage,
information is important as a key ingredient in decision-making.

 Controlling
Once a business has produced its plan it needs to monitor progress against the plan
- and control resources to do so. So information is needed to help identify whether
things are going better or worse than expected, and to spot ways in which
corrective action can be taken

 Measuring
Performance must be measured for a business to be successful. Information is
used as the main way of measuring performance. For example, this can be done by
collecting and analysing information on sales, costs and profits

 Decision-making
i. Strategic information: used to help plan the objectives of the business as a whole and to
measure how well those objectives are being achieved. Strategic information include:
Profitability of each part of the business
and Size, growth & competitive structure of the markets in which a business operates
ii. Tactical Information: this is used to decide how the resources of the business should be
employed.

Information systems management and Audit @mokua all rights reserved 5

 Information Systems

ii. Examples include: Information about business productivity (e.g. units produced per
employee; staff turnover)
iii. Operational: Information: this information is used to make sure that specific operational
tasks are carried out as planned/intended (i.e. things are done properly).
Decision-making process
A decision-making process is a series of steps taken by an individual to determine the best option
or course of action to meet their needs.
In a business context, it is a set of steps taken by managers in an enterprise to determine the
planned path for business initiatives and to set specific actions in motion.
There are many different decision-making methodologies, but most share at least five steps in
common:
 Identify a business problem.
 Seek information about different possible decisions and their likely effect.
 Evaluate the alternatives and choose one of them.
 Implement the decision in business operations.
 Monitor the situation, gather data about the decision's impact and make changes if
necessary.
If designed properly, a systematic decision-making process reduces the possibility that the biases
and blind spots of individuals will result in sub-optimal decisions.
The decisions differ in the following degrees,
 Complexity
 Information requirement for taking the decision
 Relevance
 Effect on the organization
 Degree of structured behavior of the decision-making process.
The different types of decisions require different type of information as without information one
cannot decide.

TYPES OF INFORMATION SYSTEM

Manual data processing

A human being processes given data as directed by the instructions in the procedures manuals or
personal experience. The system which accomplishes this processing is called manual
information system.

Electronic(Automated) data processing.

A machine processes data as directed by the stored programs. The system is largely self-
controlling with people playing a very little role.
A computer-based information system (CBIS) is an information system that uses computer
technology to perform some or all of its intended tasks.

Information systems management and Audit @mokua all rights reserved 6

 Information Systems

Components of electronic information systems

An information system is described as having five components:
Computer hardware
This is the physical technology that works with information. Hardware can be as small as a
smartphone that fits in a pocket or as large as a supercomputer that fills a building. Hardware
also includes the peripheral devices that work with computers, such as keyboards, external disk
drives, and routers

Software
The primary piece of system software is the operating system, which manages the hardware’s
operation. Application software is designed for specific tasks, such as handling a spreadsheet,
creating a document, or designing a Web page.

Telecommunications
This component connects the hardware together to form a network. Connections can be through
wires, such as Ethernet cables or fibre optics, or wireless, such as through Wi-Fi.
Databases /Data
A database is a place where data is collected and from which it can be retrieved by querying it
using one or more specific criteria.

Human resources and procedures

The people that are needed to run the system and the procedures they follow so that the
knowledge in the huge databases and data warehouses can be turned into learning that can
interpret what has happened in the past and guide future action.

Data consists of the raw facts representing events occurring in the organization before they are
organized into an understandable and useful form for humans.

Information is derived from meaningful interpretation of data.

An Information System can be defined technically as a set of interrelated components that collect
(or retrieve), process, store and distribute information to support decision making and control in
an organization. Another definition of an Information system (by Buckingham et al (1987b) is :
A system which assembles, stores, processes, and delivers information relevant to an
organization (or to a society), in such a way that the information is accessible and useful to those
who wish to use it, including managers, staff, clients and citizens.
An information system may be a human activity (social) system, which may or may not involve
the use of computer systems. Also, in addition to supporting decision-making, information
systems help workers and managers to analyze complex problems, to develop new products and
to integrate the various modules and departments. Moreover the 'transmission losses'n inter-

Information systems management and Audit @mokua all rights reserved 7

 Information Systems

departmental communication are reduced considerably leading to better coordination and

improved transparency (information sharing) within the organization as a whole.

Classification
- Organizational
- Fields

Organizsational
Also, at the heart of the issue Information systems should not be confused with information
technology. They exist independent of each other and irrespective of whether they are
implemented well. Information systems use computers (or Information Technology) as tools for
the storing and rapid processing of information leading to analysis, decision-making and better
coordination and control. Hence information technology forms the basis of modern information
systems.

In the early days of computing, each time an information system was needed it was 'tailor made' -
built as a one-off solution for a particular problem. However, it soon became apparent that many
of the problems information systems set out to solve shared certain characteristics. Consequently,
people attempted to try to build a single system that would solve a whole range of similar
problems. However, they soon realized that in order to do this, it was first necessary to be able to
define how and where the information system would be used and why it was needed. It was then
that the search for a way to classify information systems accurately began.

Depending on how you create your classification, you can find almost any number of different
types of information system. However, it is important to remember that different kinds of systems
found in organizations exist to deal with the particular problems and tasks that are found in
organizations.
Consequently, most attempts to classify Information systems into different types rely on the way
in which task and responsibilities are divided within an organization. As most organizations are
hierarchical, the way in which the different classes of information systems are categorized tends
to follow the hierarchy. This is often described as "the pyramid model" because the way in which
the systems are arranged mirrors the nature of the tasks found at various different levels in the
organization.
For example, this is a three level pyramid model based on the type of decisions taken at different
levels in the organization.

