会计信息系统的风险和威胁Risks and threats of accounting information system在最近的过去，会计信息系统(AIS)的领域发生了很多变化,预示着改变从纸质期刊和账本完全自动化,无纸化系统。然而,迁移从纸到电脑不无困难。技术的进步一直伴随着一个新的安全问题。这篇文章启示了AIS的感知威胁安全风险。它专门寻求评估的类型和性质的风险和安全威胁公司的会计信息系统,对系统会计建立的大型英国零售公司专门从事家用电器的销售。(Davis, C. E. 1996)
The field of accounting information systems (AIS) has witnessed many changes in the recent past, heralding the changes from paper-based journals and ledgers to having a purely automated, and paperless systems. Nevertheless, the migration from paper to computer has not been without its difficulties. Advancement in technology has been accompanied by a new security issue. This essay sheds new light on the perceived threats to AIS security risks. It specifically seeks to evaluate the type and nature of both the risks and the security threats to the company's accounting information system, with regard to a systems accountant of a large established UK based Retail Company specializing in the sale of household electrical appliances. (Davis, C. E. 1996)
As a system accountant of the electrical retail shop in the UK some of the threats and risks to the firm's accounting information system are down to both internal and external forces and also categories as natural or human causes.In most cases these risks and threats to the accounting information system can be attributed to internal sources and are caused by human beings and not natural. A good example is the accidental entry of bad data by the employees. In this instance the various members of the employees may be attributed to causing risks of huge losses by their carelessness in entering data to the system. A case in point which is relevant to the case is when the clerks stationed at the sale outlets fail to capture the correct prices while posting the sale of electronic appliances. This is bound to be repeated on various occasions in the year leading to unaccounted losses as a result of miss posting.
The intentional entry of bad data by employees is another human nature of risks to the accounting information system. This is attributed to fraudulent and malicious employees who might harbor thoughts of sabotaging the accountant or to embezzle the retail shop. This risk can be attributed to demoralized staff and would eventually pose a challenge to the accounting systems as the accounts are bound not to balance regardless of the inventory system being used by the electronics retail shop. This is treated as a crime and is a form of computer fraud which calls for the prosecution of the culprits.
Accidental destruction of data by employees is another frequent human nature type of risk and a threat to the accounting information system. This occurs when an employee accidental deletes or distorts data in the accounting system leading to the complete destruction of such data hence can no longer be relied on to make economic decisions. This could occur rarely in the electronics retail shop in the UK because most of the staffs are well versed in the operations of the accounting information system. This calls for continuous training of new employees every year to make them skilled to avoid accidental destruction of data. Furthermore, the presence of a back up data system minimizes to risks and threats posed by the accidental destruction of data by employees.
Intentional destruction of data by employees is another threat faced by system accountant in the electronic retail shop. This might occur rarely as it is subject to unethical behavior and embezzlement which can be eliminated at the recruitment process of the employees and subsequent ethical standards in the organization. (Abu-Musa, A. A. 2003)
The unauthorized access to the data and/or system by employees is also a risk and threat to the accounting information system. This would rarely happen in many organizations especially the electronic retail shop. When it does it could be as a result of insecure password systems.
The unauthorized access to the data and/or system by outsiders is the other risks of human nature although it is attributed to external forces. This risk increases with the use of electronic services such as e-business and electronic fund transfers and is as a result of hackers. This risk to the accounting information system increases with the advent of information technology.
Employees' sharing of passwords can be a source of risk and threat to the accounting information system. This is a very common threat because over time most employees become friends and hence would not hesitate to share passwords with their colleagues although it is prohibited. This would increase the risks associated with theft and improper transactions as one password can be used by several people to access data which is restricted and could furthermore, lead to exposure of trade secrets to rivals.
Natural disasters are also viewed as potential risks and threats to the accounting information system. Such disasters are infrequent in occurrence but are devastating which they do. Examples are thosecaused by fire, water, wind, power outages, lightning and earthquakes which lead to the destruction of computer facilities.
