Abstract

The objectives of the report are to investigate the perceived threats to computerized accounting information systems (CAIS) and to discuss how the impact of these threats can be reduced. The report covers the 19 perceived threats to CAIS, preventive controls, detective controls, corrective controls and auditors’ attestation of internal controls.
Examples of controls given are authentication, authorization, physical access control, host and application hardening, encryption, training, log analysis, intrusion detection system (IDS), security testing, computer emergency response team (CERT), the role of Chief Security Officer (CSO) and patch management. The types of analysis used in the report are historical and qualitative analysis.
The main finding is that the perceived threats to CAIS can be grouped into 19 threats, and that the impact of all of them can be reduced through preventive, detective and corrective controls tailored to the particular business organization, together with auditors’ attestation of internal control.

1. Introduction
This report investigates the perceived threats to computerized accounting information systems (CAIS) and discusses how these threats can be reduced. A limitation encountered in doing so is the lack of recent Australian research on perceived threats to CAIS and on the corresponding countermeasures.
The report lists the 19 perceived threats to CAIS and the fastest growing threats among them. It then discusses preventive, detective and corrective controls, namely authentication, authorization, physical access control, host and application hardening, encryption, training, log analysis, intrusion detection systems (IDS), security testing, computer emergency response teams (CERT), the role of the Chief Security Officer (CSO) and patch management, and finally auditors’ attestation of internal control.

2. The perceived threats of CAIS
Computerized accounting information systems (CAIS) have become essential tools for conducting business and for holding those in charge to account, e.g. through the general purpose financial report. Even without the internet, CAIS are exposed to risks that may compromise the relevance and reliability of financial information and so affect the decisions made by stakeholders. With the advent and advancement of the internet, CAIS face additional threats that need to be addressed not only by auditors and IT personnel but also by management and accountants (Beard & Wen 2007).
One important study in this area identified 19 perceived threats or risks to CAIS: (1) accidental entry of bad data by employees; (2) intentional entry of bad data by employees; (3) accidental destruction of data by employees; (4) intentional destruction of data by employees; (5) unauthorized access to the data and/or system by employees; (6) unauthorized access to the data and/or system by outsiders; (7) employees sharing passwords; (8) natural disasters; (9) disasters of human origin; (10) introduction of computer viruses to the system; (11) suppression or destruction of output; (12) creation of fictitious or incorrect output; (13) theft of data or information; (14) unauthorized copying of output; (15) unauthorized document visibility; (16) unauthorized printing and distribution of data or information; (17) directing printed and distributed information to people not entitled to receive it; (18) handing sensitive documents to non-security-cleared personnel for shredding; and (19) interception of data transmission (Loch, Carr & Warkentin 1992). Internal controls can be classified by purpose into preventive, detective and corrective controls. A preventive control is designed to stop a security incident from happening.
A detective control is a device, technique or procedure that detects harm and security breaches in a timely manner, whereas a corrective control involves action to reverse the effects of harm and security breaches (Considine et al. 2008).

3. Preventive controls

Important examples of preventive controls are authentication, authorization, physical access control, host and application hardening, encryption and training. Authentication verifies the identity of the person or device attempting to access the system, e.g. by passwords, PINs, smart cards, ID badges, fingerprints or voice recognition. Authorization restricts authenticated users to specific portions of the system and specifies the actions they are permitted to perform, e.g. by an access control matrix in which each row is a user, each column a resource and each cell the set of permitted actions, with an empty cell meaning no access.
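The two checks just described, as an added example that is not code from the report or from any of the works it cites: authentication of a user against a salted password hash, followed by authorization of the requested action against an access control matrix. The user store, the clear-text passwords used to build it, the resources, the matrix entries, the function names and the PBKDF2 iteration count are all constructed assumptions for this example.

```python
"""Added example, not from the report: authentication with a salted password
hash, then authorization against an access control matrix (default deny).

The user store, passwords, resources and matrix below are constructed for this
example; the function names and the PBKDF2 iteration count are assumptions."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

PBKDF2_ROUNDS = 100_000  # assumption: cost factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived key). Only these are stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, key


# Constructed user store: username -> (salt, derived key). The clear-text
# passwords appear only here, to build the sample; a real store holds none.
USER_STORE: Dict[str, Tuple[bytes, bytes]] = {
    name: hash_password(pw)
    for name, pw in {"alice": "ledger-2024!", "bob": "payroll#9"}.items()
}

# Access control matrix: row = user, column = resource, cell = permitted
# actions. A missing cell means no access at all (default deny).
ACCESS_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"general_ledger": {"read", "post"}, "payroll": {"read"}},
    "bob": {"payroll": {"read", "update"}},
}


def authenticate(username: str, password: str) -> bool:
    """Verify who the caller is. compare_digest keeps the comparison constant-time."""
    record = USER_STORE.get(username)
    if record is None:
        # Do the same amount of work for unknown users, so response time does
        # not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)


def authorize(username: str, resource: str, action: str) -> bool:
    """Look the request up in the matrix; anything not listed is refused."""
    return action in ACCESS_MATRIX.get(username, {}).get(resource, set())


def access(username: str, password: str, resource: str, action: str) -> str:
    """Authenticate first, then authorize; failure at either step denies."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, resource, action):
        return f"denied: {username} may not {action} {resource}"
    return f"granted: {username} {action} {resource}"


if __name__ == "__main__":
    print(access("alice", "ledger-2024!", "general_ledger", "post"))
    print(access("bob", "payroll#9", "general_ledger", "read"))
    print(access("bob", "wrong-password", "payroll", "read"))
```

The order matters: the matrix is consulted only after the identity has been verified, and a request with no matching cell is refused rather than falling through to some default permission. In a real CAIS each denial at either step would also be written to the audit log, which is what the detective controls below examine.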
Good physical access control includes stationing a receptionist or security guard at the main entrance while locking the other entrances to the building, a visitor sign-in form, monitoring all entry and exit points with CCTV, securing rooms that hold important servers with card readers, numeric keypads or biometric devices, and storing sensitive data on removable media only in encrypted form (Romney & Steinbart 2006). Typical examples of host and application hardening are firewalls, antivirus software, user account management, sound software design that prevents buffer overflow attacks (i.e. an attacker sends a program more input than the receiving buffer was sized for, so that the excess overwrites adjacent memory), and disabling unnecessary programs and features to reduce the attack surface created by flaws in those programs and features. Encryption protects sensitive accounting data by transforming plaintext into ciphertext that cannot be read without the corresponding key. A copy of the keys used to decrypt the ciphertext must be stored in a secure location, separate from the encrypted data: an intruder who obtains both has everything, and an organization that loses its keys has lost the data.
Employees should be trained not to share passwords, not to allow other people to follow them through restricted-access entrances, to lock their laptops to an immovable object, to direct and distribute accounting information only to people entitled to receive it, and to hand sensitive documents only to security-cleared personnel for shredding (Romney & Steinbart 2006).

4. Detective controls

Preventive controls can never block all attacks, so detective controls are also needed. Logs, which form an audit trail of system access and of the actions each user performs, need to be examined routinely to detect problems, and must be protected from alteration by the users whose actions they record. An intrusion detection system (IDS) can be installed to automate log analysis: IDS software compares logged activity against patterns of known attacks on CAIS and looks for signs of attempted or successful intrusions. Management reports that monitor the performance of information system controls, i.e.
the COBIT (Control Objectives for Information and Related Technology) framework, which specifies 34 IT-related control objectives and key performance indicators, should also be implemented. Other important detective techniques are vulnerability scans and penetration tests. Vulnerability scans are periodic security tests of the CAIS that use automated tools to identify well-known vulnerabilities, e.g. a flaw that would let an intruder crash the CAIS. A penetration test is an authorized attempt to compromise the CAIS by either an external security consulting firm or an internal audit team, e.g. through authorized hacking, masquerading and piggybacking (Hall 2004).

5. Corrective controls

Prevention and detection of attempted and successful intrusions are important but worthless if not followed by corrective controls.
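Before turning to the corrective controls themselves, the log analysis that section 4 says an IDS automates, as an added example that is not code from the report or from any of the works it cites. It runs three signature-style rules over an audit trail and raises an alert for each match: repeated failed logins (the unauthorized-access threats of section 2), one account logging in from two different sources within minutes (the password-sharing threat), and access to a sensitive resource outside business hours. The log format, the rule thresholds, the set of sensitive resources and every log line are constructed for this example.

```python
"""Added example, not from the report: signature-style analysis of a CAIS
audit trail, the kind of log review that an IDS automates.

The log format, the three rules, their thresholds and every log line below
are constructed for this example; none of them come from the report."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 3                    # assumption: failures before alerting
FAIL_WINDOW = timedelta(minutes=5)    # assumption: window for counting failures
SHARE_WINDOW = timedelta(minutes=10)  # assumption: two sources this close -> shared credential
SENSITIVE = {"payroll"}               # assumption: resources watched after hours
BUSINESS_HOURS = range(7, 19)         # assumption: 07:00 to 18:59


def parse_line(line):
    """'<iso-timestamp> key=value ...' -> dict, with a datetime under 'ts'."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def analyze(lines):
    """Return alerts as (timestamp, rule, user, detail) tuples, in log order."""
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of recent failed logins
    last_success = {}              # user -> (timestamp, src) of the last good login
    for ev in map(parse_line, lines):
        ts, user = ev["ts"], ev["user"]
        if ev["event"] == "login":
            if ev["result"] == "fail":
                recent = failures[user]
                recent.append(ts)
                while recent and ts - recent[0] > FAIL_WINDOW:
                    recent.popleft()        # drop failures older than the window
                if len(recent) == FAIL_THRESHOLD:  # alert once, when the threshold is crossed
                    alerts.append((ts, "repeated_login_failure", user,
                                   f"{len(recent)} failures within {FAIL_WINDOW} from {ev['src']}"))
            else:
                prev = last_success.get(user)
                if prev and prev[1] != ev["src"] and ts - prev[0] <= SHARE_WINDOW:
                    alerts.append((ts, "possible_shared_credential", user,
                                   f"logins from {prev[1]} and {ev['src']} within {SHARE_WINDOW}"))
                last_success[user] = (ts, ev["src"])
        elif ev["event"] == "access" and ev["resource"] in SENSITIVE:
            if ts.hour not in BUSINESS_HOURS:
                alerts.append((ts, "after_hours_sensitive_access", user,
                               f"{ev['action']} {ev['resource']} at {ts.time()}"))
    return alerts


# Constructed sample audit trail (not real data).
SAMPLE_LOG = """\
2024-03-04T08:02:11 user=alice src=10.0.0.5 event=login result=ok
2024-03-04T08:03:40 user=alice src=10.0.0.5 event=access resource=general_ledger action=post
2024-03-04T12:00:01 user=bob src=10.0.0.9 event=login result=fail
2024-03-04T12:00:20 user=bob src=10.0.0.9 event=login result=fail
2024-03-04T12:00:45 user=bob src=10.0.0.9 event=login result=fail
2024-03-04T12:01:10 user=bob src=10.0.0.9 event=login result=fail
2024-03-04T14:10:00 user=alice src=10.0.0.5 event=login result=ok
2024-03-04T14:15:30 user=alice src=10.0.0.77 event=login result=ok
2024-03-04T22:41:05 user=bob src=10.0.0.9 event=login result=ok
2024-03-04T22:42:00 user=bob src=10.0.0.9 event=access resource=payroll action=update
""".splitlines()

if __name__ == "__main__":
    for ts, rule, user, detail in analyze(SAMPLE_LOG):
        print(f"{ts} {rule:<30} {user:<6} {detail}")
```

On the sample trail the analyzer raises exactly three alerts: one for bob's third failed login (the fourth failure does not raise a second alert), one for alice's logins from two addresses five minutes apart, and one for bob's after-hours payroll update. Each rule encodes one of the threats from section 2, which is the sense in which an IDS "compares logs to patterns of known attacks"; rules like these only work if the log itself is trustworthy, so the audit trail must be written to storage that the audited users cannot edit.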
The establishment of a computer emergency response team (CERT) is essential for effective corrective control. The team reduces the effects of harm and security breaches through recognition and containment of the problem, recovery of data from backups, reinstallation of corrupted programs and follow-up, and should involve both technical specialists and senior operations management. A Chief Security Officer (CSO) may be appointed to design, implement and promote sound security policies and procedures, to disseminate information about fraud, errors, security breaches and other improper system uses and their consequences, to work closely with building security personnel, and to report to the CEO. Patch management is another important corrective control. A patch is code released by a software vendor to fix a specific vulnerability in its product; patch management is the set of activities that apply patches regularly and keep all software used in the organization up to date, e.g. antivirus, firewall, PeopleSoft and Windows 7 software (Jones & Rama 2006).

6. Attestation of internal control

In addition, the Australian Auditing Standards (ASA) require external auditors to perform tests of controls for any organization that relies on CAIS for its financial reporting where the entity’s internal control is expected to be effective or where testing controls is considered cost-effective. Otherwise, more substantive tests must be conducted to obtain sufficient appropriate audit evidence. Computer-assisted audit techniques (CAAT), e.g. ACL and IDEA, may allow auditors to perform extensive substantive testing as cheaply as less extensive testing (Leung et al. 2009).
In the US, the emerging trend is for companies to employ information systems auditors to examine how the company’s computer systems safeguard assets and maintain the integrity of accounting data, databases and financial information. This trend is a direct result of the Sarbanes-Oxley Act (SOX), which assigns management and other personnel legal responsibility for providing reasonable assurance of the reliability of financial reporting and the preparation of external financial statements (Beard & Wen 2007).

7. Conclusion

There are 19 perceived threats to CAIS. Their impact can be reduced through preventive, detective and corrective controls tailored to the particular business organization, together with auditors’ attestation of that organization’s internal control.
Important devices, tools, techniques and procedures that can be applied are authentication, authorization, physical access control, host and application hardening, encryption, training, log analysis, intrusion detection systems (IDS), security testing, computer emergency response teams (CERT), the role of the Chief Security Officer (CSO) and patch management.

8. References

Beard, D & Wen, H. J 2007, ‘Reducing the Threat Levels for Accounting Information Systems’, The CPA Journal, May 2007, pp. 1-9, viewed 8 April 2010.
Considine, B, Razeed, A, Lee, M, Speer, D & Collier, P 2008, Accounting Information Systems: Understanding Business Processes, 2nd edition, John Wiley & Sons, Milton, Qld, pp. 277-319.
Hall, J. A 2004, Accounting Information Systems, 4th edition, Thomson South-Western, Ohio, USA, pp. 764-852.
Jones, F. L & Rama, D. V 2006, Accounting Information Systems: A Business Process Approach, 2nd edition, Thomson South-Western, Ohio, USA, pp. 103-136.
Leung, P, Coram, P, Cooper, B. J & Richardson, P 2009, Modern Auditing & Assurance Services, 4th edition, John Wiley & Sons, Milton, Qld, pp. 314-315.
Loch, K. D, Carr, H. H & Warkentin, M. E 1992, ‘Threats to Information Systems: Today’s Reality, Yesterday’s Understanding’, MIS Quarterly, vol. 16, no. 2, pp. 173-186.
Romney, M. B & Steinbart, P. J 2006, Accounting Information Systems, 10th edition, Pearson Education Inc, New Jersey, USA, pp. 236-268.