Accounting Information System: Security, Privacy and Other AIS Issues - Essay Example

Summary
This essay describes the Accounting Information System (AIS) and discusses its security, privacy and other issues. The researcher focuses on analyzing these issues using risk analysis, risk mitigation and data recovery strategies…

Table of Contents

Overview of Accounting Information System
Risk Analysis in AIS
Security Issues in AIS
Disaster Recovery
Data recovery strategies
HIPAA
Impact of new technologies on AIS
Real Time Vs. Batch wise data processing in AIS
EDI
XBRL
Summary

Overview of Accounting Information System

Accounting information systems are a vital part of an organization's day-to-day operations. Every transaction has to be recorded in order to produce financial statements or any type of informal report that management may want to use for analysis. For this reason, accountants were some of the first people to need information systems. The advent of computer technology and the prevalence of e-business capabilities are pushing accounting systems to adopt stringent accounting practices. But organizations are still challenged with implementing new accounting information systems that offer high security and can be relied on without reservation. Just "finding the right accounting software is a time-consuming, tedious job" (Collins, 77).

AIS is a "system of collecting and processing transaction data and disseminating financial information to interested parties" (Kieso and Weygandt, 68). Factors that shape the AIS include the nature of the business, the size of the firm, the volume of data, and the informational demand that management and others place on the system. AIS data must be "certifiably free of specific type errors" since a firm is subject to data quality control assessment conducted by auditors at any time during operations (Kaplan & Krishnam, 41). Therefore, it is important that the AIS produces relevant and reliable information.

In an AIS the basic operating functions include tracking purchases, controlling production and inventories, and payroll processing. A firm should be aware of all factors involved in implementing the accounting information system. An efficient AIS requires security in order to produce reliable and relevant data.
Risk Analysis in AIS:

A simple definition of a "risk" is a problem that could cause some loss or threaten the success of a project, but which hasn't happened yet. "Risk" is the likelihood that a specific threat will exploit a certain vulnerability, and the resulting impact of that event. "Risk analysis," the starting point in an overall risk management process, is a systematic and analytical approach that identifies and assesses risks and provides recommendations to reduce risk to a reasonable and appropriate level. This process enables senior management to understand their organization's risks to electronic protected information, and to allocate appropriate resources to reduce and correct potential losses.

Harmonized methods, inspired by risk management techniques, are needed to address, in a single comprehensive security management model, the existing and emerging threats to critical infrastructures, their vulnerability and criticality, and the defense layers and other cost-effective protective measures that can be implemented.

Risk assessment is the process of examining a project and identifying areas of potential risk. Risk identification can be facilitated with the help of a checklist of common risk areas for software projects, or by examining the contents of an organizational database of previously identified risks and mitigation strategies (both successful and unsuccessful). Risk analysis involves examining how AIS project outcomes might change with modification of risk input variables.

Risk avoidance is one way to deal with risk: don't do the risky thing. The accounting system may avoid risks by not undertaking certain projects, or by relying on proven rather than cutting-edge technologies. Risk control is the process of managing risks to achieve the desired outcomes. Risk management planning produces a plan for dealing with each significant risk, including mitigation approaches, owners, and timelines.
Risk resolution is the execution of the plans for dealing with each risk. Finally, risk monitoring involves tracking the progress toward resolving each risk item.

Security Issues in AIS:

Security exists in several forms. Physical security of the system must be addressed. In a typical AIS, the equipment is located in a locked room with access granted only to technicians. Software access controls are set at several levels, depending on the size of the AIS. The first level of security occurs at the network level, which protects the organization's communication systems. Next is operating system level security, which protects the computing environment. Then, database security is enabled to protect organizational data from theft, corruption, or other forms of damage. Lastly, application security is used to keep unauthorized persons from performing operations within the AIS.

"The viability of security measures depends upon informed and constant monitoring of the system; unfortunately it is often neglected" (Daily and Lueblfing, 62). An inadequately secured AIS does not provide data that is useful for external and internal requirements. The risk of manipulation, falsification, and alteration of accounting records increases when security standards are not adequate. "The future, in terms of national business security, depends on the security of computer systems" (Davis, 28).

Loch et al. (1992) developed a list of twelve security threats, which are as follows:

1. Accidental entry of bad data by employees
2. Intentional entry of bad data by employees
3. Accidental destruction of data by employees
4. Intentional destruction of data by employees
5. Unauthorized destruction of data by employees
6. Inadequate control over media (disks & tapes)
7. Poor control over manual handling of input/output
8. Access to data/system by outsiders (hackers/competitors)
9. Entry into system of computer viruses and worms
10. Weak, ineffective, or inadequate physical control
11. Natural disaster: fire, flood, loss of power, communications

According to Parker (1976), "Natural Disasters caused by fire, water, wind, power outages, lightning, and earthquakes could cause significant disruption of computer facilities." Ryan and Bordoloi (1997) added some other vulnerabilities, such as sharing passwords, single point of failure, uncontrolled user privileges, viruses, and weak or inadequate physical control. But Ryan and Bordoloi still did not clearly distinguish between security threats and the inadequacy of security controls. They treated many inadequate security controls as security threats (such as inadequate audit trail, non-existence of log-on procedures, loss due to inadequate backups or log files, etc.). Man-made disasters such as theft, fraud, embezzlement, extortion, larceny, mischief, fire, floods and explosions sometimes occur because of intentional or accidental human actions.

Some of the most commonly thought-of AIS security issues include:

a. AIS back-up, contingency, and disaster recovery
b. Data center security planning
c. Security test and evaluation
d. Security certification and accreditation or interim authority to operate

Risk mitigation approaches identify the actions that are intended to keep each risk item under control. A mitigation strategy that addresses many of those risks is to implement an automated monitoring system that periodically checks the status of the servers and communication functions and raises an alert on any failure. Other mitigation approaches may include identifying alternatives and options for technical risks, or identifying alternative resource sources for staffing risks. In addition to mitigating the risks, the AIS should be able to prevent them entirely, by developing contingency plans of action to take if a risk materializes into a problem despite the best efforts to control it.
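The threats listed above that involve altering or destroying accounting data, and the inadequate audit trail noted as a control weakness, can be made detectable with a tamper-evident journal. The following is an added example, not part of the original essay: the account codes, user names, amounts and key are constructed, and it assumes the MAC key and the checkpoint are held outside the AIS database by someone other than the person posting entries.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # fixed value the first entry chains to


def _mac(key, prev_mac, body):
    """HMAC-SHA256 over the previous record's MAC plus this entry, canonically encoded."""
    payload = prev_mac.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(journal, key, entry):
    """Append an entry, binding it to everything recorded before it."""
    prev_mac = journal[-1]["mac"] if journal else GENESIS
    body = dict(entry, seq=len(journal) + 1)
    journal.append({"body": body, "mac": _mac(key, prev_mac, body)})


def checkpoint(journal):
    """Entry count and newest MAC, to be stored away from the journal itself."""
    return {"count": len(journal), "head": journal[-1]["mac"] if journal else GENESIS}


def verify(journal, key, cp):
    """Return (finding, seq) tuples; an empty list means the journal is intact."""
    findings = []
    prev_mac, prev_seq = GENESIS, 0
    for rec in journal:
        seq = rec["body"].get("seq")
        if seq != prev_seq + 1:
            findings.append(("gap", seq))           # entry removed or reordered
        if not hmac.compare_digest(rec["mac"], _mac(key, prev_mac, rec["body"])):
            findings.append(("mac_mismatch", seq))  # entry altered or chain broken
        # Continue from the stored values so that one change is reported once.
        prev_mac = rec["mac"]
        prev_seq = seq if isinstance(seq, int) else prev_seq + 1
    if len(journal) != cp["count"] or prev_mac != cp["head"]:
        # The chain alone cannot show that the newest entries were cut off.
        findings.append(("checkpoint_mismatch", len(journal)))
    return findings


def demo():
    key = b"constructed-demo-key"  # assumption: the real key lives outside the AIS
    journal = []
    for entry in [  # constructed sample postings, amounts in cents
        {"account": "1200-AR", "debit": 150000, "credit": 0, "user": "clerk1"},
        {"account": "4000-SALES", "debit": 0, "credit": 150000, "user": "clerk1"},
        {"account": "1000-CASH", "debit": 150000, "credit": 0, "user": "clerk2"},
        {"account": "1200-AR", "debit": 0, "credit": 150000, "user": "clerk2"},
    ]:
        append_entry(journal, key, entry)
    cp = checkpoint(journal)

    altered = copy.deepcopy(journal)
    altered[1]["body"]["credit"] = 15000    # amount changed after posting

    deleted = copy.deepcopy(journal)
    del deleted[2]                          # one posting destroyed

    truncated = copy.deepcopy(journal)[:3]  # newest posting destroyed

    return {
        "intact": verify(journal, key, cp),
        "altered": verify(altered, key, cp),
        "deleted": verify(deleted, key, cp),
        "truncated": verify(truncated, key, cp),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings)
```

Anyone who holds the key can recompute the chain, so the check is only as strong as the separation between the people who post entries and the people who hold the key and checkpoint.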
Disaster Recovery:

Because the logical environment, composed of various bits and pieces of data, is ever changing, a backup can easily become obsolete unless extreme care is taken. This problem of an obsolete backup marring the prospects of successful disaster recovery can be avoided only if there is a real-time backup. This calls for the right infrastructure to be installed in the right way, which everybody can afford, especially small business houses that are willing to set aside only meager sums for their data security budget.

A disaster recovery plan (DRP) refers to an organization's procedures for preventing data loss after a catastrophic event by copying data to a remote facility. The main aspect of a DRP, sometimes referred to as a business continuity plan (BCP), is the off-site replication of data. There are a number of replication tools, and they're growing more common as the cost of disk and bandwidth decreases.

There are two main types of off-site disaster recovery replication: synchronous replication (SR) and asynchronous replication (ASR). With synchronous replication, data from site A is backed up simultaneously and continuously at site B. While ideal, synchronous replication is often too expensive for all except the largest companies. Asynchronous replication, in which data from site A is backed up at site B, but not immediately, is available at significantly lower cost and has made DR accessible to more businesses.

Regardless of the specific approach, however, disaster planning is not a one-time academic exercise. In actual practice, disaster recovery (DR) plans often necessitate changes in the storage infrastructure and impose other overhead tasks that must be addressed. DR plans must also be tested and updated periodically to ensure that they remain relevant as the business grows or hardware changes.
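The trade-off described above between synchronous replication, asynchronous replication and a backup that has gone stale can be put in numbers. This is an added example, not part of the original essay: the write timestamps, link latency, shipping interval and backup interval are constructed values, and the periodic backup is assumed to complete instantly and to be stored off-site.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    acknowledged: int    # writes confirmed to the user before the disaster
    recovered: int       # of those, how many can be restored at site B
    lost: int            # confirmed to the user but unrecoverable
    write_delay_ms: int  # extra wait each write pays for replication


def synchronous(write_times, disaster_ms, one_way_ms):
    """A write is confirmed only after site B has stored it and replied."""
    round_trip = 2 * one_way_ms
    acked = [t for t in write_times if t + round_trip <= disaster_ms]
    # Everything that was confirmed is already at site B, so nothing confirmed is lost.
    return Outcome(len(acked), len(acked), 0, round_trip)


def asynchronous(write_times, disaster_ms, one_way_ms, ship_every_ms):
    """A write is confirmed locally at once and shipped to site B at the next tick."""
    acked = [t for t in write_times if t <= disaster_ms]
    recovered = 0
    for t in acked:
        ship_at = -(-t // ship_every_ms) * ship_every_ms  # first tick at or after t
        if ship_at + one_way_ms <= disaster_ms:
            recovered += 1
    return Outcome(len(acked), recovered, len(acked) - recovered, 0)


def periodic_backup(write_times, disaster_ms, backup_every_ms):
    """Only what existed at the last completed backup can be restored."""
    acked = [t for t in write_times if t <= disaster_ms]
    last_backup = (disaster_ms // backup_every_ms) * backup_every_ms
    recovered = sum(1 for t in acked if t <= last_backup)
    return Outcome(len(acked), recovered, len(acked) - recovered, 0)


def compare():
    """Constructed scenario: one posting every 250 ms, site A destroyed at 44.9 s."""
    writes = list(range(0, 60_000, 250))  # timestamps in milliseconds
    disaster = 44_900
    return {
        "synchronous": synchronous(writes, disaster, one_way_ms=40),
        "asynchronous": asynchronous(writes, disaster, one_way_ms=40,
                                     ship_every_ms=5_000),
        "periodic_backup": periodic_backup(writes, disaster,
                                           backup_every_ms=30_000),
    }


if __name__ == "__main__":
    for mode, outcome in compare().items():
        print(f"{mode:16} {outcome}")
```

The `lost` column is the number of postings the business believed were safe but cannot restore; the `write_delay_ms` column is the price synchronous replication charges on every write to keep that number at zero.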
Data recovery strategies

The various types of data recovery strategies in DR are as follows:

Remote Copy—This refers to the mirroring of data, typically in real time, to provide an I/O-consistent remote copy of that data. The purpose of remote copy is to protect the data in the event of a business interruption at the customer's production location.

PiT Copy—Point-in-Time Copy refers to a copy of data that is taken at a specific point in time. Ideally, this copy should be I/O consistent. PiT copies are used in many ways, including backups and checkpoints. More recently, PiT copies have been used in architected disaster recovery solutions.

Data Duplication—This software duplicates data, as in remote copy or PiT snapshots. Data duplication differs from data migration in that with data duplication, at the end of the process there are two copies of data, and with data migration there is only one.

Data Migration—This software migrates data from one storage device to another. Data migration differs from data duplication in that at the end of the process there is only one copy of data. The purpose of data migration is to reduce operational complexity and costs for storage subsystem upgrades or equipment refurbishment.

HIPAA:

Government regulations such as the Sarbanes-Oxley Act require organizations to have the necessary internal controls in place to protect against risk events. Failure to implement acceptable internal controls can leave businesses and their senior executives liable for up to $5 million in fines, 20 years in prison, or both. In short, best-effort measures don't cut it anymore. Whether the concern is the Sarbanes-Oxley Act, HIPAA, or other government or industry regulations, unreliable disaster recovery practices can add up to significant non-compliance penalties in today's corporate environment.
Implementing effective and efficient controls to protect the privacy and security of protected information involves the coordination and effective use of available technology and products. HIPAA requires the organisation to carry out such a risk analysis and base the new computer security policies and procedures on this analysis, which must be specific to the practice. Second, it's the only reasonable way to assess the risk of security breaches in the current systems and protocols. Finally, this exercise can be valuable in the acquisition and use of EHR systems if the practice is moving in that direction.

Risk analysis is a key requirement of the HIPAA final Security Rule. The Security Rule requires covered entities (CEs) to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected information held by the covered entity." The rule further states that "the required risk analysis is also a tool to allow flexibility for entities in meeting the requirements of this final rule."

Impact of new technologies on AIS:

In 2000, e-commerce generated $59.7 billion in online transactions with consumers, compared to $30.1 billion in 1999. eMarketer projects that business-to-consumer (B2C) global e-commerce revenues could grow to $167 billion in 2002, $250 billion in 2003, and $428 billion in 2004 (eMarketer 2001). Accounting firms are expanding their consulting services into e-commerce, ranging from exploring the benefits of conducting business-to-business (B2B) to developing the infrastructure for e-commerce and establishing internal control activities for e-commerce. E-commerce has become the most expanded area of public accounting in the past five years (Financial Executive Institute 2000).
The amazing popularity, growth and success of business entities such as Amazon.com, ebay.com, and Yahoo, and the coinage of such terms as e-commerce (B2B, B2C, and C2C) and e-business in the business lexicon, are testimony enough to the widespread use of digital technology in the business place. In fact, it is common knowledge that trillions of dollars' worth of business is transacted every day in the world foreign exchange market using modern communication technologies, including the Internet. Simply stated, the Internet is a worldwide network of computer systems. This network provides an electronic medium for delivering, gathering and analyzing information of all kinds and on virtually every subject, worthwhile or otherwise. For instance, a business unit can use this technology to create and report its financial and other business information to varied external user groups.

Real Time Vs. Batch wise data processing in AIS:

All operational data, including Sales Orders, Shipments, Invoicing, Purchasing, Receiving, Inventory Transactions and Production, are processed on a real-time basis. This ensures users have real-time credit balances, inventory on hand, costing and delivery due dates. On a periodic basis this information is batched into the accounting system.

Advantages of real-time systems:

- Single entry into all source documents
- Check credit status at order entry level and invoice
- Simple, fewer operator steps
- Reliable: always up to the second
- Online printing of all documents when created, even just after posting
- Inventory, cash receipts, sales/service codes, history, etc. always reflect the last entry anywhere on the system
- No cumbersome, time-consuming end-of-month batch updates that shut down everything, including inquiries and work orders
- Statements, up-to-the-second sales reports, etc. may be run at any time
- No binders during posting; everything is on screen
- System updates data as entries are confirmed
- On-line inquiry for lists of inventory, service codes, repair codes, etc. during data entry processes

Batches offer the following advantages:

- Users are able to correct errors before posting, so there are fewer correcting journal entries
- Better traceability of transactions with full audit trails
- Segregation of duties – the person doing the transaction is not the person checking the batches
- A batch provides a quantifiable document to test, total, approve and file
- Finding errors is easier in batch posting – one can quickly determine which batch was the source of the error, leading to far fewer transactions to check
- Provisional Posting – during year or month end it is common to "try on" adjusting entries and review the financial statements. This process often leads to multiple and reversing entries.

EDI (Electronic Data Interchange)

EDI is the electronic communication of business transactions, such as orders, confirmations and invoices, between organizations. Third parties provide EDI services that enable organizations with different equipment to connect. It is the exchange of information from one company to another using a computer network, such as the Internet. Electronic data interchange involves computer-to-computer exchanges of invoices, orders, and other business documents, and therefore effects cost savings and improves efficiency because it minimizes the errors that can occur if the same information has to be typed into computers more than once. At the same time, EDI provides an easily accessible mechanism for companies to buy, sell, and trade information.

Benefits of EDI

It directly addresses several problems long associated with paper-based transaction systems:

Time delays—Paper documents may take days to transport from one location to another, while manual processing methodologies necessitate steps like keying and filing that are rendered unnecessary through EDI.

Labor costs—In non-EDI systems, manual processing is required for data keying, document storage and retrieval, sorting, matching, reconciling, envelope stuffing, stamping, signing, etc.
While automated equipment can help with some of these processes, most managers will agree that labor costs for document processing represent a significant proportion of their overhead. In general, labor-based processes are much more expensive in the long term than EDI alternatives.

Accuracy—EDI systems are more accurate than their manual processing counterparts because there are fewer points at which errors can be introduced into the system.

Information Access—EDI systems permit myriad users access to a vast amount of detailed transaction data in a timely fashion. In a non-EDI environment, in which information is held in offices and file cabinets, such dissemination of information is possible only with great effort, and it cannot hope to match an EDI system's timeliness. Because EDI data is already in computer-retrievable form, it is subject to automated processing and analysis. It also requires far less storage space.

Procedure for complying with Legal Rules:

Legal rules apply to the documents that accompany a wide variety of business transactions. For example, some contracts must include a signature or must be an original in order to be legal. If documents are to be transmitted via EDI, companies must establish procedures to verify that messages are authentic and that they comply with the agreed-upon protocol. In addition, EDI requires companies to institute error-checking procedures as well as security measures to prevent unauthorized use of their computer systems.

XBRL:

There is another 'digital' language of business called the eXtensible Business Reporting Language (XBRL). XBRL.ORG (http://www.xbrl.org) has defined XBRL as "… (a) Framework that the global business information supply chain can use to create, exchange, and analyze financial reporting information including, but not limited to, regulatory filings such as annual and quarterly financial statements, general ledger information, and audit schedules. … XBRL ... facilitates the automatic exchange and reliable extraction of financial information among various software applications anywhere in the world."

It may be stated in passing here that XBRL has been variously hailed as 'the next wave in the future of financial reporting' (see www.acountingweb.com), the biggest thing to hit accounting since the invention of the double entry system, and 'the single most important advancement in business reporting since the spreadsheet' (XBRLLink, 2001). Thus, XBRL is poised to provide companies, the accounting profession, data gatherers and aggregators, the investment community and all other users of financial statements with a new, free, XML-based standard for preparing, formatting, distributing and analyzing financial reports.

The traditional reporting process needs data inputs to be re-processed every time they are re-used to meet the informational needs of various external parties. The inputs from the accounting system and other sources are processed once to meet the mandated requirement to supply investors with a paper-based annual report. The same data inputs may be processed again for displaying the information on the web site, or for filing with the tax authorities, and so on. On the whole, there is a lot of reworking (re-keying) of the data, which translates into additional cost, avoidable delays and possible discrepancies. However, with accounting and other inputs formatted as per XBRL code, the same database can be used to meet the informational needs of practically all the user groups. Notably, the language is designed so that it helps distribute financial information in any format: HTML documents for the Web, printed financial statements, electronic filing with securities market regulators like the Securities and Exchange Commission (SEC), etc.

Summary:

The AIS is becoming more vulnerable to security threats.
But an organization with good security controls in place can prevent such risks of data loss. The strategic implementation of a disaster recovery plan that is formulated, communicated, updated and executed will also help in keeping control of the AIS during times of hazard. Such disaster recovery, through various data recovery models, will offer business continuity to the AIS. The HIPAA regulation offers some insights into maintaining the privacy of information for the security of the data. The new trends in B2B, B2C and C2C transactions demand more secure and efficient AIS practices. Such robustness is offered by technologies like EDI and XBRL, which offer seamless accessibility of accounting information to various users at the same time. These tools help organizations adapt the Accounting Information System at a faster pace.

References:

Collier, Paul, Rob Dixon and Claire Marston (1991), "The Role of Internal Auditor in the Prevention and Detection of Computer Fraud", Public Money and Management, (Winter), pp. 53-61.

Collins, Carlton J. "How to Select the Right Accounting Software." Journal of Accountancy. Oct. 1999: 67-77.

Davis, Charles E. (1996), "Perceived Security Threats to Today's Accounting Information Systems: A Survey of CISAs", IS Audit & Control Journal, (Vol. 3), pp. 38-41.

Daily, Cynthia and Lueblfing, Michael. "Defending the Security of the Accounting System." The CPA Journal. Oct. 2000: 62-65.

Kaplan, David and Krishnam, Ramaya. "Assessing Data Quality in Accounting Information Systems." Communications of the ACM. 41.2 (1998): 72-81.

Kieso and Weygandt. Intermediate Accounting. New York, John Wiley and Sons, Inc., 1998.

Loch, Karen D., Houston H. Carr and Merill E. Warkentin (1992), "Threats to Information Systems: Today's Reality, Yesterday's Understanding", MIS Quarterly, (June), pp. 173-186.

Parker, Donn B. (1976), Crime By Computer, Charles Scribner's Sons, New York.

Ryan, S. D. and B. Bordoloi (1997), "Evaluating Security Threats in Mainframe and Client/Server Environments", Information & Management, (Vol. 32, Iss. 3), pp. 137-142.