From Q-BPM

General Control (also called IT General Control) is the establishment and maintenance of the environment in which control over business execution works effectively, achieved by appropriately maintaining and operating IT-based information systems.


Overview of General Control

In Internal Control, General Control establishes the foundation on which the other controls work effectively. General Control establishes and maintains the environment in which Application Control, the framework that manages business execution itself by appropriately establishing and maintaining IT-based information system environments, can work effectively. More specifically, the environment is maintained and controlled from the following four perspectives.

  • System development: Appropriate applications are to be introduced. When development is outsourced to an external party, contract management is also required.
  • System modification: Modification of IT infrastructure, applications, and data must be done appropriately.
  • System operation: The entire system must be operated appropriately.
  • Access to system: Only the appropriate participants must be allowed to access the data and applications.

System development, modification, operation, access management, and so on, which General Control focuses on, are the routine tasks of an IT department; in that sense, practicing General Control means making the IT department's tasks visible and keeping them properly maintained.

Position of General Control in Japan

General Control is defined in "Execution criteria of evaluation and supervision concerning internal control over financial reports" by the Financial Services Agency.

In other words, "adaptation to IT," which is one of the "six elements of Internal Control," is achieved by practicing the following two:

  • "Adaptation to IT environment"
  • "Use of IT and control over it"

Furthermore, "Use of IT and control over it" is guaranteed by "five perspectives concerning the use of IT" and "two perspectives about the control over IT." General Control is defined in "Establishment of IT Control," which is one of the perspectives about "the control over IT."

<Use of IT>

  • "Use of IT to guarantee the effectiveness of control environment"
  • "Use of IT to guarantee the effectiveness of risk evaluation and response"
  • "Use of IT to guarantee the effectiveness of controlling activities"
  • "Use of IT to guarantee the effectiveness of information and communication"
  • "Use of IT to guarantee the effectiveness of monitoring"

<Control over IT>

  • "Goal of IT Control to accomplish the organizational goals"
  • "Establishment of IT Control"

In addition, in "Establishment of IT Control," two activities shown below are explained in detail.

  • "Application Control concerning IT"
  • "General Control concerning IT"

The former is defined as "an activity to manage each business process system so that the data input, processing, and output are correctly done," and the latter is defined as "an activity to establish the environment and foundation on which application control works soundly and effectively." Sometimes the former is simply called "Application Control," and the latter is called "General Control."

Practice of General Control

What is COSO?
COSO is the abbreviation of the Committee of Sponsoring Organizations of the Treadway Commission. In Japanese, it is called “Treadway-Iinkai-Soshiki-Iinkai.” It is an organization in the U.S. that devises measures to prevent fraudulent financial reporting.

COSO is often used as a framework for Internal Control in general, but COBIT is frequently used for General Control. COBIT defines an IT management process using four domains, "planning and organization," "procurement and introduction," "delivery and support," and "monitoring and evaluation," and multiple processes derived by subdividing those domains. In the U.S., it was adopted when the SOX Act came into force and is used as a framework for establishing internal control over IT. Moreover, a framework called "COBIT for SOX" was created by adapting COBIT to the SOX Act, extracting and organizing the goals of IT Control from the perspective of "Internal Control concerning financial reports." The specific procedure for execution is shown below.

Planning Phase of General Control

What is a Framework?
A framework is a fundamental structure for concepts. When you try to understand a target issue, it is better to organize it from a certain viewpoint than to present it vaguely.

What is COBIT?
COBIT stands for Control Objectives for Information and related Technology and is a standard for organizational IT governance practice.

In this phase, we need to identify the business processes related to financial reports and then identify the application systems that support those business processes. Based on them, the application systems to be controlled and the infrastructure on which they operate can be identified. In addition to identifying "software," "databases," "OS," and "hardware," we should also grasp the following.

  • Business process used
  • Package / In-house development
  • Whether customization is needed
  • Participant in charge

Taking these into consideration, we must evaluate "General Control" in the company and draw up a concrete plan for the degree to which control should be done. To do that, we can use the criteria of the "evaluation phase" described later.

Execution Phase of General Control

System Development and Modification

The reliability of the system must be tested and approved before it is used in the production environment.

  • Development and procurement of software
  • Establishment of IT infrastructure
  • Modification management
  • Test
  • Planning and maintenance of procedures concerning development and maintenance
  • Contract with external contractors
  • Service Level Agreement with external contractors and management of it

System Operation

System operation must prevent unauthorized and fraudulent processing.

  • Operation management
  • Architecture management (Maintenance of software and IT infrastructure)
  • Data management

Access to System

  • Information security (countermeasures against viruses, etc.)
  • Secure access control: Only participants authorized in advance are granted access privileges (Proactive control). Monitoring access violations then makes it possible to prevent programs and data from being tampered with (Heuristic control).
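As an added illustration (not part of the Q-BPM article), the following Python sketch models the two kinds of control named in the last bullet: a pre-authorized allowlist as the proactive control, and a violation log plus file-hash comparison as the heuristic control that detects tampering with programs and data. The ACL, user names and file contents are constructed sample data.

```python
"""Added example, not from the Q-BPM page: a minimal model of proactive and
heuristic access control.  Proactive control: an allowlist granted in advance
decides who may read or write each protected object.  Heuristic control: every
denied request is recorded for monitoring, and a baseline of file hashes is
compared against current contents to detect tampering.  All users, objects and
file contents are constructed sample data."""
import hashlib
from collections import Counter

# Proactive control: privileges granted in advance (constructed sample ACL).
ACL = {
    "gl_ledger.db": {"alice": {"read", "write"}, "bob": {"read"}},
    "payroll.exe": {"ops": {"read"}},
}

VIOLATIONS = []  # heuristic control: denied requests are kept for monitoring


def authorize(user, obj, action):
    """Return True only if the user already holds the privilege; log denials."""
    allowed = action in ACL.get(obj, {}).get(user, set())
    if not allowed:
        VIOLATIONS.append((user, obj, action))
    return allowed


def violation_summary(threshold=3):
    """Users whose denied requests reach the threshold (candidates for review)."""
    counts = Counter(user for user, _, _ in VIOLATIONS)
    return {user: n for user, n in counts.items() if n >= threshold}


def baseline(files):
    """Record the SHA-256 of each protected program/data file (name -> bytes)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def detect_tampering(base, files):
    """Names whose current hash differs from the baseline, or which are missing."""
    changed = []
    for name, digest in base.items():
        current = files.get(name)
        if current is None or hashlib.sha256(current).hexdigest() != digest:
            changed.append(name)
    return sorted(changed)


if __name__ == "__main__":
    # Constructed sample files standing in for a ledger database and a program.
    files = {"gl_ledger.db": b"balance=100", "payroll.exe": b"\x7fELF..."}
    base = baseline(files)
    print(authorize("alice", "gl_ledger.db", "write"))  # True: granted in advance
    print(authorize("bob", "gl_ledger.db", "write"))    # False: denied and logged
    files["gl_ledger.db"] = b"balance=999"              # simulate tampering
    print(detect_tampering(base, files))                # ['gl_ledger.db']
```

The proactive check never consults the request itself beyond user, object and action, which is what makes it a control granted in advance; the violation counter and the hash comparison are the after-the-fact monitoring that catches what the allowlist did not foresee.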

Evaluation and Improvement Phase of General Control

In this phase, General Control is evaluated from the four perspectives shown below and improved when problems are detected.

  1. System development
    Evaluate whether the purchase process and development process of information systems are appropriately managed
    Evaluate the selection criteria for a contractor, the acceptance inspection procedure for deliverables, and the control exercised by the contractor when system development is outsourced to an external party
  2. System modification
    Evaluate whether modification management, including system upgrades, information updates, and so on, is done appropriately
  3. System operation
    Evaluate whether the appropriate data are processed by appropriate programs to obtain correct processing results
    Evaluate whether the developer and the operations manager are different people
  4. Access to system
    Evaluate whether there are appropriate access control mechanisms to prevent dishonest usage and tampering of data, software, hardware, and related equipment, and measures (control) to prevent financial information from being lost owing to natural disasters, etc.

The scale of the evaluation is as follows:

  • Level 0 = None (No process)
  • Level 1 = Primitive (Ad hoc)
  • Level 2 = Repeatable (Standardized pattern)
  • Level 3 = Defined (Documented and announced)
  • Level 4 = Managed (Monitored)
  • Level 5 = Optimized (Best practice, automated)

For SOX Act compliance in the U.S., Level 3 is the targeted status.

Q-BPM: This website was started by Questetra, Inc. for businesspeople all over the world who are interested in BPM but spend a great amount of time searching through many books, documents, and difficult terms. By saving them the trouble of looking up related terms or searching for documents, Questetra, Inc. hopes to contribute to businesspeople interested in BPM all over the world. Q-BPM exemplifies various Sample Processes regarding Business Flow in companies and supports Business Flow Diagram making. (* Business Flow Diagram: Business Flow Chart/Business Diagram/Business Process Diagram) This is a crowd-sourced information website that invites collaborators from all over the world. In principle, contents in this website are public under the license called “CC-By SA,” which means “possible to copy under specific conditions.”