205
JOURNAL OF INFORMATION SYSTEMS
Vol. 20, No. 1
Spring 2006
pp. 205–219
Research Opportunities in Information
Technology and Internal Auditing
Marcia L. Weidenmier
Mississippi State University
Sridhar Ramamoorti
Grant Thornton LLP
ABSTRACT: This paper presents research opportunities in the area of information technology (IT) within the context of the internal audit function. Given the pervasive use of IT in organizations and the new requirements of the Sarbanes-Oxley Act of 2002, internal audit functions must use appropriate technology to increase their efficiency and effectiveness. We develop IT and internal audit research questions for three governance-related activities performed by the internal audit function: risk assessment, control assurance, and compliance assessment of security and privacy.
Keywords: IT / IS auditing; internal auditing; information technology; research opportunities; Sarbanes-Oxley; corporate governance; risk management; security; privacy.
Data Availability: Please direct all comments and suggestions to Dr. Marcia
Weidenmier.
I. INTRODUCTION
This paper develops information technology-related research questions within the context of the internal audit function. The internal audit function (IAF) is one of the cornerstones of corporate governance along with the external auditor, executive management, and the audit committee of the Board of Directors (Gramling et al. 2004). The Board of Directors determines the overall governance process, which senior management implements and internal and external auditors evaluate, under the watchful eye of the audit committee (Blue Ribbon Committee 1999; Treadway Commission 1987).
The IAF occupies a unique and pivotal role in corporate governance. First, the IAF is
an information gathering and reporting resource for the three other governance parties
(Gramling et al. 2004). Second, the IAF is an integral part of the organization’s internal
control structure. In fact, Rule 303A of the New York Stock Exchange requires listed
companies to have an IAF. Third, the IAF executes important governance-related activities
including risk assessment, control assurance, and compliance assessment, which are critical
We thank JIS editor Dan Stone for suggesting and encouraging us to write the supplemental technology chapter to the Research Opportunities in Internal Auditing (2003) monograph. We remain grateful to the IIA Research Foundation for granting us permission to reproduce, paraphrase, and/or use copyrighted materials in preparing this paper for the Journal of Information Systems. (Copyright 2004, The Pervasive Impact of Information Technology on Internal Auditing, by the Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201 U.S.A. Reprinted with permission.) The views expressed in this paper are the personal views of Dr. Sridhar Ramamoorti and do not reflect the views of, nor endorsement by, Grant Thornton LL ...
Case Study on Effective IS Governance within a Department of Defense Organiza...Chris Furton
This case study develops influencing factor that should be considered when developing an effective information security governance program with a Department of Defense weapons system test and evaluation organization. The influencing factors are then incorporated into an existing governance framework developed by A. Da Veiga and J. H. P. Eloff (2007). The result is a unique framework tailored to the organization which can be used as the foundation to building a holistic information security program.
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...IJNSA Journal
For organizations, the protection of information is of utmost importance. Throughout the years, organizations have experienced numerous system losses which have had a direct impact on their most valuable asset, information. Organizations must therefore find ways to make sure that the appropriate and most effective information security controls are implemented in order to protect their critical or most sensitive classified information. Existing information security control selection methods have been employed in the past, including risk analysis and management, baseline manuals, or random approaches. However, these methods do not take into consideration organization specific constraints such as costs of implementation, scheduling, and availability of resources when determining the best set of controls. In addition, these existing methods may not ensure the inclusion of required/necessary controls or the exclusion of unnecessary controls. This paper proposes a novel approach for evaluating information security controls to help decision-makers select the most effective ones in resource-constrained environments. The proposed approach uses Desirability Functions to quantify the desirability of each information security control taking into account benefits and penalties (restrictions) associated with implementing the control. This provides Management with a measurement that is representative of the overall quality of each information security control based on organizational goals. Through a case study, the approach is proven successful in providing a way for measuring the quality of information security controls (based on multiple application-specific criteria) for specific organizations.
The Significance of IT Security Management & Risk AssessmentBradley Susser
The Significance of IT Security Management & Risk Assessment
An overview of IT Security Management, which is comprised of standards, policies, plans, and procedures as well as risk assessment and the various techniques and approaches to minimize an organization’s financial impact due to the exploitation of numerous organizational assets.
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxMargenePurnell14
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2
28
Addressing Information Security Risks by Adopting
Standards
Walid Al-Ahmad*‡, Bassil Mohammad**
*Computer Science Department, Faculty of Arts and Science, Gulf University for Science & Technology, Kuwait
**Ernst & Young, Amman, Jordan
‡ P.O.Box 7207 Hawally, 32093 Kuwait, Tel: +96525307321, Fax: +965 25307030, e-mail: [email protected]
Abstract- Modern society depends on information technology in nearly every facet of human activity including finance,
transportation, education, government, and defense. Organizations are exposed to various and increasing kinds of risks,
including information technology risks. Several standards, best practices, and frameworks have been created to help
organizations manage these risks. The purpose of this research work is to highlight the challenges facing enterprises in their
efforts to properly manage information security risks when adopting international standards and frameworks. To assist in
selecting the best framework to use in risk management, the article presents an overview of the most popular and widely used
standards and identifies selection criteria. It suggests an approach to proper implementation as well. A set of recommendations
is put forward with further research opportunities on the subject.
Keywords- Information security; risk management; security frameworks; security standards; security management.
1. Introduction
The use of technology is increasingly covering most aspects of our daily life. Businesses which are heavily dependent on this technology use information systems which were designed and implemented with concentration on functionality, costs reduction and ease of use. Information security was not incorporated early enough into systems and only recently has it started to get the warranted attention. Accordingly, there is a need to identify and manage these hidden weaknesses, referred to as systems vulnerabilities, and to limit their damaging impact on the information systems integrity, confidentiality, and availability. Vulnerabilities are exploited by attacks which are becoming more targeted and sophisticated. Attacking techniques and methods are virtually countless and are evolving tremendously [1, 2].

In any enterprise, information security risks must be identified, evaluated, analyzed, treated and properly reported. Businesses that fail in identifying the risks associated with the technology they use, the people they employ, or the environment where they operate usually subject their business to unforeseen consequences that might result in severe damage to the business [3]. Therefore, it is critical to establish reliable information security risk assessment and treatment frameworks to guide organizations during the risk management process.
Because risks cannot be complete.
2 days agoShravani Kasturi DiscussionCOLLAPSETop of Form.docxlorainedeserre
2 days ago
Shravani Kasturi
Discussion
IT governance refers to the procedures implemented to manage information technology and the increasing value obtained from investing in information and technology (Joshi, Bollen, Hassink, Haes & Grembergen, 2018). It is made up of frameworks whose aim is to increase the management of risks arising due to the use of information technology. It aims at ensuring that information technology is used to increase the likelihood of achieving objectives for the business. IT governance is essential in allowing companies to be compliant with legal guidelines; for instance, those contained in the Companies Act. It provides a likelihood of an increase in the investments made by a company regarding information technology.
Many factors fueled the need for adoption of IT governance. The first factor is the increase in the number of risks facing information technology. The increased legal risks due to the lack of compliance of guidelines is another critical factor that contributed to a need for IT governance. The ability of IT governance to reduce the costs used in coming up with new inventions increased its adoption. Many companies make use of a lot of resources for discovery.
ISO provides guidelines meant to increase security (Santi, 2018). Its primary role is the provision of guidance concerning aspects of security. It offers advice on how to operate, manage, and make use of the networks effectively. It also provides guidelines on how the systems can be used effectively to increase security. The ISO also provides guidelines regulating the implementation of controls. Therefore, ISO has dramatically affected the standards of network security by increasing the protection of the networks. It is through the guidelines it provides that it aims at expanding the manner in which the network security is designed. It also provides an outline of how the implementation should be carried out to increase network security. It increased standards by developing secure communications interconnecting networks. It is through the provision of very secure gateways.
References
Joshi, A., Bollen, L., Hassink, H., Haes, S. D., Grembergen, W. V., (2018). Explaining IT Governance disclosure through the constraints of IT governance maturity and IT strategic role. Information & Management, 55(3), 368-380
Santi, P. (2018). A design network model for information security management standards depends on ISO 27001. GSTF Journal on Computing, 5(4), 1-11
19 hours ago
Rahul Reddy Kallu
Discussion 6
IT governance and data governance are subset of Information Governance (IG), which defines set of policies and procedures to concentrate more on how to effectively manage information. These policies include managing structured (records) and unstructured data (e-mails, e-documents). IT governance policies are aimed towards protecting sensitive data such as Protected Health Information (PHI), ensuring privac ...
Perceived significance of information security governance to predict the info...Irfaan Bahadoor
Abstract
Purpose – Information security is a growing concern in society, across businesses and government. As the offshore IT services market continues to grow providing numerous benefits, there are also perceived risks with respect to the quality of information security delivered in the supply chain. This paper aims to examine, as a case, the perceptions of Indian software services provider (service provider) employees with respect to information security governance and its impact on information security service quality that is delivered to customers.
Design/methodology/approach – The paper provides a framework built upon the existing dimensions and instruments for total quality management and service quality, suitably modified to reflect the context of information security. SmartPLS, a structural equation modelling technique, has been used to analyse field survey data collected from across various Indian cities and companies.
Findings – A significant finding is that information security governance in an IT outsourcing company providing software services has a highly significant impact on the information security service quality, which can be predicted. The paper also establishes that there is a positive relationship collectively between elements of information security governance and information security service quality.
Research limitations/implications – Since data used in this study were taken solely from the responses of employees of outsourced service companies in India, it does not show if this translates into service improvements as perceived by the customer.
Practical implications – Information security governance should be made an integral part of corporate governance and is an effective strategic technique, if software outsourcing business enterprises want to achieve a competitive edge, provide client satisfaction and create trust.
Originality/value – The paper presents empirical data validation of the connection between information security governance and quality of service.
COSO Framework
Name: Vikesh Desai
University of the Cumberlands
Info Tech Import in Strat Plan (ITS-831-02)
Date: February 15, 2020
COSO Framework
In 1985, the five largest finance, accounting, and auditing oversight committees in the U.S. established the Committee of Sponsoring Organizations (COSO) to sponsor the National Committee on Fraudulent Financial Reporting. The National Committee established a guide to tackle internal controls, fraud prevention, and enterprise risk management. This paper focuses on internal controls. The COSO framework expresses internal control as an approach intended to offer practical assurance of objective attainment, including operations efficiency and effectiveness, financial reporting dependability, and compliance with pertinent laws and regulations. The COSO framework comprises five components which affect these objectives, the core of internal control. The control environment is the initial constituent. This component encompasses a set of ideals, structures, and processes, offering a footing for the implementation of internal control throughout an organization (Pearlson, Saunders & Galletta, 2019). The board of directors and executives in an organization set the tone with regard to the significance of internal control in the organization. Senior management reinforces expectations at various organizational levels. The control environment entails organizational ethics and integrity, organizational structure and the assignment of authority and responsibility, the parameters to empower the board of directors to fulfil its responsibility of governance oversight, and
Running Head CYBERSECURITY FRAMEWORK1CYBERSECURITY FRAMEWORK.docx (healdkathaleen)
Integrating NIST CSF with IT Governance Frameworks
Nkengazong Tung
University of Maryland University College
29 AUGUST 2019
IT governance consists of the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. In the eCommerce industry, IT governance develops structure by characterizing hierarchical detailing lines, oversight advisory groups, standards, approaches, and procedures. A well-characterized structure viably sets the working limits for the association (Moeller, 2017). It additionally sets guidelines by making or lining up with the corporate procedure and characterizing the short- and long-haul objectives for the association. In the eCommerce industry, it is important to note how the regulations are followed, how standards are followed by the process managers, how planning for the capacity of servers should be done, ensuring all the IT assets are tracked, etc. This internal function that self-checks the “health status” of the various processes to ensure smoother functioning is governance.
IT management is the overseeing of IT services or innovation in an organization. It has several elements, all of which focus on aligning IT goals with business objectives in a way that creates the most value for an organization. These components are IT strategy, IT service and IT assets. Some of the IT management issues faced by an eCommerce company include ways to secure customers’ information, providing value to the company, as well as supporting business operations. To address the IT management challenges faced in eCommerce, IT policies must be put in place to define various processes within the organization. A policy is a set of guidelines that define how things are done within an organization. With a well-defined policy, activities in the eCommerce industry are well outlined, making it easy to operate.
Risk management is the process used to identify, evaluate and respond to possible accidental losses in situations where the only possible outcomes are losses or no change in the status. It is an overall administration function that tries to evaluate and address the circumstances and end results of vulnerability and threat to an association (Susmann & Braman, 2016). The aim of threat management is to empower an association to advance towards its objectives and goals in the most immediate, proficient, and viable way. Risk management issues faced by an eCommerce company are loss of data, unauthorized access to data as well as system failure. To address risk management in the eCommerce industry, a comprehensive risk management plan must be developed to address possible risks that might cause harm to the system. A good risk management plan provides procedures as well as guidelines on how to respond to threats and also unforeseen incidents. By having a well-laid plan, the ...
A DECISION-MAKING MODEL FOR REINFORCING A CORPORATE INFORMATION SECURITY SYSTEM (IAEME Publication)
Recently, information security incidents such as personal information leakage have been regarded as serious risk factors that directly affect corporate sales reduction and corporate image loss. In order to manage information security systematically, enterprises have been introducing information security systems more than ever before. This study aims to derive major items of the information security system mainly for corporate organizational management, with a focus on the technology-organization-environment (TOE) framework, and suggests a direction for system build-up and management. To this end, the Analytic Hierarchy Process (AHP) was conducted on 20 items derived from previous studies. A survey was conducted among 24 individuals, including 12 corporate internal administrators and 12 corporate external consultants. As a result, it turned out that environmental factors affected the information security system more significantly among technical, organizational, and environmental factors. Notably, 'compliance with legal requirements,' 'protection of information subjects' rights,' and 'increase of the information security awareness' affected the operation of the information security system or related decision-making processes. This finding suggests that although technical and organizational management is also essential when it comes to corporate information security system operation, the system needs to respond swiftly to rapid market changes and legal and administrative changes concerning information security.
Comparative Analysis of Information Security Governance Fram (LynellBull52)
Comparative Analysis of Information Security Governance Frameworks: A Public Sector Approach
Oscar Rebollo1, Daniel Mellado2, Luis Enrique Sánchez2 and Eduardo Fernández-Medina2
1 Social Security IT Management, Ministry of Labour and Immigration, Madrid, Spain
2 GSyA Research Group, University of Castilla-La Mancha, Spain
[email protected] [email protected] [email protected] [email protected]
Abstract: Security awareness has spread inside many organizations, leading them to tackle information security not just as a technical matter, but from a corporate point of view. Information Security Governance (ISG) provides enterprises with means of dealing with the security of their information assets in a comprehensive manner, involving every stakeholder through the whole governance and management processes. Boards of Public Entities cannot remain unaware of this development and should make efforts to include ISG in their business processes. Realizing this relevant role, scientific literature contains a variety of proposals which define different frameworks to foster ISG inside any corporation. In order to facilitate the adoption of any of them by the public sector, this paper compiles existing approaches, highlighting the main contributions and characteristics of each one. Senior executives and security managers may need support on their decisions about adopting one of these frameworks, so a comparative analysis is performed. Although some comparative reviews are found in literature, they lack a systematic and repeatable methodology, ignore recently published contributions or focus on specific areas, making results biased and inappropriate for general use in corporations and the public sector. This paper tries to guarantee an objective comparison through a set of comparative criteria that have been defined and applied to every proposal, so that strengths and weaknesses of each one can be pointed out. These criteria have been selected from a deep analysis of existing ISG papers, including both governance and management aspects. As results show, each proposal focuses on different aspects of ISG, giving priority to some of the defined criteria, and none of them covers the entire required spectrum. Most of the selected frameworks can be used by any public organization as a starting point towards integrating security into their processes, but this paper helps managers to be aware of their limitations and the gaps which need to be covered in order to achieve a complete integration. Consequently, more investigation is needed to fulfill detected gaps and define an ISG framework that organizations can rely on, and which offers security guarantees of covering every information asset of the company. The public sector's idiosyncrasy must be taken into account in this development, resulting in a general framework eligible for adoption by both public and private companies.
Keywords: information security governance, security governance, com ...
Information Assurance Framework for Web Services .docx (jaggernaoma)
Information Assurance Framework for Web Services
Table of Contents
Proposal
Visual Representation
Iteration-1 Understanding IA Challenges
Plan
Action
Observation
Reflection
Iteration-2 Conducting Survey
Plan
Action
Observation
Reflection
Iteration-3 Structuring the Information
Plan
Action
Observation
Reflection
Iteration-4 Developing Framework
Plan
Action
Observation
Reflection
Summary of Learning
References
List of Tables
Table 1 Elements Considered in Questionnaire
Table 2 Standard Security Features
Table 3 Security Elements
List of Figures
Figure 1 Web Security Compromises
Figure 2 Information Assurance Model
Figure 3 Key Components of IA Implementation
Figure 4 Action Research Process
Figure 5 IA Reference Model Framework
Figure 6 Web Frameworks
Figure 7 Visual Representation
Figure 8 IA for Web Applications Search
Figure 9 Keyword Search Results
Introduction
Internet-based solutions and web-based services offered to customers have become a common practice in businesses. Right from the B2B segment to B2C and C2C, there are many web services and web-based applications that are predominantly used in the business environment (Kahonge, 2013).
Adoption and implementation of web-based application systems has certainly supported the stakeholders of business in improving the ease of business communication, transaction processing and other such key business functions. However, one of the critical challenges envisaged in the business process concerns the information assurance issues in the web-based application systems and processes that are adopted by organizations (Al-hamami & et.al, 2012).
Globally, web-based application systems have become an integral part of the organizational requirements that could support managing the business process in more effective ways. With the emergence of contemporary web technologies like Web 2.0, cloud-based solutions and many other such developments, there are potential developments that are taking place in the environment (DAN J KIM & et.al, 2004).
An organizational website with poorly designed security features can open the door to security vulnerabilities. IT professionals may be put in a compromising position to prioritize system administrative tasks that are beneficial to a company’s bottom line over evaluating and proactively defending against security risks.
According to a research report published in the recent past on website security solutions and features, the study emphasizes the key elements that impact web security solutions and the need for companies to focus on improving the perform.
IT security controls are a result of protecting information system resources against unauthorized attempts that seek to access them. In an empirical view, this establishes a logical dichotomy between protecting the inside from the outside - not too terribly different from what we do when we lock the doors in our homes at night. This inside/outside approach has matured greatly, and continues to do so in today's information systems environment. Traditionally, most of the observed research and its results have produced technical measures in the form of controls and best practices, which act as templates to “secure” information systems from those not authorized to access them. As a natural result, many guides primarily outline technical controls that prevent external access to internal information systems.
The landscape of information technology (IT) security controls has widened significantly over the past few decades, especially since the adoption of the public internet and the proliferation of internet service providers. Even today it is further fueled by the rise of connectedness via mobile means, whether smart phones or tablet devices, or even publicly available wifi, frequently available any time and nearly anywhere.
This shift has transitioned the philosophical approach from IT security to information security - information being the actual asset that is being protected through IT security controls. With this understanding, we must further recognize, accept, and conclude that information has value, and within markets of competition, within and between the same or different industries, unauthorized attempts to access information systems are no longer just external configuration issues. They are also internal behavioral issues, which drive not just technological implementations traditionally spawned by vendor configuration anomalies, but organizational structure, policies, vigilance, and training.
GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001 (IJNSA Journal)
In this paper, after giving a brief definition of Information Security Management Systems (ISMS), ISO 27001, IT governance and COBIT, the pros and cons of implementing only COBIT, implementing only ISO 27001 and implementing both COBIT and ISO 27001 together when governing information security in enterprises will be discussed.
RANKING CRITERIA OF ENTERPRISE INFORMATION SECURITY ARCHITECTURE USING FUZZY ... (ijcsit)
Information security against hacking, altering, corrupting, and divulging data is vital and inevitable, and it requires effective management in every organization. Some of the upcoming challenges can be the study of available frameworks in Enterprise Information Security Architecture (EISA) as well as criteria extraction in this field. In this study a method has been adopted in order to extract and categorize important and effective criteria in the field of information security by studying the major dimensions of EISA, including standards, policies and procedures, organization infrastructure, user awareness and training, security baselines, risk assessment and compliance. Gartner's framework has been applied as a fundamental model to categorize the criteria. To assess the proposed model, a questionnaire was prepared and a group of EISA professionals completed it. Fuzzy TOPSIS was used to quantify the data and prioritize the criteria. It could be concluded that the database and database security criteria, inner software security, electronic exchange security and supervising malicious software can be high priorities.
Sarbanes-Oxley Compliance and the RFI/RFP Process (CXT Group)
Sarbanes-Oxley compliance and the RFI/RFP development process set an international standard in the industry. This article clearly states what happened.
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATION (IJNSA Journal)
Information security necessitates the implementation of safeguards to guarantee an adequate defense against attacks, threats, and breaches from occurring. Nonetheless, even with “adequate” defensive efforts, the taste for accessing sensitive and confidential financial information is too tempting, and attacks continue to escalate. Organizations must plan ahead so that identified attacks, threats, and breaches are appropriately managed to a successful resolution. A proven method to address information security problems is achieved through the effective implementation of access security controls. This paper proposes a quantitative approach for organizations to evaluate access security controls over financial information using Analytic Hierarchy Process (AHP), and determines which controls best suit management’s goals and objectives. Through a case study, the approach is proven successful in providing a way for measuring the quality of access security controls over financial information based on multiple application-specific criteria.
Challenges to the Implementation of Information Technology Risk Management an... (theijes)
The International Journal of Engineering & Science is aimed at providing a platform for researchers, engineers, scientists, or educators to publish their original research results, to exchange new ideas, to disseminate information in innovative designs, engineering experiences and technological skills. It is also the Journal's objective to promote engineering and technology education. All papers submitted to the Journal will be blind peer-reviewed. Only original articles will be published.
Business UseWeek 1 Assignment #1Instructions1. Plea.docx (felicidaddinwoodie)
Business Use
Week 1: Assignment #1
Instructions
1. Please read these two articles:
· Using forensics against a Fitbit device to solve a murder: https://www.cbsnews.com/news/the-fitbit-alibi-21st-century-technology-used-to-help-solve-wisconsin-moms-murder/
· How an Amazon Echo could be forensically analyzed! https://www.theverge.com/2017/1/6/14189384/amazon-echo-murder-evidence-surveillance-data
2. Then go around your residence / dwelling (home, apartment, condo, etc.) and be creative.
3. Identify at least five appliances or devices that you THINK could be forensically analyzed and then identify how this might be useful in an investigation. Note - do not count your computer or mobile device. Those are obvious!
4. I expect at least a one-paragraph answer for each device.
Why did I assign this?
The goal is to have you start THINKING about how any device that is capable of holding electronic data (and transmitting it to the Internet) could be useful in a particular investigation!
Due Date
This is due by Sunday, May 10th at 11:59 PM.
Informative speech on George Stinney Jr.
A. Info research analysis
The general purpose of the speech was to inform people about the civil injustice being done against the African American community in the United States. The specific purpose of the speech was to portray to the audience how an innocent 14-year-old black boy suffered at the hands of the South Carolina State law enforcement officers. He was falsely accused of killing two white girls and electrocuted within two months after conviction.
I decided the topic of my speech after perusing all the suggested topics and found that the story of George Stinney Jr. was entirely touching and emotional.
This topic benefits the audience and society in general by giving them an insight into the cruelty that the American law system has against the African American community. The audience gets to know how the shady investigations were done, with claims that George had pleaded guilty to the charges of murder when there was no real evidence tying him to the crime or a signed plea agreement.
The alternative view that I found in the research was the version of the investigating officer of the case, who claimed that the 14-year-old boy managed to kill two girls aged 11 and 7 with a blunt object and ditch them in a nearby trench. This alternative point of view did not make sense because it is hard for a 14-year-old boy to use the force that was reported by the postmortem results to kill the girls. Therefore, I knew everything was a lie and I had to take the point of view of George’s innocence.
B. Informative outline
Introduction:
George Stinney Jr. was an African American boy born on October 21, 1929 in Pinewood, South Carolina, U.S. He is considered the youngest person to be executed by the United States government in the 20th century.
Main body
Investigations of the alleged crimes (Bickford, 05)
The investigations concerning the alleged crimes of George S.
Business UsePALADIN ASSIGNMENT ScenarioYou are give.docx (felicidaddinwoodie)
Business Use
PALADIN ASSIGNMENT
Scenario:
You are given a PC and you are faced with this scenario: you don’t know the password to the PC, which means you can’t log in so you can use a forensic tool like FTK IMAGER to capture the hard drive as a bit-for-bit forensic image, AND/OR
1. The hard drive is either soldered onto the motherboard (there are some new hard drives like this!) or cannot be removed because the screws are stripped (this has happened to me);
2. Even if you figured out the password or got an admin password, the PC may have its USB ports blocked via a GPO policy (this is very common in corporations now);
3. Even if you can get the GPO policy overridden, you may have some concerns about putting it on the network (which is true especially if you are dealing with malware).
So what can you do? The best solution is to boot the PC up into a forensically sound environment that lets you bypass the password aspect, GPO policy, etc. and take a bit-for-bit image. One piece of software that has done the job very well for me is Paladin.
How to get points
If you can send me a screenshot showing me that you have installed the Paladin .ISO and made your USB device a bootable device with Paladin using Rufus, then you get 10 points.
If you can send me a screenshot showing that you had a chance to boot your computer into Paladin, then you will earn an extra 10 points. It is not necessary for you to take a forensic image of your PC, but I have included generic instructions here.
Assumptions:
1. You have downloaded Rufus on your computer.
2. You have downloaded Paladin on your computer.
Instructions:
1. Make sure you have at least one USB drive.
2. If not done already, download Rufus from https://rufus.ie/.
3. If not done already, download the Paladin ISO image from this website: https://sumuri.com/product/paladin-64-bit-version-7/ which is free. Its suggested price is $25.00 but you can adjust the price to $0 then order. To be clear – do not pay anything.
4. Insert the USB device in your computer.
5. Run Rufus, where you install the Paladin .ISO file on the USB device and make it bootable. Now I could provide you step-by-step instructions, but this is a Masters class so I want you to explore a bit and figure this out. One good video is this: https://www.youtube.com/watch?v=V6JehM0WDTI.
6. After you are done using Rufus, where you have installed Paladin.ISO on the USB device and made it bootable, make sure the USB device is in the PC.
7. Restart your PC. Press F9 (HP laptop) or F12 (Dell laptop) so you can be taken into the BIOS boot-up menu.
8. This is where things get a bit tricky, e.g. your computer may be configured differently, where you have to adjust your BIOS settings. If you do not feel comfortable doing this then stop here. I do not want you to mess up your computer. You have already earned ten extra points!
9. If you still proceed then you will see a list of bootable devices. You may, for example, see a list of devices. Pick the device.
2 days agoShravani Kasturi DiscussionCOLLAPSETop of Form.docx (RAJU852744)
2 days ago
Shravani Kasturi
Discussion
IT governance refers to the procedures implemented to manage information technology and the increasing value obtained from investing in information and technology (Joshi, Bollen, Hassink, Haes & Grembergen, 2018). It is made up of frameworks whose aim is to increase the management of risks arising due to the use of information technology. It aims at ensuring that information technology is used to increase the likelihood of achieving objectives for the business. IT governance is essential in allowing companies to be compliant with legal guidelines; for instance, those contained in the Companies Act. It provides a likelihood of an increase in the investments made by a company regarding information technology.
Many factors fueled the need for the adoption of IT governance. The first factor is the increase in the number of risks facing information technology. The increased legal risks due to the lack of compliance with guidelines is another critical factor that contributed to a need for IT governance. The ability of IT governance to reduce the costs used in coming up with new inventions increased its adoption. Many companies make use of a lot of resources for discovery.
ISO provides guidelines meant to increase security (Santi, 2018). Its primary role is the provision of guidance concerning aspects of security. It offers advice on how to operate, manage and make use of networks effectively. It also provides guidelines on how the systems can be used effectively to increase security. The ISO also provides guidelines regulating the implementation of controls. Therefore, ISO has dramatically affected the standards of network security by increasing the protection of networks. The guidelines it provides aim at expanding the manner in which network security is designed. It also provides an outline of how the implementation should be carried out to increase network security. It increased standards by developing secure communications interconnecting networks. This is achieved through the provision of very secure gateways.
References
Joshi, A., Bollen, L., Hassink, H., Haes, S. D., Grembergen, W. V., (2018). Explaining IT Governance disclosure through the constraints of IT governance maturity and IT strategic role. Information & Management, 55(3), 368-380
Santi, P. (2018). A design network model for information security management standards depends on ISO 27001. GSTF Journal on Computing, 5(4), 1-11
19 hours ago
Rahul Reddy Kallu
Discussion 6
IT governance and data governance are subsets of Information Governance (IG), which defines a set of policies and procedures to concentrate more on how to effectively manage information. These policies include managing structured (records) and unstructured data (e-mails, e-documents). IT governance policies are aimed towards protecting sensitive data such as Protected Health Information (PHI), ensuring privac.
Perceived significance of information security governance to predict the info...Irfaan Bahadoor
Abstract
Purpose – Information security is a growing concern in society, across businesses and government. As the offshore IT services market continues to grow providing numerous benefits, there are also perceived risks with respect to the quality of information security delivered in the supply chain. This paper aims to examine, as a case, the perceptions of Indian software services provider (service provider) employees with respect to information security governance and its impact on information security service quality that is delivered to customers.
Design/methodology/approach – The paper provides a framework built upon the existing
dimensions and instruments for total quality management and service quality, suitably modified to reflect the context of information security. SmartPLS, a structural equation modelling technique, has been used to analyse field survey data collected from across various Indian cities and companies.
Findings – Significant finding is that information security governance in an IT outsourcing company providing software services has a highly significant impact on the information security service quality,which can be predicted.The paper also establishes that there is a positive relationship collectively between elements of information security governance and information security service quality.
Research limitations/implications – Since data used in this study were taken solely from the responses of employees of outsourced service companies in India, it does not show if this translates into service improvements as perceived by the customer.
Practical implications – Information security governance should be made an integral part of corporate governance and is an effective strategic technique, if software outsourcing business enterprises want to achieve a competitive edge, provide client satisfaction and create trust.
Originality/value – The paper presents empirical data validation of the connection between information security governance and quality of service.
2/17/2020 Originality Report
https://ucumberlands.blackboard.com/webapps/mdb-sa-BB5a31b16bb2c48/originalityReport/ultra?attemptId=eb5800fc-c244-4b4d-88b8-038202f12d6b&course_id=… 1/4
%34
%7
SafeAssign Originality Report
Spring 2020 - InfoTech Import in Strat Plan (ITS-831-0… • Week 6 Research Paper: COSO Framework
COSO Framework
Name: Vikesh Desai
University of the Cumberlands
Info Tech Import in Strat Plan (ITS-831-02)
Date: February 15, 2020
COSO Framework
In 1985, the five largest finance, accounting, and auditing professional organizations in the U.S. established the Committee of Sponsoring Organizations (COSO) to sponsor the National Commission on Fraudulent Financial Reporting. COSO went on to publish guidance on internal control, fraud deterrence, and enterprise risk management. This paper focuses on internal control. The COSO framework defines internal control as a process intended to provide reasonable assurance that objectives are achieved, including the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations. The COSO framework comprises five components that affect these objectives and form the core of internal control. The control environment is the first component. It encompasses the set of standards, structures, and processes that provide the foundation for carrying out internal control across an organization (Pearlson, Saunders & Galletta, 2019). The board of directors and the executives of an organization set the tone regarding the importance of internal control in the organization, and senior management reinforces expectations at the various organizational levels. The control environment comprises the organization's integrity and ethical values, its organizational structure and the assignment of authority and responsibility, the parameters that enable the board of directors to carry out its governance oversight responsibility, and
Running Head CYBERSECURITY FRAMEWORK1CYBERSECURITY FRAMEWORK.docx (healdkathaleen)
Integrating NIST CSF with IT Governance Frameworks
Nkengazong Tung
University of Maryland University College
29 AUGUST 2019
IT governance is the set of processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. In the eCommerce industry, IT governance creates structure by defining organizational reporting lines, oversight committees, standards, policies, and procedures. A well-defined structure effectively sets the operating boundaries for the organization (Moeller, 2017). It also sets direction by creating or aligning with corporate strategy and defining the short- and long-term objectives of the organization. In the eCommerce industry, it is important to note how regulations are followed, how standards are followed by process managers, how capacity planning for servers is done, and how all IT assets are tracked. This internal function of self-checking the "health status" of the various processes to ensure they run smoothly is governance.
Comment by Michael Baker: Recommend subtitles that match rubric
IT management is the administration of IT services and technology in an organization. It has several elements, all of which focus on aligning IT goals with business objectives in a way that creates the most value for the organization: IT strategy, IT services, and IT assets. IT management issues faced by an eCommerce company include how to secure customer information, how to provide value to the company, and how to support business operations. To address these challenges, IT policies must be put in place to define the various processes within the organization. A policy is a set of guidelines that defines how things are done within an organization. With well-defined policies, activities in the eCommerce industry are clearly outlined, making them easier to operate.
Risk management is the process used to identify, evaluate, and respond to possible accidental losses in situations where the only possible outcomes are a loss or no change in status. It is an overall management function that seeks to assess and address the causes and consequences of uncertainty and threats to an organization (Susmann & Braman, 2016). The aim of risk management is to enable an organization to progress towards its goals and objectives in the most direct, efficient, and effective way. Risk management issues faced by an eCommerce company include loss of data, unauthorized access to data, and system failure. To address risk management in the eCommerce industry, a comprehensive risk management plan must be developed that covers the risks that could harm the system. A good risk management plan provides procedures and guidelines on how to respond to threats and to unforeseen incidents. By having a well-laid plan, the ...
A DECISION-MAKING MODEL FOR REINFORCING A CORPORATE INFORMATION SECURITY SYSTEM (IAEME Publication)
Recently, information security incidents such as personal information leakage have been regarded as serious risk factors that directly affect corporate sales and corporate image. In order to manage information security systematically, enterprises have been introducing information security systems more than ever before. This study aims to derive the major items of an information security system for corporate organizational management, with a focus on the technology-organization-environment (TOE) framework, and suggests a direction for system build-up and management. To this end, the Analytic Hierarchy Process (AHP) was applied to 20 items derived from previous studies. A survey was conducted among 24 individuals, including 12 corporate internal administrators and 12 corporate external consultants. As a result, it turned out that environmental factors affected the information security system more significantly than technical and organizational factors. Notably, 'compliance with legal requirements,' 'protection of information subjects' rights,' and 'increase of information security awareness' affected the operation of the information security system and related decision-making processes. This finding suggests that although technical and organizational management is also essential to corporate information security system operation, the system needs to respond swiftly to rapid market changes and to legal and administrative changes concerning information security.
Comparative Analysis of Information Security Governance Fram (LynellBull52)
Comparative Analysis of Information Security Governance Frameworks: A Public Sector Approach
Oscar Rebollo (1), Daniel Mellado (2), Luis Enrique Sánchez (2) and Eduardo Fernández-Medina (2)
(1) Social Security IT Management, Ministry of Labour and Immigration, Madrid, Spain
(2) GSyA Research Group, University of Castilla-La Mancha, Spain
Abstract: Security awareness has spread inside many organizations, leading them to tackle information security not just as a technical matter but from a corporate point of view. Information Security Governance (ISG) provides enterprises with a means of dealing with the security of their information assets in a comprehensive manner, involving every stakeholder throughout the governance and management processes. Boards of public entities cannot remain unaware of this development and should make efforts to include ISG in their business processes. Recognizing this relevant role, the scientific literature contains a variety of proposals that define different frameworks to foster ISG inside any corporation. In order to facilitate the adoption of any of them by the public sector, this paper compiles existing approaches, highlighting the main contributions and characteristics of each one. Senior executives and security managers may need support in their decisions about adopting one of these frameworks, so a comparative analysis is performed. Although some comparative reviews are found in the literature, they lack a systematic and repeatable methodology, ignore recently published contributions, or focus on specific areas, making their results biased and inappropriate for general use in corporations and the public sector. This paper aims to guarantee an objective comparison through a set of comparative criteria that have been defined and applied to every proposal, so that the strengths and weaknesses of each one can be pointed out. These criteria have been selected from a deep analysis of existing ISG papers, including both governance and management aspects. As the results show, each proposal focuses on different aspects of ISG, giving priority to some of the defined criteria, and none of them covers the entire required spectrum. Most of the selected frameworks can be used by any public organization as a starting point towards integrating security into their processes, but this paper helps managers to be aware of their limitations and of the gaps which need to be covered in order to achieve a complete integration. Consequently, more investigation is needed to fill the detected gaps and define an ISG framework that organizations can rely on, and which offers security guarantees covering every information asset of the company. The public sector's idiosyncrasy must be taken into account in this development, resulting in a general framework eligible for adoption by both public and private companies.
Keywords: information security governance, security governance, com ...
Information Assurance Framework for Web Services .docx (jaggernaoma)
Information Assurance Framework for Web Services
Table of Contents
Proposal
Visual Representation
Iteration 1: Understanding IA Challenges
Plan
Action
Observation
Reflection
Iteration 2: Conducting Survey
Plan
Action
Observation
Reflection
Iteration 3: Structuring the Information
Plan
Action
Observation
Reflection
Iteration 4: Developing Framework
Plan
Action
Observation
Reflection
Summary of Learning
References
List of Tables
Table 1 Elements Considered in Questionnaire
Table 2 Standard Security Features
Table 3 Security Elements
List of Figures
Figure 1 Web Security Compromises
Figure 2 Information Assurance Model
Figure 3 Key Components of IA Implementation
Figure 4 Action Research Process
Figure 5 IA Reference Model Framework
Figure 6 Web Frameworks
Figure 7 Visual Representation
Figure 8 IA for Web Applications Search
Figure 9 Keyword Search Results
Introduction
Internet-based solutions and web-based services offered to customers have become common practice in business. From the B2B segment to B2C and C2C, many web services and web-based applications are predominantly used in the business environment (Kahonge, 2013).
Adoption and implementation of web-based application systems has certainly supported business stakeholders in improving the ease of business communication, transaction processing, and other key business functions. However, one of the critical challenges envisaged in the business process concerns information assurance in the web-based application systems and processes that organizations adopt (Al-hamami et al., 2012).
Globally, web-based application systems have become an integral part of organizational requirements, supporting the management of business processes in more effective ways. With the emergence of contemporary web technologies such as Web 2.0, cloud-based solutions, and many other developments, significant changes are taking place in the environment (Kim et al., 2004).
An organizational website with poorly designed security features can open the door to security vulnerabilities. IT professionals may be put in the compromising position of prioritizing system administration tasks that benefit the company's bottom line over evaluating and proactively defending against security risks.
According to a research report published recently on website security solutions and features, the study emphasizes the key elements that impact web security solutions and the need for companies to focus on improving the perform.
IT security controls exist to protect information system resources against unauthorized attempts to access them. Empirically, this establishes a logical dichotomy between protecting the inside from the outside, not so different from what we do when we lock the doors of our homes at night. This inside/outside approach has matured greatly, and continues to do so in today's information systems environment. Traditionally, most of the published research and its results have produced technical measures in the form of controls and best practices, which act as templates to "secure" information systems from those not authorized to access them. As a natural result, many guides primarily outline technical controls that prevent external access to internal information systems.
The landscape of information technology (IT) security controls has widened significantly over the past few decades, especially since the adoption of the public internet and the proliferation of internet service providers. Today it is further fueled by the rise of mobile connectivity, whether through smartphones, tablets, or public Wi-Fi that is available almost any time and nearly anywhere.
This shift has transitioned the philosophical approach from IT security to information security, information being the actual asset that is protected through IT security controls. With this understanding, we must further recognize, accept, and conclude that information has value, and that within competitive markets, within and between the same or different industries, unauthorized attempts to access information systems are no longer just external configuration issues. They are also internal behavioral issues, which drive not only the technological implementations traditionally prompted by vendor configuration anomalies but also organizational structure, policies, vigilance, and training.
GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001 (IJNSA Journal)
In this paper, after giving a brief definition of Information Security Management Systems (ISMS), ISO 27001, IT governance, and COBIT, the pros and cons of implementing only COBIT, implementing only ISO 27001, and implementing both COBIT and ISO 27001 together when governing information security in enterprises will be discussed.
RANKING CRITERIA OF ENTERPRISE INFORMATION SECURITY ARCHITECTURE USING FUZZY ... (ijcsit)
Information security against hacking, altering, corrupting, and divulging data is vital and inevitable, and it requires effective management in every organization. Some of the upcoming challenges are the study of available frameworks in Enterprise Information Security Architecture (EISA) as well as criteria extraction in this field. In this study a method has been adopted in order to extract and categorize important and effective criteria in the field of information security by studying the major dimensions of EISA, including standards, policies and procedures, organization infrastructure, user awareness and training, security baselines, risk assessment, and compliance. Gartner's framework has been applied as the fundamental model to categorize the criteria. To assess the proposed model, a questionnaire was prepared and a group of EISA professionals completed it. Fuzzy TOPSIS was used to quantify the data and prioritize the criteria. It could be concluded that database and database security criteria, internal software security, electronic exchange security, and monitoring of malicious software can be high priorities.
Sarbanes-Oxley Compliance and the RFI/RFP Process (CXT Group)
Sarbanes-Oxley compliance and the RFI/RFP development process set an international standard in the industry. This article clearly states the happenings.
http://goo.gl/7cfs5T
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATION (IJNSA Journal)
Information security necessitates the implementation of safeguards to guarantee an adequate defense against attacks, threats, and breaches from occurring. Nonetheless, even with “adequate” defensive efforts, the taste for accessing sensitive and confidential financial information is too tempting, and attacks continue to escalate. Organizations must plan ahead so that identified attacks, threats, and breaches are appropriately managed to a successful resolution. A proven method to address information security problems is achieved through the effective implementation of access security controls. This paper proposes a quantitative approach for organizations to evaluate access security controls over financial information using Analytic Hierarchy Process (AHP), and determines which controls best suit management’s goals and objectives. Through a case study, the approach is proven successful in providing a way for measuring the quality of access security controls over financial information based on multiple application-specific criteria.
Challenges to the Implementation of Information Technology Risk Management an... (theijes)
The International Journal of Engineering & Science is aimed at providing a platform for researchers, engineers, scientists, or educators to publish their original research results, to exchange new ideas, to disseminate information in innovative designs, engineering experiences and technological skills. It is also the Journal's objective to promote engineering and technology education. All papers submitted to the Journal will be blind peer-reviewed. Only original articles will be published.
Business UseWeek 1 Assignment #1Instructions1. Plea.docx (felicidaddinwoodie)
Business Use
Week 1: Assignment #1
Instructions
1. Please read these two articles:
· Using forensics against a fitbit device to solve a murder: https://www.cbsnews.com/news/the-fitbit-alibi-21st-century-technology-used-to-help-solve-wisconsin-moms-murder/
· How Amazon Echo could be forensically analyzed! https://www.theverge.com/2017/1/6/14189384/amazon-echo-murder-evidence-surveillance-data
2. Then go around in your residence / dwelling (home, apartment, condo, etc) and be creative.
3. Identify at least five appliances or devices that you THINK could be forensically analyzed and then identify how this might be useful in an investigation. Note - do not count your computer or mobile device. Those are obvious!
4. I expect at least one paragraph answer for each device.
Why did I assign this?
The goal is to have you start THINKING about how any device, that is capable of holding electronic data (and transmitting to the Internet) could be useful in a particular investigation!
Due Date
This is due by Sunday, May 10th at 11:59PM
Informative speech on George Stinney Jr.
A. Info research analysis
The general purpose of the speech was to inform people about the civil injustice being done against the African American community in the United States. The specific purpose of the speech was to portray to the audience how an innocent 14-year old black boy suffered in the hands of the South Carolina State law enforcing officers. He was falsely accused of killing two white girls and electrocuted within two months after conviction.
I decided the topic of my speech after perusing all the suggested topics and found that the story of George Stinney Jr. was entirely touching and emotional.
This topic benefits the audience and the society in general by giving them an insight of the cruelty that the American law system has against the African American community. The audience gets to know how the shady investigations were done with claims that George had pleaded guilty to the charges of murder when there was no real evidence tying him to the crime or a signed plea agreement.
The alternative view that I found in the research was the version of the investigating officer of the case who claimed that the 14-year old boy managed to kill two girls aged 11 and 7 with a blunt object and ditch them in a nearby trench. This alternative point of view did not make sense because it is hard for a 14-year old boy to use the force that was reported by postmortem results to kill the girls. Therefore, I knew everything was a lie and I had to take the point of view of George’s innocence.
B. informative outline
Introduction:
George Stinney Jr. was an African American boy born on October 21, 1929 in Pinewood, South Carolina, U.S. He is considered the youngest person to be executed by the United States government in the 20th century.
Main body
Investigations of the alleged crimes (Bickford, 05)
The investigations concerning the alleged crimes of George S.
Business UsePALADIN ASSIGNMENT ScenarioYou are give.docx (felicidaddinwoodie)
Business Use
PALADIN ASSIGNMENT
Scenario:
You are given a PC and you are faced with this scenario: you don't know the password to the PC, which means you can't log in to use a forensic tool like FTK IMAGER to capture the hard drive as a bit-for-bit forensic image, AND/OR
1. The hard drive is either soldered onto the motherboard (there are some new hard drives like this!) or cannot be removed because the screws are stripped (this has happened to me);
2. Even if you figured out the password or got an admin password, the PC may have its USB ports blocked via a GPO policy (this is very common in corporations now);
3. Even if you can get the GPO policy overridden, you may have some concerns about putting it on the network (which is true especially if you are dealing with malware).
So what can you do? The best solution is to boot the PC up into a forensically sound environment that lets you bypass the password, the GPO policy, etc. and take a bit-for-bit image. One piece of software that has done the job very well for me is Paladin.
How to get points
If you can send me a screenshot showing me that you had installed Paladin .ISO and made your USB device a bootable device with Paladin using Rufus then you get 10 points.
If you can send me a screenshot showing that you had a chance to boot your computer into Paladin then you will earn an extra 10 points. It is not necessary for you to take a forensic image of your PC but I have included generic instructions here.
Assumptions:
1. You have downloaded Rufus on your computer
2. You have downloaded Paladin on your computer.
Instructions:
1. Make sure you have at least one USB drive.
2. If not done already, download Rufus from https://rufus.ie/.
3. If not done already, download the Paladin ISO image from this website: https://sumuri.com/product/paladin-64-bit-version-7/ which is free. It’s suggested price is $25.00 but you can adjust the price to $0 then order. To be clear – do not pay anything.
4. Insert the USB device in your computer.
5. Run Rufus where you install the Paladin .ISO file on the USB device and make it bootable. Now I could provide you step by step instructions, but this is a Masters class so I want you to explore a bit and figure this out. One good video is this: https://www.youtube.com/watch?v=V6JehM0WDTI.
6. After you are done using Rufus where you have installed Paladin.ISO on the USB device and made it bootable then make sure the USB device is in the PC.
7. Restart your PC. Press F9 (HP laptop) or F12 (Dell laptop) so you can be taken into the BIOS boot menu.
8. This is where things get a bit tricky, e.g. your computer may be configured differently, so that you have to adjust your BIOS settings. If you do not feel comfortable doing this then stop here. I do not want you to mess up your computer. You have already earned ten extra points!
9. If you still proceed then you will see a list of bootable devices. You may, for example, see a list of devices. Pick the device.
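The imaging step the assignment leaves to the reader, as an added example that is not part of the assignment and not Paladin's own tooling: once a forensic live environment is booted, the evidence drive is copied bit-for-bit with dd and the copy is proved faithful by comparing SHA-256 digests of the source and the image, with both digests appended to a chain-of-custody log. The constructed 1 MiB random file that stands in for a real drive, the log file name, and the temporary directory are assumptions; on a real case the source would be a device path such as /dev/sdX behind a write blocker.

```shell
#!/bin/sh
# Added example (not from the assignment): bit-for-bit acquisition with dd plus
# hash verification. A constructed random file stands in for the evidence drive
# so the script runs without root or real hardware (assumption).

# Portable SHA-256: coreutils sha256sum on Linux, shasum on macOS/BSD.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Copy every sector of $1 into $2. bs=512 matches the sector size, so
# conv=noerror,sync can skip an unreadable sector and zero-fill it instead of
# silently shortening the image (which would shift every later offset).
acquire_image() {
    src="$1"; dst="$2"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null
}

# Hash source and image, record both in the custody log ($3), and return 0 only
# when the digests match.
verify_image() {
    src="$1"; dst="$2"; log="$3"
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    src_hash=$(hash_file "$src")
    dst_hash=$(hash_file "$dst")
    printf '%s source=%s sha256=%s\n' "$stamp" "$src" "$src_hash" >> "$log"
    printf '%s image=%s sha256=%s\n' "$stamp" "$dst" "$dst_hash" >> "$log"
    [ "$src_hash" = "$dst_hash" ]
}

# Demonstration on a constructed 1 MiB evidence file (2048 sectors of 512 bytes).
demo_dir=$(mktemp -d)
evidence="$demo_dir/evidence.bin"
image="$demo_dir/evidence.dd"
custody="$demo_dir/custody.log"
dd if=/dev/urandom of="$evidence" bs=512 count=2048 2>/dev/null
acquire_image "$evidence" "$image"
if verify_image "$evidence" "$image" "$custody"; then
    echo "image verified, sha256=$(hash_file "$image")"
else
    echo "image does NOT match source" >&2
fi
rm -rf "$demo_dir"
```

The conv=sync padding only affects a final partial block, which never occurs on a whole device (its size is a multiple of the sector size) but would alter the digest of an ordinary file whose length is not a multiple of 512, so the constructed sample is sized in whole sectors. Hash the source before and after acquisition when time allows; an unchanged source digest is the evidence that the write blocker did its job.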
Business UsePractical Connection WorkThis work is a writte.docx (felicidaddinwoodie)
Business Use
Practical Connection Work
This work is a written assignment where students will demonstrate how this course research has connected and been put into practice within their own career.
Assignment:
Provide a reflection of at least 500 words of how the knowledge, skills, or theories of this course, to date, have been applied, or could be applied, in a practical manner to your current work environment.
If you are not currently working, then this is where you can be creative and identify how you THINK this could be applied to an employment opportunity in your field of study.
Requirements:
Provide a 500 word minimum reflection.
Use of proper APA formatting and citations. If supporting evidence from outside resources is used those must be properly cited.
Share a personal connection that identifies specific knowledge and theories from this course.
You should NOT provide an overview of the assignments given in the course. Reflect and write about how the knowledge and skills obtained through meeting course objectives were applied or could be applied in the workplace.
Pediatric depression: Therapy for Pediatric Clients with Mood Disorders
An African American Child Suffering From Depression
BACKGROUND INFORMATION
The client is an 8-year-old African American male who arrives at the ER with his mother. He is exhibiting signs of depression.
Client complained of feeling "sad"
Mother reports that teacher said child is withdrawn from peers in class
Mother notes decreased appetite and occasional periods of irritation
Client reached all developmental landmarks at appropriate ages
Physical exam unremarkable
Laboratory studies WNL
Child referred to psychiatry for evaluation
Client seen by Psychiatric Nurse Practitioner
MENTAL STATUS EXAM
Alert & oriented X 3, speech clear, coherent, goal directed, spontaneous. Self-reported mood is “sad”. Affect somewhat blunted, but child smiled appropriately at various points throughout the clinical interview. He denies visual or auditory hallucinations. No delusional or paranoid thought processes noted. Judgment and insight appear to be age-appropriate. He is not endorsing active suicidal ideation, but does admit that he often thinks about himself being dead and what it would be like to be dead.
The PMHNP administers the Children's Depression Rating Scale, obtaining a score of 30 (indicating significant depression)
RESOURCES
Poznanski, E., & Mokros, H. (1996). Children's Depression Rating Scale, Revised. Los Angeles, CA: Western Psychological Services.
Decision Point One
Select what the PMHNP should do:
Begin Zoloft 25 mg orally daily
Begin Paxil 10 mg orally daily
Begin Wellbutrin 75 mg orally BID
Business System Analyst
SUMMARY:
· Cognos Business Intelligence experience with expertise in Software Design, Development, and Analysis, Teradata, Testing, Data Warehouse, and Business Intelligence tools.
· Expertise in Cognos 11/10.2, 10.1, 8.x (Query Studio, Report Studio, Analysis Studio, Business Insight/Workspace, Business Insight/Workspace Advanced, Metric Studio (Score carding), Framework Manager, Cognos Connection)
· Expertise in Installation and Configuration of Cognos BI Products in Distributed environment on Windows
· Expertise with Framework Manager Modeling (Physical Layer, Business Layer, Packages) and Complex Report building with Report Studio.
· Expertise developing complex reports using drill-through reports, prompts, dashboards, master-detail, burst-reports, dynamic filtering in Cognos.
· Expertise in creating Dashboard reports using Java Script in Report studio.
· Expertise in building scorecard reports and dashboard reports using metric studio.
· Expertise with Transformer models and cubes that were used in Power play analysis and also these cubes were used in various Analysis Studio reports.
· Expertise with MDX Functions in Report Studio using Multi-dimensional Sources.
· Expertise with Cognos security (LDAP, Active Directory, Access manager, object level security, data security).
· Expertise with tabbed interfaces and with interactive behavior of value-based chart highlighting.
· Sound Skills in developing SQL Scripts, PL/SQL Stored Procedures, functions, packages.
· Expertise on production support and troubleshoot/test issues with existing reports and cubes.
· Experienced with MS SQL Server BI Tools like SSIS, SSRS and SSAS.
· Expertise in creation of packages, Data and Control tasks, Reports and Cubes using MS SQL Server BI Tools.
· Ability to translate business requirements into technical specifications and interact with end users to gather requirements for reporting.
· Good understanding of business process in Financial, Insurance and Healthcare areas.
· Expertise in infrastructure design for the cognos environment and security setup for different groups as per business requirement.
· Creating training material on all the Ad-Hoc training
· Expertise in all the basic administrative tasks like deployments, routing rule setups, user group setups, folder-level security, etc.
· Have deployment knowledge of IBM Cognos report in Application servers like WAS.
· Have knowledge on handling securities and administration functionalities on IBM Cognos 10.x
· Good work ethics, detail oriented, fast learner, team oriented, flexible and adaptable to all kinds of stressful environments. Possess excellent communication and interpersonal skills.
Technical Skills:
BI Platform
Cognos 11,10.2, 10.1, 8.x (Query Studio, Report Studio, Analysis Studio, Business Insight/Workspace, Business Insight/Workspace Advanced, Metric Studio (Score carding), Framework Manager, Cognos Connection)
Data Base
MS Access, MS SQL Server, Orac.
Business StrategyOrganizations have to develop an international .docx (felicidaddinwoodie)
Business Strategy
Organizations have to develop an international Human Resources Management Strategy, when they expand globally. Which do you think is more critical for international Human Resource Management:
Understanding the cultural environment, or
Understanding the political and legal environment?
Please choose 1 position and give a rationale; examples are also a way to demonstrate your understanding of the learning concepts.
Business StrategyGroup BCase Study- KFC Business Analysis.docx (felicidaddinwoodie)
Business Strategy
Group B
Case Study- KFC Business Analysis
Abstract
Introduced in 1952 by Colonel Sanders
Second largest restaurant chain today in terms of popularity
Annual revenue of $23 billion
Diversified its menu to suit cultural needs of people across different countries
Hindering factors in KFC’s growth are growing consumer health consciousness, animal welfare criticism, environmental criticism
Introduction
KFC was born in 1952 and its founder was Colonel Sanders
First franchise to grow globally over international market
By the 1960s – 1980s the market was booming in countries like England, Mexico, China
Management and ownership transferred over the years to Heublein, Yum Brands and PepsiCo.
Annual revenue of $23 billion in 2013
KFC had expanded its menu to suit cultural needs of people across different countries
Hindering factors in KFC’s growth are growing consumer health consciousness, animal welfare criticism, environmental criticism, logistic management issue in UK, cultural differences in Asian countries towards accepting the fried chicken menu.
Factors contributing to KFC’s global success
The core reason for KFC's success is its mandate to follow strict franchise protocols that have continuously satisfied customer demands:
The chicken cooked in KFC must meet specific quality guidelines
The size of the restaurant should be 24x60 feet
The restaurant washrooms and kitchen must meet set cleanliness standards
Unsold food must be discarded
Workers must wear specific clothing and uniforms
A set percentage of gross earnings must be spent on advertising and R&D
Air conditioning is mandatory in the outlets
Global number of KFC restaurants in the past decade
Importance of cultural factors to KFC’s sales success in India and China
Culture is the collective programming of the human mind that distinguishes the members of one human group from those of another. Culture in this sense is a system of collectively held values
“Culture is everything that people have, think, and do as members of their society”, which demonstrates that culture is made up of (1) material objects; (2) ideas, values, attitudes and beliefs; and (3) specified, or expected, behavior.
Many scholars have theorized and studied the notion of cross-cultural adaptation, the process of moving from one culture to another by learning elements such as the rules, norms, customs, and language of the new culture (Oberg 1960, Keefe and Padilla 1987, Kealey 1989). According to Ady (1995),
“Cultural adaptation is the evolutionary process by which an individual modifies his personal habits and customs to fit into a particular culture. It can also refer to gradual changes within a culture or society that occur as people from different backgrounds participate in the culture and share their perspectives and practices.”
Cultural factors in India that go against KFC’s original recipe.
Business Strategy Differentiation, Cost Leadership, a.docx (felicidaddinwoodie)
Business Strategy:
Differentiation, Cost Leadership,
and Integration
Lina Deng
Business Strategy and Competitive Advantage
• A business-level strategy is an integrated and coordinated set of commitments and actions designed to provide value to customers and to gain a competitive advantage by utilizing core competencies in specific individual product markets.
Business-Level Strategy: How to Compete for Advantage?
• Answer the “Who, What, Why, and How”
  - Who: which customer segments to serve?
  - What needs, wishes, desires will we satisfy?
  - Why do we want to satisfy them?
  - How will we satisfy customers’ needs?
• Details actions that managers take in the quest for competitive advantage
  - Single product or group of similar products
Industry and Firm Effects Jointly Determine Competitive Advantage
Business Strategy and Competitive Advantage
• Two fundamental questions:
  - How do you generate advantage?
  - How do you sustain advantage?
• Key idea for sustainability is “barriers to imitation.”
  - How long will it be before the first rival imitates the first mover?
  - How fast does new imitation occur once it starts?
  - These two factors determine appropriability.
Business Strategy and Competitive Advantage
• Does market share generate competitive advantage?
  - The computer industry is an excellent example of the lack of correspondence between market share and profit rates. IBM was a clear market leader in terms of market share but had only mediocre economic performance relative to its rivals. High market share is no guarantee of high rates of profitability.
Business Strategy and Competitive Advantage
• Does market share generate competitive advantage?
  - Perhaps high market share causes high profit rates.
  - But it could equally well be that there is a third factor (e.g., good service capabilities, such as those of Caterpillar), either not considered or unobserved by us, that causes both high profitability and high market share.
  - In this case, we would see a correlation between profitability and market share but there is no causal explanation.
Business Strategy and Competitive Advantage
• When can market share work to generate and sustain an advantage?
  - Scale economies (to generate cost leadership advantage) combined with high exit costs (to sustain the advantage) may make market share a defensible advantage.
Business Strategy and Competitive Advantage
• An organization’s knowledge or expertise can lead to sustainable advantage if:
  - The knowledg.
Business RequirementsReference number Document Control.docx (felicidaddinwoodie)
Business Requirements
Reference number:
Document Control
Change Record
Date
Author
Version
Change Reference
Reviewers
Name
Position
Table of Contents
Document Control
1 Business Requirements
1.1 Project Overview
1.2 Background including current process
1.3 Scope
1.3.1 Scope of Project
1.3.2 Constraints and Assumptions
1.3.3 Risks
1.3.4 Scope Control
1.3.5 Relationship to Other Systems/Projects
1.3.6 Definition of Terms (if applicable)
1 Business Requirements
1.1 Project Overview
Provide a short, yet complete, overview of the project.
1.2 Background including current process
Describe the background to the project, (same section may be reused in the Quality Plan) include:
This project is
The project goal is to
The IT role for this project is
1.3 Scope
1.3.1 Scope of Project
The scope of this project includes a number of areas. For each area, there should be a corresponding strategy for incorporating these areas into the overall project.
Applications
In order to meet the target production date, only these applications will be implemented:
Sites
These sites are considered part of the implementation:
Process Re-engineering
Re-engineering will
Customization
Customizations will be limited to
Interfaces
The interfaces included are:
Architecture
Application and Technical Architecture will
Conversion
Only the following data and volume will be considered for conversion:
Testing
Testing will include only
Funding
Project funding is limited to
Training
Training will be
Education
Education will include
1.3.2 Constraints and Assumptions
The following constraints have been identified:
The following assumptions have been made in defining the scope, objectives and approach:
1.3.3 Risks
The following risks have been identified as possibly affecting the project during its progression:
1.3.4 Scope Control
The control of changes to the scope identified in this document will be managed through the Change Control process, with business owner representative approval for any changes that affect the cost or timeline of the project.
1.3.5 Relationship to Other Systems/Projects
It is the responsibility of the business unit to inform IT of other business initiatives that may impact the project. The following are known business initiatives:
1.3.6 Definition of Terms (if applicable)
List any definitions that will be used throughout the duration of the project.
An operating system is the fundamental software that manages all the hardware and other software on a computer. It also lets us interact with the computer without knowing how to speak the computer's own language. An operating system is the core layer of software on a device that holds everything together. Operating systems talk to the device's hardware: they handle everything from your keyboard and mouse to the Wi-Fi radio, storage devices, and display. Symbolically, an operating.
Business ProposalThe Business Proposal is the major writing .docx (felicidaddinwoodie)
Business Proposal
The Business Proposal is the major writing assignment in the course. You are to create and submit a formal proposal that suggests how to change something within an organization. This organization can be large or small, a place of employment now or in the past, or an organization to which the students belong. From past experiences, it is best to use a business with fewer than 200 employees, and one with which you have personal experience. It could be a place where you currently work or a place you have worked or volunteered in the past.
The change can be specific to a unit or can apply to the whole organization; it can relate to how important information is distributed, who has access to important information, how information is accessed, or any other change in practices the students see as having a benefit. The proposal should be directed to the person or committee with the power to authorize the change. However, if you are working within a large organization, and asking for a small organizational change, communicating with a CEO or president may not make the most sense. You need to think about who within the organization might be the best person for the type of change suggested.
For the submission, you are to follow the guidelines for formal proposals available in Chapter 10 of the text. You can review 10.1, 10.4, and 10.19 for more information about specific components for a well-written formal business proposal. A complete proposal must have all required sections of a formal report excluding the copy of an RFP and the Authorization. The final draft of the proposal should be 1500–2000 words, and include the following necessary formal proposal components:
Letter of transmittal
Executive summary
Title page
Table of contents
List of illustrations
Introduction
Background: Purpose/problem
Proposal: plan, schedule, details
Staffing
Budget
Appendix
Formatting does matter for this assignment, and you are to check the text for details about how to format and draft the different proposal segments. Proposals don't just have text; graphics and charts are necessary, too. In addition, research is important, and footnotes and references must be included. All content should be concise, clear, and detailed. The proposal should be well-written with appropriate grammar, spelling, and punctuation.
This is a scaffolded writing project that consists of four assignments.
Business ProjectProject Progress Evaluation Feedback Form .docx (felicidaddinwoodie)
Business Project
Project Progress Evaluation
Feedback Form Week 3
Date: __________________________________________________
Student Name: __________________________________________________
Project Title: Effect Of Increasing Training Budget
Project Type: Business Research
Researchers:
Has a topic been chosen and a problem statement created?
Yes { } NO { }
Was the problem statement submitted in a 1-4 page paper that includes an introduction to the topic with appropriate documentation?
Yes { } No { }
Specifically, what, if anything, needs additional content or rewriting to create more clarity? What specific recommendations do you have to help in this process?
________________________________________________________________________
What is your workable timetable that states specific objectives and target completion dates for completing the final draft of the plan? Write the timetable below:
________________________________________________________________________
Feedback Form #3 – Project Proposal and Plan
THE UK’S LEADING PROVIDER OF EXPERT SERVICES FOR IT PROFESSIONALS
NATIONAL COMPUTING CENTRE
IT Governance
Developing a successful governance strategy
A Best Practice guide for decision makers in IT
The effective use of information technology is now an accepted organisational imperative for all businesses, across all sectors, and the primary motivation is improved communications and commercial effectiveness. The swift pace of change in these technologies has consigned many established best practice approaches to the past. Today's IT decision makers and business managers face uncertainty, characterised by a lack of relevant, practical advice and standards to guide them through this new business revolution.
Recognising the lack of available best practice guidance, the National Computing Centre has created the Best Practice Series to capture and define best practice across the key aspects of successful business.
Other Titles in the NCC Best Practice series:
IT Skills - Recruitment and Retention ISBN 0-85012-867-6
The New UK Data Protection Law ISBN 0-85012-868-4
Open Source - the UK opportunity ISBN 0-85012-874-9
Intellectual Property Rights - protecting your intellectual assets ISBN 0-85012-872-2
Aligning IT with Business Strategy ISBN 0-85012-889-7
Enterprise Architecture - underst.
BUSINESS PROCESSES IN THE FUNCTION OF COST MANAGEMENT IN H.docx (felicidaddinwoodie)
BUSINESS PROCESSES IN THE FUNCTION OF COST MANAGEMENT IN HEALTHCARE INSTITUTIONS¹
1st author: IVANA DRAŽIĆ LUTILSKY, Department of Accounting, Faculty of Economics and Business, University of Zagreb, Croatia, [email protected]
2nd author: LUCIJA JUROŠ, Faculty of Economics and Business, [email protected]
Abstract: This paper deals with the importance of business processes for cost tracking and cost management in healthcare institutions. Various changes within the health care system and in the funding of hospitals require the introduction of management information systems and cost accounting. The introduction of cost accounting in public hospitals would allow the planning and control of costs, the monitoring of costs per patient or service, and the calculation of indicators for analysing and assessing the economic performance of public hospitals, and would lead to transparency in budget spending. A model suited to introduction in public hospitals is the full cost allocation model based on the activities or processes that occur, known as the ABC method. Since this is a calculation of the cost of services provided through various internal business processes, it is important to identify all business processes in order to calculate the costs incurred by each service. Although hospitals do not operate with the aim of making a profit, they must track all costs (direct and indirect) to be able to calculate the full cost, i.e. the price, of the service provided. In addition, given the long-term sustainability of business activities under funding difficulties and the continuous growth in the cost of services provided, hospitals must control and reduce the cost of programs and specific activities. Therefore, the objective of this paper is to point out the importance of business processes when introducing the ABC method.
Keywords: Business Processes, Cost management, ABC method, Healthcare Institutions
¹ This work has been fully supported by University of Zagreb funding the project “Business processes in the implementation of cost management in healthcare system”. Any opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of University of Zagreb.
1 Introduction
In recent years, the efficiency of management in health care services and the quality systems of health care institutions have significantly increased. Patients expect more from healthcare providers and higher standards of care. At the same time, those who pay for health services are increasingly concerned about the rising costs of health care services and the potential ineffectiveness of the health care system. Consequently, there is a broad interest in understanding the ways of efficient work of health care management and .
Business Process Management JournalBusiness process manageme.docx (felicidaddinwoodie)
Business Process Management Journal
Business process management: a maturity assessment of Saudi Arabian organizations
Omar AlShathry
Article information:
To cite this document:
Omar AlShathry, (2016) "Business process management: a maturity assessment of Saudi Arabian organizations", Business Process Management Journal, Vol. 22 Issue: 3, pp.507-521, https://doi.org/10.1108/BPMJ-07-2015-0101
Permanent link to this document:
https://doi.org/10.1108/BPMJ-07-2015-0101
Downloaded by SAUDI DIGITAL LIBRARY (SDL) At 00:11 04 September 2018 (PT)
Business process management: a maturity assessment of Saudi Arabian organizations
Omar AlShathry
Department of Information Systems,
Imam Mohammed Bin Saud University, Riyadh, Saudi Arabia
Abstract
Purpose – Business Process Management (BPM) has become increasingly common among organizations
in d.
Business Plan[Your Name], OwnerPurdue GlobalBUSINESS PLANDate.docx (felicidaddinwoodie)
Business Plan
[Your Name], Owner
Purdue Global
BUSINESS PLAN
Date
1. EXECUTIVE SUMMARY
1.1 Product
1.2 Customers
1.3 What Drives Us
2. COMPANY DESCRIPTION
2.1 Mission and Vision Statements
2.2 Principal Members at Startup (In Unit 7 you will expand on this section to include medium and long term personnel plans for all team members, including the line staff.)
2.2.1 Using chapter 10 of your text, write the plan, using the section in Chapter 10 that shows how to introduce each team member and describe their background and responsibilities. You will start with the leaders and managers, then discuss other employees as needed for your company to grow.
2.2.2 Use this spreadsheet to show the planning
Leaders/managers (unit 1)
When needed (number of months/years after opening)
Outside Services Needed
Key Functions
Add line staff (Unit 7)
2.3 Legal Structure
3. MARKET RESEARCH
3.1 Industry (from SBA, Business Guides by Industry, and Bureau of Labor Statistics)
3.1.1 Industry description
3.1.2 Resources used
3.2 Customers (from SBA site fill in worksheet, then use text for spreadsheets and follow-up explanations)
Add SBA part here:
Then, fill in spreadsheet using this example from the text:
Segment      Housewife                  Married Couple                      Older Couple                        Elderly
Age          35–65                      35–55                               55–75                               70+
Income       Fixed                      Medium to high                      High or fixed                       Fixed
Sex          Female                     Male or Female                      Male or Female                      Male or Female
Family       Children living at home    0 to 2 children                     Empty nest                          Empty nest
Geographic   Suburban                   Suburban                            Suburban                            Suburban
Occupation   Housewife                  Varies                              White-collar or retired             Retired
Attitude     Security minded            Security minded, energy conscious   Security minded, energy conscious   Security minded, energy conscious
Explain who you are targeting and where they are located. Insert information here using these guidelines:
Information About Your Target Market – Narrow your target market to a manageable size. Many businesses make the mistake of trying to appeal to too many target markets. Research and include the following information about your market:
Distinguishing characteristics – What are the critical needs of your potential customers? Are those needs being met? What are the demographics of the group and where are they located? Are there any seasonal or cyclical purchasing trends that may impact your business?
Size of the primary target market – In addition to the size of your market, what data can you include about the annual purchases your market makes in your industry? What is the forecasted market growth for this group? For more information, see the market research guide for tips and free government resources that can help you build a market profile.
How much market share can you gain? – What is the market share.
Business PlanCover Page Name of Project, Contact Info, Da.docx (felicidaddinwoodie)
Business Plan
Cover Page
Name of Project, Contact Info, Date
Picture/graphics
Table of Contents
Executive Summary
The Company
The Project
The Industry
The Market
Distribution
Risk Factors
Financing
Sources
List of sources, specific articles, and websites
I WILL PROVIDE MORE INFORMATION IN CHAT TO COMPLETE PROPOSAL.
Business Planning and Program Planning A strategic plan.docx (felicidaddinwoodie)
Business Planning and Program Planning
A strategic plan specifies how a particular program will realize its objectives. With a strategic plan, it is possible to focus efforts on the accomplishment of a program's goals. A strategic plan provides a link between what a program seeks to accomplish and the required actions for successful program implementation (Kettner, Moroney & Martin, 2017). A business plan, on the contrary, defines the path of business. It includes a company's organizational structure, marketing plan as well as financial projections (Kettner et al., 2017).
Impact of Business Plan on a Program’s Strategic Plan
The logic model helps explain the impact of a business plan on a program’s strategic plan. The logic model comprises five major elements: inputs, activities, outputs, outcomes, and impacts. Inputs are the resources, such as funding, facilities, staff and volunteers, needed for a given program. Activities are the events or actions of a program, such as running the program and collecting data. Outputs are the direct products of those activities, outcomes are the desired effects of the program, and impact recalls the goals of the program (Hodges & Videto, 2011).
The financial projection element of a business plan can affect the strategic planning process of a program. This is because the allocated budget and its parameters must be assessed to determine whether the funds available are enough to perform the tasks and activities of the program, which is what strategic planning amounts to. Hodges and Videto (2011) asserted that the resources required to implement a program, both those available and those still needed, should be reviewed to determine whether there are enough resources to achieve the program’s goals. The budget must include allocations for facilities and space, staff, supplies and materials, marketing resources and other operational expenses. An accurate budget is vital for the success of a program, and it is critical to consider all possible expenses as well as income.
The relationship between Business Planning and Program Planning
Programs usually face resource constraints, including difficulty attracting funding streams. Business planning, according to the United States Small Business Administration (n.d.), is a methodology that can be used to address the challenge of financial constraints systematically. A business plan can demonstrate the link between a proposed program and its social return. Through a funded plan, it is possible for a program to secure funding sources. As such, a program plan must include a budget that specifies the amount of revenue needed to achieve the program’s goals and objectives. From this perspective, a budget is an integral component of the program planning process rather than a stand-alone activity (Kettner, Moroney and Martin, 2017).
The program planning process must include areas that require add.
Business Plan In your assigned journal, describe the entity you wil.docx (felicidaddinwoodie)
Business Plan: In your assigned journal, describe the entity you will utilize and explain your decision.
Must be:
At required length or longer
Written in American English at graduate level
Received on or before the deadline
Must pass Turnitin
Written in APA with references
Business Plan Part IVPart IV of the Business PlanPart IV of .docx (felicidaddinwoodie)
Business Plan Part IV
Part IV of the Business Plan
Part IV of the business plan is due in week 7. Together with this part, you must show to your instructor that you have implemented the necessary corrections based on the part I feedback.
Part IV Requirements
1. Financials Plan
a. Present an in-depth narrative to demonstrate the viability of your business to justify the need for funding.
b. In this section describe financial estimates and rationale which include financial statements and forms that document the viability of your proposed business and its soundness as an investment.
c. Tables and figures must be introduced in the narrative.
i. Describe the form of business (sole-proprietor, LLC, or Corporation).
ii. Prepare three-year projections for income, expenses, and sources of funds.
iii. Base predictions on industry and historical trends.
iv. Make realistic assumptions.
v. Allow for funding changes at different stages of your company’s growth.
vi. Present a written rationale for your projections.
vii. Indicate your startup costs.
viii. Detail how startup funds will be used to advance your proposed business
ix. List current capital and any other sources of funding you may have
x. Document your calculations.
xi. Use reasonable estimates or actual data (where possible).
2. Continuous Improvement System
a. Present a brief summary of the continuous improvement processes that you will utilize for quality management (Six Sigma, TQM, etc.).
BUSINESS PLAN FORMAT Whether you plan to apply for a bu.docx (felicidaddinwoodie)
BUSINESS PLAN FORMAT
Whether you plan to apply for a business loan or not, you need to have a roadmap or plan to get you from where you are to the successful operation of your business. The pages that follow demonstrate the content of a simple business plan which has been found to be successful in obtaining startup funds from banks. You are encouraged to use all or whatever portions of this fit your business.
Please DO NOT write page after page of drivel or copy from someone else’s plan or one of those templates you can find on the Internet. In most cases this will not “sound" like you, nor will it be short and to the point. Those who read these things are busy people and will not be inclined to spend time reading irrelevant paperwork.
Throughout this sample, there are italicized comments which are meant to guide you in preparation. If you follow this format it is reasonable to expect a finished document with 15-20 pages plus the supporting documents in the last section.
If you have good quality pictures of your space, products or other items, you might include them as another way to convey just what you plan to do. A map of your location, diagram of floor space, or other illustration is also sometimes helpful. On the other hand, do not add materials simply to “bulk-up” the report.
While content is critical, it is also important to make this presentation look as good as possible. For this course, you will create the business plan in Word and submit the plan and all attachments through the Assignment drop box. That means all attachments have to be in digital form. For a bank loan or an investor, you would normally provide them with a print version. Print the pages in black ink on a high quality tinted letterhead paper. Color is not necessary but would add some interest in headlines, etc. Bind the document in a presentation folder or with a spiral binding. Don’t simply punch a staple in the upper left corner.
If you were going to pursue a bank loan or an investor, it would be normal to take this business plan to your SCORE counselor for a review and critique.
NOTE: Before you begin your inspection of the simple plan outline which follows, take a moment to review the Business Plan Checklist on the next page.
BUSINESS PLAN CHECKLIST
By way of review, here is a concise list of the basic requirements for a Business Plan, as recommended by the MIT Enterprise Forum:
· Appropriate Arrangement - prepare an executive summary, a table of contents and chapters in the right order.
· Right Length - make it not too long and not too short, not too fancy and not too plain.
· Expectations - give a sense of what founder(s) and the company expect to accomplish three to seven years in the future.
· Benefits - explain in quantitative and qualitative terms the benefit to the consumer of the products and services.
· Marketability - present hard evidence of the mar.
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
A Strategic Approach: GenAI in EducationPeter Windle
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
205JOURNAL OF INFORMAITON SYSTEMSVol. 20, No. 1Spring .docx
1. 205
JOURNAL OF INFORMAITON SYSTEMS
Vol. 20, No. 1
Spring 2006
pp. 205–219
Research Opportunities in Information
Technology and Internal Auditing
Marcia L. Weidenmier
Mississippi State University
Sridhar Ramamoorti
Grant Thornton LLP
ABSTRACT: This paper presents research opportunities in the
area of information tech-
nology (IT) within the context of the internal audit function.
Given the pervasive use of
IT in organizations and the new requirements of the Sarbanes-
Oxley Act of 2002, in-
ternal audit functions must use appropriate technology to
increase their efficiency
and effectiveness. We develop IT and internal audit research
questions for three
governance-related activities performed by the internal audit
function-risk assessment,
control assurance, and compliance assessment of security and
privacy.
Keywords: IT / IS auditing; internal auditing; information
2. technology; research oppor-
tunities; Sarbanes-Oxley; corporate governance; risk
management; secu-
rity; privacy.
Data Availability: Please direct all comments and suggestions to
Dr. Marcia
Weidenmier.
I. INTRODUCTION
T
his paper develops information technology-related research
questions within the con-
text of the internal audit function. The internal audit function
(IAF) is one of the
cornerstones of corporate governance along with the external
auditor, executive man-
agement, and the audit committee of the Board of Directors
(Gramling et al. 2004). The
Board of Directors determines the overall governance process,
which senior management
implements and internal and external auditors evaluate, under
the watchful eye of the audit
committee (Blue Ribbon Committee 1999; Treadway
Commission 1987).
The IAF occupies a unique and pivotal role in corporate
governance. First, the IAF is
an information gathering and reporting resource for the three
other governance parties
(Gramling et al. 2004). Second, the IAF is an integral part of
the organization’s internal
control structure. In fact, Rule 303A of the New York Stock
Exchange requires listed
companies to have an IAF. Third, the IAF executes important governance-related activities including risk assessment, control assurance, and compliance assessment, which are critical in complying with the new requirements of the Sarbanes-Oxley Act of 2002 (SOX). Internal auditors are central figures and function as a key support in providing assurance for meeting the requirements of SOX Section 302 (quarterly and annual certifications of the completeness and accuracy of the financials by the CEO and the CFO) and Section 404 (external auditor attestation of the effectiveness of internal controls over financial reporting). As an integral part of corporate governance, internal auditors must now consider the “probability of significant errors, irregularities, or noncompliance” (Implementation Standard 1220.A1 [IIA 2004]) as they execute their governance-related activities.

We thank JIS editor Dan Stone for suggesting and encouraging us to write the supplemental technology chapter to the Research Opportunities in Internal Auditing (2003) monograph. We remain grateful to the IIA Research Foundation for granting us permission to reproduce, paraphrase, and/or use copyrighted materials in preparing this paper for the Journal of Information Systems. (Copyright 2004, The Pervasive Impact of Information Technology on Internal Auditing, by the Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201 U.S.A. Reprinted with permission.) The views expressed in this paper are the personal views of Dr. Sridhar Ramamoorti and do not reflect the views of, nor endorsement by, Grant Thornton LLP.
As IT and business models become inseparable, IT is playing a pivotal role in corporate governance and SOX compliance. IT both enables and drives effective governance structures, risk management, and control processes because it (1) shapes an organization by influencing the governance structure selection and the organization’s level of risk (Boritz 2002; Parker 2001), (2) helps establish, maintain, and enforce new governance processes throughout the organization (Hamaker 2004; Fox and Zonneveld 2004), and (3) helps integrate the risk management and compliance processes, which improves reputation, employee retention, and revenue (by as much as 8 percent) and lowers the cost of capital and insurance premiums (PricewaterhouseCoopers 2004).
IT’s rapid change is dramatically altering the IAF (Gorman and Hargadon 2005). Accordingly, the Institute of Internal Auditors (IIA) requires internal auditors to understand how IT is used and should be used in an organization, as well as key IT risks, controls, and IT-based audit techniques (Implementation Standard 1210.A3 [IIA 2004]). Thus, given the new requirements of SOX and the IIA, both the IAF and IT have risen in prominence and impact within organizations.
In this new era of governance reform, “IT-internal auditing research” has become a critical imperative. Surprisingly, however, “while the role of assurance practitioners, from an external perspective, has often been publicly discussed and debated, the role of the internal auditor and the resulting changes have not been quite so publicized” (Boritz 2002, 232). Significant prospects exist for academic research in the areas of internal auditing and technology from theoretical and practical perspectives. To help encourage research on IT and the IAF, we develop research questions for three governance-related activities performed by the IAF: risk assessment, control assurance, and compliance work (Hermanson and Rittenberg 2003).
Our research builds on the following studies, which provide comprehensive syntheses of extant literature. Almost 30 years ago, Cash et al. (1977) reviewed existing studies and techniques on auditing and electronic data processing (EDP) (primarily from an external audit perspective) to encourage future EDP research. More recently, O’Leary (2000) discusses the enterprise resource planning systems (ERPs) literature. The Information Systems Section of the American Accounting Association published Researching Accounting as an Information Systems Discipline (Arnold and Sutton 2002), which presents research opportunities in a variety of areas including expert and group support systems, decision aids, electronic commerce, continuous and information systems assurance, and knowledge management. Finally, Ramamoorti and Weidenmier (2004) develop IT-related research opportunities in internal auditing for eight different areas, as part of the Research Opportunities in Internal Auditing (Bailey et al. 2003) monograph published by the IIA Research Foundation. We use the chapter by Ramamoorti and Weidenmier (2004) as our starting point.
The remainder of the paper develops IT-related research questions for each governance activity performed by the IAF. Section II focuses on risk assessment. Section III explores control assurance, while Section IV discusses two primary areas of compliance assessment: security and privacy. Section V concludes.
II. RISK ASSESSMENT
Traditionally, internal auditing used a control-based approach for planning its activities. More recently, corporate governance focuses on risk management, providing the impetus for the IAF to move to a risk-based approach (McNamee and Selim 1998). In fact, the IAF, in the context of organizational risk assessment (Ramamoorti and Traver 1998), must identify and assess risks to define the audit universe and to plan its engagements (IIA Performance Standard 2010.A1). Unfortunately, organizations struggle with enterprise-wide risk management and “conflicting evidence exists regarding what [enterprise risk management] means and how common[ly] it actually is” implemented (Kleffner 2003, 66). Moreover, a lack of risk management frameworks, of qualitative and quantitative risk metrics, and of an accessible central repository of actuarial data has hampered risk management efforts (Ozier 2003). To help overcome some of these obstacles, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released the 2004 Enterprise Risk Management (ERM) Framework, which encompasses and expands its 1992 Internal Control-Integrated Framework. The ERM Framework presents an integrated framework with practical implementation guidelines to ensure achievement of organizational objectives, reliable reporting, and regulatory compliance.
IT and the IAF are both integral components of ERM. The Board’s corporate governance process directs senior management’s development and implementation of the risk management process, which the IAF must evaluate for “adequacy and effectiveness” as well as for “significant risks that might affect objectives, operations, or resources” (Sobel and Reding 2004; Implementation Standards 1220.A1 and 1220.A3 [IIA 2004]). IT also permeates the risk management process as a source of risk and as a tool to implement the following eight components of the ERM Framework: internal environment, objective setting, identification of events, risk assessment, risk response, control activities, information and communication, and monitoring (Ramamoorti and Weidenmier 2004). While research opportunities exist for each Framework component, we focus only on the third and fourth components, identification of events and risk assessment, which we consider to be the pinnacle of the ERM Framework. To help the reader understand the context of our research questions, Figure 1 presents an overview of the Framework and its relationship to this paper. In addition, we now briefly describe how the other ERM Framework components relate to risk assessment and IT.
The first two ERM Framework components, the internal environment and objective setting, shape the organization’s risk assessment process. The internal environment reflects the organization’s risk appetite, that is, how much risk management and the Board are willing to accept when conducting business, and is the basis for all other Framework components. Objective setting ensures that the organization has a process to define high-level strategic objectives as well as detailed operational, reporting, and compliance objectives that are consistent with its mission and risk appetite. Based on their strategic objectives, organizations must identify and assess the risk of events, which are internal or external incidents that may negatively affect strategy and the achievement of objectives.
The last four ERM Framework components (risk response, control activities, information and communication, and monitoring) delineate the organization’s response to the assessed risk. Organizations can avoid, reduce, share, or accept the assessed risk via their response to identified risks. Control activities ensure that risk responses are implemented via controls that support strategic, operational, reporting, and compliance objectives. An information and communication system must identify, analyze, and respond to new and existing risks as well as communicate needed information across the organization. Moreover, in today’s rapidly changing business environment, the ERM plan requires continuous monitoring that is real-time, dynamic, and embedded in the organization (COSO 2004a, 75) to ensure that the ERM plan evolves to effectively manage the organization’s risk.

FIGURE 1
The Enterprise Risk Management Framework and its Relationship to this Paper
[Figure not reproduced. It lays out the eight ERM components (internal environment, objective setting, identification of events, subdivided into negative and positive events, risk assessment, risk response, control activities, information and communication, and monitoring) and labels them with the sections of this paper: Section II, risk assessment; Section III, control assurance; Section IV, compliance assessment.]
The Enterprise Risk Management components are from COSO (2004a).
IT is intricately intertwined with the components of the ERM Framework, affecting how the organization manages risk. For example, the organization’s risk appetite affects its choice of IT, level of e-commerce, integration with business partners, and use of emerging technologies, all of which change the risk of the organization. While strategic objectives influence the IT infrastructure, IT can simultaneously help (1) shape strategy, (2) use operational assets efficiently and effectively, (3) increase reporting reliability and regulatory compliance, (4) communicate information globally, and (5) ensure that the organization is operating within established risk tolerances, the acceptable level of variation around objectives (PricewaterhouseCoopers 2003; Tillinghast-Towers Perrin 2001; Leithhead and McNamee 2000).
Keeping this framework in mind, we turn to the third and fourth components of the ERM Framework, the identification of events and risk assessment. Negative events are risks that must be assessed. Positive events are opportunities that may redirect the organization’s objective setting process. The Framework identifies IT as an external event and an internal event. In fact, IT is the only item classified as both types of events. For external events, organizations must consider the impact of the changing e-commerce environment, the increasing availability of external data, potential technological interruptions, and emerging technology (COSO 2004a, 47). For internal events, organizations must consider how data integrity, data and system availability, and system selection, development, deployment, and maintenance may affect their ability to operate (COSO 2004a, 46). IT also enables the organization to identify other events. As an enabler, IT can help internal auditors facilitate interactive group workshops, pinpoint areas of concern via escalation or threshold triggers, and identify trends and causes of risks by statistically analyzing historical data via data mining and data warehouses (Nehmer 2003; Searcy and Woodroof 2003; Rezaee et al. 2002).
Once the negative events (i.e., risks) have been identified, organizations must estimate the likelihood and timing of the events occurring and their impact on the organization. To estimate the financial impact of different time horizons and probable outcomes, internal auditors can use a variety of simulation, mapping, benchmarking, and modeling tools. Data warehouses and data mining can estimate the likelihood an event will occur, thereby supplementing managers’ qualitative estimates (Rezaee et al. 2002). Neural networks and data envelopment analysis (DEA) can also be used to assess risk, direct internal auditors’ attention to high risk audit areas, and engage in “brainstorming” and “scenario building” activities that seek to track and monitor business risks as they develop (Kinney 2003, 149; Bradbury and Rouse 2002; Ramamoorti and Traver 1998). According to PricewaterhouseCoopers Internal Audit Services Practices, the IAF needs a level of IT sophistication that matches the level of risk that it is trying to manage (Heffes 2002); i.e., the concept of requisite variety applies to the IAF and the system it regulates (Weick 1969, 1979). While prior studies examine what tools the IAF uses (e.g., Hermanson et al. [2000]; annual IAF surveys by the Internal Auditor), we lack evidence regarding how well the risk identification and assessment tools used by the IAF match the organization’s current and planned level of risk and IT usage.
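The simulation and modeling step described above can be made concrete. The Python below is an added example, not code from the paper or from any of the tools it cites. It takes a small risk register whose entries, annual probabilities and loss ranges are all constructed for illustration, computes the analytic annualized loss expectancy (ALE), ranks the risks by their contribution so that audit attention can be directed to the high-risk areas, and then runs a Monte Carlo simulation to recover what the single ALE figure hides: the 95th-percentile “bad year” and the probability that cumulative loss over a multi-year planning horizon exceeds a reserve. The uniform loss-per-occurrence model is an assumption chosen to keep the example self-contained.

```python
"""Quantitative risk assessment over a small risk register.

Added example, not code from the paper. Register entries, annual
probabilities and loss ranges are constructed for illustration, and the
uniform loss-per-occurrence model is an assumption made to keep the
example self-contained.
"""
import random
import statistics

# Constructed risk register: (risk, annual probability, low loss, high loss).
RISK_REGISTER = [
    ("ERP outage longer than 24 hours",   0.10, 200_000,   800_000),
    ("Payroll data breach",               0.05, 500_000, 2_000_000),
    ("Unauthorized vendor master change", 0.30,  20_000,   150_000),
]


def single_loss_expectancy(low, high):
    """Mean loss of one occurrence under the uniform assumption."""
    return (low + high) / 2.0


def expected_annual_loss(register=RISK_REGISTER):
    """Analytic annualized loss expectancy (ALE): sum of p * mean loss."""
    return sum(p * single_loss_expectancy(lo, hi) for _, p, lo, hi in register)


def rank_by_ale(register=RISK_REGISTER):
    """Risk names ordered by contribution to ALE, highest first: the list
    that directs audit attention to the high-risk areas."""
    contrib = [(name, p * single_loss_expectancy(lo, hi))
               for name, p, lo, hi in register]
    return [name for name, _ in sorted(contrib, key=lambda t: t[1], reverse=True)]


def simulate_year(register, rng):
    """One simulated year: each risk fires independently with its probability
    and, if it fires, draws a loss from its range."""
    loss = 0.0
    for _, p, lo, hi in register:
        if rng.random() < p:
            loss += rng.uniform(lo, hi)
    return loss


def simulate(register=RISK_REGISTER, years=20_000, seed=1):
    """Monte Carlo distribution of annual loss over `years` trials.

    Returns the mean (which should approach the analytic ALE), the
    95th percentile (the 'bad year' figure the ALE alone hides), the worst
    trial, and the share of years with no loss at all.
    """
    rng = random.Random(seed)
    losses = sorted(simulate_year(register, rng) for _ in range(years))
    return {
        "mean": statistics.fmean(losses),
        "p95": losses[int(0.95 * (years - 1))],
        "max": losses[-1],
        "loss_free_share": sum(1 for x in losses if x == 0.0) / years,
    }


def prob_exceeds(reserve, years_ahead=3, register=RISK_REGISTER,
                 trials=5_000, seed=1):
    """Probability that cumulative loss over `years_ahead` years exceeds a
    reserve: the time-horizon question a multi-year plan has to answer."""
    rng = random.Random(seed)
    over = 0
    for _ in range(trials):
        total = sum(simulate_year(register, rng) for _ in range(years_ahead))
        if total > reserve:
            over += 1
    return over / trials


if __name__ == "__main__":
    print(f"ALE (analytic): {expected_annual_loss():,.0f}")
    print("Attention ranking:", rank_by_ale())
    print("Simulated annual loss:", simulate())
    print(f"P(3-year loss > 1,000,000): {prob_exceeds(1_000_000):.3f}")
```

Run as a script it prints the four figures; the fixed seed makes the simulation repeatable, which matters when the numbers are filed as part of a documented risk assessment. Note how the mean and the 95th percentile differ by several multiples on this register, because most years carry no loss at all while the rare breach year dominates the tail; that gap is the information a point estimate of ALE does not convey. Replacing the uniform draw with a lognormal one is a one-line change and is usually a better fit for real loss data.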
Understanding the impact of IT on risk assessment is especially important for organizations with ERPs. O’Leary (2000) and Addison (2001) state that ERPs expose organizations to significantly different risks including business interruption, change management, process interdependency, privacy and confidentiality, data content quality, and system security. Moreover, newly implemented ERP processes potentially alter and even weaken traditional segregation of duties, because traditional controls are often eliminated and not replaced during implementation (Bae and Ashcroft 2004). Wright and Wright (2002) delineate additional risks associated with ERP implementations from customization, process reengineering, bolt-on software (i.e., software from a different vendor that adds functionality to an ERP), and incompatibilities with organizational requirements. Thus, ERPs may not reduce control risk if organizations modify key process linkages and integrated controls are not fully implemented.
In light of these concerns, internal auditors must examine ERP risk carefully. Given the large variety of ERPs available, how is risk affected if organizations implement primary (manufacturing) versus support (financial and human resource) software components? Does risk vary with the specific ERP software (vendor) selected or with internal audit involvement? How much risk exists if organizations do not convert from existing legacy systems to ERPs?
As a starting point in answering these questions, Wright and Wright (2002) report that then-Big 5 information systems auditors identify supply-chain and payroll ERP subsystems as having the highest control and security risks. Other areas of concern include interfaces with legacy systems and non-ERP bolt-ons. Interviewees also state that the major vendor ERPs differ in terms of access and encryption controls as well as input devices and controls. External information systems auditors also appear not to be concerned with the security and control risks of business intelligence systems (Wright and Wright 2002). To better understand how organizations manage and control ERP risks, future research can determine how the IAF’s perspectives compare to those of external auditors and whether internal auditors consider the risks of business intelligence systems and other areas that are apparently overlooked by external auditors (Wright and Wright 2002). Given that internal auditors work in the same organizational environment with the same system(s) all year, their depth-oriented viewpoints are likely to differ from the breadth-oriented viewpoints of external auditors who work on multiple clients (and systems). In addition, future research could examine the underlying software (O’Leary 2002) to understand how the actual risks match those perceived by internal and external auditors.
Kinney (2003, 147) asks, “How does IT affect risk, risk assessment, and risk management?” Answering this question requires a better understanding of the differential impact of internal and external factors on the organization’s use of IT in risk assessment. For example, organizational structure and its use of IT may affect the ERM process. Kleffner (2003) identifies silo (or functional) organizational structure, resistance to change, lack of qualified personnel, and need for internal controls and review systems as deterrents to ERM. Similarly, Wah (2000) identifies traditional silo structure as among the top barriers to successful ERP implementations. Thus, organizational structure appears to affect the success of ERM and ERP implementations. It would be interesting to investigate whether firms that have successfully implemented ERP are more likely to successfully implement an ERM process.
Hunton (2002) suggests that internal auditors may be able to reduce the risk associated with the organization’s IT by participating throughout the entire system’s life cycle. Extant research also finds that the involvement of information system (IS) auditors in the systems development stage reduces future software maintenance costs (Wu 1992), indicating that risks (from software and control errors) should be reduced as well. Unfortunately, despite the potential to reduce future costs, internal auditors spend the least amount of their time on the development, acquisition, and implementation of new systems (Hermanson et al. 2000).
Why are internal auditors not more actively involved in the development, acquisition, and implementation of new systems? Prior research suggests that this is because of independence and objectivity concerns (Boritz 2002). However, extant literature (generally) finds that IAF quality depends more on work performance than independence, objectivity, and competence (Gramling et al. 2004). Moreover, Krishnamoorthy’s (2001, 2002) analytical models suggest that the relative importance of objectivity, work performance, and competence varies with audit conditions. On the other hand, extant literature reports conflicting evidence regarding whether internal auditors’ judgments and decisions are affected by prior design involvement (Grabski 1986; Gramling et al. 2004). Therefore, more research is needed to determine the net benefits of IAF participation in each stage of the system’s life cycle.
Internal auditors, outsourced internal audit service providers, and external auditors make risk assessments. Inconsistent evidence exists regarding whether the risk assessments made by these various parties are the same. For example, Hunton et al. (2004) find that external then-Big 5 IT auditors assess higher risks in ERP than in non-ERP systems when compared to external Big 5 non-IT auditors. However, Grabski et al. (1987) report no differences in the internal control evaluations of EDP and non-EDP internal auditors. Church and Schneider (1995) find that internal auditors are more likely to generate cutoff errors than external auditors, but Blocher (1993) finds that internal auditors are less likely to use analytical procedures compared with external auditors. Moreover, Caplan and Embry (2003) find that internal auditors, outsource providers, and external auditors make similar judgments about the severity of internal control weaknesses; where there are differences, the evaluations of outsourced internal auditors tend to fall between those of internal and external auditors. On the other hand, in a study of the relative importance of risk factors for fraud, Apostolou et al. (2001) report that the mean decision models of Big 5, regional, and internal auditors are not significantly different.
In light of these mixed results, how do the overall risk assessments of internal, external, and outsourced (IT and non-IT) auditors compare? Extant research does not fully support the correlation between external auditors’ risk assessments and audit plans (Zimbelman 1997; Mock and Wright 1999). Do internal auditors incorporate IT considerations into risk assessments and their subsequent audit plans (see Church et al. 2001)? The audit committee now expects the IAF to monitor, evaluate, and report recommendations for the organization’s risk management process (COSO 2004b, 104). Given the growing importance of risk management, outsourcing opportunities, and the expanding role of the IAF, audit committees need answers to these questions.
III. CONTROL ASSURANCE
Control assurance is another important governance activity performed by internal auditors. To ensure that risk responses are implemented, audit committees rely on the IAF to determine if internal controls effectively support strategic, operational, reporting, and compliance objectives (Gendron et al. 2004). This task is critical because “a strong system of internal control is essential to effective ERM” (COSO 2004c, slide 22).
Traditionally, corporate governance was synonymous with organizational oversight by various committees, internal auditors, and external auditors. This was a costly, misleading, and disempowering approach because businesses did not make IT governance (risk and compliance) investments a high priority (Meyer 2004). An alternative, and better, approach makes compliance integral, not incremental, by embedding IT controls throughout the organization’s business processes (PricewaterhouseCoopers 2004). Embedded controls enforce compliance at the point where a transaction enters the business process, so that employees systematically follow governance directives, ultimately changing the organizational culture (Heffes 2004; Meyer 2004).
While corporate governance and ERM are rising in prominence, investors are increasingly IT-literate and sophisticated, now worrying about IT’s risk to operations and scrutinizing IT investments and system efficiency (Huber 2002). Together these forces drive the demand for a new type of governance, “IT governance,” which coordinates IT with business objectives to establish effective IT controls efficiently (ITGI 2004). The relationship between IT and governance exhibits “reciprocal causation.” In other words, they feed into, shape, and fuel the demand for each other (Hamaker 2004).
Organizations can also use IT, as an enabler, to help comply with the SOX Sec. 404 requirement that external auditors attest to management’s assessment of the effectiveness of internal controls relevant to financial reporting. In fact, PCAOB Auditing Standard No. 2 encourages the implementation of entirely IT-automated application controls by allowing the external auditor to utilize a benchmarking (and audit efficiency-increasing) strategy when there are effective IT general controls. The PCAOB’s rationale seems to be that entirely IT-automated application controls are not subject to breakdowns resulting from human failure (e.g., error, complacency, distraction) and, once properly defined, should continue to perform effectively (PCAOB 2005). The benchmark therefore holds only as long as the general controls, in particular program change controls, give assurance that the automated control has not been modified since it was last tested. This new environment requires controls that are automatic, dynamic, integrated, preventive, multi-compensating, real-time, and include sound authentication procedures and secured audit trails (Parker 2001), which can only be accomplished through automated IT controls.
But do controls implemented in organizations achieve these high standards? Despite the increased demand for IT controls, even the largest organizations still use manual controls for compliance processes, increasing the likelihood of compliance failures considerably (PricewaterhouseCoopers 2004) and leading to the question: Why do most companies still continue to use manual compliance controls? Is it because IT usage has generated significant operational problems (see ITGI 2004)? Or is IT implementation too costly? Perhaps senior management is still wary of utilizing IT for governance-related activities because they are unfamiliar with its deployment or unsure of its impact.
IT can automatically monitor control effectiveness and changes, and automatically identify control weaknesses in ERPs. Organizations can also use IT for ‘‘corrective control’’ purposes to identify these gaps, e.g., control mapping with alarms and alerts (Alles et al. 2004) and segregation of duties analysis software (Lightle and Vallario 2003). How effective are these monitoring and corrective controls? Are there systematic differences (e.g., IT placement in the organization, existence of an integrated IT governance process, IAF characteristics) between the companies that use these IT controls and those that do not?
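The segregation of duties analysis mentioned above can be made concrete. The following is an added example, not code from this paper or from any product it cites: it evaluates each user's effective duties (the union of the duties granted by all of that user's ERP roles) against a conflict matrix, so that a conflict is flagged even when the two incompatible duties arrive through two different roles, which is the case a role-by-role review tends to miss. The conflict rules, the role definitions, and the user-to-role assignments are constructed for illustration.

```python
"""Segregation-of-duties (SoD) conflict analysis over user-role assignments.

Added example, not code from the paper: it illustrates the kind of check that
segregation-of-duties analysis software performs. The conflict matrix, roles,
and user assignments below are constructed for illustration.
"""
from itertools import combinations

# Constructed SoD rules: pairs of duties one person must not hold together,
# each with the rationale an internal auditor would record for the rule.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}): "could pay a fictitious vendor",
    frozenset({"enter_journal", "post_journal"}): "could post unreviewed entries",
    frozenset({"maintain_payroll_master", "run_payroll"}): "could pay a ghost employee",
    frozenset({"approve_payment", "reconcile_bank"}): "could conceal unauthorized payments",
}

# Constructed role definitions: ERP role -> duties the role grants.
ROLE_DUTIES = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "GL_ACCOUNTANT": {"enter_journal"},
    "GL_SUPERVISOR": {"post_journal"},
    "TREASURY": {"reconcile_bank"},
    "HR_ADMIN": {"maintain_payroll_master"},
    "PAYROLL": {"run_payroll"},
}

# Constructed user-to-role assignments, as an ERP user export would provide.
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_MANAGER"},          # conflict spans two roles
    "bob": {"GL_ACCOUNTANT"},
    "carol": {"GL_ACCOUNTANT", "GL_SUPERVISOR"},  # conflict spans two roles
    "dave": {"TREASURY"},
    "erin": {"HR_ADMIN", "PAYROLL"},              # conflict spans two roles
}


def effective_duties(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Union of the duties granted through all of a user's roles."""
    duties = set()
    for role in user_roles.get(user, ()):
        duties |= role_duties.get(role, set())
    return duties


def find_conflicts(user_roles=USER_ROLES, role_duties=ROLE_DUTIES, rules=SOD_CONFLICTS):
    """Return {user: [(duty_a, duty_b, rationale), ...]} for every violated rule.

    Conflicts are evaluated on the *effective* duty set, so a violation is found
    even when the two duties come from different roles.
    """
    findings = {}
    for user in sorted(user_roles):
        duties = effective_duties(user, user_roles, role_duties)
        hits = []
        for pair in combinations(sorted(duties), 2):
            rationale = rules.get(frozenset(pair))
            if rationale:
                hits.append((pair[0], pair[1], rationale))
        if hits:
            findings[user] = hits
    return findings


def roles_to_review(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES, rules=SOD_CONFLICTS):
    """Roles of a flagged user that contribute a duty to at least one conflict.

    These are the candidates for removal or, where the business needs both
    duties in one person, for a documented compensating control.
    """
    involved = set()
    for a, b, _ in find_conflicts(user_roles, role_duties, rules).get(user, []):
        for role in user_roles[user]:
            if {a, b} & role_duties.get(role, set()):
                involved.add(role)
    return involved


if __name__ == "__main__":
    for user, hits in find_conflicts().items():
        for a, b, why in hits:
            print(f"{user}: {a} + {b} ({why}); roles to review: {sorted(roles_to_review(user))}")
```

The conflict matrix is the auditor's judgement and must be maintained alongside the ERP's role catalogue; the program only makes the evaluation of that judgement mechanical and repeatable, which is what allows it to run after every role change rather than once a year.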
SOX Sec. 404 requires that a control framework be used but does not specify which framework. Perhaps the most popular choice is the 1992 Internal Control-Integrated Framework by COSO. Despite its formal publication and release over a decade ago, many users are unfamiliar with the COSO framework, particularly as it interacts with IT applications. Few firms showed interest in COSO until SOX's passage (Alles et al. 2004; Hermanson 2000). Other potential control frameworks include CobiT (Information Systems Audit and Control Foundation, ISACA), eSAC (IIA), CoCo (Canadian COSO), and SAS Nos. 55, 78, and 94 (AICPA Professional Standards). (See Hermanson et al. [2000]; Curtis and Wu [2000]; Colbert and Bowen [2005] for a comparison of the frameworks.)1
Because of the new SOX 404 disclosure requirements, researchers can more easily identify which control framework organizations use to evaluate their controls for initial (and subsequent) annual report filings. Promising research questions include: Are there systematic differences in framework selection (i.e., by industry, size, IAF characteristics, IT characteristics, external auditor, supply partner integration, or international presence)? Are there systematic control weaknesses in certain industries? How does an organization's Sec. 404 internal control opinion affect the overall audit opinion? Carcello et al. (2002) examine audit committee disclosures and state that future research can determine (1) whether companies with more complete disclosures have fewer internal control failures and (2) whether enhanced disclosures improve internal control effectiveness. The new SOX 404 internal control attestation report should help answer these two questions as well as other governance questions about the interactions among the audit committee, the external auditor, the IAF, management's assessment of the effectiveness of controls over financial reporting, and financial-reporting quality.
Obtaining better internal control effectiveness requires answers to the following questions: Which (COSO) control components are the strongest and weakest in organizations? How does the selected framework affect the (IT) audit? Are internal controls more effective when the organization has a well-developed ERM process? Moreover, PCAOB Auditing Standard No. 2 does not prescribe the scope or the required amount of testing of internal controls (Brady and Postal 2005). Research is needed to determine which method(s) might be best for evaluating controls, how much testing is needed to be effective, and whether SOX has changed the IAF's priorities and use of resources as well as how it views, evaluates, and monitors controls. Furthermore, a survey by ACL Services Ltd. and the Center for Continuous Auditing finds that 67 percent of organizations do not have a budget for continued compliance with SOX after the initial filing deadline, indicating a short-term compliance response (Anonymous 2004). Research is needed to determine the long-term effects and effectiveness of SOX and of compliance by organizations.

1 CobiT stands for Control Objectives for Information and related Technology. eSAC is the electronic version of the IIA's Systems Auditability and Control guidance. CoCo stands for Criteria of Control, developed by the Canadian Criteria of Control Board. SAS No. 55 is the AICPA's Statement on Auditing Standards No. 55, titled The Consideration of the Internal Control Structure in a Financial Statement Audit. SAS No. 78 amends SAS No. 55. SAS No. 94 is titled The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit.
Finally, large organizations (with over $5 billion in revenues) are spending approximately $4.36 million to comply with SOX Sec. 404, which requires management to assess the organization's internal controls only over financial reporting (Levinsohn 2005). Given the increased focus on sound corporate governance by SOX, internal auditors could reduce organizational risk by expanding the audit scope to include the entire underlying database.2 In other words, ‘‘substance attestation’’ may shift to ‘‘process attestation’’ through continuous control monitoring techniques that focus on the process rather than on the financial statement numbers it generates (Pacini and Sinason 1999). Are internal auditors adjusting their audit procedures (appropriately) for increased IT usage and for the audit of the entire operational database? What barriers, if any, exist?
IV. SECURITY AND PRIVACY COMPLIANCE ASSESSMENT
Internal controls also help ensure compliance with applicable laws and regulations (COSO 2004a, 109), an activity that becomes even more important in heavily regulated industries such as healthcare and financial services. Accordingly, yet another significant governance activity performed by internal auditors is compliance assessment. We develop research questions focusing on two increasingly important areas of compliance: privacy and security. Privacy and security have been identified as two of the ‘‘Ethical Issues of the Information Age’’ (Mason 1986; Sutton et al. 1999). They help ensure data integrity to support the governance and risk processes and must be part of the ERM process. IT acts as both a driver and an enabler for compliance. As a driver, IT poses additional security and privacy risks of its own (e.g., cyber-security breaches or unauthorized disclosure of confidential consumer information). As an enabler, IT can help mitigate these risks.
Personal privacy is eroding as IT enables organizations to collect, store, and ubiquitously retrieve more consumer information than ever before, e.g., using cookies, web bugs, and port scans (Spinello 1998; King 2001). IT increases the risk that information may be accidentally or maliciously compromised, through hacking or other forms of ‘‘cyber-terrorism.’’ Given this environment, several laws have been passed to protect the privacy of consumers, such as the Health Insurance Portability and Accountability Act (HIPAA), the Children's Online Privacy Protection Act (COPPA), the Identity Theft and Assumption Deterrence Act, and the Gramm-Leach-Bliley Act (GLBA). Noncompliance with these laws, as well as failure to protect other data, exposes the organization to potential lawsuits, financial losses, and loss of reputation (cf. Cravens et al. 2003).
International organizations that operate or trade in Europe must also contend with the 1995 European Union (E.U.) Data Protection Directive (Directive 95/46/EC), which strictly protects the privacy of consumer information, or personally identifiable information (PII). The E.U. will prevent noncomplying organizations from transferring paper and electronic customer data from European to U.S. operations. To do business in Europe now, an organization must be certified by the U.S. Department of Commerce as complying with the U.S. Safe Harbor Privacy Principles (notice, choice, onward transfer, security, data integrity, access, and enforcement).3

2 This discussion of database audits was inspired by Dr. Brad M. Tuttle's remarks on January 7, 2005, at the AAA Information Systems Section Midyear Meeting 2005.
Internal auditors can assess their organization's privacy measures via a privacy impact assessment (PIA). A PIA is a generic framework for mapping data sources and uses to data privacy regulations (Kenny 2004). With this framework, internal auditors can assess the current state of privacy provisions and monitor future configuration changes. Internal auditors need to understand the laws, how they affect their organization, and how to mitigate the risk through proper IT security measures. Given the growing need for sound privacy measures, research is needed to better understand the privacy environment. Jamal et al. (2003, 2005) examine the privacy policies of high-traffic websites in the United States and in the more heavily regulated United Kingdom and find that most organizations in both countries follow their stated policies. They also state that compliance with U.K. disclosure requirements is poor, but that regulation appears to reduce the use of cookies. Unfortunately, they do not have data on the substantive tests needed to verify compliance. This leaves unanswered the issue of how organizations assure compliance. Do internal auditors actively assess compliance with applicable privacy laws? Do websites with lower levels of traffic ensure compliance? Do different stakeholders in non-E.U. jurisdictions reward organizations that conform to the higher privacy standards of the E.U. Directive?
To help ensure privacy, organizations are implementing a variety of security measures to protect themselves from external and internal threats. In fact, information security has been the number one technology concern in the United States for the last three years (AICPA 2005). The importance of security is unsurprising given that more than ten new vulnerabilities are created each day (Cohen 2005). Furthermore, the importance of security is highlighted by the ERM Framework, which states that ‘‘[given the] growing reliance on information systems at the strategic and operational level’’ new security risks ‘‘such as information security breaches or cyber-crimes ... must be integrated into the entity's ERM’’ (COSO 2004a, 69).
Security includes considerations such as system confidentiality (restricting access to authorized users), system integrity, and ongoing system availability. Organizations must establish an enterprise-wide information security program that uses IT to enforce data protection rules (Hargraves et al. 2003). Organizations must also ensure that systems are not affected by viruses or worms that may unintentionally distribute personal information in violation of privacy laws (King 2001). Potential privacy and security IT tools include biometrics (Chandra and Calderon 2003), encryption (Friedlob et al. 1997), and attack simulation (Cohen 2005).
To avoid becoming victims of cyber-crimes, organizations are beginning to use ‘‘ethical hacking’’ (also known as penetration testing or vulnerability testing, although a vulnerability scan that merely enumerates weaknesses without attempting to exploit them is narrower than a true penetration test) to evaluate the effectiveness of their information security measures (CICA 2003). After a cyber-crime, computer forensics can preserve, identify, extract, and document computer evidence for use in a criminal or civil court of law (Marcella and Greenfield 2002). Properly trained internal auditors can utilize IT tools and knowledge to collect evidence from computers, networks, and the Internet to investigate acts that are illegal, unethical, or against organizational policy and that involve a computer. The use of ethical hacking and computer forensics by the IAF is in its infancy; therefore research should determine the appropriate level of in-house (and IAF) knowledge of computer forensic techniques. In addition, how effective and pervasive is ethical hacking? What is the most effective way for organizations to obtain forensics expertise: outsourcing, co-sourcing, or in-house?

3 A list of companies that are Safe Harbor certified can be found at http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list.
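Two passages of this paper call for the same illustration: the requirement in Section III that automated controls include ‘‘secured audit trails,’’ and the forensic task just described of preserving computer evidence so that it can later be shown not to have been altered. The following added example, which is not code from the paper, from any product it cites, or from any named standard, shows one way to meet both: an application-side audit trail in which every record carries an HMAC over its own content and the previous record's MAC, so that later modification, deletion, insertion, or reordering of any preserved record is detectable. The key, the sample events, and the logging service in which the key is assumed to be held are constructed for illustration; anchoring the final MAC in an out-of-band acquisition manifest is likewise an assumption about how an investigator would preserve the trail, not a step the paper describes.

```python
"""Tamper-evident (hash-chained, HMAC-protected) audit trail with verification.

Added example, not code from the paper or from any product it cites. The key,
the events, and the trail itself are constructed for illustration.
"""
import copy
import hashlib
import hmac
import json

# Constructed demo key. In practice the logging service holds the key (e.g. in
# an HSM or key store); the application, its DBAs, and its users never see it,
# otherwise a tamperer could simply recompute the chain after editing it.
AUDIT_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64  # "previous MAC" of the very first record


def _canonical(obj):
    """Deterministic serialization so the same content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(seq, prev, event, key):
    """HMAC-SHA256 binding the sequence number, the previous MAC, and the event."""
    return hmac.new(key, _canonical({"seq": seq, "prev": prev, "event": event}),
                    hashlib.sha256).hexdigest()


def append_entry(trail, event, key=AUDIT_KEY):
    """Append an event; each record is chained to the record before it."""
    seq = len(trail)
    prev = trail[-1]["mac"] if trail else GENESIS
    record = {"seq": seq, "prev": prev, "event": event,
              "mac": _mac(seq, prev, event, key)}
    trail.append(record)
    return record


def verify_trail(trail, key=AUDIT_KEY, expected_last=None):
    """Return -1 if the trail is intact, else the index of the first bad record.

    Detects modified, reordered, inserted, and deleted records. Silent removal
    of the *newest* records is only detectable when the last MAC was recorded
    out of band (expected_last), e.g. in a forensic acquisition manifest; in
    that case len(trail) is returned to mark the missing tail.
    """
    prev = GENESIS
    for i, rec in enumerate(trail):
        if rec["seq"] != i or rec["prev"] != prev:
            return i
        if not hmac.compare_digest(rec["mac"], _mac(i, prev, rec["event"], key)):
            return i
        prev = rec["mac"]
    if expected_last is not None and not hmac.compare_digest(prev, expected_last):
        return len(trail)
    return -1


def build_demo_trail():
    """Constructed sample events from an automated payment-approval control."""
    trail = []
    append_entry(trail, {"user": "alice", "action": "approve_payment",
                         "vendor": "V-100", "amount": 4200})
    append_entry(trail, {"user": "bob", "action": "post_journal", "doc": "J-17"})
    append_entry(trail, {"user": "alice", "action": "approve_payment",
                         "vendor": "V-100", "amount": 9800})
    return trail


def tamper_demo():
    """Verification results for intact, modified, deleted, and truncated copies."""
    trail = build_demo_trail()
    last = trail[-1]["mac"]  # value an investigator preserves out of band

    modified = copy.deepcopy(trail)
    modified[1]["event"]["doc"] = "J-18"  # edit a field after the fact

    deleted = copy.deepcopy(trail)
    del deleted[1]  # remove a record from the middle

    truncated = copy.deepcopy(trail)[:2]  # drop the newest record

    return {
        "intact": verify_trail(trail, expected_last=last),
        "modified": verify_trail(modified),
        "deleted": verify_trail(deleted),
        "truncated_no_anchor": verify_trail(truncated),
        "truncated_with_anchor": verify_trail(truncated, expected_last=last),
    }


if __name__ == "__main__":
    for case, result in tamper_demo().items():
        print(f"{case}: {'intact' if result == -1 else f'first bad record {result}'}")
```

The two truncation cases carry the caveat a practitioner needs: the chain proves that nothing inside the preserved span was altered, but only a value kept outside the trail (the last MAC, recorded at the time the evidence was acquired) proves that the newest records were not simply dropped. The same holds for the key: if the people whose actions the trail records can read it, the chain can be recomputed after tampering, so the MAC key must live with the logging service, not with the application or its database administrators.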
The IAF must periodically assess security provisions. Particularly in the wake of Hurricane Katrina, a viable and tested disaster recovery plan must be in place to provide for operational continuity in the face of unforeseen disturbances. Internal auditors must understand how to mitigate security risk through proper IT security controls. Surprisingly, Ivancevich et al. (1998) find that the existence and size of the IAF are not associated with (perceived) disaster recovery plan strength. Additional research can help identify appropriate metrics for internal auditors to measure the impact of a privacy or security breach and to improve disaster recovery plans. What is the best method to determine the financial impact of a computerized system intrusion (cf. Garg et al. 2003)?
V. CONCLUSION
IT changes and the SOX corporate governance reform legislation continue to exert a tremendous impact on how internal auditing evolves as a profession. Despite these developments, research in IT and the IAF is largely uncharted territory that promises to become fertile ground with an abundance of research possibilities. Our goal in this paper is not to be exhaustive but rather to stimulate IT-related research in internal auditing in the areas of risk assessment, control assurance, and security and privacy compliance. The IAF and IT are both integral components of these three areas.
IT plays the dual role of driver and enabler in all three areas. For example, regarding risk assessment, IT increases organizational risk. At the same time, IT can be a tool to implement the eight ERM components to mitigate risk. Regarding control assurance, IT's risk to operations drives the demand for IT governance, which coordinates IT with business objectives to establish effective IT controls by embedding controls into business processes. IT makes compliance integral, helping organizations comply with increasing regulatory requirements like SOX Sec. 404. Regarding security and privacy compliance, IT increases security and privacy risks because organizations store more information than ever before, which can be compromised in violation of privacy laws. Fortunately, IT can help mitigate these risks as well.
The IAF must not only understand the IT used by the organization, but also understand applicable regulatory and privacy laws, how the laws affect its organization, and how to use IT to ensure compliance. In addition, the IAF should use the appropriate level of IT sophistication to evaluate and monitor organizational risk, controls, and compliance (i.e., requisite variety). Moreover, understanding how the IAF should and does relate to IT will help improve the corporate governance process and the quality of financial reporting.
REFERENCES
Addison, S. 2001. Risk and governance issues for ERP
enterprise applications. IS Control Journal
(4): 53–54.
Alles, M., A. Kogan, and M. Vasarhelyi. 2004. The law of
unintended consequences? Assessing the
costs, benefits, and outcomes of the Sarbanes-Oxley Act. IS
Control Journal (1): 17–21.
American Institute of Certified Public Accountants (AICPA).
2005. Information security tops technical
issues for 2005. AccountingWeb (January 4). Available at: http://www.accountingweb.com/cgi-bin/item.cgi?id=100297.
Anonymous. 2004. Continuous monitoring, auditing needed for
Sarbanes-Oxley. Financial Executive
(September): 19.
Apostolou, B. A., J. M. Hassell, S. A. Webber, and G. E.
Summers. 2001. The relative importance
of management fraud risk factors. Behavioral Research in
Accounting (May): 1–24.
Arnold, V., and S. G. Sutton, eds. 2002. Research Accounting as
an Information Systems Discipline.
Sarasota, FL: American Accounting Association.
Bae, B., and P. Ashcroft. 2004. Implementation of ERP systems:
Accounting and auditing implica-
tions. The Information Systems Control Journal (4): 43–48.
Bailey, A. D., Jr., A. A. Gramling, and S. Ramamoorti, eds.
2003. Research Opportunities in Internal
Auditing. Altamonte Springs, FL: The Institute of Internal
Auditors Research Foundation.
Blocher, E. 1993. The Role of Analytical Procedures in
Detecting Management Fraud. Montvale, NJ: Institute of Management Accountants.
Blue Ribbon Committee (BRC). 1999. Report and
Recommendations of the Blue Ribbon Committee
on Improving the Effectiveness of Corporate Audit Committees.
Stamford, CT: BRC.
Boritz, J. E. 2002. Information systems assurance. In Research
Accounting as an Information Systems
Discipline, edited by V. Arnold, and S. G. Sutton. Sarasota, FL:
American Accounting Asso-
ciation Information Systems Section.
Bradbury, M. E., and P. Rouse. 2002. An application of data
envelopment analysis to the evaluation
of audit risk. ABACUS (June): 263–279.
Brady, M., and A. D. Postal. 2005. Tweaking SOX: Regulators
ease up on compliance cost. National
Underwriter Property & Casualty Risk & Benefits Management
Edition (May 23): 31–32.
Canadian Institute of Chartered Accountants (CICA). 2003.
Using Ethical Hacking Technique to
Assess Information Security Risk. Toronto, ON: The Canadian
Institute of Chartered
Accountants.
Caplan, D., and C. Emby. 2003. An investigation of whether
outsourcing the internal audit function
affects internal controls. Working paper, Iowa State University
and Simon Fraser University.
Carcello, J. V., D. R. Hermanson, and T. L. Neal. 2002.
Disclosures in audit committee charters and
reports. Accounting Horizons (December): 291–304.
Cash, J. I., Jr., A. D. Bailey Jr., and A. B. Whinston. 1977. A
survey of techniques for auditing EDP-
based accounting information systems. The Accounting Review
(October): 812–831.
Chandra, A., and T. G. Calderon. 2003. Toward a biometric
security layer in accounting systems.
Journal of Information Systems (Fall): 51–70.
Church, B. K., and A. Schneider. 1995. Internal auditors’
memory for financial statement errors.
Behavioral Research in Accounting 7: 17–36.
———, J. J. McMillan, and A. Schneider. 2001. Factors
affecting internal auditors’ consideration of
fraudulent financial reporting during analytical procedures.
Auditing: A Journal of Practice &
Theory (March): 65–80.
Cohen, G. 2005. The role of attack simulation in auditing
security risk management. The Information
Systems Control Journal (1): 51–54.
Colbert, J. L., and P. L. Bowen. 2005. A comparison of internal
controls. Available at: http://www.isaca.org/PrinterTemplate.cfm?Section=Home&CONTENTID=8174&TEMPLATE=/ContentManagement/ContentDisplay.cfm.
Committee of Sponsoring Organizations (COSO). 2004a.
Enterprise Risk Management-Integrated
Framework: Executive Summary Framework. Jersey City, NJ:
AICPA.
———. 2004b. Enterprise Risk Management-Integrated
Framework: Application Techniques. Jersey
City, NJ: AICPA.
———. 2004c. Applying COSO's enterprise risk management-integrated framework. (September 29). Slideshow. Available at: http://www.coso.org/publications.htm.
Cravens, K., E. Oliver, and S. Ramamoorti. 2003. The
reputation index: Measuring and managing
corporate reputation. European Management Journal 21 (2):
201–212.
Curtis, M. B., and F. H. Wu. 2000. The components of a
comprehensive framework of internal control.
The CPA Journal (March): 64–66.
Fox, C., and P. Zonneveld. 2004. IT Control Objectives for
Sarbanes-Oxley: The Importance of IT in
the Design, Implementation, and Sustainability of Internal
Control over Disclosure and Finan-
cial Reporting. Rolling Meadows, IL: Guidance document:
Information Technology Governance
Institute.
Friedlob, G. T., F. J. Plewa, L. L. F. Schleifer, and C. D. Schou.
1997. An Auditor’s Guide to En-
cryption. Altamonte Springs, FL: The Institute of Internal
Auditors Research Foundation.
Garg, A., J. Curtis, and H. Halper. 2003. The financial impact
of IT security breaches: What do
investors think? Information Systems Security (March / April):
22–32.
Gendron, Y., J. Bedard, and M. Gosselin. 2004. Getting inside
the black box: A field study of practices
in ‘‘effective’’ audit committees. Auditing: A Journal of
Practice & Theory (Spring): 153–171.
Gorman, J. F., and J. M. Hargadon. 2005. Accounting futures:
Healthy markets for a time-honored
profession. Journal of Financial Service Professionals
(January): 74–79.
Grabski, S. V. 1986. Auditor participation in accounting
systems design: Past involvement and future
challenges. Journal of Information Systems (Fall): 3–23.
———, J. H. Reneau, and S. G. West. 1987. A comparison of
judgment, skills, and prompting effects
between auditors and system analysts. MIS Quarterly (June):
151–161.
Gramling, A. A., M. J. Maletta, A. Schneider, and B. K. Church.
2004. The role of the internal audit
function in corporate governance: A synthesis of the extant
internal auditing literature and
directions for future research. Journal of Accounting Literature
23: 194–244.
Hamaker, S. 2004. Principles of IT governance. The Information
Systems Control Journal 2: 47–50.
Hargraves, K., S. B. Lione, K. L. Shackelford, and P. C. Tilton.
2003. Privacy: Assessing the risk.
Altamonte Springs, FL: The Institute of Internal Auditors
Research Foundation.
Heffes, E. M. 2002. PWC’s 10 imperatives for internal audit
transformation. Financial Executive
(June): 61.
———. 2004. Is software the solution for Sarbanes-Oxley?
Financial Executive (June): 19–20.
Hermanson, D., M. C. Hill, and D. M. Ivancevich. 2000.
Information technology-related activities of
internal auditors. Journal of Information Systems (Supplement):
39–53.
Hermanson, D. R., and L. E. Rittenberg. 2003. Internal audit
and organizational governance. In Re-
search Opportunities in Internal Auditing, edited by A. D.
Bailey, A. A. Gramling, and S.
Ramamoorti. Altamonte Springs, FL: The Institute of Internal
Auditors Research Foundation.
Hermanson, H. M. 2000. An analysis of the demand for
reporting on internal control. Accounting
Horizons (September): 325–341.
Huber, N. 2002. Business scandals put IT on the spot. Computer
Weekly (September): 16.
Hunton, J. E. 2002. The participation of accountants in all
aspects of AIS. In Researching Accounting
as an Information Systems Discipline, edited by V. Arnold and
S. G. Sutton. Sarasota, FL:
American Accounting Association Information Systems Section.
———, A. M. Wright, and S. Wright. 2004. Are financial
auditors overconfident in their ability to
assess risks associated with enterprise resource planning
systems? Journal of Information Sys-
tems (Fall): 7–28.
Institute of Internal Auditors (IIA). 2004. The Professional
Practices Framework. Altamonte Springs,
FL: The Institute of Internal Auditors.
IT Governance Institute (ITGI). 2004. IT Governance Global
Status Report. Rolling Meadows, IL:
The IT Governance Institute.
Ivancevich, D. M., D. R. Hermanson, and L. M. Smith. 1998.
The association of perceived disaster
recovery plan strength with organizational characteristics.
Journal of Information Systems
(Spring): 31–40.
Jamal, K., M. Maier, and S. Sunder. 2003. Privacy in e-
commerce: Development of reporting stan-
dards, disclosure, and assurance services in an unregulated
market. Journal of Accounting Re-
search (May): 285–310.
———, ———, and S. Sunder. 2005. Enforced standards versus
evolution by general acceptance: A
comparative study of e-commerce privacy disclosure and
practice in the United States and the
United Kingdom. Journal of Accounting Research (March): 73–
96.
Kenny, S. 2004. Assuring data privacy compliance. The
Information Systems Control Journal 4: 31–
33.
King, C. G. 2001. Protecting online privacy. The CPA Journal
(November): 66–67.
Kinney, W. R. 2003. Auditing risk assessment and risk
management processes. In Research Oppor-
tunities in Internal Auditing, edited by A. D. Bailey, A. A.
Gramling, and S. Ramamoorti.
Altamonte Springs, FL: The Institute of Internal Auditors
Research Foundation.
Kleffner, A. E. 2003. The effect of corporate governance on the
use of enterprise risk management:
Evidence from Canada. Risk Management & Insurance Review
(Spring): 53–74.
Krishnamoorthy, G. 2001. A cascaded inference model for
evaluation of the internal audit report.
Decision Sciences (Summer): 499–520.
———. 2002. A multistage approach to external auditors’
evaluation of the internal audit function.
Auditing: A Journal of Practice & Theory (March): 95–121.
Leithhead, B. S., and D. McNamee. 2000. Assessing
organizational risk. Internal Auditor (June): 68–
69.
Levinsohn, A. 2005. First-year verdict of SOX 404:
Burdensome, costly, and confusing. Strategic
Finance (June): 67–68.
Lightle, S. S., and C. W. Vallario. 2003. Segregation of duties
in ERP. Internal Auditor (October):
27–31.
Marcella, A. J., and R. S. Greenfield, eds. 2002. Cyber
Forensics: A Field Manual for Collecting,
Examining, and Preserving Evidence of Computer Crime. Boca
Raton, FL: Auerbach
Publications, CRC Press LLC.
Mason, R. 1986. Four ethical issues of the Information Age.
MIS Quarterly 10 (1): 5–12.
McNamee, D., and G. M. Selim. 1998. Risk Management:
Changing the Internal Auditor’s Paradigm.
Altamonte Springs, FL: The Institute of Internal Auditors
Research Foundation.
Meyer, N. D. 2004. Systematic IS governance: An introduction.
Information Systems Management
(Fall): 23–34.
Mock, T. J., and A. M. Wright. 1999. Are audit programs risk-
adjusted? Auditing: A Journal of
Practice & Theory (Spring): 55–74.
National Commission on Fraudulent Financial Reporting (the
Treadway Commission). 1987. Report
of the National Commission on Fraudulent Financial Reporting.
Washington, D.C.: Government
Printing Office.
Nehmer, R. 2003. Transaction agents in eCommerce, A
generalized framework. In Trust and Data
Assurances in Capital Markets: The role of technology solution,
edited by S. J. Roohani. Smith-
field, RI: PricewaterhouseCoopers.
O’Leary, D. E. 2000. Enterprise Resource Planning Systems:
Systems, Life Cycle, Electronic Commerce, and Risk. Cambridge, U.K.: Cambridge University Press.
———. 2002. Discussion of information system assurance for
enterprise resource planning systems:
Unique risk considerations. Journal of Information Systems
(Supplement): 115–126.
Ozier, W. 2003. Risk metrics needed for IT security. ITAudit
(April 1). Available at: http://www.theiia.org/itaudit/index.cfm?fuseaction=print&fid=5396.
Pacini, C., and D. Sinason. 1999. The law and CPA Webtrust.
Journal of Accountancy (February):
20–25.
Parker, X. L. 2001. An e-Risk Primer. Altamonte Springs, FL:
The Institute of Internal Auditors
Research Foundation.
PricewaterhouseCoopers. 2003. Technology Forecast: 2003–
2005. Menlo Park, CA:
PricewaterhouseCoopers.
———. 2004. Integrity driven performance. Available at: http://www.pwcglobal.com/images/gx/eng/about/svcs/grms/PwC GRC WP.pdf.
Public Company Accounting Oversight Board (PCAOB). 2005.
Staff questions and answers on Auditing Standard No. 2—Internal Control. Available at: http://www.pcaob.org/Standards/Staff Questions and Answers/Auditing Internal Control over Financial Reporting 2005-05-16.pdf.
Ramamoorti, S., and R. O. Traver. 1998. Using Neural
Networks for Risk Assessment in Internal
Auditing: A Feasibility Study. Altamonte Springs, FL: The
Institute of Internal Auditors Re-
search Foundation.
———, and M. L. Weidenmier. 2004. The Pervasive Impact of
Information Technology on Internal
Auditors. Altamonte Springs, FL: The Institute of Internal
Auditors Research Foundation.
Rezaee, Z., A. Sharbatoghlie, R. Elam, and P. L. McMickle.
2002. Continuous auditing: Building
automated auditing capability. Auditing: A Journal of Practice
& Theory (March): 147–163.
Searcy, D. L., and J. B. Woodroof. 2003. Continuous auditing:
Leveraging technology. The CPA
Journal (May): 46–48.
Sobel, P. J., and K. F. Reding. 2004. Aligning corporate
governance with enterprise risk management.
Management Accounting Quarterly (Winter): 29–37.
Spinello, R. 1998. Privacy rights in the information economy.
Business Ethics Quarterly (October 4):
723–763.
Sutton, S. G., T. D. Arnold, and V. Arnold. 1999. An integrative
framework for analysis of the ethical
issues surrounding information technology integration by the
audit profession. Research on
Accounting Ethics 5: 21–36.
Tillinghast-Towers Perrin. 2001. Enterprise Risk Management:
Trends and Emerging Practices. Al-
tamonte Springs, FL: Institute of Internal Auditors Research
Foundation.
Wah, L. 2000. Give ERP a chance. Management Review
(March): 20–23.
Weick, K. E. 1969. The Social Psychology of Organizing.
Reading, MA: Addison-Wesley.
———. 1979. Social Psychology of Organizing. Reading, MA:
Addison-Wesley.
Wright, S., and A. M. Wright. 2002. Information system
assurance for enterprise resource planning
systems: Unique risk considerations. Journal of Information
Systems (Supplement): 99–114.
Wu, R. 1992. The information systems auditor’s review of the
systems development process and its
impact on software maintenance costs. Journal of Information
Systems (Spring): 1–13.
Zimbelman, M. F. 1997. The effects of SAS No. 82 on auditors’
attention to fraud risk factors and
audit planning decisions. Journal of Accounting Research
(Supplement): 75–97.
R. Ehrgott 1/6 01/28/01
The format to be used for the laboratory reports consists of
several
sections. Each section has a name, which appears in the
heading, and is
underlined. For example: Introduction
The sequence and description of the elements for the report will
be as
follows:
1. Title Page
All reports require a title page with the name and number of the
experiment, name of the author, date experiment is performed,
and
date report is submitted. A title page is given at the end of this
section.
2. Abstract
One paragraph, approximately 125 to 200 word summary of
what is
contained in the report. The abstract goes on the title page.
Abstracts are important because they give a first impression of
the
document that follows. Electronic databases may only store the
Abstract so it is important to write a complete, concise
description of
your work. The Abstract must include:
• Motivation: Why is it important to do this experiment? Why
do
we care about the problem and the results?
• Scope: What problem are you trying to solve?
• Approach: A clear description of what was tested and how.
What were the key variables?
• Result: What were your key results? Key results, for example,
might
be the modulus of elasticity of a material determined or that
stress was
found to be proportional to strain. Avoid presenting too much
data here.
Example of a 180-word abstract:
ABSTRACT
Numerous joint injuries are reported each year related to the
sport of
running. If runners could reduce the impact forces at their
joints, injuries
could be prevented. This research addresses understanding the
mechanics
related to the impact forces produced while running. Tests were
conducted
on a treadmill at three different speeds, 3, 5 and 7 MPH. Five
different
runners were instrumented with accelerometers located at the
ankle, knee,
and lower back. Using a computer data acquisition system,
acceleration
was recorded simultaneously at the three locations. From the
measured
accelerations, estimates of the joint forces were obtained from
Newton’s
Second Law (F = Ma). Fourier transforms of the acceleration records were
also obtained to determine key frequencies at which the body
vibrates
when leg impact with the ground occurs. Results indicate all
runners have
a similar vibration response at the instrumented locations. It
was observed
that the knee experienced the largest acceleration at all three
speeds. The
knee acceleration measured was approximately 5 G’s or five
times the
acceleration of gravity. Joint forces are also presented for the
different
runners at the various speeds.
3. Introduction
A brief background on the subject to tell the reader why the experiment was performed (motivation). Also include background material that may be required for the reader to follow what you are presenting.
4. Theory
The theory is an important part of the report. This is especially true because experiments are generally conducted to verify, evaluate, or illustrate theories. Present all key equations used in the experiment. Each equation should be numbered and the text should refer to this equation number. Derivations of key equations may be referenced to an appropriate text. Assumptions and limitations of the theory are also important to mention.
5. Test Procedure
In this section describe the test procedure that is not detailed in the manual. Do not copy procedures which are described in the lab manual. However, do describe any variations. Specific numerical values used in the test should be presented. The description of work should contain sufficient information so that someone who is familiar with the standard procedures and has access to the lab manual could duplicate your test.
6. Results
This is the most important section of the report! This is where you clearly present your hard work. Review what the objectives of the experiment were prior to writing this section. The results you present should be in agreement with the goal of the experiment. In this section clearly describe to the reader each Figure and Table of results you present. Make sure to use Figure and Table numbers (Figure 1 shows the ...). Never include the raw data, which goes in the appendix. Tables and Figures should include:
a. Tables - Significant experimental results as well as theoretical results should be presented in Tables. Tables of raw test data should be put in the Appendix. Tables should be titled and numbered consecutively, using Roman numerals (Table I, Table II, etc.).
b. Figures - Graphs are generally the best means of presenting and visualizing results. Because of their importance, care should be taken when constructing them. A spreadsheet program is recommended for creating graphs. Coordinate axes should be carefully labeled and include the proper units. Data points should be clearly shown using suitable symbols. If more than one curve occurs on a graph, each curve should be clearly distinguished and labeled. The graph should contain a suitable title and have a Figure number. Number Figures consecutively, using Arabic numerals (Figure 1, Figure 2, etc.).
7. Discussion and Conclusions
In this section, briefly summarize what the experiment demonstrated and what you have learned. Compare the test results with standard or typical values and present possible explanations of any significant differences. Any unusual or unexpected observations made during the experiment should be noted and discussed. Do the experimental results compare favorably with expected results? If not, why?
8. Appendix
The following should be placed in an appendix at the end of the report.
a. Sample Calculations - Present a sample of each type of calculation performed using the experimental data, as well as any other required calculation.
b. Original Data Sheets - Raw data obtained and recorded during the experiment.
c. Copies of charts of data which were recorded automatically should be included in the appendix, as well as any tables or figures not necessarily pertinent to or not referred to in the Results or Discussion sections.
GENERAL NOTES
1. Use a word processor, or type or print clearly in ink.
2. Number all pages, tables and figures consecutively.
3. A spreadsheet program is recommended for creating graphs and performing data reduction. If drawn by hand, curves on graphs may be drawn in pencil.
4. Use correct grammar, spelling (use the spell checker!), abbreviations and punctuation.
5. Folders are not to be used. Staple the report together with a single staple in the upper left-hand corner.
6. The experimental test data will be the same for each member of the group. However, each student will present the report as independent work. All calculations, data presentation, discussion and conclusions shall represent your individual effort.
7. FINALLY - remove all unnecessary words!
Example Title Page
AM 317
MECHANICS LAB
EXPERIMENT 1
BEAM DEFLECTIONS
TEST PERFORMED: FEBRUARY 8, 2002
REPORT SUBMITTED: FEBRUARY 15, 2002
BY
I.T. HARDER
GROUP 3
ABSTRACT
APPROXIMATELY 125 TO 250 WORDS INCLUDE:
• Motivation: Why is it important to do this experiment? Why do we care about the problem and the results?
• Scope: What problem are you trying to solve?
• Approach: A clear description of what was tested and how. What were the key variables?
• Result: What were your key results? Key results, for example, might be the modulus of elasticity of a material determined, or that stress was found to be proportional to strain. Avoid presenting too much data here.
MECHANICS LAB
AM 317
EXP 9
TWO-PINNED ARCH
I. OBJECTIVES
I.1 To explore the relationship between the loads and the horizontal reaction force in a two-pinned arch.
I.2 To determine the horizontal thrust force and reaction influence lines for a point load moving across a two-pinned arch.
I.3 To determine the horizontal thrust force for a uniformly distributed load on a two-pinned arch.
Figure 1 St. Louis Arch
II. INTRODUCTION AND BACKGROUND
The main advantage an arch has over a beam is that it can carry a much larger load. Historically arches were important because they could be constructed using small, easily carried blocks of brick or stone rather than a massive, monolithic stone beam or lintel. Romans used the semicircular arch in bridges, aqueducts, and large-scale architecture. In most cases they did not use mortar, relying simply on the precision of their stone finish. When an arch is loaded by gravity forces, the pressure acts downward on the arch and has the effect of compressing it together instead of pulling it apart. A free-body diagram of the arch supports shows that the arch requires both horizontal and vertical reaction forces (Figure 2). This horizontal reaction force, called thrust, can cause the arch to collapse if it is not properly restrained.
Figure 2 Free-Body Diagram of Two-Hinged Arch (horizontal reactions H_A, H_B and vertical reactions V_A, V_B at supports A and B).
One of the disadvantages of the arch resisting loads in compression is the possibility that the arch may buckle. Any practical arch design would include analysis involving stress, deflection and buckling. To perform such analysis, reaction forces, shear and moment diagrams are needed for a given load case. Since the arch is statically indeterminate, having more unknown reaction forces than equilibrium equations, methods such as the flexibility method are required to determine the reaction forces.
R. Ehrgott (Created) 2/7 03/31/01
T. Hao (Revised) 08/28/16
III. EQUIPMENT LIST
Structures test frame
Digital force display and power supply
Aluminum arch
Hangers and weights
Scale
Figure 3 Test Frame and Two-Hinged Arch Set-Up
IV. PROCEDURE
• Visually inspect all parts of the test frame (including electrical leads) for damage or wear.
• Check that electrical connections are correct and secure.
• Check that all components are secured correctly and fastenings are sufficiently tight.
• Check that the four securing thumbscrews are in the position shown in Figure 3 and that the rolling pivot on the right is gently resting against the load cell.
• Make sure the digital force display is on and the force transducer is connected from the socket marked 'Force Output' on the right support to the Digital Force Display 'Force Input 1'.
• Carefully zero the force meter using the dial on the right-hand side support. Gently apply a small load with a finger to the crown of the arch and release. Zero the meter again if necessary.
NEVER apply excessive loads to any part of the equipment.
PART A
The first experiment is to measure the horizontal thrust force H_B for a single load that is placed at increasing distances from the left support. The theoretical horizontal thrust force for a given load P at location x is:

$$H_B = \frac{5 P x \left(L^3 - 2 L x^2 + x^3\right)}{8 r L^3} \qquad (9.1)$$

where:
H_B = the horizontal thrust reaction at B (N)
P = the load (N)
L = the span of the arch (m)
x = the load location, distance from the left-hand side support (m)
r = the rise of the arch (m)
IV.1A Measure the necessary dimensions of the two-pinned arch and record the data.
IV.2A Adjust the "set zero" control on the right support so that the digital force display reads zero.
IV.3A Apply a 100 gm load to the leftmost hanger and record the thrust force. Move the 100 gm load to each of the remaining hangers in turn and record the thrust force for each location. Repeat the process for a 500 gm load. The horizontal thrust shown on the digital force display has units of newtons.
PART B
The second part of the experiment involves determining the horizontal thrust force for a uniformly distributed load w. The thrust force is given by Eq. (9.2):

$$H_B = \frac{w L^2}{8 r} \qquad (9.2)$$

where:
H_B = the horizontal thrust reaction at B (N)
w = the intensity of the uniformly distributed load (N/m)
L = the span of the arch (m)
r = the rise of the arch (m)
IV.1B Adjust the "set zero" control on the right support so that the digital force display reads zero.
IV.2B Apply 60 gm to each of the nine hangers (540 gm total) and record the thrust force. Repeat the procedure with 120 gm on each hanger (1080 gm total).
V. REPORT
V.1 Plot the experimental and theoretical thrust force determined in Part A of the experiment.
V.2 Compare the theoretical and experimental thrust force for the uniformly loaded arch.
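As an added worked example of the Part A and Part B calculations (this is not part of the lab manual), the following Python script evaluates Eq. 9.1 at each hanger to give the thrust influence line, evaluates Eq. 9.2 for the distributed load, computes the percent error referenced to the measured value as Section V asks, and adds one check the manual does not spell out: summing Eq. 9.1 over an equal load on every hanger (superposition) and comparing the result with Eq. 9.2. The span L = 0.5 m, rise r = 0.1 m, nine hangers at 50 mm spacing, a 10 g hanger mass, the choice w = P/s (load per hanger divided by hanger spacing) and the "measured" readings are all assumptions constructed for the example, not data from the apparatus; substitute the values you record in Tables I to III.

```python
"""Theoretical horizontal thrust of a two-pinned arch (Eqs. 9.1 and 9.2) and
comparison with measured thrust readings. Added example: the geometry, hanger
layout and 'measured' values in __main__ are assumed, not lab data."""

G = 9.81  # gravitational acceleration, m/s^2


def thrust_point_load(P, x, L, r):
    """Eq. 9.1: thrust H_B (N) for a point load P (N) at x (m) from the left
    support of an arch with span L (m) and rise r (m)."""
    return 5.0 * P * x * (L**3 - 2.0 * L * x**2 + x**3) / (8.0 * r * L**3)


def thrust_uniform_load(w, L, r):
    """Eq. 9.2: thrust H_B (N) for a uniformly distributed load w (N/m)."""
    return w * L**2 / (8.0 * r)


def influence_line(P, L, r, positions):
    """Thrust influence line: (x, H_B) pairs for the load P at each hanger."""
    return [(x, thrust_point_load(P, x, L, r)) for x in positions]


def percent_error(calculated, measured):
    """Percent error referenced to the experimental value, as Section V asks."""
    return abs(calculated - measured) / abs(measured) * 100.0


def superposition_check(P, L, r, positions):
    """Sum Eq. 9.1 over an equal load P on every hanger (superposition of the
    point-load solution) and compare with Eq. 9.2 using w = P / s, where s is
    the hanger spacing (assumed definition of the load intensity).
    Returns (summed_point_load_thrust, uniform_load_thrust)."""
    s = positions[1] - positions[0]
    summed = sum(thrust_point_load(P, x, L, r) for x in positions)
    return summed, thrust_uniform_load(P / s, L, r)


def comparison_table(P, L, r, positions, measured):
    """Rows of (x, measured, calculated, % error) for the Part A report."""
    rows = []
    for x, H_meas in zip(positions, measured):
        H_calc = thrust_point_load(P, x, L, r)
        rows.append((x, H_meas, H_calc, percent_error(H_calc, H_meas)))
    return rows


if __name__ == "__main__":
    # Assumed arch geometry and hanger layout (take these from Table I in practice).
    L, r = 0.5, 0.1                               # span and rise, m
    hangers = [0.05 * i for i in range(1, 10)]    # nine hangers, 50 mm apart
    hanger_mass = 0.010                           # kg, assumed
    P_100 = (0.100 + hanger_mass) * G             # total weight with the 100 gm load, N

    # Constructed 'measured' readings for the 100 gm load, N (not real data).
    measured_100 = [0.32, 0.61, 0.84, 0.98, 1.03, 0.98, 0.84, 0.61, 0.32]
    for x, H_meas, H_calc, err in comparison_table(P_100, L, r, hangers, measured_100):
        print(f"x = {x * 1000:4.0f} mm  measured {H_meas:.3f} N  theory {H_calc:.3f} N  error {err:5.1f} %")

    # Part B: 60 gm on each of nine hangers, compared with Eq. 9.2.
    P_60 = (0.060 + hanger_mass) * G
    summed, uniform = superposition_check(P_60, L, r, hangers)
    print(f"nine point loads: {summed:.3f} N   Eq. 9.2 with w = P/s: {uniform:.3f} N")
```

The superposition sum comes out about 0.8 % below Eq. 9.2 for nine equally spaced hangers, which is the discretisation error of replacing a continuous load by nine point loads; a larger gap between your Part B reading and Eq. 9.2 is therefore experimental, not a property of the formula.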
Table I Arch data
Rise of arch, r (m) |
Length (span) of arch, L (m) |

Table II Weight data
Added mass | 100 gm | 500 gm
Hanger mass | |
Total mass | |
Total weight (N) | |

Table III Data for a point load moving across a two-pinned arch
Load location x (mm) | Measured thrust force for 100 gm load (N) | Measured thrust force for 500 gm load (N)
0 | 0 | 0
50 | |

Data for the uniformly distributed load (Part B)
Total mass (gm) | Measured thrust force (N) | Calculated thrust force (N) | % Error
540 | | |
1080 | | |
MECHANICS LAB
AM 317
EXP 6
SPRINGS IN SERIES AND PARALLEL
I. OBJECTIVES
I.1 To study the relationship of springs connected in series and parallel and determine the equivalent spring constant.
I.2 To study the unsymmetric loading of parallel springs.
II. BACKGROUND
Springs are devices that can store and release energy. Because of these properties, springs are very important in engineering. It is therefore essential that engineers understand how the different types of spring combinations behave when loaded.
Springs can be combined in series, in parallel, and in a combination of series and parallel. Each spring or spring system can be characterized by its spring constant k. The spring constant can be determined by use of Hooke's Law:

$$F = k \Delta \qquad (6.1)$$

where:
F = applied force
∆ = the resulting displacement
III. EQUIPMENT
III.1 Assorted springs, hooks, and aluminum bars.
III.2 Steel scales
III.3 Steel frame
IV. PROCEDURE
IV.1 Determine the spring constant for each individual spring using Eq. 6.1. When determining the spring constant, be sure the spring carries an initial load sufficient to separate the coils and remove the pretension. Determine the deflection due to several loads and take the average value for the spring constant, k. You may fit a linear trendline to the force-deflection data to obtain the spring constant: k is the slope m of the trendline ($y = mx + b$) and b is the initial preload required to separate the coils of the spring.
IV.2 Set up the spring systems shown in Figures 1, 2 and 3 to determine the equivalent spring constant for each system.
IV.3 Construct the spring system shown in Figure 4 and determine the equivalent spring constant. You will need to use two pairs of springs with matching spring constants to obtain good results.
R. Ehgott (Created) 2/7 04/07/01
T. Hao (Revised) 08/07/16
$$F_T = F_1 = F_2 \qquad (6.2)$$

$$\Delta_T = \Delta_1 + \Delta_2 = \frac{F_1}{k_1} + \frac{F_2}{k_2} = \frac{F_T}{k_1} + \frac{F_T}{k_2} \qquad (6.3)$$

$$k_{eq} = \frac{F_T}{\Delta_T} = \frac{k_1 k_2}{k_1 + k_2} \qquad (6.4)$$

Figure 1 Springs in Series (springs k_1 and k_2 connected end to end under the load F_T)

$$\Delta_T = \Delta_1 = \Delta_2 \qquad (6.5)$$

$$F_T = F_1 + F_2 = k_1 \Delta_1 + k_2 \Delta_2 = k_1 \Delta_T + k_2 \Delta_T \qquad (6.6)$$

$$k_{eq} = \frac{F_T}{\Delta_T} = \frac{k_1 \Delta_T + k_2 \Delta_T}{\Delta_T} = k_1 + k_2 \qquad (6.7)$$

Location of $F_T$ when $k_1 \neq k_2$ (so that both springs still deflect equally, from moment equilibrium of the bar about the load point):

$$a = \frac{k_1 L}{k_1 + k_2}$$

Figure 2 Springs in Parallel ($\Delta_1 = \Delta_2$): springs k_1 and k_2 a distance L apart support a bar loaded by F_T at distances a and b from the two springs.
Figure 3 Springs in Parallel – Unsymmetric Case ($\Delta_1 \neq \Delta_2$)

$$k_{eq} = \frac{1}{\dfrac{1}{k_1 + k_2} + \dfrac{1}{k_3 + k_3} + \dfrac{1}{k_1}} \qquad (6.12)$$

Figure 4 Springs in Series and Parallel (k_1 and k_2 in parallel, k_3 and k_3 in parallel, and a single k_1, connected in series under the load F_T)
V. REPORT
V.1 Plot the force versus deflection for each individual spring and report the stiffness for each spring in a table.
V.2 Calculate the theoretical equivalent spring constants given by Eqs. 6.4, 6.7, 6.11 and 6.12 and compare them to the experimental values determined. Report the results in a table with the percent error referenced to the experimental values.
V.3 Discuss the results and draw appropriate conclusions.
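As an added worked example of steps IV.1 to IV.3 and the report items V.1 and V.2 (this is not part of the lab manual), the following Python script fits the straight line F = k∆ + b to force-deflection readings by ordinary least squares, so that the slope is the spring constant k and the intercept b is the preload that separates the coils, exactly what the spreadsheet trendline of IV.1 returns. It then evaluates the equivalent constants for springs in series (Eq. 6.4), in parallel (Eq. 6.7) and for the Figure 4 arrangement (Eq. 6.12, taken here as k_1 and k_2 in parallel, the two k_3 springs in parallel, and a single k_1, all in series), the load position a for unequal parallel springs, and the percent error referenced to the experimental value. The readings, stiffnesses and the "experimental" k_eq are constructed for the example, not measured data.

```python
"""Spring constant from force-deflection readings (Eq. 6.1 with preload) and
the equivalent constant of series, parallel and series-parallel combinations.
Added example: the readings in __main__ are constructed, not lab data."""


def fit_spring(deflections, forces):
    """Least-squares straight line F = k*D + b through the readings.
    Returns (k, b): k is the spring constant (slope of the trendline) and
    b is the preload needed to separate the coils (intercept), as in IV.1."""
    n = len(deflections)
    if n < 2 or n != len(forces):
        raise ValueError("need at least two matching (deflection, force) pairs")
    mean_d = sum(deflections) / n
    mean_f = sum(forces) / n
    sxx = sum((d - mean_d) ** 2 for d in deflections)
    if sxx == 0.0:
        raise ValueError("deflections must not all be equal")
    sxy = sum((d - mean_d) * (f - mean_f) for d, f in zip(deflections, forces))
    k = sxy / sxx
    b = mean_f - k * mean_d
    return k, b


def k_series(*ks):
    """Eq. 6.4 for two springs; 1/k_eq = sum(1/k_i) holds for any number."""
    return 1.0 / sum(1.0 / k for k in ks)


def k_parallel(*ks):
    """Eq. 6.7: parallel springs forced to the same deflection add directly."""
    return float(sum(ks))


def k_series_parallel(k1, k2, k3):
    """Eq. 6.12 for Figure 4: (k1 || k2), (k3 || k3) and k1 in series."""
    return k_series(k_parallel(k1, k2), k_parallel(k3, k3), k1)


def load_position(k1, k2, L):
    """Where F_T must act on a bar of length L between parallel springs with
    k1 != k2 so that both deflect equally (page formula a = k1 L / (k1 + k2))."""
    return k1 * L / (k1 + k2)


def percent_error(theoretical, experimental):
    """Percent error referenced to the experimental value, as V.2 requires."""
    return abs(theoretical - experimental) / abs(experimental) * 100.0


if __name__ == "__main__":
    # Constructed readings for two springs: deflection (m) and force (N).
    deflection = [0.010, 0.020, 0.030, 0.040]
    force_a = [3.5, 5.0, 6.5, 8.0]      # k = 150 N/m, preload 2.0 N
    force_b = [5.0, 8.0, 11.0, 14.0]    # k = 300 N/m, preload 2.0 N
    k_a, b_a = fit_spring(deflection, force_a)
    k_b, b_b = fit_spring(deflection, force_b)
    print(f"spring A: k = {k_a:.1f} N/m, preload = {b_a:.2f} N")
    print(f"spring B: k = {k_b:.1f} N/m, preload = {b_b:.2f} N")

    print(f"series   k_eq = {k_series(k_a, k_b):.2f} N/m")
    print(f"parallel k_eq = {k_parallel(k_a, k_b):.2f} N/m")
    print(f"Figure 4 k_eq = {k_series_parallel(k_a, k_b, 200.0):.2f} N/m")
    print(f"F_T position for equal deflection on a 0.3 m bar: a = {load_position(k_a, k_b, 0.3):.3f} m")
    # Constructed 'experimental' series value, for the percent-error column.
    print(f"series percent error = {percent_error(k_series(k_a, k_b), 96.5):.1f} %")
```

Fit the line to readings taken only after the coils have separated: a reading inside the preload region lies below the line and drags the fitted slope down, which then propagates into every equivalent constant.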
Table I Spring Data
Spring # | Force Reading | Deflection | Preload | k
1 | | | |
2 | | | |
3 | | | |
4 | | | |
5 | | | |
6 | | | |
7 | | | |

Table II Measured Data
Spring System | Force Reading | Deflection | Preload | k_eq