IS Model For Organizations: Comparison Between General And Application Control Of IS Essay.

General Controls

Discuss about the IS Auditor Characteristics Audit Process Variables.

The study provides the IS model for an organization. In the study, further discussion has been done by comparing the general management control and application control of IS. Later, the evaluation has done on the security and risk management technique of IS. Finally, providing with the information of the importance of IS auditing and safeguarding the data quality.

1. T. Kearney has experience in transforming and improving Management Information System (MIS). The company has the best possible information formats and feature of MIS that provide an accurate and up-to-date information to make a valid decision (Hu 2016). MIS contains the expenses, sales figures, workforce data and investments made by the company for the past five years and provide an accurate report to make a proper decision. Since MIS has the feature to take key decision that is built in, the decision has influenced by changes made in different variables (Arvidsson, Holmström and Lyytinen 2014). The organization can see the changes by reducing the staff levels or by increasing the promotion budgets to see what changes happen to the revenue, profit and expenses. With MIS system the company can make a possible realistic scenario (Dwivedi et al. 2015). Any decision made by the project manager can result in modification to the business strategy and the overall goals of the company. When the company make a decision, it specify a goal in mind from MIS and track the result of the company by analyzing it and ensuring that it has developed as planned. MIS provide data needed by the company to determine the desired effect of the decision that they made and whether any correct action being taken to achieve the goals (Khansa et al. 2017). Whenever the organization goals are not on track, they can use MIS to evaluate and decide to take some additional measures for that situation. The next section discusses about the general management control and application control for IS.

The systems of computer are control by a set of well-designed information resources. This resources are of two type; general controls and application controls. General control is a combination of software, hardware and manual procedure where an overall control environment has created (Peter et al. 2016). The application of general control is on all the computerized applications. Application controls are unique for each of the computerized application (Wonham 2015).

There are several types of General Controls which include physical hardware controls, data security controls, administrative controls, implementation controls, computer operations control, and software controls (Akyol et al. 2015). All this controls will be discussed one by one,

Software controls: It prevents from any unauthorized access to computer program, system software and software program (Mattos and Duarte 2016). It monitors were the system software has been used. The control area of system software is very important because the overall functions of the control has performed for the programs in which the data and the files are process (Fuggetta and Di Nitto 2014).

Hardware controls: It checks the malfunction of the equipment and ensure that the hardware of the computer is physically secure (Kim, Kim and Park 2015). Thus, it is necessary that the equipment of computer should be protected from the extremes of temperature, fires and humidity. Since A. T. Kearney is Computer dependent organizations, it should make continued operation or backup provisions for a constant service.

Computer operations controls: It oversee the computer department work that ensure the procedure of the program that can correctly and consistently applied to the data storage and data processing. In the job of computer processing and computer operation the control has set up for the recovery and backup procedures of the abnormal processing.

Data Security Controls: Business data files that are valuable on either the tape or disk are not a subject that can unauthorized change, access, or destruction when these data are in storage and use (Sundaram 2017).

Implementation controls:  The development process of the systems has audit at various points that ensure the control of the process and properly manage them. The development audit of the systems looks for formal reviews at the development of various stages by the user and management; involvement of level of implementation by the user at each stage; and the methodology of formal cost-benefit that establishes a feasible system. For a complete, thorough system, operations documentation and user the audit must use the technique assuring the quality and control of the program development, testing and conversion.

Software Controls

Administrative controls: Control discipline, formalize standards, rules and procedures that ensure the organization’s application controls and general controls that are enforced and properly executed.

In application controls manual and automated procedures are included to ensure that the application authorized the data that are accurately and completely processed. There are three types of application controls, 1) input controls, 2) output controls, and 3) processing controls.

The data is check by input controls for completeness and accuracy while entering the system. Input controls are specific for data conversion, input authorization, error handling and data editing. In Processing controls, during updating the data are accurate and complete. Run control totals, checks programmed edit and Computer matching, are used in the form of processing controls. In output control, the computer processing results are complete, accurate and distributed properly. Depending on the application nature and data that are important some more types of application controls are discussed below,

Control total (Input, processing): Computer programs count total from simple document to total quantity fields of input or processed transactions.

Edit checks (Input): Programmed routine are performed to edit data for input of errors before processing. Edit criteria that are not met by the transactions are rejected.

Computer matching (Input, Processing): Input data matches with the information for suspense or master files and investigation done for notes that have unmatched items.

Run control totals (Processing, output): Balance the process of total transactions with total number of input or output transactions.

