|
Business Information Intensity as a Construct in Assessing Control Risk
Akhilesh Chandra,
The University of Akron
Thomas Calderon, The University of Akron
ABSTRACT. This paper examines the concept of business information intensity (BII) and discusses a control risk (CR) assessment model that organizations might use to facilitate IT security investment decisions. BII measures and assesses the extent to which an organization uses information technology in its products and value chain. Our analysis of the survey data from a cross-section of CFOs and internal auditors indicates that organizations with high BII and high CR spend substantially more on IT and IT security than their counterparts. Organizations can use the BII-CR model for making trade-offs between IT investments and rigorous control mechanisms in designing secure information systems. The model also highlights the need to revisit the concept of materiality and its link to control risk. Specifically, activities that support critical business processes are themselves critical. This is an important departure from traditional approaches to evaluating materiality.
Full-Text is no longer available online. Please contact the author(s) for more information about this manuscript.
Back to Session Listing
|