3.31
INFORMATION SYSTEMS AND ITS COMPONENTS
3.4 INFORMATION SYSTEMS’ CONTROLS
The increasing use of IT in organizations has made it imperative that appropriate
information systems are implemented in an organization. IT should cover all key
aspects of the business processes of an enterprise and should contribute to its
strategic and competitive advantage. The enterprise strategy outlines the approach
the enterprise wishes to formulate, with relevant policies and procedures, to achieve
its business objectives. The basic purpose of information system controls in an
organization is to ensure that the business objectives are achieved and that
undesired risk events are prevented, detected and corrected. This is achieved by
designing an effective information control framework comprising policies,
procedures, practices and organization structure that gives reasonable assurance
that the business objectives will be achieved.
Whenever a threat exploits a vulnerability, it gives rise to a risk. Risk can never
be completely eliminated, only mitigated, as there is always a component of
inherent risk. Some of the critical controls lacking in a computerized environment
are as follows:
• Lack of management understanding of IS risks and related controls;
• Absence of, or inadequate, IS control framework;
ENTERPRISE INFORMATION SYSTEMS
3.32
• Absence of, or weak, general controls and IS controls;
• Lack of awareness and knowledge of IS risks and controls amongst the
business users and even IT staff;
• Complexity of implementing controls in distributed computing environments
and extended enterprises;
• Lack of control features, or of their implementation, in highly
technology-driven environments; and
• Inappropriate technology implementations or inadequate security
functionality in the technologies implemented.
Internal controls can be classified into various categories, on different bases, to
illustrate the interaction of various groups in the enterprise and their effect on
information systems. These categories are represented in Fig. 3.4.1:
Fig. 3.4.1: Classification of IS Controls (figure labels: Preventive, Detective,
Corrective; Environmental, Physical Access, Logical Access; Managerial, Application)
3.4.1 Classification based on “Objective of Controls”
The controls, classified by the time at which they act relative to a security
incident, are as under:
(A) Preventive Controls: These controls prevent errors, omissions, or security
incidents from occurring. They are basically proactive in nature. Examples
include simple data-entry edits that block alphabetic characters from being
entered in numeric fields, access controls that protect sensitive data/system
resources from unauthorized people, and complex and dynamic technical
controls such as anti-virus software, firewalls, and intrusion prevention
systems. In other words, Preventive Controls are those inputs which are
designed to prevent an error, omission or malicious act from occurring. Any
control can be implemented in both manual and computerized environments
for the same purpose; only the implementation methodology may differ
from one environment to the other.
Example 3.6: Some examples of preventive controls are as follows:
Employing qualified personnel; Segregation of duties; Access control;
Vaccination against diseases; Documentation; Prescribing appropriate books
for a course; Training and retraining of staff; Authorization of transaction;
Validation, edit checks in the application; Firewalls; Anti-virus software
(sometimes this acts as a corrective control also), etc., and Passwords. The
above list contains both manual and computerized preventive controls.
The main characteristics of Preventive controls are given as follows:
• A clear-cut understanding about the vulnerabilities of the asset;
• Understanding probable threats;
• Provision of necessary controls to prevent probable threats from
materializing.
Example 3.7: The following Table 3.4.1 shows how the purpose of
preventive controls is achieved by using manual and computerized controls.
Table 3.4.1: Preventive Controls
Purpose | Manual Control | Computerized Control
Restrict unauthorized entry into the premises. | Build a gate and post a security guard. | Use access control software, smart card, biometrics, etc.
Restrict unauthorized entry into the software applications. | Keep the computer in a secured location and allow only authorized persons to use the applications. | Use access control, viz. User ID, password, smart card, etc.
(B) Detective Controls: These controls are designed to detect errors, omissions
or malicious acts that occur and report the occurrence. In other words,
Detective Controls detect errors or incidents that elude preventive controls.
They are basically investigative in nature. For example, a detective control
may identify account numbers of inactive accounts or accounts that have
been flagged for monitoring of suspicious activities. Detective controls can
also include monitoring and analysis to uncover activities or events that
exceed authorized limits or violate known patterns in data that may indicate
improper manipulation. For sensitive electronic communications, detective
controls can indicate that a message has been corrupted or the sender’s
secure identification cannot be authenticated.
The main characteristics of Detective controls are given as follows:
• Clear understanding of lawful activities so that anything which
deviates from these is reported as unlawful, malicious, etc.;
• An established mechanism to refer the reported unlawful activities to
the appropriate person or group, e.g. whistle-blower mechanisms;
• Interaction with the preventive control to prevent such acts from
occurring; and
• Surprise checks by supervisor.
Example 3.8: Some examples of Detective Controls are as follows:
Review of payroll reports; Compare transactions on reports to source
documents; Monitor actual expenditures against budget; Use of automatic
expenditure profiling where management gets regular reports of spend to
date against profiled spend; Hash totals; Check points in production jobs;
Echo control in telecommunications; Duplicate checking of calculations;
Past-due accounts report; The internal audit functions; Intrusion Detection
System; Cash counts and bank reconciliation and Monitoring expenditures
against budgeted amount.
(C) Corrective Controls: It is desirable to correct errors, omissions, or incidents
once they have been detected. They are reactive in nature. They vary from
simple correction of data-entry errors, to identifying and removing
unauthorized users or software from systems or networks, to recovery from
incidents, disruptions, or disasters. Generally, it is most efficient to prevent
errors or detect them as close as possible to their source to simplify
correction. These corrective processes also should be subject to preventive
and detective controls because they represent another opportunity for
errors, omissions, or falsification. Corrective controls are designed to reduce
the impact or correct an error once it has been detected.
The main characteristics of the corrective controls are as follows:
• Minimizing the impact of the threat;
• Identifying the cause of the problem;
• Providing remedy to the problems discovered by detective controls;
• Getting feedback from preventive and detective controls;
• Correcting error arising from a problem; and
• Modifying the processing systems to minimize future occurrences of
the incidents.
Example 3.9: Corrective controls may include the use of default dates on
invoices where an operator has tried to enter an incorrect date. Another
example of a corrective control is “Complete changes to IT access lists if an
individual’s role changes”: if an accounts clerk is transferred to the sales
department as a salesman, his/her access rights to the general ledger and
other finance functions should be removed and he/she should be given
access only to the functions required to perform his/her sales job.
Some other examples of Corrective Controls are submitting corrective
journal entries after discovering an error; A Business Continuity Plan (BCP);
Contingency planning; Backup procedure; Rerun procedures; System reboot;
Change input value to an application system; and Investigate budget
variance and report violations.
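As an added illustration (not code from the textbook), the following Python puts the three control objectives above into working code on a constructed batch of journal entries: a preventive edit check that blocks alphabetic characters in the amount field (A), a detective hash total and posting-limit check over the accepted batch (B), and a corrective rebuild of a user's access list when an accounts clerk moves to sales (C, Example 3.9). All entries, users, roles and limits are constructed sample values.

```python
"""Preventive, detective and corrective controls (Section 3.4.1) applied to one
batch of journal entries. Added illustration, not textbook code; every entry,
role and limit below is a constructed sample value."""
import hashlib
import re
from dataclasses import dataclass

# Digits with an optional two-decimal fraction; anything else fails the edit check.
AMOUNT_RE = re.compile(r"^\d+(\.\d{1,2})?$")


@dataclass(frozen=True)
class Entry:
    ref: str
    account: str
    amount: str   # kept as typed by the operator; validated by edit_check()
    user: str


# ---- Preventive: data-entry edit check -----------------------------------
def edit_check(raw_amount: str) -> bool:
    """Block alphabetic or malformed characters in a numeric field."""
    return AMOUNT_RE.match(raw_amount) is not None


def accept_batch(raw_entries):
    """Split a batch into (accepted, rejected) before anything is posted."""
    accepted, rejected = [], []
    for e in raw_entries:
        (accepted if edit_check(e.amount) else rejected).append(e)
    return accepted, rejected


# ---- Detective: hash total and limit monitoring --------------------------
def hash_total(entries) -> str:
    """Hash total over the whole batch: altering, dropping or inserting any
    record changes the digest, so a later recomputation exposes the change."""
    h = hashlib.sha256()
    for e in entries:
        h.update(f"{e.ref}|{e.account}|{e.amount}|{e.user}\n".encode())
    return h.hexdigest()


def over_limit(entries, user_role, posting_limit):
    """Refs of entries whose amount exceeds the limit authorized for the user's role."""
    return [e.ref for e in entries
            if float(e.amount) > posting_limit[user_role[e.user]]]


# ---- Corrective: rebuild access on role change (Example 3.9) -------------
ROLE_FUNCTIONS = {
    "accounts_clerk": {"general_ledger", "accounts_payable"},
    "salesman": {"sales_orders", "customer_master"},
}


def apply_role_change(user, new_role, access):
    """Replace the user's access list with the new role's functions and return
    what was removed and added, as the record an auditor would review."""
    old = access.get(user, set())
    new = set(ROLE_FUNCTIONS[new_role])
    access[user] = new
    return {"removed": sorted(old - new), "added": sorted(new - old)}


# Constructed sample batch: J002 has the letter O typed in place of a zero.
SAMPLE_BATCH = [
    Entry("J001", "4000", "1250.00", "alice"),
    Entry("J002", "4000", "12O0.00", "alice"),
    Entry("J003", "5100", "9800.00", "bob"),
]
USER_ROLE = {"alice": "accounts_clerk", "bob": "accounts_clerk"}
POSTING_LIMIT = {"accounts_clerk": 5000.0, "salesman": 0.0}

if __name__ == "__main__":
    accepted, rejected = accept_batch(SAMPLE_BATCH)
    print("rejected by edit check:", [e.ref for e in rejected])
    print("batch hash total:", hash_total(accepted))
    print("over posting limit:", over_limit(accepted, USER_ROLE, POSTING_LIMIT))
    access = {"carol": set(ROLE_FUNCTIONS["accounts_clerk"])}
    print("role change for carol:", apply_role_change("carol", "salesman", access))
```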
3.4.2 Classification based on “Nature of Information System Resources”
These are given as follows:
(A) Environmental Controls: These are the controls relating to the IT environment,
such as power, air-conditioning, Uninterrupted Power Supply (UPS), smoke
detection, fire extinguishers, dehumidifiers, etc. Tables 3.4.2 (A, B, C, D) list
the environmental exposures related to Fire, Electrical Exposures, Water
Damage, and Pollution Damage and Others, with their corresponding controls
respectively.
I. Fire: It is a major threat to the physical security of a computer installation.
Table 3.4.2(A): Controls for Fire Exposure
• Both automatic and manual fire alarms may be placed at strategic
locations and a control panel may be installed to clearly indicate this.
• Besides the control panel, master switches may be installed for power and
automatic fire suppression system. Different fire suppression techniques