Three level pyramid model based on the type of decisions taken at different levels in the
organization
Similarly, by changing our criteria to the different types of data / information / knowledge that are
processed at different levels in the organization, we can create a five level model.

Information systems management and Audit @mokua all rights reserved 8

 Information Systems

Five level pyramid model based on the processing requirement of different levels in the
organization

The most common types of information system in an organization

While there are several different versions of the pyramid model, the most common is probably a
four level model based on the people who use the systems. Basing the classification on the people
who use the information system means that many of the other characteristics such as the nature of
the task and informational requirements, are taken into account more or less automatically.

Four level pyramid model based on the different levels of hierarchy in the organization

A comparison of different kinds of Information Systems

Using the four level pyramid model above, we can now compare how the information systems in
our model differ from each other.

Transaction Processing Systems

Transaction Processing System are operational-level systems at the bottom of the pyramid. They
are usually operated directly by shop floor workers or front line staff, which provide the key data
required to support the management of operations. This data is usually obtained through the
automated or semi-automated tracking of low-level activities and basic transactions.
examples of TPS
 Payroll systems
 Order processing systems
 Reservation systems
 Stock control systems
 Systems for payments and funds transfers

Information systems management and Audit @mokua all rights reserved 9

 Information Systems

The role of TPS

 Produce information for other systems
 Cross boundaries (internal and external)
 Used by operational personnel + supervisory levels
 Efficiency oriented

Management Information Systems

For historical reasons, many of the different types of Information Systems found in commercial
organizations are referred to as "Management Information Systems". However, within our
pyramid model, Management Information Systems are management-level systems that are used
by middle managers to help ensure the smooth running of the organization in the short to medium
term. The highly structured information provided by these systems allows managers to evaluate
an organization's performance by comparing current with previous outputs.
examples of MIS
 Sales management systems
 Inventory control systems
 Management Reporting Systems (MRS)
 Personnel (HRM) systems
The role of MIS
 Based on internal information flows
 Support relatively structured decisions
 Inflexible and have little analytical capacity
 Used by lower and middle managerial levels
 Deals with the past and present rather than the future
 Efficiency oriented

Decision Support Systems

A Decision Support System can be seen as a knowledge based system, used by senior managers,
which facilitates the creation of knowledge and allow its integration into the organization. These
systems are often used to analyze existing structured information and allow managers to project
the potential effects of their decisions into the future. Such systems are usually interactive and are
used to solve ill structured problems. They offer access to databases, analytical tools, allow "what
if" simulations, and may support the exchange of information within the organization.
Functions of a DSS
DSS manipulate and build upon the information from a MIS and/or TPS to generate insights and
new information.
examples of DSS
 Group Decision Support Systems (GDSS)
 Computer Supported Co-operative work (CSCW)
 Logistics systems

Information systems management and Audit @mokua all rights reserved 10

 Information Systems

 Financial Planning systems

 Spreadsheet Models?

The role of DSS

 Support ill- structured or semi-structured decisions
 Have analytical and/or modelling capacity
 Used by more senior managerial levels
 Are concerned with predicting the future
 Is effectiveness oriented?

Executive Information Systems

Executive Information Systems are strategic-level information systems that are found at the top of
the Pyramid. They help executives and senior managers analyze the environment in which the
organization operates, to identify long-term trends, and to plan appropriate courses of action. The
information in such systems is often weakly structured and comes from both internal and external
sources. Executive Information System are designed to be operated directly by executives without
the need for intermediaries and easily tailored to the preferences of the individual using them.

Functions of an EIS
EIS organizes and presents data and information from both external data sources and internal MIS
or TPS in order to support and extend the inherent capabilities of senior executives.

Examples of EIS
Executive Information Systems tend to be highly individualized and are often custom made for a
particular client group; however, a number of off-the-shelf EIS packages do exist and many
enterprise level systems offer a customizable EIS module.
The role of EIS
 Are concerned with predicting the future
 Are effectiveness oriented
 Support unstructured decisions
 Use internal and external data sources
 Used only at the most senior management levels

Fields
- Millitary
- Healthcare
- Aviation
Information systems management and Audit @mokua all rights reserved 11
 Information Systems

Information systems management and Audit @mokua all rights reserved 12

 Information Systems

Chapter Two
INFORMATION SYSTEMS INFRASTRUCTURE
Information systems infrastructure refers to a range of devices and technologies, applications
and systems, standards and conventions that the individual user or the collective rely on to work
on different organizational tasks and processes.
The word infrastructure refers to the basic supporting systems that are shared amongst users. In this
context, the information technology infrastructure is a simply shared platform for all business
applications.
There are five major components of the infrastructure:
 computer hardware,
 software,
 networks and communication facilities (including the Internet and intranets),
 databases
 information management personnel.
Infrastructures include these resources as well as their integration, operation, documentation,
maintenance, and management.

How all these components with individual functions work to Deliver an overall IS function
Modern IT infrastructure management is defined by the struggle to keep an increasingly complex
architecture of critical business services running 24/7 without interruption. The ability to maintain
continuous business operations and recover from outages with minimal disruption is known as
network resilience, and it should be the top priority for any organization.

