Article ID: | iaor19932 |
Country: | United Kingdom |
Volume: | 20 |
Issue: | 2 |
Start Page Number: | 139 |
End Page Number: | 148 |
Publication Date: | Mar 1992 |
Journal: | OMEGA |
Authors: | Walls J.G. |
Keywords: | cost benefit analysis, risk |
This paper presents a methodology for deciding what controls should be included in a computer-based information system (IS). While the paper takes the perspective of the manager who is responsible for effective resource allocation and is supported by the IS, the approach it provides is intended for use by the software engineer responsible for system development. The issue of IS controls is most often addressed in documents containing checklists of controls intended to be used for after-the-fact information system audits. The methodology presented here looks at the problem from the front end of the system development process. It takes into account auditor concerns as well as the cost of including controls in an IS. The approach consists of a quantitative model which facilitates analysis of cost-benefit tradeoffs and methods which can be used to obtain information required by the model. It employs a variety of well-known techniques which have not previously been applied in this context. The major contribution of the paper is that it brings different techniques together into a coherent and feasible methodology which addresses the problem in its entirety.