Types Of Information System Control

Overview of IS Controls

The term information system can be defined as the study of systems with special reference to networks of hardware, software and information utilized by organizations and people for collecting, filtering, processing, creating and distributing data (Falkenberg, Hesse & Olive, 2016). To ensure that information systems perform in accordance with management standards, certain manual and automated measures are used. Information resources are protected with the help of controls, which are a set of methods, policies and organizational procedures. These controls play an important role in ensuring that the operations of the organization adhere to management standards. Moreover, these controls ensure that the accounting records are accurate and reliable, and that the operational assets are safe (Webb, Ahmad, Maynard & Shanks, 2014). This essay focuses on the types of information system control and analyzes the difference between general management control and application control. It also highlights certain security and risk management techniques which can be utilized for ensuring availability, reliability, confidentiality, integrity and security of digital business processes. Furthermore, this essay explains how auditing supports data quality.

In earlier days, information system controls were not so popular and were addressed only before system installation. Nowadays, dependency on such controls for information systems has increased, which requires vulnerabilities and threats to be identified in advance. Information system controls are the most important aspect of the design of the system, so adequate attention must be given to these controls throughout the system's lifespan (Tsohou, Karyda, Kokolakis & Kiountouzis, 2015).

There are two types of information system controls, namely general controls and application controls. General controls are responsible for managing the security of data files across the entire organization along with regulating the design, security and use of different computer programs. In other words, general controls aim at creating a complete control environment by using a mixture of system software and certain manual procedures (Soomro, Shah & Ahmed, 2016). These general controls apply to every computerized application. General controls include data security controls, software controls, computer operations controls, implementation process controls, administrative controls and physical hardware controls. Different types of general controls perform different functions, such as controlling the data centre and network operations, protecting computers from fraudulent actions, ensuring file security, and securing the efficiency of equipment, assets or property.

Application controls, by contrast, cannot be applied generally to every computerized application; each must be unique to its application. In other words, application controls are specific to individual applications such as payroll, accounts receivable and order processing. Application controls include input, output and processing controls, each of which performs a different function (Sadgrove, 2016). Input controls assure the accuracy, validity and completeness of the information being processed by the computer. Similarly, output controls ensure the accuracy, validity and completeness of computer-generated data. Processing controls manage the data that is input into the computer by ensuring that it is processed accurately. Beyond these, some other application controls regulate the information that belongs to the master file.

General Controls

When these two types of information system controls are compared, it can be concluded that the functions they perform are different but that both are ultimately responsible for controlling the computer systems. The difference lies in the fact that general controls can be applied in almost every organizational area while application controls are specific to each application. Another difference is in the objectives of the two types of control. General control ensures the integrity of computer operations and data programs along with proper application implementation and development. Application control, on the other hand, ensures information completeness, maintenance, accuracy and validity along with providing timely updates (White, Fisch & Pooch, 2017).

The need for setting up security and risk management techniques has increased due to the digitalization of business processes. Such techniques are capable of ensuring the integrity, confidentiality, security and reliability of such processes. Management of risk plays an integral part in digital business processes. The risk management process allows potential risks and threats to information resources to be identified in advance so that proper action can be taken before they actually affect those resources (Rahman, Islam & Ameer, 2015). Risk management also assists the organization in achieving its goals and enhances its decision-making capabilities regarding countermeasures which can reduce the level of risk to the information resources. With the help of risk management techniques, risk is not eliminated but is reduced to an acceptable level such that the operational activities of the organization are not affected. Security and risk management techniques can identify the risks to information, assets and people and can also provide the required protection by reducing or removing those risks, along with effectively accepting responsibility for the risk that remains untreatable. Such techniques determine in advance the risk tolerance level of the organization, which is kept in mind throughout the process of risk management (Nazareth & Choi, 2015). Security risk management can be effectively undertaken only when it is undertaken by the entire organization through all the staff members. The technique should be developed by the business after properly understanding the current business conditions of the organization and by considering the risk profile and appetite of the organization. The technique should also involve a descriptive annual plan and should adequately identify the capabilities on the basis of input and management guidance (Jang & Kim, 2016).

Cryptography is the most common method used to support the confidentiality and integrity of data. By enforcing file permissions and access control lists, the confidentiality of the data is protected and sensitive information is secured from any kind of unauthorized access. Hashing of data is also a commonly used technique for protecting the integrity of data (Lee, 2014). When data is signed digitally, certain techniques can be used so that it remains secured. Encryption can also be used for protecting data confidentiality. Encrypting the data ensures that it is not accessed by unauthorized individuals and can be read only by the person who has the key for decrypting it. Security of the data can be ensured, and the data protected from potential risks, when site backups are taken on a timely basis. This ensures that backup data is available even when the system or hard drive suffers damage. Such backups should also be made available at some off-site location so that damage to the primary data does not affect the operations and functioning of the organization (Feng, Wang & Li, 2014).
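The hashing and off-site backup points above can be combined into one integrity check. The following is an added example, not part of the original essay: it records a SHA-256 digest per file, protects the digest list with an HMAC, and verifies an off-site copy against it. The function names, file names and key are constructed for illustration.

```python
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):  # chunked: large files
            h.update(chunk)
    return h.hexdigest()


def manifest_mac(files: dict, key: bytes) -> str:
    # Canonical JSON (sorted keys) so one file set always gives one MAC.
    blob = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    files = {p.relative_to(root).as_posix(): file_digest(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"files": files, "mac": manifest_mac(files, key)}


def verify_backup(backup_root: Path, manifest: dict, key: bytes) -> dict:
    report = {"manifest_ok": False, "modified": [], "missing": [], "unexpected": []}
    # A bare hash list can be rewritten by whoever alters the backup;
    # the keyed MAC over the list cannot be recomputed without the key.
    expected = manifest_mac(manifest["files"], key)
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        return report
    report["manifest_ok"] = True
    present = {p.relative_to(backup_root).as_posix()
               for p in backup_root.rglob("*") if p.is_file()}
    for name, digest in manifest["files"].items():
        if name not in present:
            report["missing"].append(name)
        elif file_digest(backup_root / name) != digest:
            report["modified"].append(name)
    report["unexpected"] = sorted(present - set(manifest["files"]))
    return report


def demo() -> dict:
    key = b"constructed-demo-key"  # constructed; keep the real key off the backup site
    with tempfile.TemporaryDirectory() as tmp:
        primary, offsite = Path(tmp, "primary"), Path(tmp, "offsite")
        (primary / "hr").mkdir(parents=True)
        (primary / "ledger.csv").write_text("id,amount\n1,100.00\n")
        (primary / "hr" / "payroll.csv").write_text("emp,net\n17,2100\n")
        (primary / "notes.txt").write_text("quarter close\n")
        manifest = build_manifest(primary, key)
        shutil.copytree(primary, offsite)
        clean = verify_backup(offsite, manifest, key)
        (offsite / "ledger.csv").write_text("id,amount\n1,900.00\n")  # altered
        (offsite / "notes.txt").unlink()                               # lost
        damaged = verify_backup(offsite, manifest, key)
        # Manifest edited to match the altered file, without knowing the key.
        files = {**manifest["files"], "ledger.csv": file_digest(offsite / "ledger.csv")}
        forged = verify_backup(offsite, {"files": files, "mac": manifest["mac"]}, key)
    return {"clean": clean, "damaged": damaged, "forged": forged}
```

Calling `demo()` returns three reports: a clean copy, a copy with one altered and one missing file, and a manifest rewritten to hide the alteration, which fails the MAC check.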

Application Controls

Employee behavior plays a key role in establishing an information security culture within an organization; therefore, the organization should aim at bringing about the required changes in that behavior. Certain steps must be followed to establish an information security culture in an organization, including proper evaluation, operative and strategic planning, implementation and post-evaluation. In most organizations, risk management is considered an enterprise-wide issue where every individual working with the organization, including the leaders, is accountable for the security of the data (Mayer, Grandry, Feltus & Goettelmann, 2015). Every individual also has their own role within which they have to ensure that security risk is being properly managed. To achieve this, proper training must be provided to every individual working with the organization so that they understand the manner in which the security goals can be achieved. Furthermore, data quality will automatically improve when it is audited by an IS auditor on a yearly or half-yearly basis (Bulgurcu, Cavusoglu & Benbasat, 2010).

Auditing is very important for enhancing the quality of data as it covers every aspect of the information system by way of inspection. When the IS auditor completes the audit process, the chances of errors in the system are reduced to a minimum and the data quality is improved. However, this is achieved only after following a long process. First, an audit approach is selected, which is followed throughout the audit process to maintain harmony in the results. The audit approach is selected by keeping in mind the given situation and the requirements of the audit process. The audit process involves many activities, such as interviewing the important individuals, visiting the data center and different branches, establishing the audit criteria, etc. These points are also included in the documentation prepared for the purpose and assist in identifying the high-risk areas (Dreyfuss & Giat, 2016). Furthermore, the information sources on which the audit report will be based must be identified. Such information sources include past audit reports of the organization, system flows, network maps, etc. Then the risk assessment is performed with regard to the purpose of the business and the environment in which the operations of the business take place. The IS auditor then documents each risk along with its expected outcome, probable occurrence, nature and the controls which can assist in effectively addressing it. The scope of the final audit is determined on the basis of the risk assessment results, the internal controls currently in use and the objectives of the audit. These results are then combined with strategies with the help of which the audit objectives will be achieved. Therefore, audit helps in determining any problems faced by the data of the system and allows the required steps to be taken to address such problems on time (Bamakan & Dehghanimohammadabadi, 2015).

Comparison between General and Application Controls

In simple words, audit enhances the quality of data possessed by the system by identifying and eliminating all outdated information and identifying risks to its security on time. This allows an organization to save a large amount of funds and to focus on offering a greater level of satisfaction to its customers. Ultimately, the financial performance of the organization in the market also improves. Information system audit, therefore, assists in minimizing duplication of data and identifies any threats to its security in advance. Therefore, data quality is improved when its confidentiality, integrity and accuracy are ensured (Dubois, Heymans, Mayer & Matulevicius, 2010).

Therefore, it can be concluded that information system controls play the most essential role in safeguarding information resources. Controls ensure that the operations of the organization adhere to management standards. Moreover, they also ensure that the accounting records are accurate and reliable, and that the operational assets are safe. General management controls and application controls are responsible for effectively controlling the computer systems. The focus of this assignment was on the types of information system controls, i.e. general controls and application controls, along with a comparison between them. Moreover, the essay highlighted certain security and risk management techniques which can be utilized for ensuring availability, reliability, confidentiality, integrity and security of digital business processes. Furthermore, the essay demonstrated how data quality is improved by audit. Data quality can be ensured through early identification of data problems such as duplications, which allows the needed steps to be taken on time.

References

Bamakan, S. M. H., & Dehghanimohammadabadi, M. (2015). A weighted Monte Carlo simulation approach to risk assessment of information security management system. International Journal of Enterprise Information Systems (IJEIS), 11(4), 63-78.

Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS quarterly, 34(3), 523-548.

Dreyfuss, M., & Giat, Y. (2016). Identifying security risk modules in a university’s information system. In Proceedings of Informing Science & IT Education Conference (Vol. 2016, pp. 41-51).

Dubois, E., Heymans, P., Mayer, N., & Matulevicius, R. (2010). A systematic approach to define the domain of information system security risk management. In Intentional Perspectives on Information Systems Engineering (pp. 289-306). Springer, Berlin, Heidelberg.

Falkenberg, E. D., Hesse, W., & Olive, A. (2016). Information System Concepts: Towards a consolidation of views. Springer.

Feng, N., Wang, H. J., & Li, M. (2014). A security risk analysis model for information systems: Causal relationships of risk factors and vulnerability propagation analysis. Information sciences, 256, 57-73.

Jang, J. Y., & Kim, C. N. (2016). An Analysis of the Effects of Knowledge Complementarities on the Performance of Information System Audit: A Perspective of the Resident Audit in the Project Office. Journal of the Korea society of IT services, 15(1), 113-129.

Lee, M. C. (2014). Information security risk analysis methods and research trends: AHP and fuzzy comprehensive method. International Journal of Computer Science & Information Technology, 6(1), 29.

Mayer, N., Grandry, E., Feltus, C., & Goettelmann, E. (2015). Towards the ENTRI framework: security risk management enhanced by the use of enterprise architectures. In International Conference on Advanced Information Systems Engineering (pp. 459-469). Springer, Cham.

Nazareth, D. L., & Choi, J. (2015). A system dynamics model for information security management. Information & Management, 52(1), 123-134.

Rahman, A. A. L. A., Islam, S., & Ameer, A. N. (2015). Measuring sustainability for an effective information system audit from public organization perspective. In Research Challenges in Information Science (RCIS), 2015 IEEE 9th International Conference on (pp. 42-51). IEEE.

Sadgrove, K. (2016). The complete guide to business risk management. Routledge.

Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), 215-225.

Tsohou, A., Karyda, M., Kokolakis, S., & Kiountouzis, E. (2015). Managing the introduction of information security awareness programmes in organisations. European Journal of Information Systems, 24(1), 38-58.

Webb, J., Ahmad, A., Maynard, S. B., & Shanks, G. (2014). A situation awareness model for information security risk management. Computers & security, 44, 1-15.

White, G. B., Fisch, E. A., & Pooch, U. W. (2017). Computer system and network security. CRC press.
