
Accounting Systems and Assurance - COBIT and the Trust Services - Assignment Example


Extract of sample "Accounting Systems and Assurance - COBIT and the Trust Services"

Executive summary

The study sets out to examine how businesses and corporations are handling advanced technology in their operations. The key factor is the collection of personal data by firms for the purposes of better service provision and understanding the market. However, in this process the information may land in the wrong hands, compromising security and privacy. This exposes customers to unknown risks at unknown times. Consumer information provides a good basis for decision-making, but the same information is very harmful if used for other purposes. In this particular case we look at Vodafone Australia, where the company exposed its consumer database to unauthorised personnel. We review the strategies offered by COBIT and the Trust Services on how such cases can be avoided.

Accounting systems and assurance

Most businesses now recognise information as an asset, just like capital and other forms of assets. Information is, however, quite hard to control, especially in times of advanced technology. Company information can change hands very fast through the internet and other means of communication. Information can be moved from one point to the next without the movement of individuals, making it quite hard to control. The information can also contain many personal details that customers have provided to the service provider to enable better service delivery (COBIT Steering Committee & the IT Governance Institute, 2000). However, if this information lands in the wrong hands it can be used against the customers. With globalisation and technological advancement, the Control Objectives for Information and related Technology (COBIT) were formed to help meet the many needs of management.
This is achieved through minimising the business risks involved, providing for control requirements and addressing the technology involved. It is critical that all the involved parties are well informed of their functions to ensure such a programme runs smoothly. Another body that has been developed is the Trust Services, which works to help businesses balance the risks and opportunities they face. The Trust Services has several criteria; the common ones include security, which controls access to information, whether physical or logical, by unauthorised parties. There is also the privacy criterion, which protects consumer information provided to the business during transactions or intended for use in providing quality services (COBIT Steering Committee & the IT Governance Institute, 2000).

Security criteria

According to the Trust Services, information in an organisation should be accessed by authorised personnel only. This information is usually prone to illegal access when in transit or in storage. Companies should limit and control access. Several factors are to be observed in maintaining good security for the information. The company's security policies have to be established and reviewed at regular intervals. The process should be approved by qualified personnel in the interest of the company (A.I.C.P.A, Inc. & C.I.C.A., 2006).

Most common scenarios involve documenting all procedures and clearly outlining the access level of each employee. The officers in charge of security are to present an annual report with recommendations for the system. Some security policies recommended by the Trust Services are as follows. All authorised users should be well identified and all the security expectations of them documented. The authorisation of access should be well monitored.
The kind of access allowed, whether to the level of altering the information or read-only, and who has the authority to grant such permission, should be defined. Unauthorised access should be prevented by all possible means (A.I.C.P.A, Inc. & C.I.C.A., 2006).

Clear procedures should be put in place for adding new users, modifying the access levels of continuing users and removing users who no longer use the system. This ensures a smooth transition when the need arises. Dedicated personnel should be in place to assume accountability and responsibility for the security of the system. This team should also be responsible for any changes and maintenance whenever necessary. The system should always be tested, evaluated and authorised before it is implemented. This helps to determine in advance how effectively the system will operate for the company.

A special unit should be created to deal with complaints and requests regarding security. These may come from staff, clients or stakeholders. Procedures for handling security breaches and all related cases should be put in place. Staff should be trained to keep them up to date with current operating technologies. The company should also take responsibility and accountability for all the security policies that it has (A.I.C.P.A, Inc. & C.I.C.A., 2006). This should include the updates and changes made along the way.

In many cases management assigns these duties to the chief information officer, who, with supporting staff, should oversee the effective running of the company. Logical access to data in offline storage should be strictly restricted, and system configuration, passwords and functionality should be held at master level to prevent unauthorised access or hacking. The Trust Services also advocate the use of antivirus software and firewalls to prevent and control viruses.
Information transmitted over the internet and other media should be encrypted to prevent unauthorised access.

COBIT approaches security issues through a simple but effective high-level control objective. The main goal is to satisfy the business requirement of protecting information from illegal access, modification, loss, disclosure to the wrong individuals or destruction. The following factors enable a company to keep its information secure:

  • Maintaining high confidentiality and privacy regarding company information
  • Creation of user and identification profiles
  • Use of firewalls
  • Use of antivirus software for virus detection and elimination
  • Having centralised security management
  • Proper training for staff regarding information handling
  • Personnel control mechanisms to monitor staff compliance
  • An incident division to receive, handle and follow up on incidents
  • Managing all cryptographic keys
  • Intrusion testing and subsequent reporting

(COBIT Steering Committee & the IT Governance Institute, 2000)

Privacy criteria

Privacy can be defined as the rights of an individual or an association with regard to the collection, use, storage and sharing of personal information. Personal information is any information that can be used to identify an individual. Some of this information is considered sensitive, such as health, race, sexual preferences and political opinion, among others. Such information requires a higher level of protection and explicit rather than implicit consent for its use. The Trust Services advocate the use of privacy rules; there are ten generally accepted rules:

