Division of Research
Graduate School of Business Administration
The University of Michigan

Asset Valuation: A Step in the Direction of Controlling Data Processing Risks

Working Paper No. 270

Patrice Delaney
Paula Kelly
Alan Merten
Beth Pomerantz
The University of Michigan

FOR DISCUSSION PURPOSES ONLY

June 1981

None of this material is to be quoted or reproduced without the express permission of the Division of Research.

Asset Valuation: A Step in the Direction of Controlling Data Processing Risks

by Patrice Delaney, Paula Kelly, Alan Merten, and Beth Pomerantz
The University of Michigan

Abstract

Valuating your company's information assets — including software programs and data — can be a big step forward in increasing internal control consciousness and reducing data processing risks. This paper addresses some of the benefits and implications of such an activity.

"Our database and software packages are two of the most valuable resources this company has," claimed the EDP manager to his fellow executives in the executive lunchroom. Everyone at the table nodded their heads in agreement. "...And furthermore," he continued, "these resources should be valued, depreciated, and accounted for in the same manner as all other balance sheet assets." The reaction at the table this time ranged from a few bemused "those strange people in EDP" smiles to a number of "hmm, I'll have to think about that" replies.

In light of the Foreign Corrupt Practices Act¹ and moves in Europe to value data for tax purposes, many managers are seriously beginning to think about this concept of broadening the definition of assets to include data and software (Mautz et al.). The impact this approach would have on most U.S. corporations would be great, ranging from tax implications to the need to redesign the balance sheet. Such an approach would also impact the whole area of data processing controls. And it is this particular area which we will be exploring in more depth in this paper.

¹ R. Mautz, W. Kell, M. Maher, A. Merten, R. Reilly, D. Severance, and B. White, Internal Control in U.S. Corporations, Financial Executives Research Foundation, New York, New York, 1980.

Benefits of valuating information assets

If software and data were viewed as assets, then it follows that they would be valued and depreciated in the same manner as other assets. It is from this valuation process that a major impact on data processing controls would be exerted. This impact can best be described as creating an increased sensitivity and awareness on the part of managers to the need for controls.

We believe that if managers were forced to sit down and think about the value of a specific resource, such as an application program, to their functional area, in terms of efficiencies gained, impact of loss, and development costs, their sensitivity to and awareness of the importance of security and controls would be increased. Most managers realize that software, hardware, and data are resources to be protected, but a large gap has existed between this recognition and the actual installation of adequate controls. An awareness of the economic and/or monetary value of software and data would certainly be one step forward in closing this gap.

How, exactly, would valuating its information assets benefit a firm? First of all, at present, when applications are first implemented, it is likely that they are subject to extensive study prior to their initiation, in order to determine cost effectiveness and need for various accompanying control procedures. However, it is probably the case that, once operational, applications often assume a momentum of their own; changes and new features are added without any formal recognition that new risks may be resulting with the concomitant need for additional controls. If an asset valuation procedure were applied, management would be forced to view applications as dynamic entities. Constantly being required to reappraise applications' values, they would become increasingly aware of the need to expand and change controls accordingly.

Currently we find that adequate control procedures may be lacking because of a naivete on the part of upper management in assuming that because they have competent EDP personnel, adequate control procedures must exist. It would seem that if management required a valuation process, it would have more data by which to grasp the value of its EDP resources, and more ability not only to understand what was being done in the area of controls, but also to ascertain where controls were needed. And a cost/benefit analysis for prioritizing controls implementation could then be developed.

In addition to underscoring the dynamic nature of EDP assets and providing a way for determining their relative values, a third benefit would also accrue from this heightened awareness of data and software as valuable assets. Having been made conscious of the fact that these are assets, and that they are exposed to risks (natural disaster, human error, hardware/software failure and abuse), managers would realize that data and software should be insured. Insurance is presently provided only to a certain extent by disaster recovery plans and a good system of internal/administrative controls. The need for a secondary line of defense, such as fidelity bonding and disaster insurance, would now become clearer to managers; and furthermore, because of the valuation process, they would now be "allowed" to purchase such insurance. Resources can be insured only if a monetary value has been placed on them.

A final, though not inconsequential, benefit which would result from applying a broad approach to asset valuation relates to the company's position in regard to the FCPA. At present, ambiguity exists as to the FCPA's intent when referring to the "safeguarding of assets." By including data and software within its definition of assets, the company is very likely to go beyond the FCPA.

How might information assets be valued?

Now that we have looked at the benefits that an encompassing asset definition would bring to the area of internal control, we would like to offer some suggestions for how these newly defined assets might actually be valued.

In order to conceptualize how information assets might be valued, we can think of them as intangible assets, such as goodwill or patents. A first step, then, would be to establish the initial cost of these data and software. The cost should include the purchase price, if any, plus the costs incurred in enhancing their utility. Examples of purchased data might include mailing lists, market research data, independent laboratory analyses, economic forecasts, and policy studies. Costs of internally developed software programs should be stated as the development costs traceable to them. And the value of internally obtained data should be defined as the collection costs or generation costs associated with that data.

The cost of the information assets having been established, the next step would be to determine their useful lives. Like other assets, the information assets are subject to a variety of factors which act to delimit a time period over which their value deteriorates. For example, while the need for generic types of software and data, such as accounting or payroll systems, is likely to exist for as long as the firm does, the individual, specific programs themselves will probably not remain static. Changing business conditions and changes in regulations and internal policies may necessitate program changes. Revision of data may also be required. Installation of new hardware or software may make the current programs suddenly obsolete or incompatible. Shifting to a new data processing policy, such as centralized data administration and/or database, will be accompanied by a revision of data files and programs. Newly discovered program bugs will most often result in untested emergency program patches; and computerized data, like any other form of information, eventually becomes outdated.

The cumulative effect of the above modifications and patches is that the original program no longer exists in its original form. It may no longer do what it was originally intended to do, or it may perform less effectively and efficiently and therefore be a less productive asset to the firm. A depreciation schedule based on the useful life of the programs and data should thus be formulated to reflect this fact of economic life. The above factors should be considered in determining such a depreciation schedule; however, the applicability and degree of impact of each of these factors will vary from firm to firm.

Until calculation of the depreciation of information assets is more widely practiced, a firm's own experience is probably the only means of defining the depreciable lives of its information assets. The past lives of typical similar programs may be the most direct measure of the period of expected benefit. A program's activity level — i.e., the frequency of its use and the volatility of its "subject matter" — should also be included in the useful life estimation. A more frequently used program, or one that operates in a more volatile environment, will be subject to more changes and will therefore have a shorter useful life. Program complexity is another factor which affects life expectancy. As complexity increases, the potential for the production of program bugs increases, also resulting in a shorter productive life.

Depreciating the information assets serves several specific control purposes. Most obviously, the information assets' current monetary value can be specified. An anticipated replacement and maintenance schedule can be outlined. Such a schedule can then contribute to effective control by keeping programs healthy — that is, correct, properly documented, and efficient.

Additionally, the process of estimating the durability of information assets focuses attention on the nature and life cycle of particular software programs and data. By depreciating such assets, the current phase of their life cycle can be pinpointed and the appropriate control actions taken. For example, because programs in the later phases of their life cycle are likely to be more vulnerable to illicit changes and manipulation, they could be identified, and a more stringent enforcement of controls and more frequent audits could be applied. Or perhaps a corporation might discover, through the use of depreciation, what the most effective control mechanisms are for its information assets, based on their nature and age. In general, then, an understanding of the information assets' life cycle can lead to a more fruitful deployment of control resources.

While the above conceptualization of value is useful, most particularly for internal management consumption, it does not capture the full impact or essence of the value of the information assets to the corporation. The full economic value goes beyond the notion of an accounting or book value to incorporate the contribution made by the information assets to the continuing successful operation of the firm. By attempting to construct and value this measure, the often overlooked importance of the information assets to the existence of the firm will become readily apparent to management and serve as an impetus to the implementation of controls.

In developing this expanded measure of value, an attempt should be made to determine the dollar loss that would result from the unavailability or compromise of software and data, from whatever cause. Added to this loss should be an estimate of costs which would be incurred to restore the programs and data. These amounts can serve as an indication of the ultimate value of the information assets.

A "what-if" approach can be used to speculate about the probable ramifications and expected dollar losses resulting from the unavailability of information assets. What is the role of a particular program and data, or class of programs and data? What if these programs are unavailable? Is their role crucial to continued operations or closely related to a fundamental function? If so, dollar losses will probably be immediate and large. What is the ability to recover the functionality provided by a class of programs and data? To measure the value of this capability, we'd have to look at the time and costs required to reconstruct and make operational the programs and data. This estimation should then be further broken down into the time needed to establish the minimum required functionality and the time required to establish full functionality. The ability to quickly recover functionality will reduce the amount of the total loss.
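The two measures discussed so far, book value under a depreciation schedule and the "what-if" loss, can be computed side by side to rank assets for control attention. The following is an added example, not part of the original paper; the straight-line schedule, the reduced loss rate at minimum functionality, the 0.75 late-phase threshold, and all figures are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class InfoAsset:
    name: str
    cost: float                 # purchase price or traceable development/collection cost
    useful_life_years: float    # estimated from the firm's own experience
    age_years: float
    daily_loss_down: float      # assumed dollar loss per day with no functionality
    daily_loss_degraded: float  # assumed loss per day at minimum functionality
    days_to_minimum: float      # time to establish minimum required functionality
    days_to_full: float         # time to establish full functionality
    restore_cost: float         # cost to reconstruct the programs and data


def life_fraction(a: InfoAsset) -> float:
    """Share of the estimated useful life already consumed, capped at 1."""
    return min(1.0, a.age_years / a.useful_life_years)


def book_value(a: InfoAsset) -> float:
    """Cost less depreciation; straight-line is an assumption of this example."""
    return round(a.cost * (1.0 - life_fraction(a)), 2)


def what_if_loss(a: InfoAsset) -> float:
    """Loss from unavailability plus the cost of restoring programs and data."""
    if a.days_to_full < a.days_to_minimum:
        raise ValueError(f"{a.name}: full recovery cannot precede minimum recovery")
    outage = a.daily_loss_down * a.days_to_minimum
    degraded = a.daily_loss_degraded * (a.days_to_full - a.days_to_minimum)
    return outage + degraded + a.restore_cost


def control_plan(assets, late_phase=0.75):
    """Rank by what-if loss; flag late-life assets for stricter controls and audits."""
    ranked = sorted(assets, key=what_if_loss, reverse=True)
    return [(a.name, book_value(a), what_if_loss(a), life_fraction(a) >= late_phase)
            for a in ranked]


# Constructed sample figures, for illustration only.
ASSETS = [
    InfoAsset("payroll", 120_000, 8, 7, 15_000, 3_000, 2, 10, 40_000),
    InfoAsset("mailing_list", 20_000, 4, 1, 500, 100, 5, 15, 20_000),
    InfoAsset("order_entry", 300_000, 5, 2, 50_000, 10_000, 1, 6, 60_000),
]

if __name__ == "__main__":
    for name, book, loss, late in control_plan(ASSETS):
        print(f"{name:13} book={book:>10,.0f} what-if={loss:>10,.0f} late-phase={late}")
```

In the sample data the payroll program and the mailing list carry the same book value, yet the payroll program's what-if loss is four times larger and it falls in the late phase of its life, which is the gap between accounting value and full economic value that the paper describes.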

Defining the overall importance and impact of the information assets could be very useful in developing a control strategy. Each of the two approaches discussed — characterizing the information assets in terms of which ones are associated with the largest potential losses, or defining an appropriate set of controls given the age and nature of the information asset — can provide the beginnings of a more reasoned approach to the allocation of control resources than presently exists.

Weaknesses of an asset valuation procedure

We would be remiss if we ended this paper leaving the impression that implementation of an asset valuation process would be a panacea for discovering and controlling all risks associated with EDP and information assets. In fact, while it is a crucial step, especially in the area of raising control consciousness, it is important to understand and examine what such a procedure will not do.

In order to determine a little more precisely what an asset valuation procedure will and will not do, we should first try to understand what causes lie behind management's failure to successfully control for risks and then examine which of these areas an asset valuation procedure might fail to address. For purposes of this analysis, we can view the resistances to control awareness, development, and implementation as falling into three categories:

* psychological
* organizational
* educational

Psychological resistances: When we speak of psychological blocks to the development of control procedures, we are including such phenomena as: lack of future orientation; protection of turf; and the tendency of human beings to take the easy way out whenever it's available.

Imagining the future is difficult, and as long as EDP fraud, problems, and risks can be viewed as unlikely possibilities, it's hard to take a long-range view of events. An asset valuation model is not likely to prevent individuals from thinking, "It can't happen to us."

Furthermore, even though everyone, at all levels of the organization, may be more aware of the value of the data and software that affect their work, they still may resist the institution of control procedures if there is an accompanying implied criticism of their operations, or if such procedures interfere with their internal affairs, their "turf."

And finally, in the area of psychological resistances, we'd have to admit that once countermeasures or controls are in existence, the asset valuation process would not really help to maintain their use. For example, if a control procedure is the addition of control totals to a computer-based application, it is still possible that, after an initial training period, the data entry clerk might just stop computing the totals, because it is easier not to do so.

Organizational resistances: An organization's structure can be characterized by the arrangement of its departments (be this a functional, hierarchical, or other arrangement); by the strengths and weaknesses of the various departments; and by the existence or lack of cooperation among departments.

It is possible that a particular department may excessively dominate the DP functions, resulting in costly resources being devoted to systems which are relatively unimportant when compared to the total requirements of the organization. Thus other potential users are denied access to the available resources. With an asset valuation procedure in effect, the organization would have a more global and comprehensive picture of the worth of its information assets and would be more likely to prevent their misuse or misallocation. However, we still would not be able to force cooperation among users, nor could we guarantee that controls would be implemented through appropriate segregation of duties and responsibilities among users and personnel.

If users have been discontent with EDP services provided in the past, and EDP processing fragmentation has become entrenched (i.e., because of dissatisfaction with internal service, users have obtained hardware or other DP facilities outside the organization), even an asset valuation procedure will not make it easy to bring the various DP installations together to formulate a corporate-wide controls policy — a necessary step in controlling risks.

One last point should be mentioned in terms of organizational structure. The dynamic nature of organizations — new personnel being hired; departments being created, combined, destroyed; applications being written, modified — all these events present new risks and new control needs. As we have tried to show earlier, in this area an asset valuation model could be useful, since as systems change, their values change, and theoretically, our model should reflect such changes.

Educational/information resistances: A final hindrance to the development and installation of controls lies in the fact that managers, users, and others often are simply not adequately educated and informed about computers or the risks they present. However, because control consciousness would be raised by use of an asset valuation model, it is less likely that management would be ignorant of EDP risks. Knowing the value of information assets, they would be less willing to simply assume that "those people in EDP" must be taking care of everything. Management, using our proposed model, would be more likely to take an active interest in seeing that the information assets are adequately protected.

On the other hand, unless special efforts are made to educate the users, their role in controlling risks through input into systems design, implementation, and subsequent maintenance may not be any more effective than it ever was. Lacking knowledge and/or imagination about the best way to process an application, they may continue to suggest familiar, but still risky, procedures. Education, not asset valuation, is necessary in order to determine what kinds of specific controls are needed in regard to specific transaction flows.

But why not?

Despite its shortcomings, implementation of an asset valuation model would force management to take a good, close look at its EDP/information assets, and not leave their valuation to intuitive judgment. While placing a monetary value on such assets might be difficult, the act of attempting to account for them would at least direct attention toward their importance and the costly risks of their loss.

It is true that human resource accounting, which also deals with hard-to-quantify data, has long been a controversial issue and not widely utilized; and research proving that quantifying personnel assets will lead to better management decisions has not been definitive. However, a more formalized valuation of EDP assets appears to be a topic that will receive more attention in the future — from the EDP auditor who says "that which gets measured gets controlled" to the company president who calls for a definition of assets that goes beyond the CPA's dictionary to include the value of information in its totality.