NETWORK MANAGEMENT
The trend is toward larger, more complex networks supporting more applications and more
users. As these networks grow in scale, two facts become painfully evident:
• The network and its associated resources and distributed applications become indispensable to
the organization.
• More things can go wrong, disabling the network or a portion of the network or degrading
performance to an unacceptable level

International Organization for Standardization (ISO) network management framework

The International Organization for Standardization (ISO) network management framework for
classification of network management activities into five broad problem areas:
 fault management
 performance management
 configuration management,
 accounting management
 security management

Information systems management and Audit @mokua all rights reserved 13

 Information Systems

Fault Management
In many enterprise networks, individual divisions or cost centers, or even individual project
accounts, are charged for the use of network services. Furthermore, even if no such internal
charging is employed, the network manager needs to be able to track the use of network
resources by user or user class

To maintain proper operation of a complex network, care must be taken that systems as a whole,
and each essential component individually, are in proper working order. When a fault occurs, it is
important, as rapidly as possible to:
• Determine exactly where the fault is.
• Isolate the rest of the network from the failure so that it can continue to function without
interference.
• Reconfigure or modify the network in such a way as to minimize the impact of operation
without the failed component or components.
• Repair or replace the failed components to restore the network to its initial state.

Faults are to be distinguished from errors. A fault is an abnormal condition that requires
management attention (or action) to repair. A fault is usually indicated by failure to operate
correctly or by excessive errors. For example, if a communications line is physically cut, no
signals can get through. Or a crimp in the cable may cause wild distortions so that there is a
persistently high bit error rate. Certain errors (e.g., a single bit error on a communication line)
may occur occasionally and are not normally considered to be faults.

USER REQUIREMENTS
Users expect fast and reliable problem resolution. Most end users will tolerate occasional
outages. When these infrequent outages do occur, however, the user generally expects to receive
immediate notification and expects that the problem will be corrected almost immediately.
Users expect to be kept informed of the network status, including both scheduled and
unscheduled disruptive maintenance. Users expect reassurance of correct network operation
through mechanisms that use confidence tests or analyze dumps, logs, alerts, or statistics.
Accounting Management

Accounting management
USER REQUIREMENTS
The network manager needs to be able to specify the kinds of accounting information to be
recorded at various nodes, the desired interval between successive sending of the recorded
information to higher-level management nodes, and the algorithms to be used in calculating the
charging. Accounting reports should be generated under network manager control.

Configuration Management
Modern data communication networks are composed of individual components and logical
subsystems (e.g., the device driver in an operating system) that can be configured to perform
many different applications. The same device, for example, can be configured to act either as a
router or as an end system node or both. Once it is decided how a device is to be used, the

Information systems management and Audit @mokua all rights reserved 14

 Information Systems

configuration manager can choose the appropriate software and set of attributes and values (e.g.,
a transport layer retransmission timer) for that device.
Configuration management is concerned with initializing a network and gracefully shutting
down part or all of the network. It is also concerned with maintaining, adding, and updating the
relationships among components and the status of components themselves during network
operation.

USER REQUIREMENTS
Startup and shutdown operations on a network are the specific responsibilities of configuration
management. Users often need to, or want to, be informed of the status of network resources and
components. Therefore, when changes in configuration occur, users should be notified of these
changes. Before reconfiguration, users often want to inquire about the upcoming status of
resources and their attributes.
Performance Management

Performance management
Modern data communications networks are composed of many and varied components, which
must intercommunicate and share data and resources. In some cases, it is critical to the
effectiveness of an application that the communication over the network be within certain
performance limits. Performance management of a computer network comprises two broad
functional categories—monitoring and controlling. Monitoring is the function that tracks
activities on the network. The controlling function enables performance management to make
adjustments to improve network performance.
Some of the performance issues of concern to the network manager are as follows:
• What is the level of capacity utilization?
• Is there excessive traffic?
• Has throughput been reduced to unacceptable levels?
• Are there bottlenecks?
• Is response time increasing?

USER REQUIREMENTS Before using a network for a particular application, a user may want
to know such things as the average and worst-case response times and the reliability of network
services.

Security Management
Security management is concerned with generating, distributing, and storing encryption keys.
Passwords and other authorization or access control information must be maintained and
distributed. Security management is also concerned with monitoring and controlling access to
computer networks and access to all or part of the network management information obtained
from the network nodes. Logs are an important security tool, and therefore security management
is very much involved with the collection, storage, and examination of audit records and security
logs, as well as with the enabling and disabling of these logging facilities.

Information systems management and Audit @mokua all rights reserved 15

 Information Systems

USER REQUIREMENTS Security management provides facilities for protection of network

resources and user information. Network security facilities should be available for authorized
users only. Users want to know that the proper security policies are in force and effective and
that the management of security facilities is itself secure

Components network management architecture

Three basic components that form the elements of the management architecture are described
below. All these dimensions are essential to support a successful network management
environment. The following sections provide a brief introduction of the three components and
how they are supported by OSI systems management standards.
• The Information Component
Management information exchanged between the managing and managed systems is dependent
on both the function to be performed as well as the resources to be managed. A major thrust of
OSI systems management is to model the resources being managed. This implies that all the
properties which can be monitored and/or controlled are defined in the model.
• The Communication Component
Communication requirements address support infrastructure capabilities such as reliable transfer
and establishment of associations between application processes prior to management
information exchange
 The Functional Component
This component describes the various activities to be performed in support of management.

Architecture of a Network Management System

A network management system is designed to view the entire network as a unified architecture,
with addresses and labels assigned to each point and the specific attributes of each element and
link known to the system. The active elements of the network provide regular feedback of status
information to the network control center
A network management system is a collection of tools for network monitoring and control that is
integrated in the following senses:
 A single operator interface with a powerful but user-friendly set of commands for
performing most or all network management tasks.
 A minimal amount of separate equipment. That is, most of the hardware and software
required for network management is incorporated into the existing user equipment.

Capacity Planning for Computer Systems

-Capacity Planning Foundations
Capacity planning for computing systems arose out of the need to support critical mainframe
computing and networking. Like many system management disciplines, capacity planning uses
principles and methodologies that are broadly applicable to many types of resource planning
needs.