  • Management: the company has the responsibility of defining, documenting and communicating its policies and procedures.
  • Notice: the company is to provide its privacy policies and procedures and clearly state the intent of collection, usage, storage and disclosure of personal information.
  • Consent and choice: the company explains the choices available to the individual, including implicit or explicit consent in relation to the collection, use and disclosure of information.
  • Collection: the company should only use the gathered data for the stated purpose.
  • Using and retaining data: the use of the data is limited to what the individual has consented to, and the data should be retained only for the period in which the function is being performed.
  • Access: the individual should be provided with access to their data for review and updating.
  • Sharing data with third parties: this should only be done with the consent of the individual and only for purposes stated in the notice.
  • Privacy assurance: the company should ensure the data is protected from unauthorised access at all times.
  • Information quality: the information should at all times be presented correctly, as the individual provided it. It should always remain relevant for the intended purpose.
  • Enforcement and monitoring: it is the company's obligation to ensure complete compliance with the privacy policies and procedures. Units should be formed to address complaints from the data providers.

(A.I.C.P.A, Inc. & C.I.C.A., 2006)

COBIT has very similar criteria for the management of personal data. It advocates compliance with external legislation, commonly the legal, contractual and regulatory rules. It also advocates respect for intellectual property and compliance with all privacy provisions. Other points to consider include ergonomics, safety and close monitoring of legal and regulatory changes or developments along the way (COBIT Steering Committee & the IT Governance Institute, 2000).

Terrible things befall a company that takes such measures for granted.
They include damage to the company's name and image; lack of trust from consumers; legal and business shutdowns; complete decline of business performance leading to closure; and heavy financial losses arising from the payment of charges for deceptive business operations.

Recommendations

The company seems to have a general appreciation of how serious the issue can be for the business. It is clear that many issues need to be rectified to bring the company back and to regain customer trust over time.

Encryption of the information: since the company uses the internet as the storage point for its data, the files should be encrypted. The company can use Secure Sockets Layer (SSL) at all times; this would minimise access to the information, since decrypting the files needs a lot of work and energy. Account operations are also encrypted after the user logs in, and in cases of unregistered activity the account logs out automatically. For the process to succeed, all users should ensure they use the most recent versions after testing and approval (A.I.C.P.A, Inc. & C.I.C.A., 2006).

Restricting access to the system configuration, passwords, security equipment and other utilities: the company, having many outlets, should ensure that these functions are operated by the technical staff only. The technical team should always be under direct instructions from the chief information officer. This is very important considering that utility programs are capable of adding, changing, reading or deleting information in the system. The passwords should be encrypted, and a spare printed copy safely stored and accessible only to authorised personnel.

Controlling unauthorised logical access: the first step is to have the system terminate login attempts when wrong passwords are presented. This is then followed up by the security group. The company can also use virtual private network software, which allows authorised personnel remote access.
The company should also make use of a firewall whose events are logged and reviewed every three months. All unneeded network services should be deactivated on the company's server. Management should regularly review the usefulness of the operating networks. Intrusion detection should also be used to detect any form of security breach on the company's network (A.I.C.P.A, Inc. & C.I.C.A., 2006).

Identification and authentication of users: access should only be granted when the user logs in with the assigned user name and identification. It is advisable that passwords contain more than six characters, one of which should be non-alphanumeric. Passwords should be changed at least every three months.

Protection of the network from viruses: the company should invest in reliable antivirus software for the detection of viruses, worms and other malicious programs. The company has all its consumers' data online, so these malicious programs could cause total destruction. New virus signatures should be updated weekly. Detections should be reported to the security team to raise an alert over the potential virus threat.

Security policies and procedures to be followed strictly: the company should have a procedure for dealing with non-compliant staff. Where non-compliance is detected, immediate and proper action should be taken.

Course relevance

  • Creates a scenario for understanding the necessity of good database management
  • Gives a preview of the importance of personnel control in a company
  • Emphasises the importance of information as a business resource

Conclusion

Globalisation has created the need for information to flow from one point to another. This has in turn resulted in the formation of accounting information systems to maintain this resource. With such important information at hand comes the great responsibility of keeping it safe.
It has been shown that for any company to be successful it must have very solid mechanisms for keeping its information safe.

References

A.I.C.P.A, Inc. & C.I.C.A., 2006. "Trust services, principles, criteria and illustrations". Retrieved on 28/4/11 from: http://www.webtrust.org/principles-and-criteria/item27818.pdf

COBIT Steering Committee & the IT Governance Institute, 2000. "COBIT Framework", 3rd Ed. Retrieved on 28/4/11 from: http://www.tcontas.pt/eurosai/lisboa_etc-seminar/Documents/Cobit/CobitFramework.pdf