Management Control Systems (2nd Edition)






Details


Chapter Code: MCS17

Textbook:
Pages: 528; Paperback;
210 x 275 mm approx.

Suggested Case Studies

Detail Table of Contents


Pricing


Textbook Price: Rs. 900;
Textbook Available only in INDIA

Chapter Price: Rs. 100


Management Control Systems Textbook



Control and Governance of Information Systems: Overview

There is a growing trend in organizations to create and maintain large and complex information systems, and it has become essential for them to ensure proper control of such systems. The main reasons for establishing control are the high cost of data loss and of wrong decision making, the possibility of computer abuse, the risk of computer errors, the need to protect hardware, software, and personnel, and the need for data privacy and confidentiality. The main objectives of information system controls are the safeguarding of assets, maintenance of data integrity, effectiveness in achieving organizational objectives, and efficient consumption of resources.

IT governance can be defined as "the organizational capacity exercised by the board, executive, and IT management to control the formulation and implementation of IT strategy and ensure the fusion of business and IT." IT governance consists of relationships and processes that direct and manage an organization, help it to achieve its business goals, and generate value for its investments in IT, while minimizing the risks.

There are some frameworks that help organizations to implement IT governance. Prominent among them are the IT Infrastructure Library (ITIL), Control Objectives for Information and Related Technology (COBIT), and the Balanced Scorecard (BSC). ITIL addresses skill requirements and organizational structure, and provides detailed information on how to manage IT operations. The ITIL framework is published in a series of eight books called sets - service delivery, service support, planning to implement service management, security management, infrastructure management, business perspective, applications management, and software assets management.

COBIT provides a set of IT control objectives that guide organizations on how to maximize the benefits from IT implementation by developing control and appropriate IT governance in the organization. It describes 34 IT control processes that are covered under four domains - Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring. Use of the BSC for IT governance involves creation of an IT scorecard, which aligns the IT strategy and performance management framework with the overall organizational strategy and performance management framework.

Information systems are normally complex in nature. On an ongoing basis, organizations exercise control over information systems through management controls and application controls. Management controls are the managerial functions that have to be performed for ensuring planned and controlled development, implementation, operation, and maintenance of information systems. Application controls refer to the control features in each application system.

There are seven broad categories of information system management controls in an organization - top management controls, systems development management controls, programming management controls, data resources management controls, security management controls, operations management controls, and quality assurance management controls.

Top management controls involve activities like planning, organizing, leading, and monitoring / evaluation. Systems development management controls involve activities like feasibility study and project initiation, system analysis and specifying user requirements, systems design and development, acceptance testing, implementation and maintenance, and auditing the systems development management function. Programming management controls involve activities like planning, control, design, coding, testing, and operation and maintenance. Data resources management controls include defining, creating, redefining, and retiring data; making the database available to the users; informing and servicing users; maintaining the integrity of the database; and monitoring operations and performance. Security management control involves conducting security programs. Operations management controls include control of computer and network operations; maintaining data files, program files, and documentation; help desk and technical support; and management of outsourced operations. Quality assurance management controls include establishing quality goals and standards; checking conformity with QA standards; identifying areas for improvement; reporting to the management; and training employees in QA standards.

The objective of application controls is to ensure that application systems safeguard assets and maintain data integrity. Application controls are exercised by hardware and software and not by people. The different types of application controls are boundary controls, input controls, communication controls, processing controls, database controls, and output controls. Boundary controls include access controls (including cryptographic controls), audit trail controls, and existence controls. Input controls include design of source documents and data entry screens, data code controls, batch controls, validation of data input, audit trail controls, and existence controls.

During the communication of information from one place to another, the information travels from one medium to another, giving rise to three types of exposure - transmission impairments, failure of components, and subversive threats. To prevent, detect, or correct errors caused by transmission impairment, various controls can be used, such as communication architecture and controls, internetworking controls, topological controls, channel controls, link controls, flow controls, and line error controls. Physical component controls are used to address component failure. Controls are exercised over subversive threats either by providing a physical barrier around the transmission medium or by encrypting the data transmitted through it.

Processing controls include processor controls, real memory controls, and virtual memory controls. Database controls include access controls, integrity controls, application software controls, concurrency controls, cryptographic controls, file handling controls, audit trail controls, and existence controls. Output controls include inference controls, batch output production and distribution controls, batch report design controls, online output production and distribution controls, audit trail controls, and existence controls. Information system auditing can be defined as "the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently." An information systems audit provides the people who rely on a particular information system with an authoritative and objective opinion on the extent to which they can safely rely on that system.

Information systems auditors may audit both financial items such as transactions and balances, and non-financial items such as physical access controls, program change controls, quality control, and password generation. The information systems audit procedures involve tests of controls, tests of transactions, and tests of balances. Tests of controls are done to obtain evidence about the suitability of design and effective operation of the accounting and internal control systems. Tests of transactions are conducted to check the effectiveness and efficiency of the database system. Tests of balances are conducted to make a final evaluation regarding the degree of misstatements that could arise due to any failure of information systems to safeguard assets and maintain data integrity. There are three ways in which computers can be used in the information systems audit - auditing around the computer, auditing through the computer, and Computer Assisted Audit Techniques (CAAT).

Business continuity is the organization's ability to carry out its business operations with negligible disruption or downtime during a natural or man-made disaster. Business continuity management deals with three broad aspects: availability, reliability, and recoverability. Business Continuity Planning (BCP) puts in place the processes and procedures that ensure a continuous flow of the essential business functions before, during, and after the occurrence of any disastrous event. It addresses all the risks to, and safeguards, the systems that are vital for carrying out business operations. It aims to prevent disruption of mission-critical services and to ensure restoration of the various functions as quickly and smoothly as possible.

Disaster Recovery Planning (DRP) is narrower in scope than BCP. A disaster recovery plan ensures that the organization resumes business after the occurrence of a disruptive event. To ensure consistency, the management of the organization needs to make certain that the disaster recovery plan is in tune with the overall business continuity plan. Before drawing up a disaster recovery plan, the organization should identify and prioritize its functions based on whether they are critical, vital, sensitive, or non-critical. The disaster recovery plan consists of an emergency plan, a backup plan, a recovery plan, and a test plan.

Chapter 17: Overview


Overview of Control of Information Systems
Need for Control of Information Systems
Objectives of Control of Information Systems

Information Technology Governance
IT Infrastructure Library (ITIL)
Control Objectives for Information and Related Technology (COBIT)

Management Control of Information Systems
Top Management Controls
Systems Development Management Controls
Programming Management Controls
Data Resource Management Controls
Security Management Controls
Operations Management Controls
Quality Assurance Management Controls

Application Control of Information Systems
Boundary Controls
Input Controls
Communication Controls
Processing Controls
Database Controls
Output Controls

Information Systems Audit
Information Systems Audit Procedures

Business Continuity and Disaster Recovery
Business Continuity Management
Disaster Recovery Planning (DRP)