Accounting information systems (AIS) have experienced vast changes over several decades, improving from paper-based journals and ledgers to completely automated, paperless systems. However, the migration from paper to computer carries risks for the company.
An AIS contains confidential information, which becomes compromised if it is unprotected. Unauthorized use of the accounting system can lead to misuse, loss of information, and disastrous or bad data input. Security of accounting systems is a priority in many companies. In recent decades, the changing environment has posed a threat to the company. As a system accountant of a large established UK-based retail company specialising in the sale of household electrical appliances, it is necessary to consider the risks and the security threats that the company would face in today’s business environment.
According to Tony Boczko, risk is related to the likelihood of loss, the probability of mischance and the possibility of hazard or harm. Moreover, risk can be defined in several ways, such as the chance of bad consequences, the exposure to mischance and the probability of loss. These risks and threats can have an undesirable impact on both the present and future of the company’s financial activities and stability.
Type and nature of both the risks and the security threats
Nature of risk
The nature and source of risk can be divided into two primary sources, categorized as event/activity-based risk and resource/asset-based risk. Tony Boczko 2007 (pp. 681) defines event/activity-based risk as the risk associated with a particular event/activity or a group of activities/events. Resource/asset-based risk is the subsidiary primary source, defined as the risk associated with the possession and use of a resource/asset or a group of resources/assets.
In addition, Tony Boczko 2007 (pp. 681) mentioned that the source of risk can be categorized into four associated secondary sources of risk, such as authorized internal employee and external agent-based risk, unauthorized persons-based risk and nature-based risk. Authorized internal employee/external agent-based risk is the possible loss that can result from unintentional or deliberate errors. Unauthorized persons-based risk most likely involves the possible loss that can result from breaches of security and misappropriation of assets and information. Nature-based risk involves the possible loss that results from geographical disaster or meteorological conditions.
Type of Risk
What are the different types of risks? There are a number of differing types of risk that can affect the household electrical appliances company in today’s business environment. One of the risks is unintentional error. Unintentional error is error related to inadvertent mistakes and erroneous actions attributable to bad judgement in decision making, ignorance and inattention. Computerized systems are always at risk of computer power failure and virus attacks, which can end with the loss of important company information such as financial documents. Furthermore, problems with a computerized system could lead to a standstill in usage of the database. When the household electrical appliances company is focused and reliant on the accounting information system, an unintentional error due to a power or computer outage could lead to work disruption. Work disruption can prevent the input of the company’s information and access to the stored information. Additionally, if the data is not backed up properly, the company will end up losing its important data.
Risks such as deliberate errors can have bad and serious implications for the company. According to Tony Boczko 2007 (pp. 682), deliberate errors can be explained as conscious erroneousness and incorrectness whose occurrences are designed to damage, destroy and defraud a person, group of persons or organization. Such errors are intentional and premeditated. What if there is ‘someone’ else hosting its precious and valuable data? ‘Someone’ refers to the hacker. Hacking is the illegal act of gaining unauthorized access to the company’s accounting information system in order to steal data. A well-known hacking case involved NASA’s system. ‘In 2002, Gary McKinnon was arrested by the UK’s national high-tech crime unit, after being accused of hacking into NASA and the US military computer networks.’ (BBC NEWS, 2006) Besides that, ‘The hacker has also denied that he had made Washington’s computer system inoperable, although he did admit he may have deleted some government files by accidentally pressing the wrong key’. (Jo Best, 2005) Deliberate errors have serious implications for the company.
Besides that, natural disaster also counts as a serious type of risk in today’s business environment. ‘A natural disaster is the effect of a natural hazard (e.g., flood, tornado, hurricane, volcanic eruption, earthquake, or landslide). It leads to financial, environmental or human losses. The resulting loss depends on the vulnerability of the affected population to resist the hazard, also called their resilience’. (Wikipedia, 2011) A household electrical appliances company may suffer from a natural disaster such as a flood. Floods can destroy drainage and computer systems and cause raw sewage to spill with the water. Besides that, the building and the company’s equipment can also be damaged by floods. This can have catastrophic effects on the environment, as toxic substances such as gasoline will be released and cause pollution. Floods can cause the business to lose a huge amount of money.
Type of Security Threats
In today’s business environment, many computer frauds and computer crimes are committed through computerized accounting information systems. Fraud can be defined as ‘deceit, trickery, sharp practice, or breach of confidence, perpetrated for profit or to gain some unfair or dishonest advantage. In the broadest sense, a fraud is an intentional deception made for personal gain or to damage another individual’. (Wikipedia, 2011) In a household electrical appliances company, internal employees or managers, as well as shareholders, can also be involved in fraud through the computerized accounting information system. Information stored electronically can be manipulated and accessed if proper controls and security measures are not in place. This will affect the operation of the business. Fraud such as account takeover is a serious activity that happens frequently in today’s business environment. ‘An account takeover can happen when a fraudster poses as a genuine customer, gains control of an account and then makes unauthorized transactions’. (Action Fraud) The information of account holders, such as credit card details, can be taken over by those fraudsters.