Report distribution logs (Output): With documentation authorized recipients specifies that they receive their checks, reports or other critical documents.

The process of Evaluating the security system of information involves identifying, gathering and analyzing the functionality of security. The A. T. Kearney organization follow a process for the security and to manage a risk and identify, mitigate and categorize the risks (Leveson 2015). The organizations have a methodology that ensures a well information security and risk management plan. The company is now going through a process that evaluate the IS security and risk management technique. It is recommended to follow the below steps that help to understand the risk and create a plan accordingly.

1. Evaluate the scope of the infrastructure and information

The first and the foremost thing that has to be done is to identify the scope that the A. T. Kearney organization has about the information systems which include the hardware and software resources with the data (Hackl et al. 2015). While evaluating the infrastructure like the CRM, legal, billing, and many more, it is important for the critical system to get focus on it.

2. Understanding the threats and vulnerabilities

Hardware Controls

The organization may face various threats based on the industry and geographical location.  A particular vulnerability has exploited successfully through this threat-source. The hardware and software vulnerabilities are listed within the existing environment considering the threats that are both intentional and unintentional. Intentional threats are caused by uploading malicious software or network. As a results, a list of threats can be understandable that are associated to the vulnerabilities.

3. Estimation of the impact

Adverse impact of security events could result in actual potential threat which can be describe with the combination of Availability, Integrity and Confidentiality of the security goals. One can classify it with high as immediate impact, medium as critical business impact and low as limited impact.

4. Determining the risk

The risk of threat or vulnerabilities has determined by exploiting the vulnerability of the threat- source successfully, by the magnitude and the security controls adequacy that mitigate, reduce or eliminate the risk.

The matrix below includes example of threats and their possible impact:

Table 1: IS security risk matrix

This is the final step for every controls. It mitigates or eliminate the risks that has identified the control. It reduces the risk level of the IS environment. This final step is the basic process for the IT security risk evaluation. If the result has shared to the A. T. Kearney organization who is the key decision maker. The professional of IS provide risk mitigation as an option for a business decision.

The role of auditing is a critical measure that ensures the IS integrity (Rezaee et al. 2018). At the initial stage, IS auditing is an extension of traditional auditing. Government entities and Professional organization and association recognized the need of IS auditing. Auditors has realized that the ability of the computer has impacted the attestation function. Computer is the key resources for the business environment which is similar to other business of the organization. Therefore, the need of IS auditing is critical.

Earlier IS auditing were drawn from areas like traditional auditing that provides knowledge practices for internal control. Secondly, IS management providing necessary methodologies for system implementation and successful design. Finally, computer science field provides knowledge that control the concepts, theory, discipline and formal models for the software and hardware design to maintain reliability, integrity and data validity.

For the audit function, IS auditing has become an integral part to support the auditor’s judgment that process a quality information through the computer systems (Kim et al. 2017). Initially, with the skills of IS audit, the auditors resource has technologically viewed for the staff of the audit. For any kind of technical assistance, the audit staff look towards them. There are several types of audit within the IS auditing namely technical IS audits, Organizational IS audits, implementation or development IS audits, application IS audits and compliance IS audits that involves the international or national standards. The role of IT auditor’s assures that controls are adequate and appropriate. The primary role of audit’s provides assurance of reliable and adequate internal controls that are operating in an effective and efficient manner (Mustapha and Lai 2017). Thus, auditors will assure and management will ensure.

Computer Operations Controls

Thus, the profession of IS auditing is to conduct, aims, and qualities characterized by technical standards, have a set of rules that are ethical, and a certification of professional program. Most of the IS auditing professional believe that IS auditor will get better empirical and theoretical knowledge by improving their research and education base on the function of IS audit.

For a number of reason data quality are important in the business and government organization. Providing a high-quality data have a competitive advantage which give a unique source to the business asset. But at the same, satisfaction of the customer gets reduce with poor-quality data. It lowers the employee job satisfaction, and results in loss of process knowledge which leads to excessive turnover. Poor quality data lead to improvements that can breed organizational mistrust. However, with poor-quality data financial condition of any business is impossible to determine. All the levels of government, military needs have high quality data for its operations and counter-terrorism efforts. The local level need high-quality data to assess the residence of individual for the real state tax purposes. In a study it was found that an insurance company could not obtain accurate estimation for its insurance-in-force due the poor-quality data. The consequence leads to miscalculation in the premium income and the loss amount that was required for a future insurance claims.

