Chapter 8 • Basic Systems Concepts and Tools 355improve metadata quality; ensure data security; measure
and improve data accessibility and ease of use; measure
and improve data availability, timeliness, and relevance;
measure and improve accuracy, completeness, and
understandability of general ledger data; and identify and
eliminate duplicates and data inconsistencies.
Here we discuss some of the management controls to
address risks that are specifically associated with the three
phases of the software life cycle. Although the security and
reliability issues will differ somewhat due to the nature of
the software application, this list of control mechanisms
provide a starting point for understanding the role of the IS
professional (including project managers, analysts, and
programmers) in helping to ensure that business risks have
been accounted for. However, the identification of
potential control risks is to a large extent a business
manager’s responsibility.
First we describe different types of control mecha-
nisms that need to be considered. Then we describe
specific examples of control mechanisms for error
detection, prevention, and correction that need to be
addressed during the three life-cycle phases (i.e.,
Definition, Construction, and Implementation). Although
these “proven” mechanisms are recommended responses,
both business and IS managers also need to recognize that
when new information technologies are introduced they
likely will also introduce new control risks.
Types of Control Mechanisms
Control mechanisms include management policies,
operating procedures, and the auditing function. Some
aspects of control can be built into an information system
itself, whereas others are the result of day-to-day business
practices and management decisions. Information system
controls, for example, are needed to maintain data
integrity, allow only authorized access, ensure proper
system operation, and protect against malfunctions,
power outages, and disasters. Throughout the systems
development process, the needs for specific controls are
identified and control mechanisms are developed to
address these needs. Some mechanisms are implemented
during the system design, coding, or implementation.
Others become part of the routine operation of the system,
such as backups and authorization security, and still others
involve the use of manual business practices and manage-
ment policies, such as formal system audits. Figure 8.24
shows some of the control approaches usually employed in
the indicated phases of the system’s life cycle.
Security controls related to the technology infrastruc-
ture—such as backup power supplies, network access
control, and firewall protection—are typically the purview of
the IS organization. In addition, IS developers will include
some standard controls in all applications. However, specify-
ing checks and balances to ensure accurate data entry and
handling is a business manager’s responsibility. Managers
must carefully identify what are valid data, what errors might
be made while handling data, what nontechnical security
risks are present, and what potential business losses could
result from inaccurate or lost data.
Some new technologies, such as advanced software
tools for system testing, have improved an organization’s
control processes, whereas other new technologies (such as
Web applications) have introduced new control risks. The
increase in distributed computing applications over the past
two decades in general has significantly increased a company’s
reliance on network transmission of data and software—
which requires additional technical and managerial controls
(Hart and Rosenberg, 1995). Next we discuss only some of
the most common control mechanisms that apply to a wide
range of application development situations.Controls in the Definition and Construction Phases
In the initial two phases of the system’s life cycle, the accurate
and reliable performance of the system can be assured by the
use of standards, embedded controls, and thorough testing.Life-Cycle Phase Control Mechanism- Methodology Standards
- Validation Rules and Calculations
- System Testing
- Security
- Backup and Recovery
- Auditing Roles
Definition and ConstructionImplementationFIGURE 8.24 Pre- and Post-Installation Controls