General Management Control vs Application Controls
A well-designed set of controls is required to protect information resources. Information systems can be safeguarded by a combination of automated and manual measures, which also ensure that they perform in accordance with management standards. Controls comprise all the policies, methods and organizational procedures that ensure the reliability and accuracy of accounting records, the safety of organizational assets and operational adherence to management standards. Earlier, control of an information system was addressed only after implementation had ended and before the system was installed.
However, with the passage of time, dependency on information systems has increased to a great extent, which in turn has made it necessary to identify threats and vulnerabilities as early as possible (Peltier, 2016). Control of an information system is considered the most essential part of its design, and the builders and users of a system are required to pay close attention to controls throughout its life span.
This essay focuses on the types of information system control and analyses the difference between general management controls and application controls. It also evaluates the security and risk management techniques needed to ensure the confidentiality, reliability, integrity, availability and security of digital business processes. Finally, the essay demonstrates how data quality can be supported by auditing.
Computer systems are controlled by a combination of general and application controls. General controls can be defined as those controls that govern the security, design and use of computer programs and the security of data files throughout the organization. In other words, general controls consist of a combination of manual procedures and system software that together create an overall control environment and are applied to all computerized applications.
Application controls, on the other hand, are the specific controls, such as those over accounts receivable, payroll and order processing, that are unique to each computerized application. They comprise both controls applied through programmed procedures and controls applied by the user functional area of a specific system (Nazareth & Choi, 2015).
General controls include software controls, controls over the system implementation process, computer operations controls, physical hardware controls, administrative controls and data security controls. Application controls, on the other hand, include input controls, processing controls and output controls. There are different types of general controls.
Some control network operations and the data centre, which hold the system's main data storage, while others govern access security and protect the computer from fraudulent actions. Some general controls secure the efficient use of assets, equipment or property, while others secure files so that their contents remain reliable and properly authenticated (Safa, Von Solms & Furnell, 2016).
Types of Application Controls
As far as application controls are concerned, input controls are designed to assure the validity, completeness and accuracy of the information processed by the computer. Processing controls are designed to assure that the data input into the system is processed accurately. Output controls assure the accuracy, validity and completeness of the data generated by the computer. Some application controls also govern the information held in master files (Webb, Ahmad, Maynard & Shanks, 2014).
Comparing general management controls with application controls therefore shows that general controls apply to all areas of the organization, including support services and IT infrastructure. Their objective is to ensure the proper development and implementation of applications along with the integrity of data files, programs and computer operations. Application controls, on the other hand, relate to the data and transactions of each computer-based application system and are specific to every application. Their objective is to ensure the accuracy, validity, maintenance and completeness of information, and that it is updated from time to time (Mayer, Aubert, Grandry & Feltus, 2016).
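The three application control types described above can be made concrete with a small batch payroll routine. The following is an added example written for this essay, not code from the essay or from any of the cited sources; the payroll records, the 6-digit employee ID format, the 0-80 hour limit, the rate limit and the batch control totals are all constructed assumptions. It shows an input control (completeness, format and limit checks on each record), a processing control (reconciling the batch against control totals declared by the submitting department, so rejected or altered records surface as exceptions) and an output control (the payment file must contain one line per processed record with a reproducible total).

```python
"""Input, processing and output controls applied to a payroll batch.

Added example, not taken from the essay or any cited source. The batch
records, the 6-digit employee ID format, the 0-80 hour limit and the control
totals are constructed assumptions used to illustrate the three control types.
"""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


@dataclass(frozen=True)
class PayRecord:
    employee_id: str
    hours: Decimal
    rate: Decimal


def validate_input(rec: dict) -> list:
    """Input control: completeness, format and limit checks on one record."""
    errors = []
    for name in ("employee_id", "hours", "rate"):
        if rec.get(name) in (None, ""):
            errors.append(f"missing {name}")            # completeness
    if errors:
        return errors
    if not (rec["employee_id"].isdigit() and len(rec["employee_id"]) == 6):
        errors.append("employee_id must be 6 digits")   # format / validity
    try:
        hours, rate = Decimal(rec["hours"]), Decimal(rec["rate"])
    except (InvalidOperation, TypeError, ValueError):
        return errors + ["hours and rate must be numeric"]
    if not Decimal("0") <= hours <= Decimal("80"):
        errors.append("hours outside limit 0-80")       # reasonableness limit
    if not Decimal("0") < rate <= Decimal("500"):
        errors.append("rate outside limit 0-500")
    return errors


def run_payroll(raw_records: list, declared_totals: dict) -> dict:
    """Apply input, processing and output controls; return payments plus exceptions."""
    accepted, exceptions = [], []
    for index, rec in enumerate(raw_records):
        errors = validate_input(rec)
        if errors:
            exceptions.append(f"input, record {index}: " + "; ".join(errors))
            continue
        accepted.append(PayRecord(rec["employee_id"],
                                  Decimal(rec["hours"]), Decimal(rec["rate"])))

    # Processing control: control totals prepared by the submitting department
    # are reconciled against what actually reached processing, so lost,
    # rejected or altered records show up as exceptions.
    computed = {
        "record_count": len(accepted),
        # hash total: a meaningless sum of IDs used purely for reconciliation
        "hash_total": sum(int(r.employee_id) for r in accepted),
        "total_hours": sum((r.hours for r in accepted), Decimal("0")),
    }
    for name, declared in declared_totals.items():
        if computed[name] != declared:
            exceptions.append(f"processing, {name}: declared {declared}, computed {computed[name]}")

    # Output control: one payment line per processed record, total reproducible
    # from the lines themselves.
    paid = [(r.employee_id, (r.hours * r.rate).quantize(Decimal("0.01"))) for r in accepted]
    gross_total = sum((amount for _, amount in paid), Decimal("0"))
    if len(paid) != computed["record_count"]:
        exceptions.append("output: line count differs from processed record count")
    return {"paid": paid, "gross_total": gross_total, "exceptions": exceptions}


# Constructed sample batch: record 1 exceeds the hour limit, record 3 has a malformed ID.
SAMPLE_BATCH = [
    {"employee_id": "100234", "hours": "40", "rate": "25.50"},
    {"employee_id": "100235", "hours": "120", "rate": "30.00"},
    {"employee_id": "100236", "hours": "35.5", "rate": "20.00"},
    {"employee_id": "10023", "hours": "40", "rate": "22.00"},
]
# Totals the submitting department computed over all four records.
DECLARED_TOTALS = {"record_count": 4, "hash_total": 310728, "total_hours": Decimal("235.5")}
# Totals that match the two valid records exactly.
CLEAN_TOTALS = {"record_count": 2, "hash_total": 200470, "total_hours": Decimal("75.5")}

if __name__ == "__main__":
    result = run_payroll(SAMPLE_BATCH, DECLARED_TOTALS)
    print("gross total:", result["gross_total"])
    for line in result["exceptions"]:
        print("EXCEPTION", line)
```

Run against the sample batch, the routine pays the two valid records (gross total 1730.00) and raises five exceptions: two from the input control and three from the processing control, because the declared totals no longer match once the invalid records are dropped. The same batch with only its valid records and matching totals produces no exceptions.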
Security and Risk Management Techniques
With the digitalization of business processes, there is a greater need for security and risk management techniques that can ensure the confidentiality, reliability, security and integrity of those processes. Risk management can be defined as the process that assists in identifying the threats and vulnerabilities to the information resources an organization uses to achieve its business objectives. The process further helps in deciding which countermeasures can be used to reduce the risk to an acceptable level, based on the value of the information resource to the business (Aven, 2016).
The techniques adopted should be capable of identifying the specific risks to information, people and assets, the level of risk the business is prepared to tolerate, the appropriate protection for reducing or removing those risks, and the responsibility that must be accepted for the residual risk that remains untreated (Dashti, Giorgini & Paja, 2017). The technique adopted should establish that security risk management is the business of each and every member of staff and should be undertaken as part of day-to-day business.
The technique should involve a security risk management process that is systematic and logical and that takes into account changes in the threat environment through continuous monitoring. It should also make the adjustments required to maintain an acceptable level of risk and a balance between security and operational needs (Agrawal, Campoe & Pierce, 2014).
Data integrity and confidentiality can be ensured with the help of cryptography. Other methods commonly used to protect data integrity include hashing the data received and comparing it with the hash of the original message. Existing schemes such as GPG can also be used to digitally sign the data. The confidentiality of data can be ensured through the enforcement of access control lists and file permissions so that access to sensitive information is restricted (Alles, Brennan, Kogan & Vasarhelyi, 2018).
Confidentiality can also be protected by encrypting data, so that the information can be read only by the right people. Moreover, availability of data can be ensured through backups. Site backups can be taken from time to time and used when a hard drive suffers damage. Organizations should also have an off-site location where data is stored so that it is ready to be restored in case any damage occurs to the primary data (Soomro, Shah & Ahmed, 2016).
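The integrity, access-restriction and backup controls named in the two paragraphs above can be demonstrated together. The following is an added example, not code from the essay or its sources, and it uses only the Python standard library: hash comparison detects a tampered record, a keyed signature rejects a forged one, file permissions are tightened to owner-only and then checked, and a copy to a second location is verified byte-for-byte before it is trusted as a backup. Because GPG is not available offline, the signing step uses an HMAC with a shared secret as a stand-in for GPG's public-key signature; the record, the key and the file names are constructed for the example.

```python
"""Integrity, confidentiality and availability controls with the standard library.

Added example, not from the essay or its cited sources. HMAC-SHA256 stands in
for the GPG signature mentioned in the text (symmetric key instead of a key
pair); the sample record, key and file names are constructed.
"""
import hashlib
import hmac
import os
import shutil
import stat
import tempfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_intact(received: bytes, expected_hash: str) -> bool:
    """Integrity control: hash what arrived and compare with the sender's hash."""
    # constant-time comparison so the check itself leaks nothing about the digest
    return hmac.compare_digest(sha256_hex(received), expected_hash)


def sign(data: bytes, key: bytes) -> str:
    """Keyed signature (HMAC) standing in for a GPG signature."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_signature(data: bytes, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign(data, key), signature)


def restrict_permissions(path: str) -> None:
    """Confidentiality control: owner read/write only, nothing for group or others."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def is_group_or_world_readable(path: str) -> bool:
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def backup_and_verify(primary: str, backup_dir: str) -> bool:
    """Availability control: copy to a second location and prove the copy is identical."""
    dest = os.path.join(backup_dir, os.path.basename(primary))
    shutil.copy2(primary, dest)
    with open(primary, "rb") as src, open(dest, "rb") as copy:
        return integrity_intact(copy.read(), sha256_hex(src.read()))


def demo() -> dict:
    """Exercise every control on a constructed record and report each outcome."""
    record = b"invoice=INV-1001;amount=2500.00;payee=ACME"   # constructed sample
    key = b"constructed-demo-key-not-for-production"
    digest = sha256_hex(record)
    signature = sign(record, key)
    tampered = record.replace(b"2500.00", b"9500.00")
    results = {
        "original_intact": integrity_intact(record, digest),
        "tamper_detected": not integrity_intact(tampered, digest),
        "signature_ok": verify_signature(record, signature, key),
        "forgery_rejected": not verify_signature(tampered, signature, key),
    }
    workdir = tempfile.mkdtemp()
    try:
        primary = os.path.join(workdir, "ledger.dat")
        with open(primary, "wb") as f:
            f.write(record)
        restrict_permissions(primary)
        results["access_restricted"] = not is_group_or_world_readable(primary)
        offsite = os.path.join(workdir, "offsite")
        os.mkdir(offsite)
        results["backup_verified"] = backup_and_verify(primary, offsite)
    finally:
        shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    for control, outcome in demo().items():
        print(f"{control:<18} {'pass' if outcome else 'FAIL'}")
```

The permission check relies on POSIX mode bits, so it is meaningful on Linux and similar systems; on a real deployment the same idea is enforced with the platform's access control lists rather than a chmod call.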
The risk management technique should involve security governance, in which security is treated as an enterprise-wide issue and leaders are held accountable for the security of information and data. The risk to security can be reduced when its management is viewed as a basic requirement of the business and there is proper segregation of the roles, responsibilities and duties of each individual in the organization.
Staff should be trained and made aware from time to time of the organization's security needs and of the manner in which risks can be properly addressed. Moreover, effective security governance should ensure proper reviewing and auditing of data so that data quality is enhanced (Aven & Zio, 2014).
Organizations should build a culture of information security by bringing about the corresponding changes in employee behavior. For managing the information security culture in an organization, five steps need to be followed, namely pre-evaluation, strategic planning, operative planning, implementation and post-evaluation (Schou & Hernandez, 2014).
An information system audit covers the complete lifecycle of the technology under inspection and also examines the accuracy of computer calculations. As a result, data quality is enhanced and the chances of error are reduced to a minimum. Firstly, the audit approach or strategy to be adopted is defined in accordance with the given situation, along with the documentation that will be needed in the subsequent phases of the audit. The approach adopted is based on steps such as interviewing key individuals, reviewing documentation, establishing audit criteria, visiting the data centre, reviewing high-risk areas, documenting findings and preparing the report (Silva, de Gusmao, Poleto, e Silva & Costa, 2014).
After this, sources of information are identified to expand understanding of the audit area. The sources to be considered include previous audit reports, network maps, system flows and process maps. Then, to meet the audit standards, a risk assessment is carried out that considers statutory and compliance regulations, the environment in which the enterprise operates, the business purpose and technology-specific risk. Each identified risk is then documented by the IS auditor along with its nature, likelihood of occurrence and potential impact, and the controls capable of addressing it are defined.
The results of the assessment of identified risks, the audit objectives and the current internal controls assist in determining the final audit scope along with the strategies for accomplishing the audit goal. Data quality problems that originate within applications, source systems and operational processes can also be determined in advance and addressed in time (Knechel & Salterio, 2016).
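The risk documentation described in the audit steps above, and the earlier point that risk is reduced to an acceptable level and the remainder accepted, both come down to a risk register. The following is an added example, not from the essay or its sources: each risk is recorded with its nature, likelihood and impact, the control assigned to it and how much of the inherent risk that control removes; the register is then split into risks whose residual exposure exceeds the tolerance (to be treated) and those the business can accept. The five-point scales, the effectiveness fractions, the tolerance value and the sample risks are constructed assumptions.

```python
"""Risk register: inherent risk, residual risk after controls, and a tolerance test.

Added example, not from the essay or its sources. The five-point likelihood
and impact scales, the control effectiveness fractions, the tolerance value
and the sample risks are all constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int              # 1 = rare ... 5 = almost certain
    impact: int                  # 1 = negligible ... 5 = severe
    control: str = "none"
    effectiveness: float = 0.0   # fraction of inherent risk the control removes, 0..1

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.asset}: likelihood and impact must be 1..5")
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.asset}: effectiveness must be 0..1")

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> float:
        # Risk left after the documented control: what the business must accept or treat further.
        return round(self.inherent() * (1.0 - self.effectiveness), 1)


def assess(register: list, tolerance: float) -> dict:
    """Split the register into risks to treat (above tolerance) and risks to accept."""
    treat = sorted((r for r in register if r.residual() > tolerance),
                   key=lambda r: r.residual(), reverse=True)
    accept = [r for r in register if r.residual() <= tolerance]
    return {"treat": treat, "accept": accept}


def report(register: list, tolerance: float) -> list:
    """One documented line per risk, highest residual first."""
    lines = []
    for r in sorted(register, key=lambda r: r.residual(), reverse=True):
        decision = "TREAT" if r.residual() > tolerance else "accept"
        lines.append(f"{r.asset:<20} {r.threat:<28} inherent={r.inherent():>2} "
                     f"residual={r.residual():>4} control={r.control} -> {decision}")
    return lines


# Constructed register entries.
SAMPLE_REGISTER = [
    Risk("Payroll master file", "unauthorised modification", 4, 5,
         "segregation of duties + change approval", 0.7),
    Risk("Data centre", "power failure", 2, 4, "UPS + off-site backup", 0.5),
    Risk("Customer database", "external breach", 4, 5, "ACLs + encryption at rest", 0.6),
    Risk("Laptop fleet", "theft of unencrypted device", 3, 3),
]
TOLERANCE = 6.0   # constructed: residual risk above this must be treated

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REGISTER, TOLERANCE)))
```

With these constructed values the uncontrolled laptop risk (residual 9.0) and the customer database (8.0) exceed tolerance and go on the treatment list, while the payroll file (6.0) and data centre (4.0) are accepted; an auditor would carry exactly these lines, with the chosen controls, into the scoping decision described above.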
In other words, data quality is enhanced by identifying and removing out-of-date information, which in turn saves budget and brings the required improvements in customer service. This, in turn, helps to improve return on investment and response rates. Through the audit of the information system, risks are minimized and duplicate records are deleted so that they do not lead to further confusion and complications. Auditing of data ensures its accuracy, precision, reliability, completeness, integrity, timeliness and confidentiality, along with the overall quality of the data (Barton, Tejay, Lane & Terrell, 2016).
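The two data quality checks the paragraph credits to auditing, removing duplicates and flagging out-of-date records, look as follows in an added example (not code from the essay or its sources). Duplicates are found only after the identifying fields are normalized, since records that differ in case or spacing are exactly the ones a naive comparison misses, and the newest copy is kept. The customer records, the two-year staleness threshold and the audit date are constructed.

```python
"""Data quality audit: duplicate detection after normalization, and stale-record flagging.

Added example, not from the essay or its sources. The customer records, the
two-year staleness threshold and the audit date are constructed assumptions.
"""
from datetime import date, timedelta


def record_key(rec: dict) -> tuple:
    """Normalize the identifying fields so near-duplicates compare equal."""
    return (" ".join(rec["name"].split()).lower(), rec["email"].strip().lower())


def audit_records(records: list, today: date, stale_after: timedelta) -> dict:
    """Return ids kept, ids superseded by a newer duplicate, and ids not updated within stale_after."""
    newest = {}
    for rec in records:
        key = record_key(rec)
        if key not in newest or rec["last_updated"] > newest[key]["last_updated"]:
            newest[key] = rec
    survivor_ids = {r["id"] for r in newest.values()}
    duplicates = sorted(r["id"] for r in records if r["id"] not in survivor_ids)
    stale = sorted(r["id"] for r in newest.values() if today - r["last_updated"] > stale_after)
    kept = sorted(r["id"] for r in newest.values() if r["id"] not in stale)
    return {"kept": kept, "duplicates": duplicates, "stale": stale}


# Constructed customer records: 1 and 2 are the same person with different casing and spacing.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Jane Doe", "email": "jane.doe@example.com", "last_updated": date(2023, 11, 2)},
    {"id": 2, "name": "jane  doe ", "email": "Jane.Doe@Example.com", "last_updated": date(2024, 3, 15)},
    {"id": 3, "name": "Raj Patel", "email": "raj@example.com", "last_updated": date(2019, 6, 30)},
    {"id": 4, "name": "Li Wei", "email": "li.wei@example.com", "last_updated": date(2024, 1, 10)},
]
AUDIT_DATE = date(2024, 6, 1)
STALE_AFTER = timedelta(days=730)   # constructed two-year threshold

if __name__ == "__main__":
    findings = audit_records(SAMPLE_RECORDS, AUDIT_DATE, STALE_AFTER)
    for category, ids in findings.items():
        print(f"{category:<10} {ids}")
```

On the sample, record 1 is reported as a duplicate of the newer record 2, record 3 is flagged as stale, and records 2 and 4 are kept.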
Therefore, it can be concluded that the protection of information resources plays the most important part in a system's design. Information systems can be safeguarded with the help of automated and manual measures. Controls comprise all the policies, methods and organizational procedures through which the reliability and accuracy of accounting records, the safety of organizational assets and operational adherence to management standards can be ensured. Computer systems are controlled by a combination of general and application controls, and this essay has compared these two types of control.
Furthermore, this essay has focused on the security and risk management techniques that can be applied to digital business processes to ensure their confidentiality, reliability, integrity, availability and security. The techniques include encryption, cryptography, hashing of data and the enforcement of access control lists and file permissions. Finally, the essay demonstrated how data quality is enhanced with the help of auditing. Audit assists in identifying and removing out-of-date information, which in turn helps to reduce costs and bring the required improvements in customer service.
References
Agrawal, M., Campoe, A., & Pierce, E. (2014). Information security and IT risk management. Wiley Publishing.
Alles, M., Brennan, G., Kogan, A., & Vasarhelyi, M. A. (2018). Continuous monitoring of business process controls: A pilot implementation of a continuous auditing system at Siemens. In Continuous Auditing: Theory and Application (pp. 219-246). Emerald Publishing Limited.
Aven, T. (2016). Risk assessment and risk management: Review of recent advances on their foundation. European Journal of Operational Research, 253(1), 1-13.
Aven, T., & Zio, E. (2014). Foundational issues in risk assessment and risk management. Risk Analysis, 34(7), 1164-1172.
Barton, K. A., Tejay, G., Lane, M., & Terrell, S. (2016). Information system security commitment: A study of external influences on senior management. Computers & Security, 59, 9-25.
Dashti, S., Giorgini, P., & Paja, E. (2017). Information Security Risk Management. In IFIP Working Conference on The Practice of Enterprise Modeling (pp. 18-33). Springer, Cham.
Knechel, W. R., & Salterio, S. E. (2016). Auditing: Assurance and risk. Routledge.
Mayer, N., Aubert, J., Grandry, E., & Feltus, C. (2016). An Integrated Conceptual Model for Information System Security Risk Management and Enterprise Architecture Management Based on TOGAF. In IFIP Working Conference on The Practice of Enterprise Modeling (pp. 353-361). Springer, Cham.
Mayer, N., Grandry, E., Feltus, C., & Goettelmann, E. (2015, June). Towards the ENTRI framework: security risk management enhanced by the use of enterprise architectures. In International Conference on Advanced Information Systems Engineering (pp. 459-469). Springer, Cham.
Nazareth, D. L., & Choi, J. (2015). A system dynamics model for information security management. Information & Management, 52(1), 123-134.
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Auerbach Publications.
Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70-82.
Schou, C., & Hernandez, S. (2014). Information Assurance handbook: Effective computer security and risk management strategies. McGraw-Hill Education Group.
Silva, M. M., de Gusmao, A. P. H., Poleto, T., e Silva, L. C., & Costa, A. P. C. S. (2014). A multidimensional approach to information security risk management using FMEA and fuzzy theory. International Journal of Information Management, 34(6), 733-740.
Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), 215-225.
Webb, J., Ahmad, A., Maynard, S. B., & Shanks, G. (2014). A situation awareness model for information security risk management. Computers & Security, 44, 1-15.