Information systems management and Audit @mokua all rights reserved 16

 Information Systems

-The Metrics of Capacity Planning

The primary metrics of interest in capacity planning are utilization metrics, that is, a measure of
the percent of time a resource is busy for or in use for a given load level. Utilization may be
expressed as the ratio of busy time to total elapsed time.

- Business Elements and Service Levels

Using a statistical model, estimates of the volume of future business activity may be directly
translated into specific quantities of computer resources. This technique allows business
managers to forecast their requirements in terms that are familiar to them rather than in the
metrics of computer usage or utilization.

- Forecasting, Predictions, and Planning

The capacity planner is expected to be able to forecast based on reasonable assumptions and an
analysis of current and historical patterns. The prediction-realization diagram is a useful graphic
device for monitoring forecasts.

- Capacity Planning and Systems Optimization

There are numerous applications of statistical methods to both computer performance
management and capacity planning.

- Charting and Graphics Presentations for Capacity Planning

One of the important steps in every capacity analysis study is the presentation of the results of
data analyses in such a manner that critical decision support information can be understood and
evaluated by decision makers. Busy managers like clear and expressive graphic summaries that
clearly illustrate the important information that should be examined, evaluated, and acted upon.

- Systems Administration and the Future of Capacity Planning

Capacity planning as a management control discipline is part of a body of techniques and
procedures to plan, organize, operate, measure, and control information systems. System
management strategies are process oriented and are focused on achieving consistent, workable,
controllable, and measurable results. Problem management is the process of detecting, reporting,
and correcting problems that can impact information system services.

Information Systems Operations and Administration

Another group of information-systems professionals are involved in the day-to-day operations and
administration of IT. These people must keep the systems running and up-to-date so that the rest
of the organization can make the most effective use of these resources.

Computer Operator
A computer operator is the person who keeps the large computers running. This person’s job is to
oversee the mainframe computers and data centers in organizations. Some of their duties include
keeping the operating systems up to date, ensuring available memory and disk storage, and
overseeing the physical environment of the computer.

Information systems management and Audit @mokua all rights reserved 17

 Information Systems

Database Administrator
A database administrator (DBA) is the person who manages the databases for an organization. This
person creates and maintains databases that are used as part of applications or the data warehouse.
The DBA also consults with systems analysts and programmers on projects that require access to
or the creation of databases.

Help-Desk/Support Analyst
Most mid-size to large organizations have their own information-technology help desk. The help
desk is the first line of support for computer users in the company. Computer users who are having
problems or need information can contact the help desk for assistance. Many times, a help-desk
worker is a junior-level employee who does not necessarily know how to answer all of the
questions that come his or her way.

Trainer
A computer trainer conducts classes to teach people specific computer skills. For example, if a new
ERP system is being installed in an organization, one part of the implementation process is to teach
all of the users how to use the new system. A trainer may work for a software company and be
contracted to come in to conduct classes when needed.

CIO
The CIO, or chief information officer, is the head of the information-systems function. This person
aligns the plans and operations of the information systems with the strategic goals of the
organization. This includes tasks such as budgeting, strategic planning, and personnel decisions
for the information-systems function. The CIO must also be the face of the IT department within
the organization. This involves working with senior leaders in all parts of the organization to ensure
good communication and planning.
Interestingly, the CIO position does not necessarily require a lot of technical expertise. While
helpful, it is more important for this person to have good management skills and understand the
business. Many organizations do not have someone with the title of CIO; instead, the head of the
information-systems function is called vice president of information systems or director of
information systems.

Information-Security Officer
An information-security officer is in charge of setting information-security policies for an
organization, and then overseeing the implementation of those policies. This person may have one
or more people reporting to them as part of the information-security team. As information has
become a critical asset, this position has become highly valued.

Emerging Roles
As technology evolves, many new roles are becoming more common as other roles fade. For
example, as we enter the age of “big data,” we are seeing the need for more data analysts and
business-intelligence specialists. Many companies are now hiring social-media experts and
mobile-technology specialists. The increased use of cloud computing and virtual-machine
technologies also is breeding demand for expertise in those areas.

Information systems management and Audit @mokua all rights reserved 18

 Information Systems

Chapter Three
INFORMATION SYSTEM RESOURCE MANAGEMENT
Information System
“An information system (IS) can be defined technically as a set of interrelated components that
collect, process, store, and distribute information to support decision making and control in an
organization.”

Three Fundamental Roles of Information Systems in Business

You may have even realized that one of the roles of information systems is to take data and turn
it into information, and then transform that information into organizational knowledge. As
technology has developed, this role has evolved into the backbone of the organization, making
information systems integral to virtually every business. The integration of information systems
into organizations has progressed over the decades.
• Information Storage and Analysis
Through the adoption of information systems, companies can make use of sophisticated and
comprehensive databases that can contain all imaginable pieces of data about the company.
Information systems store, update and even analyze the information, which the company can
then use to pinpoint solutions to current or future problems.
• Assist with making decisions
An organization’s management team uses information systems to formulate strategic plans and
make decisions for the organization's longevity and prosperity. The business uses information
systems to evaluate information from all sources, including information from external references
such as Reuters or Bloomberg, which provide information on the general economy. This analysis
of and comparison to market trends helps organizations analyze the adequacy and quality of their
strategic decisions.
• Assist with business processes
Adoption of information systems simplifies business processes and removes unnecessary
activities. Information systems add controls to employee processes, ensuring that only users with
the applicable rights can perform certain tasks.

