System Change Controls: A Prioritization Approach Using Analytic Hierarchy Process

Information attacks are a constant threat to every organization. To protect their sensitive information, organizations implement general information technology controls. An example of such controls includes system change controls (or change management controls), which are critical in ensuring the integrity, completeness, and reliability of financial information. The literature points to various evaluation methods of these controls to determine which ones to implement. The literature further shows how traditional assessment methods do not necessarily promote an effective evaluation, prioritization, and, therefore, implementation of system change controls in organizations. Alarming facts within the literature trigger analyses and identification of additional methods to assist organizations in protecting their sensitive and critical information. This research proposes a quantitative approach to assist management in evaluating system change controls using the Analytic Hierarchy Process. Through a case study, the approach is proven successful in providing a way for measuring the quality of system change controls in organizations.

©Center for Promoting Education and Research, www.cpernet.org
International Journal of Business and Applied Social Science
EISSN: 2469-6501
VOL: 5, ISSUE: 8, August/2019
DOI: 10.33642/ijbass.v5n8p4
https://ijbassnet.com/

Angel R. Otero¹
Nathan M. Bisk College of Business
Florida Institute of Technology
150 West University Blvd.
Melbourne, FL 32901
Email: [email protected]
Office: 321-674-8782
USA

Keywords: System change controls, change management, general IT controls, analytic hierarchy process, quality, evaluation, pairwise comparisons

1. Introduction

The increasing complexity of information technology (IT) environments, attacks on sensitive information, and the implementation of new laws and regulations have all shifted the focus of internal controls in organizations.
Nowadays, organizations require internal controls to be designed and implemented effectively and in compliance with laws and regulations (Lavion, 2018). Internal controls refer to the activities and procedures put in place by the organization to mitigate risks that could prevent a company from achieving its business objectives (Deloitte, 2018; GTAG 8, 2009).

Business goals and objectives, such as the reliability of the entity's financial reporting, the effectiveness and efficiency of its operations, and the compliance with pertinent laws and regulations, are common and constantly threatened (Otero, 2018; Otero, Ejnioui, Otero, & Tejay, 2011). Internal controls should be implemented and monitored to ensure business goals and objectives are achieved, and potential concerns regarding the organization's going concern are reduced or eliminated (Otero, Tejay, Otero, & Ruiz, 2012). Internal controls related to IT (also known as General IT Controls (GITC)) aid in the safeguarding of business operations, particularly by securing the integrity, completeness, and reliability of financial information, as well as of any other system functionality underlying business processes (Deloitte, 2018; Otero, 2015). GITC refer to policies and procedures that support the effective functioning of applications, including the operation of automated controls embedded in the applications, the integrity of reports generated from the applications, and the security of data hosted within the applications. Based on Deloitte (2018) and Cooke (2019), effective operation of GITC is critical and of utmost importance to major company stakeholders (e.g., owners, investors, regulators, audit committees, management, auditors, etc.) for the following reasons:

· Business processes and controls over financial information are constantly relied upon by stakeholders to manage the business and make strategic decisions.
· The effective operation of controls around the company's IT environment ensures adequate processing and reporting of financial data, as well as compliance with applicable laws and regulations.
· Reliance on automation of business processes and financial transactions is becoming increasingly important.
· Cybersecurity is a broad business risk which extends to financial information.

¹ Angel R. Otero, Email: [email protected] (Corresponding Author)

Deficiencies in GITC may prevent organizations from generating complete and accurate financial reports (Masli, Richardson, Watson, & Zmud, 2016; Krishnan & Visvanathan, 2007). The deficiencies, if not timely addressed, may also impact the overall functioning of internal controls, delaying financial closing processes, increasing audit costs, and impacting internal decisions and/or public disclosures, ultimately affecting the reputation and brand of the organization.

GITC commonly include controls over (1) data center and network operations; (2) access security; and (3) change management. Change management includes controls around the areas of system software acquisition, change and maintenance, program change, and application system acquisition, development, and maintenance (Otero, 2018). These controls are collectively referred to as system change controls (SCC).
SCC are critical in ensuring the accuracy and completeness of financial information (Keef, 2019; Otero, 2015; GTAG 2, 2012; Otero, Tejay, Otero, & Ruiz, 2012; Ejnioui, Otero, Tejay, Otero, & Qureshi, 2012). They help minimize the likelihood of disruption, unapproved changes, and errors (ITIL, 2016). SCC include controls over each of the relevant technology elements within an entity's IT environment: application system, database, operating system, and network. Examples of SCC include change request approvals; application and database upgrades; and network infrastructure monitoring and security; among others. Given the significance and rapid integration of IT systems with business processes, SCC must be implemented to maintain the completeness and accuracy of the information, as well as the reliability of business processes within the organization.

1.1 Current IT Environment

Throughout the years, organizations have suffered numerous system losses, directly impacting one of their most valuable assets, information. Schwartz (1990) predicted that losses related to confidential and sensitive information would continue to occur with a devastating effect on organizations. Examples of information losses suffered by organizations result from corporate fraud (i.e., white-collar crime), from altering and/or acquiring unauthorized access, from injecting malicious code, and from the inappropriate implementation of changes. These likely trigger unreliable processing, incomplete recording of data, lost data, inaccurate calculations, cutoff errors, and other misstatements of the accounting records (ISACA, 2011; Otero, 2015). To that effect, the American Institute of Certified Public Accountants (AICPA) estimates that cybercrime's global cost, which includes financial information losses, will reach $6 trillion by 2021 (Morgan, 2017).

According to the Federal Bureau of Investigation (FBI) (2019), white-collar crime continues to be one of the highest criminal priorities. Corporate fraud results in significant financial losses to companies and continues causing immeasurable damage to the U.S. economy and investor confidence. FBI (2019) states that the majority of corporate fraud cases pursued involve accounting schemes like false accounting entries; misrepresentations of financial condition; fraudulent trades designed to inflate profits or hide losses; and/or illicit transactions designed to evade regulatory oversight.

The above schemes are designed to deceive investors, auditors, and analysts about the true financial condition of a business entity. Through the manipulation of financial data, share price, or other valuation measurements, the financial performance of a corporation may remain artificially inflated based on fictitious

Cite this article

International Journal of Business and Applied Social Science. System Change Controls: A Prioritization Approach Using Analytic Hierarchy Process. Encyclopedia, 2019, v1. Available online: https://encyclopedia.pub/288