Formality and informality in internal control systems : a comparative study of control in different social and cultural environments in a global bank
This thesis examined the relationship between formal systems and informal norms in internal control systems in a global bank. The thesis argues that the global policies and standardised manuals and procedures of multinational firms cannot be internalised and interpreted in the same way as anticipated by the management in every branch. This assumption confirms the importance of the need for this study to increase an understanding of the issues and concerns in the management of internal control systems among different organisations in different cultural and social environments. A broad range of literature has been reviewed and it was found that little research in information systems security had previously focused on the internal control systems. As such, this research presents a new area in information systems security study. This research aimed to provide a qualitative approach to increase an understanding of the relationship between formal and informal systems. The main objective was to analyse in depth the interaction between these two systems. More focus was placed on the study of people who played a significant role in the control systems. In pursuing this aim, the interpretive case study of a global bank in two branches was conducted. The findings from this research suggest that there are problems in implementing internal control systems globally across the bank. The internal control systems should be examined with respect to both formal and informal analysis. The considerations should be focused more at the informal level where pragmatic and semantic concerns should be addressed. The thesis concludes that qualitative approach is an appropriate way to conduct research in cross-cultural studies in information systems security, also that semiotics theory is an appropriate approach in this area of study.