Information systems management and Audit @mokua all rights reserved 19

 Information Systems

THE LOCATION OF IS
Over the past few decades’ information systems have progressed to being virtually everywhere,
even to the point where you may not realize its existence in many of your daily activities. Stop
and consider how you interface with various components in information systems every day
through different electronic devices. Smartphones, laptop, and personal computers connect us
constantly to a variety of systems including messaging, banking, online retailing, and academic
resources, just to name a few examples. Information systems are at the center of virtually every
organization, providing users with almost unlimited resources.

The corporate Information Services (IS) department is the unit responsible for providing or
coordinating the delivery of computer-based information services in an organization. These
services include:
1. Developing, maintaining, and maintaining organizational information systems
2. Facilitating the acquisition and adaptation of software and hardware.
3. Coordinates the delivery of many of these services, rather than providing all of them itself.

Organizations organize their Information Services function in very different ways, reflecting the
nature of their business, their general structure and business strategy, their history, and the way
they wish to provide information services to the business units.

Basically there are two categories of structures:

 Centralized Structure
 Decentralized Structure

I. Centralized Structure
This is an alternative usually found in large business organizations with geographically dispersed
divisions performing identical functions, none of them of such a nature that very large computers
are required.

Information systems management and Audit @mokua all rights reserved 20

 Information Systems

One larger centralized computer plus smaller satellite computers and remote job entry terminals,
and centralized development augmented by small development groups for unique local needs.

Benefits of centralized structures

A centralized server monitoring the complete flow of network data works best for companies that
need greater network control and visibility.
There are many benefits of adopting this type of structure. A centralized IT network can:
 Lower your hardware expenses.
You can reduce hardware costs by keeping all servers and networking equipment in one
place. When distributed across locations, extra or duplicate equipment is needed. In a
nutshell, increasing redundancy increases costs.
 Improve productivity for IT staff.
A centralized structure gives your IT staff better oversight and makes routine tasks easier.
For example, software installations, updates, and security patches can all be performed
from one location. In decentralized IT setups, completing these tasks would require staff to
manage each location separately, which can drive up costs and decrease productivity.
 Increase your purchasing power.
It’s easier to negotiate pricing of software licenses and support contracts for an entire
company rather than for individual departments. This can result in better contract terms
and even complimentary integration or support services.
 Help meet industry regulations.
Companies that store and process user information, such as credit card companies, tend
to find it easier to meet legal data security requirements with centralized IT systems.
 Improve the flow of information.
Centralized IT structures help prevent data silos. Data and information can be easily
shared across departments, leading to better knowledge sharing and collaboration.

Decentralized structure
Centralized IS departments are giving way in many firms to the IS function decentralized to the
business units of the firm. In a decentralized structure:
1. The corporate IS department is principally responsible for the corporate information system
infrastructure - telecommunications network and management of corporate databases.
2. Developing and maintaining corporate information systems standards
3. Supervising systems integrators who perform information services for the firm under
outsourcing arrangements
4. Interacting with vendors to ensure quantity discounts and other benefits of corporate scale.
Example is distributed systems

Benefits of decentralized IS structures

Decentralization is a practical approach when different departments in a company have different
IS needs and strategies. It allows each business unit to maintain a separate server and choose
hardware and applications based on individual needs.

Information systems management and Audit @mokua all rights reserved 21

 Information Systems

Decentralized IT structures provide several benefits, including: The

ability to tailor IT selection and configuration.
• When individual departments have IT decision-making power, they can choose and
configure IT resources as per their specific needs. The decision-making process is quick and
doesn’t require a chain of approvals.
• More fail-safes and organizational redundancy
Decentralization makes IT networks more resilient. As all departments maintain individual
servers, one department’s server can function as a backup server for another department during
network failure.
• Faster response to new IT trends.
As departments in decentralized organizations can make independent decisions, it’s easier for
them to leverage new technology.

Disadvantages of Decentralized Systems

•More difficult to manage and secure Centralized systems are inherently easier to manage
because there’s only one of them Centralized systems are inherently easier to secure -Only have
to have to worry about one point of vulnerability Distributed system introduce complexity
require more resources and cost more to run
•Reduced reliability and availability Centralized systems now benefit from years of experience
and development in terms of physical, operational and environmental conditions usually single
vendor systems Distributed systems are inherently more complex, more to go wrong, usually
heterogeneous systems, unpredictable interoperability
•Staff Shortages Distributed systems suffer from a loss of economies of scale require more staff
to achieve same support require higher “skill-mix” in staff. Vendor support not yet comparable
to centralized systems support from many vendors required no one vendor has “big picture”
systems integrator support also necessary problems often arise at interfaces between sub-systems

Deciding between centralized and decentralized

Primary criteria for deciding between centralized, decentralized or combined policy:
minimum total cost
user satisfaction
 effective utilization of personnel e the ability to attract and retain personnel
 rational selection of development projects
 the opportunity to share common systems
 adaptability to changes in the technical and economic environment Additional factors
influencing the decision are: volume of information to be consolidated
 response time required by operating managers
 availability of reliable and inexpensive data communications the company's
 decentralization or centralization of current operations
 heterogeneity of applications among divisions the degree of uniformity of coding systems,
managerial practices, and operating policies within the corporation

Information systems management and Audit @mokua all rights reserved 22

 Information Systems

How to determine the right degree of centralization or decentralization for your company?
Of course, many factors will influence your decision, but there are also some general
considerations that can help choose what’s best for your business.
 Decentralized IS structures are typically best for companies that rely on technical agility
to remain competitive.
Newer, smaller companies (e.g., startups) and organizations that need to respond quickly
to new IT developments (e.g., software and hardware companies or app development
firms) are most likely to benefit from decentralized IT networks.
 Decentralized IS structures can be difficult to scale.
Organizations that organically develop decentralized IT structures—as a result of having
no oversight in place—might have difficulty scaling. It’s hard and sometimes even
impossible to bring disparate systems together without proper planning.
 Centralized IS structures tend to offer more cost savings, especially for large
organizations.
Centralization makes it possible for entire organizations to act in unison. All departments
can migrate to new and cheaper technologies and negotiate contracts with more leverage.
 Centralized network structures are highly dependent on network connectivity. If the
central server goes down, the entire network loses connectivity. And since there are no
backup servers, chances are high that users will lose their data.