Los Angeles attorney Christopher Painter said: “If you have an explosive growth on the Internet, you’re going to have this great huge growth in fraudulent conduct and crime committed over the internet.” (BBC NEWS, 1999) From this evidence, we can see that there is a security threat to today’s business through the computerized accounting information system. Fraudsters can be sued if they are found out. For example, ‘Bank of America and two of its former bosses have been charged with fraud for allegedly misleading shareholders during the takeover of Merrill Lynch’. (guardian.co.uk, 2010)
There are a few types of fraud, such as false billing, financial fraud, advanced fee fraud, identity theft and phishing. In a false billing scam, the fraudster sends out a so-called invoice for a particular product or service that was never ordered, hoping that the victim will pay it without any investigation. This activity usually happens in large business organizations, because a large business organization has a billing or payments system that is used to pay the company’s invoices; the fraudster sends out fake invoices and hopes that they will go unnoticed.
‘Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication’. (Wikipedia, 2011) It is dangerous for today’s business operations because, besides stealing personal and business information, ‘phishers’ can infect the computer with viruses and convince the victim to participate in money laundering.
Another security threat is computer crime. Tony Boczko 2007 (pp. 691) mentioned that computer crime can be defined as deliberate action to gain access to, or steal, damage or destroy, computer data without authorization. Computer crime involves the dishonest manipulation of computer programs or computer-based data. It also involves the fraudulent use/abuse of computer access and resources for personal gain.
The types of computer crime include the inappropriate use of corporate information systems, theft of computers and hardware, unauthorized access and information theft or the fraudulent modification of data and programs, system failure, and premeditated virus infection and disruptive software. It is hard to define computer crime, because computer crime happens often and easily in business organizations. People might think that fraud is also a kind of computer crime. It is a broad area within security threats.
For a household electrical appliances company, a premeditated virus infection such as spyware gathers user and client information and relays it to third parties such as advertisers. Spyware can monitor the operation of the computer, scan important information and files, and snoop on private applications such as chat programs. By reading cookies and changing the default web browser, spyware can consistently relay information from the database. This is dangerous for the business organization, because if competitors spy on its programs and obtain the costs and types of materials of the electrical appliances as well as clients’ contact numbers, the business organization will easily be defeated by its competitors.
A recent issue involving identity theft concerns the Sony PlayStation Network. ‘Up to 3 million Britons are believed to be among the 77 million users of Sony’s PlayStation Network, which has been hacked into by criminals who have stolen users’ personal information, possibly including credit card details’. (Charles Arthur and Keith Stuart, 2011)
‘Sony, which shut down the online games, movies and music delivery system last week after it was attacked by hackers, has said that although names, birthdates, e-mail addresses and log-in information were compromised for certain players, it has seen “no evidence that credit data was taken,” but “cannot rule out the possibility”’. (Richard Newman, 2011)
Due to the vulnerability of the computerized accounting information system, it is easily attacked by people inside and outside the business organization. It is necessary to implement some methods to solve these serious issues. According to the American Institute of CPAs, in order to protect the business organization from risks and security threats, the TOP Technology Initiatives Task Force, which is a group of technologically astute members of the CPA profession and other technology professionals, collaborated in the AICPA’s Top Technology Initiatives project, seeking to identify the most important technology initiatives.
The first method is enhancing information security, such as upgrading the hardware and software in order to protect the information systems from security threats. The company should implement and upgrade the level of its firewall, which blocks intrusion from the internet. It should update its anti-virus programs and use username and password logins to limit access. Besides that, the company should hire an experienced network integrator to check whether the system is working properly with the security patches. Additionally, the company can have a security audit for independent confirmation of the company’s financial data and clients’ information. Through this process, the business organization can be protected.
The other method is disaster and business continuity planning. It is an activity that involves developing, monitoring and updating plans for climate change, accidents and malicious destruction. It can prevent the business organization from losing its important information. Having the computerized accounting information system down for a few hours or a few days due to a natural disaster could have a bad impact on the profitability and liquidity of the business organization. So, the business organization should plan and design a process to keep the system stable and prevent any losses.
According to Tony Boczko 2007 (pp. 729), internal control comprises the processes or procedures within a business organization designed to provide reasonable assurance that business objectives, primarily the maximization of shareholder wealth, can be achieved and that undesired events can be prevented or corrected.
Internal control is related to management control. It can be defined as a diverse range of activities designed to conduct, direct and control business activities and ensure consistency with corporate business objectives. For example, the role of auditors is to audit the business organization’s internal control policies and to assure that the controls within the departments are adequate. This helps to control the financial statements and prevent financial loss in order to achieve the mission of the business organization.
Furthermore, internal controls such as risk assessment also need to be in place in every business organization. Risk assessment is an effective control procedure that helps in protecting the company.
According to the Health and Safety Executive, risk assessment is not about creating huge amounts of paperwork, but rather about identifying sensible measures to control the risks in the business organization. Risk assessment helps to protect people by putting in place measures to control those risks. For a household electrical appliances company, risk assessment is a good starting point; managers can investigate and look for the hazards that may cause harm to the business organization. Furthermore, thinking critically about how an accident could happen and who would be affected could help in noticing and monitoring the risk. Once the managers identify the risk, it will be easier to control it and put a suitable measure in place.
In conclusion, an accounting information system brings a lot of disadvantages to the organization in today’s business environment, but it combines the study and practice of accounting with the concept of designing, implementing, controlling and monitoring information systems. It also combines modern information technology and the traditional accounting system to provide a better financial system to manage and improve the financial performance of the organization.