Reducing the Threat Levels for Accounting Information Systems
By Deborah Beard and H. Joseph Wen
MAY 2007 - One of the early actions of the U.S. Department of Homeland Security (DHS) was to develop the now-familiar color-coded security alert system: Red signaled a “severe” threat to national security, orange a “high” threat, yellow an “elevated” threat, blue a “guarded” threat, and green a “low” threat. In the wake of the recent scandals at Enron, Arthur Andersen, WorldCom, Tyco, and others, one can imagine a similar security alert system for threats to our financial reporting system.
Two possible security risk levels for financial reporting are detailed in Exhibits 1 and 2. First, consider the “Severe Security Alert Level: Code Red.” At this risk level, there are serious attacks possible against our financial reporting system, financial markets, and economy. Scarce resources, including time and money, are being embezzled, misappropriated, or diverted. Investor confidence has been shaken and management has become pessimistic about the future. The government has responded with costly regulation and increased oversight of the executive management and the accounting profession. Information security is experiencing dramatically increased threats.
Now, consider the lower “Guarded Security Alert Level: Code Blue” of Exhibit 2. This risk level recognizes the importance of strong corporate governance and information security in utilizing scarce resources to increase shareholder wealth and to regain the confidence of market participants. Financial decisions are based on accurate, transparent, and timely information that is both relevant and reliable. Investors, creditors, and other users can safely rely on financial reports to assist them in assessing the amounts, timing, and uncertainty of future cash flows, in identifying the resources and claims to those resources, and in evaluating performance. The appropriate “tone at the top” with respect to business and ethical conduct is being demonstrated. Management, audit committees, accountants, and auditors are working together to continuously improve internal control and strengthen information security.
Certainly, there is reason to believe that the business environment has experienced many of the threats consistent with a Code Red. Many of these threats have provided challenges for corporate governance, accountants, auditors, and academicians. One goal businesses hopefully have in common is reducing the threat level to our accounting information system closer to Code Blue.
Security Threats to Internet Commerce and Technology
The growth of the Internet has been fueled by its potential for conducting business. The Internet has removed physical barriers to commerce, tapping previously uneconomical markets. The power of the Internet to facilitate business can be severely offset by users’ concern over security. The website problems occasionally experienced by major e-commerce providers such as Yahoo, eBay, E-Trade, and Amazon.com have provided evidence of some of the risks of Internet-based attacks.
The use of Internet technologies has substantially increased the vulnerability of information systems. One of the fastest-growing threats on the Internet is the theft of sensitive financial data. Failure to include basic information security unwittingly creates significant business and professional risks. For example, without effective security, a hacker may be able to access user passwords, providing entree to an array of system capabilities and information. Such breaches can have serious legal consequences. Or, trade secrets may be uncovered and disseminated, diminishing competitive advantage and profits.
Inadequate information security increases the opportunity for manipulation, falsification, or alteration of accounting records. Unauthorized or inappropriate access to the accounting information system, or the failure to establish and maintain separation of duties as part of a system of internal control, may make it difficult to ensure that valid and accurate transactions are recorded, processed, and reported. There are a number of threats to accounting information systems, especially for those systems used in conjunction with the Internet. These threats represent challenges to management, accountants, auditors, and academicians.
Threats to Accounting Information Systems
Threats to accounting information systems come from a variety of sources. If ignored, they can destroy the relevance and reliability of financial information, leading to poor decisions by various stakeholders. (For specific examples, the Sidebar lists the top 10 concerns identified by a 2006 AICPA survey.)
At the point of data collection, it is important to establish security controls that ensure that transaction or event data are valid, complete, and free from material errors. Masquerading (pretending to be an authorized user) and piggybacking (tapping into telecommunications lines) are examples of hacker activities that can seriously impact valid data collection.
Threats to accounting information systems can also occur during the data processing phase. Creating illegal programs, accessing or deleting files, destroying or corrupting a program’s logic through viruses, or altering a program’s logic to cause the application to process data incorrectly all represent threats. Threats to database management might include unauthorized access that allows altering, deleting, corrupting, destroying, or stealing data. The failure to maintain backup files or other retrieval techniques represents a potentially devastating loss of data. Threats to the information generation and reporting phase must also be considered. For example, the theft, misdirection, or misuse of computer output could damage the competitiveness or reputation of the organization.
Advances in information technology and increased use of the Internet require that management, accountants, auditors, and academicians become more knowledgeable and conversant in the design, operation, and control of accounting information systems.
Implications for Management
With the expansion of computer technology, traditional business processes have been restructured and unique internal control techniques are required to address exposure to many new dangers. The responsibility for establishing and maintaining a system of effective internal controls resides with management. Management’s responsibilities include the documentation, testing, and assessment of internal controls, including relevant general IT controls (e.g., program development, program changes, computer operations, and access to programs and data) and appropriate application-level controls designed to ensure that financial information generated from an organization’s information system can be reasonably relied upon (see www.sec.gov).
The Foreign Corrupt Practices Act of 1977 and the Sarbanes-Oxley Act of 2002 (SOX) assign important legal responsibilities to management. Management and other personnel are expected to provide reasonable assurance annually regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP. Management is expected to establish, evaluate, monitor, and provide written assessments of internal controls, which include policies and procedures that—
- pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and disposition of the assets of the registrant,
- provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorization of management and directors of the registrant; and
- provide reasonable assurance regarding the prevention or timely detection of any unauthorized acquisition, use, or disposition of the registrant’s assets that could have a material effect on the financial statements (www.sec.gov).
Section 404 of SOX mandates a statement of management’s responsibility for establishing and maintaining adequate internal controls over financial reporting and an assessment of the effectiveness of those internal controls: preventive controls, which include techniques designed to reduce the frequency of undesirable or devastating actions; detective controls, which include devices, techniques, and procedures designed to expose undesirable or devastating actions that elude preventive controls; and corrective controls, which involve actions to reverse the effects of undesirable or potentially devastating actions.
SOX does not mandate a single particular form of documentation of internal control compliance; the extent of documentation may vary, depending upon the size and complexity of the organization. Documentation might be paper or electronic, and can include a variety of information, including policy manuals, process models, flowcharts, job descriptions, documents, and forms. Inadequate documentation of the design of controls over relevant assertions related to significant accounts and disclosures is, however, considered a deficiency in the company’s internal control system. COSO (www.coso.org), COBIT (www.isaca.org), ISO (www.iso.org), and SysTrust (www.systrustservices.com) have provided useful frameworks and principles for documenting controls.
Management must ask important questions and be able to rely on the answers with confidence:
- Did assets, liabilities, and other elements shown on financial statements actually exist?
- Did recorded transactions included in the financial statements actually occur?
- Did the financial statements include all transactions and accounts that should be presented?
- Were accounts included in the financial statements at appropriate values?
- Are the assets shown on the balance sheet rights of the company?
- Are the liabilities shown on the balance sheet obligations of the company?
- Are elements of financial statements appropriately classified and disclosed?
How much reliance can be placed on the answers if a significant information security threat exists and management has not taken appropriate measures to protect the organization from internal and external attacks?
Implications for Accountants and Auditors
Accountants—as users, managers, designers, and evaluators of information systems—should be knowledgeable of security threats and appropriate control techniques in order to protect their own information systems and to advise businesses about security risks. A company’s use of information technology and the security of the accounting information system affect the company’s internal control over financial reporting. System processes and system-generated entries for valid transactions and events are an integral part of financial reporting. Since the advent of computer systems that capture, verify, store, and report the data used in financial reports, new security issues involving technology have developed.
Although SOX prohibits auditors from offering information system design and implementation services to audit clients, SOX mandates that every independent audit report include an auditor attestation report relating to the internal control assessments made by management. Specific notation of any significant defects or material noncompliance must be included in that report. In addition, the New York Stock Exchange now requires all listed companies to maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company’s risk management processes and system of internal control.
Auditors are also facing increased challenges from several recent Statements on Auditing Standards (SAS), especially SAS 94 and the new audit risk standards (SAS 104–111) that have been issued by the AICPA’s Auditing Standards Board (ASB). These SASs establish standards and provide guidance concerning the auditor’s assessment of the risk of material misstatement (whether caused by error or fraud) in a financial statement audit, and the design and performance of audit procedures whose nature, timing, and extent are responsive to the assessed risks. Auditors are required to gain a better understanding of the entity and its environment, including internal controls, in order to identify the risks of material misstatement in the financial statements and what the entity is doing to reduce the risks; conduct a more rigorous assessment of the risks of misstatement of financial statements based on that understanding; and improve the linkage between assessed risks and the nature, timing, and extent of the audit procedures performed in response to those risks. The auditor must plan and perform the audit to obtain sufficient evidence that audit risk will be limited to a level that is, in his or her professional judgment, appropriate for expressing an opinion on the financial statements with “reasonable assurance.”
Adoption of new technologies and new or revamped information systems is an emerging risk in today’s business environment. The proliferation of computer-based information systems has had a tremendous impact on the business environment and the auditing of entities where IT has been integrated into operations and information systems. Internal and external auditors are increasingly involved in IT audits and in assessing the effectiveness of internal control. Auditors must recognize that the increased use of IT requires assessments of the potential impact on internal control and in the planning and completion of the auditing process. Attesting to the integrity of data collection, data processing, database management, and information generation has become more complicated as the fundamental ways in which transactions are initiated, recorded, processed, and reported have changed. Ineffective controls on IT provide serious threats to internal control. For example, unauthorized access to software and data can lead to unauthorized, nonexistent, or inaccurate transactions.
SAS 94 specifically requires auditors to consider the effect of IT on internal control and audit evidence, providing guidance on collecting sufficient, competent evidence and identifying circumstances when the system must be accessed in evaluating controls and assessing control risk. An auditor must understand the design of controls, determine whether the controls are in place, and evaluate the effectiveness of the controls. An entity’s use of IT and manual procedures may affect controls relevant to the audit, and should be considered. An auditor then assesses control risk for the assertions embodied in the account balance, transaction data, and disclosure components of the financial statements. An auditor should obtain evidence of the effectiveness of the design and operation of controls to reduce the assessed level of control risk. An auditor uses the understanding of internal control and the assessed level of control risk in determining the nature, timing, and extent of substantive tests for financial statement assertions. As an entity’s operations and systems become more complex, it becomes more likely that the auditor would need a greater understanding of internal control components to design tests of controls and substantive tests.
SAS 94 clarifies the controls needed to ensure that recurring and nonrecurring entries are authorized, complete, and correctly recorded in an IT environment. The auditor should obtain an understanding of how IT affects control activities relevant to planning an audit. Application controls entail the use of IT to initiate, record, process, and report transactions or other financial data. Examples include edit checks of input data, numerical sequence checks, and manual follow-up of exception reports. General controls are policies and procedures that support the effectiveness of application controls by helping ensure continued proper operation of information systems. General controls commonly include controls over data center and network operations; system and application acquisition and maintenance; access security; and application system acquisition, development, and maintenance. Examples of general controls include controls that restrict access to programs or data, controls over the implementation of new releases of packaged software applications, and controls over system utilities that could change financial data or records without leaving an audit trail.
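The three application controls named above (edit checks of input data, numerical sequence checks, and an exception report for manual follow-up) can be made concrete as detective controls over a posting batch. The following is an added example written for this article, not code from the authors or from any accounting package; the chart of accounts, the authorized-poster list, the open period, and the journal-entry batch are all constructed for illustration.

```python
"""Application-control checks over a constructed batch of journal entries.

Each check answers one of the SAS 94 questions quoted in the text: is the
entry authorized, is the batch complete, and is each entry correctly
recorded?  Findings go to an exception report for a person to follow up.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Constructed (hypothetical) master data: valid account codes, users allowed
# to post, and the accounting period currently open for posting.
CHART_OF_ACCOUNTS = {"1000", "1200", "2000", "4000", "5000"}
AUTHORIZED_POSTERS = {"jdoe", "asmith"}
PERIOD_START, PERIOD_END = date(2007, 5, 1), date(2007, 5, 31)


@dataclass
class JournalEntry:
    doc_no: int                        # pre-numbered document number
    posted_by: str
    post_date: date
    lines: list                        # (account, debit, credit) as strings


def edit_checks(entry: JournalEntry) -> list:
    """Input edit checks for one entry: authorized poster, date in the open
    period, only valid accounts, and debits equal to credits."""
    problems = []
    if entry.posted_by not in AUTHORIZED_POSTERS:
        problems.append("unauthorized poster")
    if not PERIOD_START <= entry.post_date <= PERIOD_END:
        problems.append("date outside open period")
    bad = sorted({a for a, _, _ in entry.lines if a not in CHART_OF_ACCOUNTS})
    if bad:
        problems.append("invalid account(s): " + ", ".join(bad))
    debits = sum(Decimal(d) for _, d, _ in entry.lines)
    credits = sum(Decimal(c) for _, _, c in entry.lines)
    if debits != credits:
        problems.append(f"unbalanced: debits {debits} != credits {credits}")
    return problems


def sequence_check(entries: list) -> tuple:
    """Numerical sequence check over document numbers: a gap suggests an
    entry that was never recorded (completeness); a duplicate suggests a
    double posting.  Returns (gaps, duplicates)."""
    seen, duplicates = set(), []
    for n in sorted(e.doc_no for e in entries):
        duplicates.append(n) if n in seen else seen.add(n)
    gaps = sorted(set(range(min(seen), max(seen) + 1)) - seen)
    return gaps, duplicates


def exception_report(entries: list) -> list:
    """Combine all findings into (doc_no, finding) rows for manual follow-up."""
    report = [(e.doc_no, p) for e in entries for p in edit_checks(e)]
    gaps, duplicates = sequence_check(entries)
    report += [(g, "missing document number") for g in gaps]
    report += [(d, "duplicate document number") for d in duplicates]
    return sorted(report)


# Constructed sample batch: one clean entry and three that should be flagged.
SAMPLE_BATCH = [
    JournalEntry(1001, "jdoe", date(2007, 5, 3),
                 [("1200", "500.00", "0"), ("4000", "0", "500.00")]),
    JournalEntry(1002, "asmith", date(2007, 5, 4),          # unbalanced
                 [("5000", "120.00", "0"), ("1000", "0", "100.00")]),
    JournalEntry(1004, "jdoe", date(2007, 6, 2),            # 1003 missing, late date
                 [("1000", "75.00", "0"), ("2000", "0", "75.00")]),
    JournalEntry(1004, "guest", date(2007, 5, 10),          # duplicate, bad user/account
                 [("9999", "10.00", "0"), ("1000", "0", "10.00")]),
]

if __name__ == "__main__":
    for doc_no, finding in exception_report(SAMPLE_BATCH):
        print(f"doc {doc_no}: {finding}")
```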
SAS 94 identifies potential benefits from IT in the effectiveness of internal controls, including: consistent application of business rules and performance of complex calculations; enhanced timeliness, availability, and accuracy of information; and enhanced ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems. SAS 94 also recognizes, however, that IT poses specific risks to internal control, including the reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both; unauthorized access to data that may result in destruction of data or improper changes to data, including nonexistent or inaccurate transactions; and potential loss of data. SAS 94 also stresses that more-extensive documentation (e.g., flowcharts, questionnaires, or decision tables) may be necessary to support an auditor’s understanding and evaluation of internal controls and IT risk assessments.
SAS 94 provides guidance in assessing when specialized skills are required to consider the effect of IT on the audit, to understand controls, and to design and perform audit procedures. Factors to be considered by an auditor in determining whether a specialist is needed are: the complexity of the entity’s systems and IT controls, and the manner in which they are used in conducting the entity’s business; the significance of changes to existing systems or the implementation of new systems; the extent to which data are shared among systems; the extent of the entity’s participation in electronic commerce; the entity’s use of emerging technologies; and the significance of electronic-only audit evidence. According to SAS 94, procedures that the auditor may assign to an IT professional include: inquiring how data and transactions are initiated, recorded, processed, and reported; how IT controls are designed; inspecting systems documentation; observing the operation of IT controls; and planning and performing tests of IT controls. An auditor should have sufficient IT knowledge to communicate the audit objectives to an IT professional, to evaluate whether procedures will meet the auditor’s objectives, and to evaluate the results of the procedures as they relate to the nature, timing, and extent of other audit procedures.
Information systems auditors, who evaluate how a company’s computer systems safeguard assets and maintain data integrity, are in hot demand. The Wall Street Journal reported in May 2006 that more employers are requesting professional certifications as a way to indicate high skill levels and show SOX regulators that staff are knowledgeable. Effective communication and strategies among management, accountants, and auditors are important in reducing or defending against emerging threats to the accounting information system.
New auditing techniques for evaluating internal controls and verifying the reliability and credibility of the data from the accounting information system have been and will continue to be needed. To properly evaluate the potential risks, accountants and auditors must be familiar with current and emerging technologies. Controls over unauthorized access to accounting records are important components of internal control. Access and password policies, encryption, digital signatures, disk locks, firewalls, and digital certificates are examples of control measures that should be identified, documented, reported, and subjected to verification in an evaluation of control effectiveness.
Professional development in documenting internal control, compliance, and the impact of IT is available through a number of organizations. Information can be found from the SEC (www.sec.gov), AICPA (www.aicpa.org), IIA (www.theiia.org), IMA (www.imanet.org), COSO (www.coso.org), and ISACA (www.isaca.org).
Implications for Academics
Are educators providing students with a framework for understanding the need for IT security and the importance of working with others to develop policies, processes, and technology to address the threats? Do future accounting professionals have the opportunity to learn about information security, assurance and compliance applications, business continuity planning, IT governance, privacy management, digital identity and authentication technologies, application and data integration, new wireless and paperless technologies, and spyware detection and removal? Are accounting majors required to demonstrate the knowledge, skills, and ethics that will enable them to understand business environments, make risk assessments, evaluate internal controls, and implement effective and efficient security measures?
Academics, especially teachers of accounting, MIS, IT, and related business topics, should work together to ensure that future professionals have the knowledge, skills, and abilities to work as managers, accountants, or auditors to address continuing threats. Seeking integration of security topics and techniques into accounting curricula is important; working across disciplines appears critical. Recognizing and rewarding faculty activities and accomplishments in cross-functional curriculum development, professional growth, and professional service through promotion and tenure decisions is important.
It should be noted that the CPA, CMA, and CIA certifications have increasingly recognized the importance of IT. On the CPA exam, 12% to 18% of the “Auditing and Attestation” section and 22% to 28% of the “Business Environment and Concepts” section test topics relate to computerized environments and IT implications in the business environment. On the CMA exam, 15% of Parts I and II relates to risk assessment, internal control, systems controls and security, systems development and design, electronic commerce, enterprise resource planning (ERP) systems, and other areas relating to information systems and technology. On the CIA exam, 30% to 40% of Part III covers IT, including control frameworks, data and network communications, electronic data interchange, encryption, and information protection.
Newer professional designations, such as the Certified Information Technology Professional (CITP), Certified Information Systems Auditor (CISA), and Certified Information Systems Security Professional (CISSP), demonstrate the demand for certifications related to information technology, systems auditing, and systems security. For example, ISACA had 31,000 people sign up to take the CISA in 2005, twice the number in 2004.
Informing students of the changing content and growth of professional certifications, as well as providing them with a conceptual understanding of the interrelationship of internal control, information security, financial reporting, and IT-related security and control measures, is important. In addition, academics will need to help future accounting professionals recognize that they must be committed to lifelong learning and staying abreast of these and other issues in the future.
Understanding the Need for Security: A Common Denominator
The security of electronic information has become a critical concern. Academics, managers, accountants, and auditors must all be conversant with emerging threats and security measures that are effective in keeping accounting information systems safe.
Safeguarding personal and proprietary information and ensuring the integrity of the components of the accounting information system in today’s digital environment present many challenges. Implementation of effective information system requirements should provide reasonable assurance that the accounting information system will produce relevant and reliable information to meet internal and external reporting needs.
With or without SOX, internal control must be a top priority. Policies and procedures should require the maintenance of records that accurately detail and fairly reflect transactions and dispositions of assets; provide reasonable assurance that transactions are recorded properly; ensure that receipts and expenditures are made only in accordance with proper authorization; and provide reasonable assurance regarding the prevention or timely detection of unauthorized acquisition, use, or disposition of assets that could have a material effect on the financial statements.
Identifying, implementing, and monitoring some basic system requirements and sustainable solutions for both the general and unique security challenges that can arise in an unbounded electronic enterprise with a technologically rich environment should be undertaken. These include policies and procedures related to e-mail passwords and usage, antivirus and antispyware solutions, firewalls, authorized access, authentication, separation of duties, privacy, encryption, digital signatures and certificates, nonrepudiation, data integrity, storage, backup files and tapes, and other emerging threats and technologies. Finally, the establishment of the right tone at the top with respect to privacy and security, as well as the hiring of vigilant, ethical employees, is essential to securing our information system against dangerous threats.