The contribution of information systems to the total quality management

If IS are high quality, it will help to promote overall quality throughout the organization. A quality
system will do the following:
• achieve the business goals articulated by the user department;
• operate at an acceptable cost, commensurate with the value produced for the firm;
• meet carefully defined performance standards (such as response time and system
availability);
• produce accurate, reliable output;
• be easy to learn and use;
• be flexible.

Information systems and organizations have a mutual influence on each other. Information
systems must be aligned with the organization to provide information needed by important
groups within the organization. At the same time, the organization must be aware of and open
itself to the influences of IS to benefit from new technologies.

Information systems management and Audit @mokua all rights reserved 23

 Information Systems

Chapter Four
ACQUIRING INFORMATION SYSTEMS AND SERVICES
Information systems are a major corporate asset, with respect both to the benefits they provide and
to their high costs. Therefore, organizations have to plan for the long term when acquiring
information systems and services that will support business initiatives. At the same time, firms
have to be responsive to emerging opportunities.
The acquisition process should involve the identification and analysis of alternative solutions
that are each compared with the established business requirements. The decision making to
acquire a typical IT application primarily consists of the following stages:

Stage 1: Identifying, planning, and justifying the information and system requirements
Another big challenge in the procuring information systems is to define the system requirements.
System requirements describe the objectives of the system. They define the problem to be
solved, business, and system goals, system process to be accomplished, user expectations, and
the deliverables for the system. Furthermore, the requirements should incorporate information
about system inputs, information being processed in the system, and the information expected
out the system. Each of this information should be clearly defined so that later gaps in
requirements and expectations are avoided. Information system requirements can be gathered
through interviews, questionnaires, existing system derivation, benchmarking with related
system, prototyping, and Rapid Application Development (RAD)
The output of this step is a decision to go with specific application, timetable, budget, and
system expectations.

Stage 2: restructuring information system architecture

IS architecture is the conceptualization of how the organization’s information objectives are met
by the capabilities of the specific applications.[This structural design however describes the flow
of the information, data hierarchy, application functionality, technical feasibility, and
organization architecture in the organization. The output from this phase should be a strategic
planning level on how to develop specific application that meets the constrained defined by the
IS architecture. Therefore, the application portfolio may be changed corresponding to this
structure.

Stage 3: identifying a development alternative

There are several options in procuring software solutions. Some available alternatives
are:
 Developing the system in-house,
 Off-the self solutions (Purchasing commercially available solution),
 Buying a custom made system for a vendor,
 Leasing software from an application service provider (ASP) or lease through utility
computing (contracted development),
 Outsourcing a system from other companies
 Participating in auction, e-marketplace, or a public exchange (consortium) ,  Use a
combination of these listed options.

Information systems management and Audit @mokua all rights reserved 24

 Information Systems

While an organization is in the phase of deciding which alternative being selected, the
management should carefully examine not only the advantages and disadvantages of each
procuring option, but more importantly, the option must be best-fit with the organization
business plan that has been documented in the previous steps.

Stage 4: conducting a feasibility analysis

As a part of the assessment in acquiring the solutions, a feasibility analysis is important to
identify the constraints for each alternative from both technical and business perspective.
Feasibility analysis incorporates the following categories:
Economic feasibility analysis provides cost-benefit justification with being regard to the
expenses of a system, which include procurement, project-specific, start-up, and operational
costs.
Technical feasibility assessment analyzes the technical reasonableness of the proposed
solution. Technical feasibility evaluates whether the company has the infrastructure and
resources including hardware, software, and network capability to support the application.
Operational feasibility evaluation reviews the extent of organizational changes required to
accommodate the proposed system. The proposed system should solve the business problems
and provide better opportunity for the business since the business process might be changed.
Legal and contractual feasibility. The proposed solution must pass any related legal or
contractual obligations associated with.
Political feasibility. The nature of the organization most likely will be affected by the
presence of the new system. Therefore, this feasibility analysis evaluates how the internal
organization will accept the new system

Procurement for IS products and service

(a) performing the selection procedure
In this process, the company requests for a proposal from prospective providers, evaluates the
proposal, and selects the best available alternative. There are various ways to solicit responses
from providers. Some of the common methods comprise request for information (RFI), request
for bid (RFB), and request for proposal (RFP).
An RFI is used to seek information from vendors for a specific intention. RFI should act as a
tool for determining the alternatives or associated alternatives for meeting the organization’s
needs.
An RFB is designed to procure specific items or services and used where either multiple vendors
are equally competent of meeting all of the technical and functional specifications or only one
provider can meet them. Furthermore, an RFP specifies the minimal acceptable requirements,
including functional, technical, and contractual aspects. This document offers flexibility to
respondents to further define the requested requirements. RFPs can be a lead to a purchase or
continued negotiation.

(b) Proposal evaluation process

Proposal evaluation is a crucial process in the software acquisition since one of more key
stakeholder’s reviews submitted proposals using a list of objective selection criteria and decide
the best match between the product features and functionality with the identified requirements.

Information systems management and Audit @mokua all rights reserved 25

 Information Systems

six steps in selecting a software vendor with its application package:

(i) Examining potential vendors’ background. Potential software application providers can be
identified from software catalogs, lists provided by hardware vendors, technical and trade
journals, or consultants experienced in the other companies, and Web searches. These
preliminary evaluation criteria can be used to pre-eliminate the unqualified potential vendors
based on the vendor track record, reputation, and some previous feedback.

