Information Systems in Accounting and Finance - Essay Example

INFORMATION SYSTEMS IN ACCOUNTING AND FINANCE Introduction As the systems accounting officer heading theinformation security system for an online retail organization selling household electrical appliances, such institution would require protection against the interference of information, unauthorized disclosure, and unauthorized access to the system. Some of the resources that would need protection are the resources (channels of communication, hardware, software, operating environment, people, and the documentation) and the data (that includes the message in transit, databases and files). Security measure involves curbing the imminent attacks from the vulnerabilities of the system. Security controls help in controlling attacks, these attacks maybe passive or active in nature. In passive attack, the information is not interfered with, however, for the active attack it involves interfering with the traffic, flow of messages. These may include the destruction and the deletion of important information by attackers masquerading as employees or impersonating other employees. The system accountant must apply some controls to ensure these risks are controlled. The ever-growing need to improve service delivery and storage of information has an equal measure of challenges. For instance, most retail organizations must ensure their pricing, product codes, and another confidential information is safe from malicious personnel (Hall, 2013). The retail organization will build a system that captures the price list of all the household appliances in their stores. The system will also have unique codes for each item on sale. This makes the organization have the potential to empower their customers to make online purchase. Customers can log into their website and make involve, and payment for their household items. The company must have measures to deliver the item either through courier delivery or alternative shipment strategy. The main challenge is lost or theft of such information thereby denting the credibility of the organization (Boczko, 2012). A retail organization involved in selling of home appliance must have proper working accounting systems that safeguard the customer information from individuals who may attempt to misuse the information. Therefore, such organizations must have strategies that identify possible risks and security threats to enable institution of audit procedures aiming at mitigation of the type of risks (Grande et al., 2011; Colbert, 2002). The essay looks at the types of risks and security threats a retail organization may face and the possible control measures and ways to circumventing them. The type of risks and security threats for online retail company The nature and types of threats depend on several factors. These factors are organized into four main categories. These are deliberate actions, technical failures, human errors, and organizational deficit (Kay and Ali, 2012). Retail organizations have contact with their customers through either the person-to-person contact or communication through emails. These strategies of communication are the main sources of risks occurring from human errors. When contacting customers, if the retail organization lacks proper mechanisms of emailing specific details to the required individuals, it risks exposing confidential information to the wrong party. Human errors are likely to originate from the mistakes by the staffs who stick passwords on the appliances. All the appliances must have the relevant information required for its transaction, but should not have information that is likely to jeopardize operations of the company. When staff sticks passwords or important codes on the house appliances, the buyers may use the information to launch the attack. Some of the attacks related to such issues may involve making false payments and ordering delivery of similar products that makes the organization lose the revenue. Accountants are also prone to human errors that involve deleting files accidentally (Ismail and King, 2005). Protection of customer data and the entire organization should be a concern for the employees tasked with the storage of the information. The organization deficit is another source of threat. When the organization has undefined responsibilities, employees and other contracted staff may not pay attention to sources of threats (Vaassen et al., 2009). Protection of data and other confidential information and transactions begins with the organizations structural strategies that aim to enforce these strategies. Organizations should institute a sense of responsibility among its employees so that data and other confidential information are not accessible to every employee (Alles, et al., 2008). Such measures ensure specific employees endorse measures to protect and store confidential information. However, these cannot be attained if organizations lack well-defined responsibilities. Technical failures form another type of threat to the retail organization. This form of threat may include cases like crashing of the hardware, short-circuiting, or failure of the hardware. These risks impact negatively on the operation of the organization. Most accounting processes use accounting information systems that stores pricing and product codes. Lack of functional hardware will affect service delivery, access to information, and execution of important activities (Romney and Steinbart, 2012). When the systems are down, the employer may direct the employees to use manual procedures to serve few customers. However, manual processes expose the business to enormous loss and theft especially from mischievous employees. When the hardware crashes, the organization will have to restart afresh to install programs that contain product codes and pricing, hence making it very expensive (Hall, 2013). Besides, the loss of customer information will affect the retail organization attempts to maintain contact with its customers. The most common form of security threat is through deliberate action. The deliberate actions involve using malicious codes to access crucial information of the retail organization. Other forms of deliberate threat include fraud, phishing, and hacking of the website to access organization information. Some of the prone information includes pricing, product codes, customer information, mailing systems, financial information, and other important data (Alles et al., 2008). When malicious individuals hack the