The aim of this research was to prescribe a set of functions that constitutes the necessary functions in the static structure of effective computer controls. A knowledge of a control's static structure is important to researchers, practitioners, and educators. Researchers will be better able to develop theories concerning internal controls and to understand how expert auditors structure their knowledge of controls. Practitioners will be assisted in designing controls for new situations and in evaluating the effectiveness of existing controls. Educators will know better how to teach students to design and evaluate controls.
The control structure proposed in this thesis prescribes a set of five functions as necessary for an effective control. These functions are authorization, standard generation, a comparison of the standard with the system states, the abort of unlawful transactions, and a review of rejected transactions. The need for an effective computer control to perform these functions was tested in two experiments.
In the first experiment, twelve expert and twelve novice EDP auditors recalled twenty randomly-presented functions needed in four controls. The objective of this experiment was to determine whether the pattern exhibited in expert recall matched the five functions that the theory prescribes as needed for an effective control. The memory pattern of expert auditors was the empirical indicator for an effective control. Novice auditors provided the experimental control.
Two complementary techniques were used to analyze the data obtained in this experiment. First, multidimensional scaling was used to determine the overall structure of expert and novice recall. Second, hierarchical cluster analysis was used to determine the intra-control structure. The recalls of expert auditors supported the five-function control structure prescribed by the theory.
In the second experiment, sixteen expert auditors judged four control configurations. The purpose of the experiment was to assess whether a control with less than five functions is as effective as one with five functions. Subjects judged four sets of controls. Each set comprised one five-function and two four-function control configurations. The subjects' judgments were made on semantic differential scales that were developed using one hundred and sixty-seven subjects. A further fourteen subjects assessed the reliability of the scales. The empirical indicator for an effective control was a vector calculated from subjects' scores on the semantic differential scales. The results of the analysis showed that the five-function control structure was judged as significantly more effective than controls with less than five functions.
In summary, the research has contributed to a theory of control structure and to the methodologies for assessing a control's effectiveness. An effective control must execute the following five functions:
* An authorization function.
* A standard generation function.
* A comparison between the standard and the system states.
* A function to prevent the processing of mismatches.
* A review function to ascertain the cause of the unlawful transaction.