Abstract:

Information attacks are a constant threat to every organization. To protect their sensitive information, organizations implement general information technology controls. An example of such controls includes system change controls (or change management controls), which are critical in ensuring the integrity, completeness, and reliability of financial information. The literature points to various evaluation methods of these controls to determine which ones to implement. The literature further shows how traditional assessment methods do not necessarily promote an effective evaluation, prioritization, and, therefore, implementation of system change controls in organizations. Alarming facts within the literature trigger analyses and identification of additional methods to assist organizations in protecting their sensitive and critical information. This research proposes a quantitative approach to assist management in evaluating system change controls using the Analytic Hierarchy Process. Through a case study, the approach is proven successful in providing a way for measuring the quality of system change controls in organizations.