(ii) Determining the evaluation criteria. One of the most difficult tasks in evaluating the
vendor and a software package is to determine a set of detailed criteria for choosing the best
vendor and package. These criteria can be identified from the RFP feedback sent by the vendors.
Some areas that should be considered: characteristics, of the vendor, functional requirements of
the system, technical requirements, total project costs, scalability of the solution, project time
frame, quality of documentation provided, and vendor support package.

(iii) Evaluating providers and their applications. The objective of this evaluation is to
determine the gaps between the company’s needs and the capabilities of the vendors and their
application packages. Ranking the vendors on each weighted criteria and then multiply the ranks
by the associated weight can be one method to evaluate the vendors and their solution packages.

(iv) Selecting the provider and its solution. Choosing the vendor and its software depends on
the nature of the application. Negotiation can begin with vendors to determine how their
packages might be modified to remove any discrepancies with the company’s IT needs.
Furthermore, feedbacks from the users who will work with the system and the IT staff who will
support the system have to be considered. In general, defined list of criteria for selecting a
software application package are following:
o Usability and functionality
o Upgrade policy and cost
o Vendor reputation
o System flexibility and scalability
o Manageability
o Quality of documentation
o Hardware and networking resources
o Upgradeability
o Required training
o System security
o Maintenance and operational requirements
o User easiness to learn
o Performance measurement
o Interoperability and data handling
o Ease of integration
o Reliability measurement
o Compatibility with other applications

Information systems management and Audit @mokua all rights reserved 26

 Information Systems

(v) Negotiate a contract. Once the vendor and its package selected, then the company can move
to the contract negotiation, in which the company can specify the price of the software and the
type of the support to be provided by the vendor. The contract must describe the detailed
specifications, all the included services provided by the vendor, and other detail terms of the
system. Contract is a legal document so the company should involve the experienced software
purchasing specialists and legal assistance. Since the contract can be very tricky so these legal
counsel should be involved from the beginning of selection process.

(vi)Establishing a service level agreement (SLA). SLA is formal agreement regarding the
distribution of work between the organization and its vendor. Such agreement is created
according to a set of agreed-upon objective, quality tests, and some what-if situations. Overall,
SLA defines: (1) company and vendor responsibilities, (2) framework for designing support
services, (3) company privilege to have most of the control over their system.

(vii) implementing the selected solution

Upon completion of the contract negotiation, an acceptance plan should be agreed by both the
company and the vendor so the new application can be ready to be installed or developed.

ACQUISITION METHODS
Some main alternatives exist in acquiring IS, some major options are:
 buy
 lease
 develop in-house
 outsourcing

1. Buying the Applications (Off-the-Shelf Solution)

Purchasing commercially available solutions requires that the business adapt to the
functionality of the system. Buying an existing package can be a cost effective and time saving
strategy compared with in-house development. The business adaptation process obliges that the
organization could also customize the software product and subsequently maintains those
customizations within the processes that have been modified and changed. Most organizations
are rarely fully satisfied by one software package. Therefore, it is sometimes necessary to
acquire multiple packages to support even one business process.
Note that when selecting a vendor package, organizations should consider the following key
factors:
• Vendor stability
• System upgrades
• Customer support provided by vendor
• Hardware and software requirements
• Required customization of the base software

A ‘buy’ option should be carefully considered to ensure all the critical features of the current and
future needs are included in the package. Buying makes sense if an organization plan to keep
something for a long time, but technology typically becomes outdates every two to three years.

Information systems management and Audit @mokua all rights reserved 27

 Information Systems

When the business is all about cutting-edge technology, buying can make good sense.
Eventually, buying decision typically means picking up something inexpensive to do the job
right now.

Advantages
· Shorter implementation time
· Use of proven technology
· Availability of outside technical expertise
· Easier to define costs
· Frequent software updates
· The price is usually cheaper
· Minimal IT personnel

Disadvantages
· Incompatibility with company needs
· Incompatibility between different applications
· Limitation on the software customization
· Have no control over software improvements
· Long term reliance on vendor support
· Specific hardware or software requirements

2. Leasing the Applications

Lease option can result in substantial cost and time savings compared to buy option or in-house
development. Leasing can be a good choice for small-medium enterprise that cannot afford large
investment in IS services. Moreover, many common features that are needed by most
organizations are usually incorporated in the leased package even though it may not always
exactly include all the required features. Also, regarding a shortage of IT personnel, many
companies choose to lease instead of develop software in-house. Leasing can help you decrease
the total cost of ownership of technology assets. It allows you to track, standardize and regularly
upgrade your practice's technology.
Large companies may also prefer to choose this option since to evaluate the potential IT
solutions before investing a heavy installment, especially in the long run. Therefore, leasing
requires another kind of management skill, too, which is: Lifecycle management. Whereas
buying typically means picking up something inexpensive to do the job right now, leasing means
that a business is looking at the bigger picture, planning for future upgrades and evolving needs.

When controlling cash flow is critical and you don't have time to worry about your equipment,
leasing can be a great option. Other vendors concur that built-in protections against obsolescence
can encourage leasing. "Even companies that do not have any cash flow issues often take
advantage of technology refresh terms built into a lease," says Richard McCormack, vice
president of product marketing for Fujitsu Computer Systems.

