These are policies and procedures that relate to the computer environment and which are therefore relevant to all applications. They support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General IT controls that maintain the integrity of information and security of data commonly include controls over the following:
? Data centre and network operations. A data centre is a central repository of data and it is important that controls there include back-up procedures, anti-virus software and firewalls to prevent hackers gaining access. Organisations should also have disaster recovery plans in place to minimise damage caused by events such as floods, fire and terrorist activities. Where IT is critical to an operation’s business these plans might include having a parallel system operating at a remote location that can be switched to immediately.
? System software acquisition, change and maintenance. System software refers to operating systems, such as Windows or Apple’s OS. These systems often undergo updates as problems and vulnerabilities are identified and it is important for updates to be implemented promptly.
? Access security. Physical access to file servers should be carefully controlled. This is where the company keeps it data and it is essential that this is safeguarded: data will usually endow companies with competitive advantage. Access to processing should also be restricted, typically through the use of log-on procedures and passwords.
? Application system acquisition, development, and maintenance. Applications systems are programs that carry out specific operations needed by the company – such as calculating wages and invoices and forecasting inventory usage. Just as much damage can be done by the incorrect operation of software as by inputting incorrect data. For example, think of the damage that could be done if sales analyses were incorrectly calculated and presented. Management could be led to withdraw products that are in fact very popular. All software amendments must be carefully specified and tested before implementation.
Example: Royal Bank of Scotland
A software update was applied on 19 June 2012 to RBS's system which controls its payment processing. The update had been corrupted by RBS technical staff so that customers' wages, payments and other transactions were disrupted. Many customers were unable to withdraw cash using automatic teller machines and were not able to see their bank account details. Others faced fines and surcharges for late payment of bills because the system could not process direct debits. For many customers the disruption lasted for around a week.
Application controls are manual or automated procedures that typically operate at a business process level, such as the processing of sales orders, wages and payments to suppliers.
These controls help ensure that transactions are authorised, and are completely and accurately recorded, processed and reported. Examples include:
Edit checks of input data
Checks on input data are very important because once data has been input it is often automatically processed thereafter without the further chance of human scrutiny. Methods include:
? Range tests can be applied to reject data outside an allowed range. For example, when accepting orders through a website, the system could be programmed to prevent, or at least query, unusually large quantities being ordered.
? Format checks ensure that data is input in the correct format (credit card numbers should be 12 digits long).
? Dependency checks, where one piece of data implies something about another (you have probably had a travel booking rejected because you inadvertently had a return date earlier than the outward date).
? Check digits, where a number, such as an account number, is specially constructed to comply with mathematical rules. For example, UK and European VAT numbers use this method:
VAT number = GB 2457193 48 (the last two digits, here 48, are the check digits)
The first seven numbers are multiplied by the weighting factors 8, 7, 6, 5, 4, 3, 2:
So 2 x 8 + 4 x 7 + 5 x 6 + 7 x 5 + 1 x 4 + 9 x 3 + 3 x 2 = 146
Subtract 97 until the result is zero or negative:
146 – 97 – 97 = -48
The resulting number is the check digit. The chances of someone incorrectly typing in a VAT number which accidentally followed these rules are very small.
? Numerical sequence checks to ensure that all accountable documents, such as cheques, have been processed.
? Drop down menus which constrain choices and ensure only allowable entries can be made. For example, constraining delivery choices to ordinary post or express delivery, or presenting a list of allowable account codes.
? Batch total checks. Here, the data is first added up to create a control total, which is subsequently compared to the total of the data actually submitted.
Online, real time systems can pose particular risks because any number of employees could be authorised to process certain transactions. Anonymity raises the prospect of both carelessness and fraud so it is important to be able to trace all transactions to their originator. This can be done by requiring users to log-on and then tagging each transaction with the identity of the person responsible. Logging on should require passwords and it is important that members of staff keep these confidential. Many business systems enforce a rule that requires passwords to be changed every few months. This is fine in theory, but to remember their changing passwords many users start to write them down – a potential breach in security. Increasingly, biometric measurement, such as fingerprint or retina recognition, can be used to control access.
Log-in security, whether through passwords or biometrics, also helps to control both processing and access to data. Each user is provided with tailored rights that allow them to see only certain data, change only certain data and to carry out only specified processing.
This article has mentioned encryption, firewalls authentication and access controls. It is important to realise that even with these measures in place that organisations can be damaged by lapses in computer security. For example:
? November to early December 2013, Target Corporation (turnover around $70bn) announced that data from around 70 million credit and debit cards was stolen.
? April 2011, Sony experienced a data breach within their Playstation Network that the information of 77 million users was compromised.
? May 2014, Ebay announced that three months earlier that information (including passwords, email addresses, birth dates, mailing addresses and other personal information) relating to 145 million users had been stolen. Ebay states that the information was encrypted and there is no evidence that is has been decrypted (yet).
Cyber-espionage is also a growing threat. Governments, competitors and criminals attempt to steal intellectual property or information about customers and contracts. Quite obviously the theft of valuable know-how will undermine a company’s competitive advantage and it is essential that for organisations to defend themselves as far as possible against these threats.