Using case-based reasoning for the design of controls for internet-based information systems

The internal auditors and IS managers should obtain understanding of internal control structure in internet-based information systems (IIS) to be established in their organizations. This paper suggests IISCBR (The design of controls for IIS using case-based reasoning), a case-based reasoning model for generating recommendations of IIS controls. The case base of IISCBR consists of slots that include system environments and IIS controls. IIS controls which are most demanded in certain system environments can be suggested by the following two steps. First, the most probable level of controls is suggested from the cases retrieved. Second, the level of controls that have the highest values in performance among the retrieved case is determined. IIS auditors can retrieve similar cases and provide control recommendations using past cases in IISCBR. In order to evaluate the effectiveness of IISCBR, this paper compares the predictive power of the system with that of multivariate discriminant analysis (MDA). The results indicate that the case-based reasoner outperforms MDA in predictive accuracy.