Information systems management and Audit @mokua all rights reserved 28

 Information Systems

Advantages
· Shorter time implementation
· Cost saving (cheaper than buy option)
· Ease to maintain cash flow
· Required only minimum IT staff
· Less risky to anticipate technology updates
· Having most of the required features

Disadvantages
· May not exactly fit with company needs
· Limitation on the software customization
· Have no control over software improvements
· Specific hardware or software requirements
· Include an interest component that a cash purchase would not include

3. Developing the applications in-house

Another strategy of IS acquisition is to build the information systems in-house. This
option works well for the organization that has the resources and time to develop the IT
applications by its own. This approach may be time consuming and somehow costly, but the
company may have a system that meet all the organization objective requirements. Its overriding
advantage was the freedom to create a system that would closely fit the company’s business
processes.
There are two major ways to develop the system in-house:
First, building the IS from the scratch is one of the approaches to match the specific application
with the requirements. Another way of building the in-house application is using the standard
components or features that have been included in some commercial packages (i.e. Java, Visual
Basic, C++) or using available packaged software that can be customized.
Second approach offers greater flexibility, cost and time saving rather than building the software
from the base.

Advantages
· Best fit with the company requirements
· Have control over software improvements
· Have all of the required features
· Main core competencies and maintain level of quality service
· Make a distinction with other companies

Disadvantages
· Required more IT personnel
· High overhead cost
· Time consuming
· Problem with usability of the system
· High switching cost
· Difficult to update to newer technology

Information systems management and Audit @mokua all rights reserved 29

 Information Systems

4. Outsourcing the applications

One of the recent trendsetters in IS acquisition strategy is outsourcing.
As defined by Griffiths, outsourcing is a strategic use of outside resources to perform activities
traditionally handled by internal staff and resources.
As a matter of fact, the organization turns to outsourcing to save money. Decisions as what to
what and whether to outsource should be tied to an identification and understanding of an
organization’s core competencies and its critical success factors.
If a task is a both a core competency and a critical success factor, it should not be considered
outsourcing. Such projects are at the heart of the company.
Some limitations of this strategy include the risk of losing the organizational core
competencies, reduction in the quality of service received by a client, and also some risk of the
rise of unexpected expenses.

Outsourcing IS functions
Traditionally, outsourced IT functions have fallen into one of two categories: infrastructure
outsourcing and application outsourcing. Infrastructure outsourcing can include service desk
capabilities, data center outsourcing, network services, managed security operations, or overall
infrastructure management. Application outsourcing may include new application
development, legacy system maintenance, testing and QA services, and packaged software
implementation and management.
IT outsourcing models and pricing
The appropriate model for an IT service is typically determined by the type of service provided.
Traditionally, most outsourcing contracts have been billed on a time and materials or fixed price
basis. But as outsourcing services have matured from simply basic needs and services to more
complex partnerships capable of producing transformation and innovation, contractual
approaches have evolved to include managed services and more outcome-based arrangements.
The most common ways to structure an outsourcing engagement include:
Time and materials: As the name suggests, the clients pays the provider based on the time and
material used to complete the work. This model can be appropriate in situations where scope and
specifications are difficult to estimate or needs evolve rapidly.

Unit/on-demand pricing: The vendor determines a set rate for a particular level of service, and
the client pays based on its usage of that service. For instance, if you’re outsourcing desktop
maintenance, the customer might pay a fixed amount per number of desktop users supported.
Pay-per-use pricing can deliver productivity gains from day one and makes component cost
analysis and adjustments easy. However, it requires an accurate estimate of the demand volume
and a commitment for certain minimum transaction volume.

Fixed pricing: The deal price is determined at the start. This model can work well when there are
stable and clear requirements, objectives, and scope. Paying a fixed priced for outsourced
services can be appealing because it makes costs predictable. It can work out well, but when
market pricing goes down over time (as it often does), a fixed price stays fixed. Fixed pricing is
also hard on the vendor, which has to meet service levels at a certain price no matter how many
resources those services end up requiring.
Information systems management and Audit @mokua all rights reserved 30
 Information Systems

Cost-plus: The contract is written so that the client pays the supplier for its actual costs, plus a
predetermined percentage for profit. Such a pricing plan does not allow for flexibility as business
objectives or technologies change, and it provides little incentive for a supplier to perform
effectively.
Performance-based pricing: The buyer provides financial incentives that encourage the supplier
to perform optimally. Conversely, this type of pricing plan requires suppliers to pay a penalty for
unsatisfactory service levels. Performance-based pricing is often used in conjunction with a
traditional pricing method, such as time-and-materials or fixed price.

Gain-sharing: Pricing is based on the value delivered by the vendor beyond its typical
responsibilities but deriving from its expertise and contribution. With this kind of arrangement,
the customer and vendor each have skin in the game.

Shared risk/reward: Provider and customer jointly fund the development of new products,
solutions, and services with the provider sharing in rewards for a defined period of time. This
model encourages the provider to come up with ideas to improve the business and spreads the
financial risk between both parties.

Outsourcing benefits and costs

The business case for outsourcing varies by situation, but the benefits of outsourcing often
include one or more of the following:
• lower costs (due to economies of scale or lower labor rates)
• increased efficiency
• variable capacity
• increased focus on strategy/core competencies
• access to skills or resources
• increased flexibility to meet changing business and commercial conditions
• accelerated time to market
• lower ongoing investment in internal infrastructure
• access to innovation, intellectual property, and thought leadership
• possible cash influx resulting from transfer of assets to the new provider

The advantages and shortcomings of the ‘outsourcing' option:

Advantages
Cost Reduction
· Access to word class specialist providers
· Improved focus on core business
· Subcontracting of workload
· Better risk management
Disadvantages
· Loss of organizational competencies
· Reduction in quality of services
· Cost escalation from unforeseen expenses

Information systems management and Audit @mokua all rights reserved 31