website, their main intention is to compromise the business operations. Cyber crime is the main challenge of most retail businesses, especially for most organizations adopting technology to improve the efficiency of service delivery. Adoption of authentic measures ensures that the clients can make transactions from the comfort of their personal computers without the virus attack (Alles et al., 2008). Theft of information belonging to the customer and using the data to carry out fraudulent transactions will have immense ramification for both the customer and the entire organization. The account section should ensure the customer information is safe from malicious individuals. The regime of safe custody of customer information is a common phenomenon for both the brick and motor institutes and the online retail businesses. The accounting section must ensure there is safe storage of customer’s personal data to avoid the institution of remedies that are likely to jeopardize the cost. When the data information of a retail company is breached, it welcomes negative publicity that could jeopardize the organization’s image (Romney and Steinbart, 2012). The retail organization will have to come up with measures of rebranding its image and reputation hence increasing the cost of operation. The customers affected by such breach will lose not only the confidence in the retailing company but also their product. For that reason, when organizations information is breached, the cost can be enormous and affect the normal operation and credibility of the organization hence the need prevent fire to avoid measures that would aim to extinguish that fire. During a regular maintenance of the retail information system, contracted engineers who possess laptop from the retail organization will have access to the price list, customer information, and the entire product sold by the retail company. These engineers intermingle with different people in the public and non-business people that may turn to be potential competitors. Competitors may also plot schemes to contact such engineers without their knowledge hence exposing the retail organization contracting the services from the engineer at the mercy of the competitors. Besides, the engineers may be using the same laptop in the public domains like hotel and offices hence increasing the chances of releasing confidential information to the wrong people. These examples expose risk to information from both the customer and the organization. The examples of threats are the possible loss of the laptop hence making the information available for fraudulent activities. The engineers may lose the laptop to individuals with the capacity to use the information to harm both the retailer and the customer in equal measures. When such an engineer losses the laptop, the company’s confidential information becomes a matter of concern. The same example exposes vulnerability resulting from the storage of confidential information as plain text on the engineer’s laptop. When the engineer leaves the laptop unattended to and forgets to lock the screen or forgets to activate the password protection, the information is at the mercy of the public. The retail organization will experience challenge in replacing the asset (hardware) after the loss or theft. Besides, the retrieval of the confidential information becomes the main challenge. The cost of these assets will depend on the potential impact the lost data may have, the level of confidentiality, and the cost of reconstruction. Internal control measures to the security threats Control of personnel Perhaps, the most appropriate strategy to control internal threats is to institute training measures that seek to raise the awareness to take full responsibility for the confidential information (Alles, et al., 2008). For instance, the contracted engineers, who possess a retailer’s laptop with crucial information, should understand the need to protect the information from the unwanted clients. Such engineers should take full responsibilities for events happening after their careless storage of the laptop. The best approach is to ensure they have protected passwords for every screen shot and should only active a particular window when necessary. Besides, they should carry the information they need for the trip and keep the backups at an alternative laptop. The engineers should also get insurance to cover the loss and theft of hardware (Alles et al., 2008). The organization control may also apply to such engineers. Applying organizational control involve having limited data stored on a laptop when making trips. However, the management must ensure that every process aiming to offer protective controls against the external and internal risks follows the law and regulatory frameworks. It is the duty of the accountants to harmonize the relationship between the IT security personnel and the management (Bodnar and Hopwood 2010). Therefore, accountants should ensure they work with the management to set up efficient security strategy that commensurate with the organization. Enhancing training and communication to raise security awareness would play pivotal roles in attaining tangible results. Logical controls Securing confidential information falls under the logical control. Securing data using the security fraud management policy would play a significant role in storing and keeping confidential information (Kaplan and Norton 2004). The policy requires that the organization adopt a payment system that uses card industry data securities (PCI-DSS) (Alles, et al., 2008). The card has a special design to assist in the protection of customer’s personal information. Main security threats relate to breaching of customer information either from internal or external sources. Internal breaching occurs when one of the employees takes part in the breach while external happens when non-employees takes part in breaching customer information. The main sources of security threats are the storage of data, how the stored information is accessed and the handling of that information by the business. Retail organizations that store customer information must comply with the payment card industry (PCI) certification standards (Grande, et al., 2008). Although the standardization process is time-consuming and expensive, it helps in circumventing any future threats relating to breaching of the customer’s information. Compliance with PCI by the retailer focuses on safe storage of data (Bodnar and Hopwood 2010). It does