Management Chapter 8 Homework Computer Operations Controls Andom Errors May Occur

subject Type Homework Help
subject Pages 9
subject Words 4719
subject Authors Kenneth C. Laudon

Management Information Systems, 13TH ED.
MANAGING THE DIGITAL FIRM
Kenneth C. Laudon Jane P. Laudon
Learning Track 4: General and Application
Controls for Information Systems
To minimize errors, disaster, computer crime, and breaches of security, special
policies and procedures must be incorporated into the design and implementation
of information systems. The combination of manual and automated
measures that safeguard information systems and ensure that they perform
according to management standards is termed controls. Controls consist of all
the methods, policies, and organizational procedures that ensure the safety of
In the past, the control of information systems was treated as an afterthought,
addressed only toward the end of implementation, just before the system was
installed. Today, however, organizations are so critically dependent on information
systems that vulnerabilities and control issues must be identified as
General controls are those that control the design, security, and use of
computer programs and the security of data files in general throughout the
organization. On the whole, general controls apply to all computerized applications
and consist of a combination of system software and manual procedures
that create an overall control environment.
controls: All the methods, policies, and procedures that ensure
of its records, and operational adherence to management standards
general controls: Overall controls that establish a framework for controlling the design, security, and use of computer programs
Chapter 8: Securing Information Systems
Chapter 8 Learning Track 4 2
General Controls
General controls are overall controls that ensure the effective operation of
programmed procedures. They apply to all application areas. General controls
include the following:
Controls over the system implementation process
Software controls
Physical hardware controls
IMPLEMENTATION CONTROLS
The systems development audit should also examine the level of user involvement
at each stage of implementation and check for the use of a formal cost/benefit
methodology in establishing system feasibility. The audit should also
look for the use of controls and quality assurance techniques for program
development, conversion, and testing.
An important though frequently neglected requirement of systems building is
SOFTWARE CONTROLS
Controls are essential for the various categories of software used in computer
systems. Software controls monitor the use of system software and prevent
unauthorized access of software programs, system software, and computer
programs.
FIGURE 1
Points in the processing cycle where errors
can occur. Each of the points illustrated in this
System software controls govern the software for the operating system,
which regulates and manages computer resources to facilitate execution of
application programs. System software controls are also used for compilers,
utility programs, reporting of operations, file setup and handling, and
software controls: Controls to ensure the security and reliability of software
TABLE 1 Essential User and Technical Documentation for an Information System
TECHNICAL DOCUMENTATION                   USER DOCUMENTATION
Hardware/operation system requirements    Sample reports/output layouts
Narrative program/module descriptions     Security profiles
Source program listings                   Functional description of system
Module cross references                   Work flows
Job control language listings
Backup/recovery procedures
Run control procedures
File access procedures
HARDWARE CONTROLS
Hardware controls ensure that computer hardware is physically secure and
check for equipment malfunction. Computer hardware should be physically
secured so that it can be accessed only by authorized individuals. Access
to rooms where computers operate should be restricted to computer opera-
hardware controls: Controls to ensure the physical security and correct performance of
COMPUTER OPERATIONS CONTROLS
Computer operations controls apply to the work of the computer department
and help ensure that programmed procedures are consistently and
correctly applied to the storage and processing of data. They include controls
over the setup of computer processing jobs, operations software and computer
operations, and backup and recovery procedures for processing that ends
abnormally.
Human-operator error at a computer system at the Shell Pipeline Corporation
caused the firm to ship 93,000 barrels of crude oil to the wrong trader. This
one error cost Shell $2 million. A computer operator at Exxon Corporation
headquarters inadvertently erased valuable records about the grounding of
the Exxon Valdez tanker and the Alaskan oil spill that were stored on magnetic
tape. Such errors could have been avoided had the companies incorporated
tighter operational safeguards.
DATA SECURITY CONTROLS
Data security controls ensure that valuable business data files are not subject
to unauthorized access, change, or destruction. Such controls are required for
data files when they are in use and when they are being held for storage. It is
computer operations controls: Procedures to ensure that programmed procedures are consistently and correctly applied to data storage and
data security controls: Controls to ensure that data files on either disk or tape are
When data can be input online through a terminal, entry of unauthorized
input must be prevented. For example, a credit note could be altered to match
a sales invoice on file. In such situations, security can be developed on several
levels:
Terminals can be physically restricted so that they are available only to
authorized individuals.
System software can include the use of passwords assigned only to
authorized individuals. No one can log on to the system without a valid
password.
Additional sets of passwords and security restrictions can be developed
Systems that allow online inquiry and reporting must have data files secured.
Figure 2 illustrates the security allowed for two sets of users of an online
personnel database with sensitive information such as employees’ salaries,
benefits, and medical histories. One set of users consists of all employees who
perform clerical functions such as inputting employee data into the system.
FIGURE 2
Security profiles for a personnel system. These two examples represent two security
profiles or data security patterns that might be found in a personnel system.
Depending upon the security profile, a user would have certain restrictions on
access to various systems, locations, or data in an organization.
Although the security risk of files maintained offline is smaller, such data
files on disk or tape can be removed for unauthorized purposes. These can
ADMINISTRATIVE CONTROLS
Administrative controls are formalized standards, rules, procedures, and
control disciplines to ensure that the organization's general and application
controls are properly executed and enforced. The most important administra-
assets. The individuals responsible for operating systems should not be the
same ones who can initiate transactions that change the assets held in these
program files and end users responsible for initiating input transactions or
correcting errors. Within the information systems department, the duties of
programmers and analysts are segregated from those of computer equipment
operators.
Written policies and procedures establish formal standards for controlling
information system operations. Procedures must be formalized in writing
and authorized by the appropriate level of management. Accountabilities and
responsibilities must be clearly specified.
administrative controls: Formalized standards, rules, procedures, and
and assign tasks among people so that job functions do not
TABLE 2 Effect of Weakness in General Controls
WEAKNESS AREA                           IMPACT
Implementation controls                 New systems or systems that have been modified will have errors or fail to function as required
Software controls (program security)    Unauthorized changes can be made in processing. The organization may not be sure of which programs or systems have been changed.
APPLICATION CONTROLS
Application controls are specific controls within each separate computer
application, such as payroll or order processing. They include both automated
and manual procedures that ensure that only authorized data are completely
and accurately processed by that application. The controls for each application
should take account of the whole sequence of processing, manual and comput-
Not all of the application controls discussed here are used in every information
system. Some systems require more of these controls than others,
depending on the importance of the data and the nature of the application.
Application controls focus on the following objectives:
1. Completeness of input and update. All current transactions must reach
the computer and be recorded on computer files.
2. Accuracy of input and update. Data must be accurately captured by the
4. Maintenance. Data on computer files must continue to remain correct
and current.
TABLE 3 Important Edit Techniques

Edit Technique: Reasonableness checks
Description: To be accepted, the data must fall within certain limits set in advance, or they will be rejected.
Example: If an order transaction is for 20,000 units and the largest order on record was 50 units, the transaction will be rejected.

Edit Technique: Format checks
Description: Characteristics of the contents
Example: A nine-position Social Security

Edit Technique: Existence checks
Description: The computer compares input reference data to tables or master files to make sure that valid codes are being used.
Example: An employee can have a Fair Labor Standards Act code of only 1, 2, 3, 4, or 5. All other values for this field will be rejected.

Edit Technique: Dependency checks
Description: The computer checks whether a logical relationship is maintained between the data for the same transaction. When it is not, the transaction is rejected.
Example: A car loan initiation transaction should show a logical relationship between the size of the loan, the number of loan repayments, and the size of each installment.

Edit Technique: Check digit
Description: An extra reference number called a check digit follows an
Example: A product code with the last position as a check digit, as developed
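The edit techniques in Table 3, written out as an added example that is not part of the textbook. The field names, the 50-unit limit, the Luhn mod-10 check-digit scheme, and the cap on total repayments are assumptions chosen for illustration; the FLSA codes 1 to 5 and the nine-position field come from the table.

```python
import re

FLSA_CODES = {1, 2, 3, 4, 5}      # valid codes from the table's existence-check example
MAX_UNITS = 50                    # constructed limit: largest order on record
MAX_REPAY_FACTOR = 2.0            # assumed cap on total repayments relative to the loan

def check_digit_ok(code):
    """Luhn mod-10 test (assumed scheme); the last position is the check digit."""
    if not re.fullmatch(r"[0-9]{2,}", code):
        return False
    total = 0
    for i, ch in enumerate(reversed(code)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def loan_consistent(t):
    """Dependency check: repayments x installment must cover the loan, within the cap."""
    repaid = t["repayments"] * t["installment"]
    return t["loan"] <= repaid <= t["loan"] * MAX_REPAY_FACTOR

# One list of (check name, predicate) per transaction type.
RULES = {
    "order": [("reasonableness", lambda t: 0 < t["units"] <= MAX_UNITS),
              ("check digit", lambda t: check_digit_ok(t["product_code"]))],
    "payroll": [("format", lambda t: re.fullmatch(r"[0-9]{9}", t["ssn"]) is not None),
                ("existence", lambda t: t["flsa_code"] in FLSA_CODES)],
    "loan": [("dependency", loan_consistent)],
}

def edit_transaction(kind, txn):
    """Run every edit check for this transaction type; return the names of failed checks."""
    failed = []
    for name, predicate in RULES[kind]:
        try:
            if not predicate(txn):
                failed.append(name)
        except (KeyError, TypeError):   # a missing or mistyped field fails the check
            failed.append(name)
    return failed

if __name__ == "__main__":   # constructed sample transactions
    print(edit_transaction("order", {"units": 20000, "product_code": "79927398710"}))
    print(edit_transaction("payroll", {"ssn": "12345678A", "flsa_code": 7}))
    print(edit_transaction("loan", {"loan": 12000, "repayments": 36, "installment": 400}))
```

An empty list means the transaction passes every edit check for its type; any other result lists the checks that caused the rejection.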
Application controls can be classified as (1) input controls, (2) processing
controls, and (3) output controls.
INPUT CONTROLS
input controls: Procedures to check data for accuracy
Input authorization. Input must be properly authorized, recorded, and monitored
as source documents flow to the computer. For example, formal proce-
Data conversion. Input must be properly converted into computer transactions,
with no errors as it is transcribed from one form to another.
Batch control totals can be established beforehand for transactions grouped
in batches. These totals can range from a simple document count to totals for
Edit checks. Various routines can be performed to edit input data for errors
before they are processed. Transactions that do not meet edit criteria will be
PROCESSING CONTROLS
Processing controls establish that data are complete and accurate during
updating. The major processing controls are run control totals, computer
matching, and programmed edit checks.
input authorization: Proper authorization,
data conversion: Process of
batch control totals: A type of input control that requires counting
reconciliation after processing
edit checks: Routines
processing controls: Routines for establishing that data are complete and accurate during updating
Run control totals reconcile the input control totals with the totals of items
that have updated the file. Updating can be controlled by generating control
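Batch control totals and their run-control reconciliation, as an added example that is not part of the textbook. The record layout and sample invoices are constructed, and the hash total over account numbers is an assumed third total alongside the document count and amount total.

```python
from decimal import Decimal

def control_totals(transactions):
    """Document count, amount total, and hash total of account numbers for a batch."""
    return {
        "count": len(transactions),
        "amount": sum((Decimal(t["amount"]) for t in transactions), Decimal("0")),
        "hash": sum(int(t["account"]) for t in transactions),
    }

def reconcile(batch_totals, posted, rejected):
    """Run control: posted plus rejected items must add back up to the batch totals.

    Returns {total name: (expected, actual)} for every total that does not match.
    """
    run = control_totals(posted + rejected)
    return {k: (batch_totals[k], run[k]) for k in batch_totals if batch_totals[k] != run[k]}

# Constructed batch: totals are taken from the source documents before data entry.
BATCH = [
    {"doc": "INV-001", "account": "4410", "amount": "150.00"},
    {"doc": "INV-002", "account": "4425", "amount": "89.50"},
    {"doc": "INV-003", "account": "4410", "amount": "1200.00"},
    {"doc": "INV-004", "account": "4790", "amount": "42.25"},
]
BATCH_TOTALS = control_totals(BATCH)

def demo():
    """Three processing runs against the same batch: clean, keying error, lost item."""
    clean = reconcile(BATCH_TOTALS, BATCH[:3], BATCH[3:])     # one item rejected by edits
    keyed = [dict(BATCH[0], amount="510.00")] + BATCH[1:]     # transposed digits on entry
    lost = BATCH[:2] + BATCH[3:]                              # INV-003 never reached the file
    return clean, reconcile(BATCH_TOTALS, keyed, []), reconcile(BATCH_TOTALS, lost, [])

if __name__ == "__main__":
    for label, diff in zip(("clean", "keying error", "lost item"), demo()):
        print(label, diff or "totals reconcile")
```

The keying error changes only the amount total, while the lost item throws off all three totals, which is why more than one total is kept per batch.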
Computer matching matches the input data with information held on master
or suspense files, with unmatched items noted for investigation. Most match-
OUTPUT CONTROLS
Output controls ensure that the results of computer processing are accurate,
complete, and properly distributed. Typical output controls include the
following:
Balancing output totals with input and processing totals
Reviews of the computer processing logs to determine that all of the
Developing a Control Structure: Costs and Benefits
Information systems can make exhaustive use of all of the control mechanisms
previously discussed. But they may be so expensive to build and so
complicated to use that the system is economically or operationally unfeasible.
Some cost/benefit analysis must be performed to determine which control
run control totals: Procedures for
totals before and after processing
output controls: Ensure that the results of computer processing are accurate, complete, and properly distributed
mechanisms provide the most effective safeguards without sacrificing operational
efficiency or cost.
One of the criteria that determine how much control is built into a system
is the importance of its data. Major financial and accounting systems, for
example, such as a payroll system or one that tracks purchases and sales on
the stock exchange, must have higher standards of controls than a system to
Standing data, the data that are permanent and that affect transactions
flowing into and out of a system (e.g., codes for existing products or cost
centers) require closer monitoring than individual transactions. A single error
in transaction data will affect only that transaction, while a standing data
error may affect many or all transactions each time the file is processed.
A third consideration is the level of risk if a specific activity or process is not
properly controlled. System builders can undertake a risk assessment, determining
the likely frequency of a problem and the potential damage if it were
to occur. For example, if an event is likely to occur no more than once a year,
with a maximum of a $1000 loss to the organization, it would not be feasi-
TABLE 4 Online Order Processing Risk Management
Exposure         Probability of Occurrence    Loss range / Average ($)    Expected Annual Loss ($)
Power failure    30                           5000-200,000 (102,500)      30,750
In some situations, organizations may not know the precise probability of
threats occurring to their information systems, and they may not be able to
quantify the impact of events that disrupt their information systems. In these
instances, management may choose to describe risks and their likely impact in
a qualitative manner.
To decide which controls to use, information system builders must examine
various control techniques in relation to each other and to their relative