Thus, to obtain a high-quality data, it is preferable to keep the bad data out from the list of database. To do this, the system edits data to enter into the database or list. The organizations staffs are encouraged for a wide variety of methods and improve the entire process. The next way is to detect the bad data that has already entered proactively into the database. For this, the data analyst will look for data quality problems. The basic understanding needed for such process are, 1) structure of database or list, 2) subject matter and 3) data analyzing methodology. The data that are collected and are used for an authorized person.

Conclusion

Form the above study it has concluded MIS has the better feature with up-to-date information. The organization can see the changes by implementing the MIS model and track the result of the company by analyzing it and ensuring that it has developed as planned. Secondly, IS auditing has become an integral part to support the auditor’s judgment that process a quality information through the computer systems. Finally, it was understood that the Data quality is a key to safeguard and improve the information system. With considerable analysis and experience, the study provides the way to safeguard and improve the data quality. It identifies the high-quality data and has discuss how an organization can obtain it.

Data Security Controls

References

Akyol, B.A., Haack, J.N., Carpenter, B.J., Katipamula, S., Lutes, R.G. and Hernandez, G., 2015. Transaction-based building controls framework, Volume 2: Platform descriptive model and requirements (No. PNNL--24395). Pacific Northwest National Laboratory (PNNL), Richland, WA (United States).

Arvidsson, V., Holmström, J. and Lyytinen, K., 2014. Information systems use as strategy practice: A multi-dimensional view of strategic information system implementation and use. The Journal of Strategic Information Systems, 23(1), pp.45-61.

Dwivedi, Y.K., Wastell, D., Laumer, S., Henriksen, H.Z., Myers, M.D., Bunker, D., Elbanna, A., Ravishankar, M.N. and Srivastava, S.C., 2015. Research on information systems failures and successes: Status update and future directions. Information Systems Frontiers, 17(1), pp.143-157.

Fuggetta, A. and Di Nitto, E., 2014, May. Software process. In Proceedings of the on Future of Software Engineering (pp. 1-12). ACM.

Hackl, J., Adey, B., Heitzler, M. and Iosifescu-Enescu, I., 2015. An overarching risk assessment process to evaluate the risks associated with infrastructure networks due to natural hazards. International Journal of Performability Engineering, 11(2), pp.153-168.

Hu, Y., 2016. Design and Implementation of Recruitment Management System Based on Analysis of Advantages and Disadvantages of PHP Three-Tier. Romanian Review Precision Mechanics, Optics & Mechatronics, (49), p.74.

Khansa, L., Kuem, J., Siponen, M. and Kim, S.S., 2017. To cyberloaf or not to cyberloaf: The impact of the announcement of formal organizational controls. Journal of Management Information Systems, 34(1), pp.141-176.

Kim, S.L., Teo, T.S., Bhattacherjee, A. and Nam, K., 2017. IS auditor characteristics, audit process variables, and IS audit satisfaction: An empirical study in South Korea. Information Systems Frontiers, 19(3), pp.577-591.

Kim, S.Y., Kim, M.H. and Park, M.G., 2015. A Study on the Information Security Control and Management Process in Mobile Banking Systems. Journal of the Korean Multimedia Society, 18(2), pp.218-232.

Leveson, N., 2015. A systems approach to risk management through leading safety indicators. Reliability Engineering & System Safety, 136, pp.17-34.

Mattos, D.M.F. and Duarte, O.C.M.B., 2016. AuthFlow: authentication and access control mechanism for software defined networking. Annals of Telecommunications, 71(11-12), pp.607-615.

Mustapha, M. and Lai, S.J., 2017. Information Technology in Audit Processes: An Empirical Evidence from Malaysian Audit Firms. International Review of Management and Marketing, 7(2), pp.53-59.

Peter, S., Li, J., Zhang, I., Ports, D.R., Woos, D., Krishnamurthy, A., Anderson, T. and Roscoe, T., 2016. Arrakis: The operating system is the control plane. ACM Transactions on Computer Systems (TOCS), 33(4), p.11.

Rezaee, Z., Sharbatoghlie, A., Elam, R. and McMickle, P.L., 2018. Continuous auditing: Building automated auditing capability. In Continuous Auditing: Theory and Application (pp. 169-190). Emerald Publishing Limited.

Sundaram, A., 2017. Understanding and Protecting Yourself against Threats in the Internet. Asian Social Science, 13(12), p.201.

Wonham, W.M., 2015. Supervisory control of discrete-event systems. Encyclopedia of Systems and Control, pp.1396-1404.