not guarantee safe custody of breached information from other sources. The process has no capacity to prevent the identity of thieves as well. The main mandate is to provide a secure environment for transacting business thereby reducing stealing and circulation of card information. The most appropriate way of ensuring a normal operation is for the retail organization to build a robust website with restricted access to specific information (Alles, et al., 2008). Exercising organizational responsibilities is paramount to ensuring the staff responsibilities for their actions. Corrupting and hacking the vulnerable website is the main external security threat (Romney and Steinbart, 2012). The retail organization lacking a robust website is a potential target for competitors or other fraudulent individuals aiming to interrupt normal operations. Hacking of the website will delay and swindle online transaction like customer payments or delivery of goods. The customer may experience delays in goods delivery because of these practices. Accounting department must ensure the trustworthiness of reported statistics. However, when databases are corrupt, it compromises that trust. It is the role of the accounting department to identify internal measures of controlling such threats (Boczko, 2012). Besides, accounting section must ensure the retail organization retains its commercial proposition by averting competitors aiming to tap their opponents. The strategy has an added advantage of winning public procurement bids (Kaplan and Norton 2004). Measures should be put in place to ensure all information irrespective of their level of confidentiality, gets encryption before existing a laptop or notebook (Alles et al., 2008). These measures help in the protection of the data. Adoption of a strategy that protects the data rather than the perimeter is the most strategy to avoid leaks of confidential information. Most retail organizations attempt solving cybersecurity threats by building sophisticated perimeters. However, motivated individuals may still find areas of vulnerability to launch attacks (Hall, 2013). The threat may originate from within the organization. For instance, when an employee creates an opening inadvertently, it create opening for attacks when they send mail that contains confidential and sensitive customer details (Bodnar and Hopwood 2010). In such cases, the customer becomes the casualty. When the attacker contacts a customer, they may never suspect the authenticity because motivated individuals use every trick to protect their trade. For instance, when the malicious individual, who may quote earlier transaction and requested the customer to make payment for servicing of electronic appliances or even get discounts, contacts a previous customer, it’s a call for trouble. Control measures should assist in the process of identifying risks and threats (Bodnar and Hopwood 2010). The accounting personnel must also devise methods of mitigating such risks through an implementation plan. The implementation plan is the management process that proposes appropriate security controls specific for each risk. A retail organization has several sources of risks. These risks have different mitigation and security control plans hence the need to categorize their occurrence (Romney and Steinbart, 2012). Appropriate implementation of technical security measures must take all the personnel from the IT and the accounting sections onboard. The collaboration of these personnel helps sin the maintenance of the security within the required level. Conclusion Risks and threats originate from human errors, deliberate actions, technical failures, and organizational deficit. However, the most important strategy is to identify the risks to institute appropriate control measure. Instituting personnel control by introducing awareness and training, signing contracts concerning confidential clauses, and the implementation of sanction can work for a retail organization selling household appliances. Implementation of organizational control by using rules that protect information, description of processes, and administration protocols may also be appropriate. Besides, physical controls that enhance surveillance, and access to specific areas with confidential information may work. Last, the logical controls that aim to protect the network asset protect accessibility to the application. Carrying out the audit of security system and monitoring how the entire system responds over time for any changes. Achieving mythological diagnosis of the entire system and identifying major risks and threats to institute controls, and other mitigation strategies supersede other strategies that may help the retail organization protect its system. References Alles, M. G. Kogan, A. and Vasarhelyi, M. A. (2008) Exploiting comparative advantage: A paradigm for value added research in accounting information systems, International Journal of Accounting Information Systems, 9(12): 202- 215. Belfo, F. (2010) The Role of Knowledge Management in the Strategic Alignment of Information Technology with Business: A Graphical and Systemic view, in 11th European Conference on Knowledge Management, Famalicao, Portugal, pp. 1129-1137. Boczko, T., (2012) Introduction to Accounting Information Systems, Pearson, London Bodnar, G., H., and Hopwood, W., S., (2010) Accounting Information Systems. Pearson, London Colbert, J. L. (2002) Corporate governance: communications from internal and external auditors, Managerial Auditing Journal, 17: 147-152. Grande, E. U. Estébanez, R.P. and Colomina, C. M. (2011) The impact of Accounting Information Systems (AIS) on performance measures: empirical evidence in Spanish SMEs, The International Journal of Digital Accounting Research, 11: 25-46. Hall, J., A., (2013) Introduction to Accounting Information Systems, South Western, Cincinnati, Ohio Ismail N. A. and King M. (2005) Firm performance and AIS alignment in Malaysian SMEs, International Journal of Accounting Information Systems,6(12): 241- 259. Kaplan R. S. and Norton D. P. (2004) Measuring the strategic readiness of intangible assets, Harvard Business Review, 82: 52-63. Kay, D., and Ali, O., (2012) Accounting Information Systems: The crossroads of Accounting and IT, Pearson, New Jersey. Romney, M., and Steinbart, P., (2012) Accounting Information Systems, Prentice Hall, New Jersey. Vaassen., E. , Meuwissen, E., and Schelleman, C., (2009) Accounting Information Systems and Internal Control, Wiley, Chichester Read More