Controls in business and IT : formalization and application


Bibliographic Details
Main Author: Limonad, Lior
Language: English
Published: University of British Columbia 2013
Online Access: http://hdl.handle.net/2429/45331
Description
Summary: Controls in business are the means used to ensure that business operations comply with a given set of rules, such as legal requirements, standards, and policies. Business compliance with regulations has gained particular importance due to the introduction of legislation to prevent business misconduct, such as the Sarbanes-Oxley Act of 2002 in the U.S. One outcome is that controls are more widely used and are often related to Information Technology (IT), both because IT systems are used to implement business controls and because the introduction of IT entails additional control concerns. Thus, control aspects should be an integral part of the analysis and design of information systems. Furthermore, information systems need to be examined for the completeness and correctness of their controls. Despite the importance of controls, no general, well-formalized framework is available to guide the analysis of control requirements or the design of controls in systems. This work introduces a conceptual framework for controls, based on an ontological foundation. The framework is built upon the key notion of the control system, from which two complementary views were derived: the Enterprise View (EV), which conceptualizes control as a 'thing', and the Process View (PV), which conceptualizes control as an 'action'. Based on these views, two concrete applications were developed to evaluate the correctness and usefulness of the underlying conceptual framework. The first, a classification scheme (typology), was derived from the EV and can be used to manage control assets. The second is a process modeling grammar enrichment, derived from the PV, designed to explicitly incorporate control activities in two alternative styles. Both proposed applications were empirically evaluated, and the results support their effectiveness in promoting better organizational compliance.