
Controls Applicable to Information System

Anchal Mishra
Concept of Controls in Information System
Controls in information systems, also known as
controls in electronic data processing (EDP) or
controls in an EDP environment, consist of all
policies, procedures and methods that ensure
accuracy, reliability and operational adherence
to standards in information systems, whether
manual or computer-based. In computer-based
information systems, the need for controls is
more prominent.
Computer-based information systems are
more vulnerable than manual information
systems for the following reasons:
• Complex computer-based information
systems cannot be replicated manually. Most
information cannot be printed or is too
voluminous to be handled manually.
• There is usually no visible trace of changes
in computer-based information systems
because computer records can be read only
by the computer.
• Computerised procedures are invisible and are
not easily understood and audited.
• The development and operation of computer-
based information systems require specialized
technical expertise which cannot be easily
communicated to end users. Thus, systems are
highly open to abuse by technical staff members
who are not well integrated with the organization.
• In case of disasters, computer-based information
systems sustain more losses than manual
systems. In many cases, all the records of the
systems can be destroyed or lost forever.
• Most of the computer-based information
systems are accessible by many individuals.
Therefore, information gathering is easier but
controlling information is very difficult.
• Most large organizations rely on on-line
information systems. While on-line systems
add to operational efficiency, they are quite
vulnerable, as data files can be accessed
immediately and directly through computer
terminals. Thus, the systems are open to
abuse by authorized as well as unauthorized
users.
Objectives of Information System Controls
• To ensure that all the required data
are processed accurately and efficiently.
• To adhere to operational standards set by
the organization.
• To overcome systems vulnerability.
Types of Controls
In computer-based information systems,
various types of controls are required,
which can be broadly classified into two
categories:
• General Controls
• Application Controls
• General controls are those that control the
design, security and use of computer
programs and the security of data in general
throughout the organization. On the whole,
general controls apply to all computerized
applications and consist of system software
and manual procedures that create an
overall control environment.
• Application controls are specific controls
within each separate computer application,
such as payroll accounting, order
processing, accounts payable, accounts
receivable, etc.
General Controls
In an organization, general controls consist of the
following types of controls:
1. Operating system controls.
2. System development controls.
3. System maintenance controls.
4. Data management controls.
5. Organization structure controls.
6. Computer center controls.
7. Network controls.
8. Personal computer controls.
Operating System Controls
For running a computer system, software is
required, which consists of the operating system and
operating-system-controlled software like
compilers, utility programs, reporting of operations,
etc. The operating system helps the computer
components to function together smoothly. It
decides which computer resources will be used,
which programs will be run and in which order the
activities will take place.
The operating system performs the following
functions:
1. Job management
2. Data management
3. Support for processing
4. Input/output management
5. Data security
Types of Threats of Operating System Control
1. Threat to operating system integrity.
2. Unauthorized access.
3. Damage from viruses and other destructive
programs.
4. Loss of audit trail.
System Development Control
System development activities in large
organizations are generally decentralized, with
several development teams working on
different projects simultaneously. Therefore,
there is a need for system development
control to bring uniformity to the different
systems.
Systems Development Controls Include
• System Development Authorization
• System Development Standards
• Control on System Development Process
System Development Authorization
While decentralized system development has its own
advantages, it leads to an explosion of systems in the
organization, making it difficult to achieve coordination
among them. In order to overcome this problem, it is
essential that the organization exercises control over
uncontrolled system development. System
development authorization is applied for this purpose.
Accordingly, proposals for all systems that are to be
developed must be forwarded to the appropriate
authority along with their justification and feasibility.
In the light of the standards set by the
organization for the development of new
systems, permission may be accorded or
withheld, as the case may be. Through
this process, the explosion of unnecessary
systems may be controlled.
System Development Standards
The organization can control system development
activities by prescribing system development
standards to be followed throughout the
organization. In fact, for controlling any activity,
prescription of some standards is necessary
because the actual result of the activity is
measured against these standards.
These standards thus work as guidelines
for those who are involved in the
performance of the activity. The same is the
case with system development standards.
These standards may be prescribed in
respect of cost, quality and the time at which
the system is made available.
Control on System Development Process
Generally, system development follows a
process consisting of various activities to be
performed in a sequence. Such activities are:
1. System analysis,
2. System specification,
3. System design,
4. System testing, and
5. System implementation.
Control is required at each stage of system
development so that a quality system is
available within the time specified and the
resources allocated. Using budgetary
controls, quality controls and time event
network analysis, control can be exercised
over the various stages of system
development.
System Maintenance Control
System maintenance has the longest span of time
in the system development life cycle (SDLC). In fact,
system maintenance in some form or the other
continues throughout the life of the system.
During this period, steps are taken to correct
system errors, to keep the system current in view
of the organisational requirements, and to update
the system when required. As a result,
system maintenance activities have great
potential for exposure to misuse.
Therefore, the organisation is required to
develop and operate various maintenance
controls to check system misuse. The basic
objective of system maintenance controls is
to ensure that the system is not misused
during the process of undertaking system
maintenance activities. Broadly, system
maintenance controls are of two types:
1. Maintenance authorisation controls.
2. Source program library controls.
Maintainer Authorization Controls
After system implementation, access to the system
through maintenance activities increases the
possibility of system corruption. There may be
several types of corruption at this stage, like
logic corruption, program corruption, data
stealing, and so on. In order to check such
activities, system maintenance controls are
required.
In order to make these controls effective, all
system maintenance activities should have
a minimum of four controls:
1. Authorisation controls,
2. Technical specification controls,
3. Testing controls, and
4. Documentation controls.
In other words, system maintenance activities should
be given the same treatment as is given to a new
system development. In fact, many maintenance
activities result in drastic changes in a system.
As a result, the old and revised systems do not
remain the same. In such a case, extensive controls
are required.
Source Program Library Controls
During the process of undertaking system
maintenance activities, there is a need for
source program library (SPL) controls. The need
for SPL controls arises because of the following
reasons:
• Access to programs is almost unrestricted.
Programmers and other persons can access
any of the programs stored in the library
because of the lack of provision for detecting
unauthorized access.
• During the maintenance process,
unauthorised changes can be made in any
program, thereby reducing its integrity.
Such changes cannot be verified easily as
many authorised changes take place
during the same period.
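
Added example, not part of the original slides: one way to separate authorised from unauthorised changes in a source program library is to compare a digest of each program against the version approved in a change request. The record format, program names, contents and ticket numbers below are constructed for illustration.

```python
import hashlib

def digest(content: bytes) -> str:
    # SHA-256 of a program's source as stored in the library.
    return hashlib.sha256(content).hexdigest()

def audit_library(baseline, current, authorisations):
    """Classify every program that changed since the baseline audit.

    baseline, current: {program name: digest}. authorisations: records in a
    hypothetical change-request format; approved_digest None = approved removal.
    """
    approved = {}
    for rec in authorisations:
        approved.setdefault(rec["program"], set()).add(rec["approved_digest"])
    findings = {}
    for name in sorted(set(baseline) | set(current)):
        new = current.get(name)
        if baseline.get(name) == new:
            continue  # unchanged since the last audit
        if new in approved.get(name, set()):
            findings[name] = "authorised"
        elif name in approved:
            findings[name] = "content differs from approved version"
        else:
            findings[name] = "no authorisation on record"
    return findings

# Constructed sample data (program names, contents and tickets are made up).
BASELINE_SRC = {
    "PAYROLL.CBL": b"COMPUTE NET = GROSS - TAX.\n",
    "ORDERS.CBL": b"PERFORM POST-ORDER.\n",
    "LEDGER.CBL": b"ADD AMOUNT TO BALANCE.\n",
}
CURRENT_SRC = {
    "PAYROLL.CBL": b"COMPUTE NET = GROSS - TAX - FEE.\n",       # no ticket
    "ORDERS.CBL": b"PERFORM POST-ORDER. PERFORM LOG-ORDER.\n",  # as approved
    "LEDGER.CBL": b"ADD AMOUNT TO BALANCE. MOVE 0 TO FEE.\n",   # not as approved
}
AUTHORISATIONS = [
    {"program": "ORDERS.CBL", "ticket": "CR-0001",
     "approved_digest": digest(b"PERFORM POST-ORDER. PERFORM LOG-ORDER.\n")},
    {"program": "LEDGER.CBL", "ticket": "CR-0002",
     "approved_digest": digest(b"ADD AMOUNT TO BALANCE. DISPLAY BALANCE.\n")},
]

def run_sample():
    digests = lambda src: {n: digest(c) for n, c in src.items()}
    return audit_library(digests(BASELINE_SRC), digests(CURRENT_SRC), AUTHORISATIONS)

if __name__ == "__main__":
    print(run_sample())
```

The check only works if the baseline digests and the change-request records are kept where the programmers who maintain the library cannot alter them.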
