354 Part III • Acquiring Information Systems
govern each process and on the usability and adequacy of all data inputs and information outputs. The builders of the system are usually not the same persons who will use the system and conduct the organizational tasks being supported by the information system, so the builders have to be told explicitly what to build. (Alternatively, as we will see in Chapter 10, these specifications are necessary to evaluate possible purchased solutions, as well.) New regulations such as the Sarbanes-Oxley Act (SOX) or Basel II require that systems and system changes be thoroughly documented so that transparency and controls are in place that will allow executives to sign financial statements and stay out of jail! The design documentation also makes subsequent design work more efficient, just as having blueprints of a home makes it easier to build an addition by knowing the capacity of the furnace to support the added space, where the plumbing and wiring might be in a wall to be exposed, and what building codes have to be followed. Fortunately, managers will be asked to review specifics of the diagrams and documentation, not all of the gory details. But the diagrams are shared by the many business and technical people working on a systems development project, so they have many uses and must have much detail.
Information Systems Controls to Minimize Business Risks
Suppose you and your partner with whom you have a joint savings account separately go to the bank one day to withdraw the same $500 in savings. Or suppose an inventory clerk enters a wrong part number to record the issue of an item from the storeroom, which results in an out-of-stock status, which automatically generates a purchase order to a supplier, who then begins production, and so on. These situations illustrate just some of the ways in which potential human errors when interacting with information systems can create business risks. However, they are only a small part of the potential risks associated with the use of IT.
Other common system security risks include the following: (1) risks from criminal acts, (2) risks due to staffing changes and project management deficiencies, and (3) risks from natural disasters. All these risks have the potential for not only dissatisfied customers but also considerable business expenses for error correction. There is also the risk of potential losses due to lawsuits and negative publicity, which even the world’s largest software vendors don’t want to receive (see the box entitled “Regaining Customer Trust at Microsoft”).
Because of the importance of this subject, elsewhere in this textbook we will also provide discussions of potential IT-related business risks and how to manage them. For example, in Chapter 11 we provide some guidelines for managing the risks of IT projects, and in Chapter 14 we discuss information security issues to help ensure compliance with the Sarbanes-Oxley (SOX) Act and other recent laws.
What is your data quality ROI? No, we don’t mean return on investment. Rather, we mean risk of incarceration. According to Yugay and Klimchenko (2004), “The key to achieving SOX (Sarbanes-Oxley) compliance lies within IT, which is ultimately the single resource capable of responding to the charge to create effective reporting mechanisms, provide necessary data integration and management systems, ensure data quality and deliver the required information on time.” Poor data quality can put executives in jail. Specifically, various sections of the SOX act yield requirements for organizations to measure and
Regaining Customer Trust at Microsoft
Computer users worldwide raced to protect themselves from a malicious electronic “worm” designed to allow hackers to gain access to infected PCs. Whatever the origin of the worm, one thing is clear: The outbreak increases pressure on Microsoft to make its Windows software more reliable and secure. In 2002, Bill Gates launched an initiative, called “Trustworthy Computing,” to change the way the company designs and builds software. Among other actions, Microsoft added 10 weeks of training for 8,500 of its software engineers. The company also reportedly spent more than $200 million in 2002 to improve the security of its Windows program for corporate servers.

But experts give Microsoft mixed grades for its follow-through, saying the company hasn’t changed its methods enough to avoid the kinds of flaws that make attacks by viruses and worms possible in the first place. Ultimately, that could hurt Microsoft where it matters most—in the corporate wallet.

[Based on Guth and Bank, 2003]