Summary
Systems thinking is a hallmark of good management in
general. Systems thinking is also core to many basic
concepts on which modern information systems are
defined, constructed, and implemented. Three systems
characteristics especially important for IS work are determining
the system boundary, component decomposition,
and designing system interfaces.
This chapter also introduced a generic life-cycle
model for software systems as well as some of the processes
and techniques for systems analysis and design used by
IS professionals for developing software. Procedurally
oriented techniques for structured system development
include notation systems for modeling processes and data
separately. Object-oriented (O-O) techniques, including a
new modeling language (UML), have become more
prevalent as newer software applications have required
graphical user interfaces, multimedia data, and support for
“real-time” transactions. O-O approaches will also be
important in the development of Web services. Common
IS control mechanisms to minimize business risks due to
internal and external threats are described; many of these
controls need to be identified with the help of business
managers and then addressed during the development and
maintenance of an information system.
Review Questions
358 Part III • Acquiring Information Systems
1. Define the term system. Give an example of a business
system and use a context diagram to show its boundary,
environment, inputs, and outputs.
2. Define the term subsystem. Give an example of a business
subsystem, and identify some subsystems with which it relates.
3. What are the seven key elements of a system, and what role
does each element play in describing a system?
4. What happens at the point where two systems interact?
5. Explain the first two principles of systems analysis and
design.
computer systems are working. One approach is to provide
redundant systems and operations that “mirror” the
production system and data located at a distant facility. This
improves the chances of an effective recovery from a
widespread power or network outage or a natural disaster. If
data recovery processing via another location is immediately
available, these locations are known as “hot sites.”
Managers and IS professionals together need to
determine how frequently backup copies are needed, the
business cost of recovering files from backup copies, and
how much should be spent on specialized backup
resources. As with any security procedure, the ongoing
backup and recovery costs need to be in line with the
potential organizational benefits and risks.
AUDITING ROLES Critical business processes are
subject to periodic formal audits to assure that the
processes operate within parameters. Such audits may be
part of the annual accounting audit for a publicly traded
company or part of activities to show compliance with
financial reporting regulations like Sarbanes-Oxley and
Basel II, or with health-care regulations such as HIPAA.
As more and more organizations have become dependent
on information systems in order to operate their
business, the importance of IS auditing has increased.
IS auditing is still frequently referred to as EDP
auditing—a name chosen when the term electronic data
processing was used to refer to computer operations.
EDP auditors use a variety of methods to ensure the
correct processing of data, including compliance tests,
statistical sampling, and embedded auditing methods.
Compliance tests check that systems builders use
high-quality systems development procedures that lead to
properly functioning systems. Statistical sampling of a
portion of databases can identify abnormalities that indicate
systematic problems or security breaches. Embedded
auditing methods include reporting triggers programmed
into a system that are activated by certain processing
events. The flagged records are then analyzed to determine
if errors or security breaches are occurring in the system.
The most commonly used EDP auditing technique in
the past has been an audit trail. Audit trails trace transactions
from the time of input through all the processes and
reports in which the transaction data are used. Audit trail
records typically include program names, user name or user
ID, input location and date/time stamps, as well as the
transaction itself. An audit trail can help identify where errors are
introduced or where security breaches might have occurred.
Managers need to participate in the identification of
elements that should be captured in the audit trail to detect
errors and assure compliance with all relevant laws and
regulations. Furthermore, the frequency and extent of
formal information system auditing is a management
decision that should take into account the system’s breadth
and role, its relationship to other business processes, and
the potential risks to the firm.
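The audit trail and embedded auditing triggers described above can be sketched in a few lines of Python. This is an added example, not code from the chapter: the record fields follow the chapter's list, while the class names, the two trigger rules, their thresholds, and the sample transactions are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AuditRecord:                      # fields the chapter lists for an audit trail
    program: str
    user_id: str
    location: str
    timestamp: datetime
    txn_id: str
    txn: dict

# Embedded audit triggers (constructed rules): each fires on a processing event.
TRIGGERS = {
    "large_amount": lambda r: r.txn["amount"] >= 10_000,
    "after_hours":  lambda r: not 8 <= r.timestamp.hour < 18,
}

class AuditTrail:
    def __init__(self, triggers=TRIGGERS):
        self.records, self.flagged, self.triggers = [], [], triggers

    def log(self, program, user_id, location, when, txn_id, txn):
        rec = AuditRecord(program, user_id, location, when, txn_id, dict(txn))
        self.records.append(rec)
        # Flag the record for later analysis if any trigger fires.
        self.flagged += [(n, rec) for n, fires in self.triggers.items() if fires(rec)]
        return rec

    def trace(self, txn_id):
        """Every record for one transaction, from input onward, in time order."""
        hits = (r for r in self.records if r.txn_id == txn_id)
        return sorted(hits, key=lambda r: r.timestamp)

    def first_change(self, txn_id, key):
        """First record whose txn[key] differs from the preceding step, or None."""
        steps = self.trace(txn_id)
        for prev, cur in zip(steps, steps[1:]):
            if cur.txn[key] != prev.txn[key]:
                return cur
        return None

def build_sample_trail():
    """Constructed sample data: T-1001 is altered at invoicing; T-1002 trips both triggers."""
    trail = AuditTrail()
    day = lambda h, m: datetime(2024, 3, 4, h, m)
    trail.log("order_entry", "u102", "branch-07", day(9, 5), "T-1001", {"amount": 250})
    trail.log("pricing", "batch", "hq", day(9, 6), "T-1001", {"amount": 250})
    trail.log("invoicing", "batch", "hq", day(9, 9), "T-1001", {"amount": 2500})
    trail.log("order_entry", "u417", "branch-02", day(23, 15), "T-1002", {"amount": 12000})
    return trail
```

Calling `build_sample_trail().first_change("T-1001", "amount")` returns the invoicing record, which is the step where the amount stopped matching what was entered.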