Controls for Information Technology
Risk is a necessary undertaking for any business. Success in business is determined by effectively managing that risk. Effective risk management helps to protect the company from losses caused by poor accounting practices and fraud. Good controls also protect company management from liability when they certify the financial statements issued in the annual report, because they are also certifying the internal controls. The internal control process begins with management and the attitude that management portrays through the company. From this attitude, management gives direction, and the direction becomes policies and procedures. The policies and procedures build the structure of the internal controls environment. Automated information systems have expanded a business's ability to accomplish more work with fewer people; however, automated information systems have also increased the risks faced by the businesses that use them. Automated information systems, specifically the IT infrastructure that supports the systems, have created a whole new group of threats and vulnerabilities to the internal control system. To manage the risks of the automated information system, several standards have been developed to provide guidance on the implementation of controls. This paper provides an assessment of these control standards and of the options each standard provides.
Vulnerabilities and Threats
Automated information systems have become a critical component in the operation of modern business. The widespread use of personal computers and server infrastructure that has become prevalent over the last 50 years has fundamentally altered the way business is conducted. This optimization has allowed more work to be done with fewer people and a much higher level of detail to be incorporated into the work through the algorithmic computational abilities of computers. However, these new systems have also introduced new vulnerabilities into business operations. A vulnerability is any weakness in the accounting information system that exposes the business to additional risk (Raval & Fichadia, 2007). Vulnerabilities can come from different places: the design of the infrastructure itself, the policies and procedures that support the infrastructure, and the users of the infrastructure.
The first type of vulnerability in an accounting information system is the system architecture itself. Modern applications are usually composed of thousands of lines of code, which interface with other applications and other computers and process information. With the scale of modern computer applications, it is nearly impossible to produce an application that is free from errors in the code, and those errors can expose the business to risk. The applications that support the structure fall into two classifications: custom built or off the shelf. Each of these types of applications has a different set of risks. Off the shelf applications are written to be robust enough that individual users can adapt the application to their specific business need. This robust nature of the application means that the code that composes the application is much more complicated than the code of an application tailored specifically for the business. This increased complication provides additional opportunities for coding errors to create a weakness in the system. Custom built applications are simpler and streamlined to the specific business need, but as the business that creates the application is working on a project that will not be widely distributed, there is a risk that the business will not be in place to support the application once it is launched.
The second component of vulnerabilities to an automated information system is the policies and procedures that the system implements for system security....