Disasters of human origin on the other hand which can pose a risk and threat to accounting information system include fires, floods and explosions. Furthermore, man-made disasters could be accounted to intentional or accidental human actions. Most of the intentional acts which are a threat to the accounting information system are crimes ranging from fraud, theft, embezzlement, extortion, larceny to mischief. (Wood, C.Â ; Banks, W. 1993)
The introduction (entry) of computer viruses to the systems is one of the most vicious threats to the accounting information system in the present times. This risk and threat which is caused by humans can be carried out by both internal and or external members of an organization. This occurs as a result of hacking and the subsequent introduction of viruses or worms which are able to interfere with the program code of the accounting information system. Such viruses and executable programs could be attached to e-mails and other files during the process of electronic transactions. An example in the electronics retail shop is where a potential customer sends an enquiry to the system with attached viruses which when opened distorts the accounting system program hence destroying the system. This is possible when anti-virus utility programs are not installed; are not be updated on a regular basis to enable it detect newer viruses. This also could occur when anti-virus software is not set to automatically scan computer files when the system is first turned on. The employees also might not be trained well to scan any external media they introduce to the system on their daily operations.
Suppression or destruction of output is also a threat to the operations of an accounting information system. This is whereby employees who are suspected of corrupt mal- practices in the organization enter the system and destroyed any traces of their illegal activity leading to the destruction of the output.
The creation of fictitious or incorrect output is another internal generated risk and threat to the accounting information system. This would occur rarely when periodic checks and monitoring are done. This is also as a result of unethical employees who would want to cover up some ills or to benefit from some perceived outputs. An example in the electronic retail store is when a line manager wants to get a pay raise or promotion and hence create fictitious output which shows that he exceeded targets yet in reality it is a mirage.
Theft of data or information from the accounting system is also a big threat to the security of the accounting information system. This occurrence is rare in many organizations but could be prone in industries with intense competition. This is because such intense rivals would go to great lengths to steal data and information from the rivals in order to gain a competitive edge. An example of this threat is when the competitors of the electronic retail store employ hackers to steal accounting information which can be employed to beat them in the electronic markets.
The presence of unauthorized copying of output is the other threat to the security of the accounting information system. This can be used by corrupt official to carry out insider trading as unpublished accounting information can be copied and used to spur own trading in the company's shares.
Unauthorized document visibility of the company's information may be another threat to the security of accounting information systems. This is often low is many organizations due to stringent measures to control visibility. When it happens it is characterized by display on monitors and printed papers and could threaten the public image of an organization.
The unauthorized printing and distribution of data or information is a human nature threat and risk to the security of the accounting information system. This is whereby some part or all of the accounting information are printed or distributed without due authorization resulting in such information falling on the wrong hands hence posing a threat to the operations of the organization. For example in the case of the electrical appliances store some junior staff might print future budget predictions wit out the authority of his supervisor hence compromising the security of the company's budget information.
Directing prints and distributed information to people not entitled to receive is also a threat to the security of the accounting information system and could lead to bad reputation as the customers and other stakeholders involved with a firm lose trust. This is down to carelessness and lack of thoroughness by the employees and it could involve the distribution of invoices and other confidential documents to the wrong recipients. An example of this threat in the electronics retail store is when employees mail invoices to the incorrect addresses leading to distribution of information to people who are not entitled to receive.
Instances where sensitive documents are handled by non-security cleared personnel for shredding is also a threat to the security of the accounting information system. Although technology has reduced paper use in accounts, there are still few instances of its use. The destruction or shredding of such paper calls for security, thus when such documents are handled by non-security personnel is becomes a risk to the accounting information system.
Interception of data transmissions is also a major security threat to accounting information systems which is of a human nature and is credited to external forces to the organization. This occurs were competitors and other criminal elements breach the information system such that they are able to intercept data transmission before reaching the recipients. E-mail for instance could be intercepted by hackers when they figure out a computers IP address.
As part of the second answer of the solutions, is acknowledging that security of the electronic information especially in the retail chain has become a critical concern for the success of the accounting department. This calls for a concerted effort by scholars, managers, accountants and auditors to be aware of the emerging threats thus put in place security measures in order to keep safe the accounting information systems. In order to safeguard proprietary and personal information is a big challenge in today's digital technology and calls for a lot of integrity on the part of the employees and also putting in place a secure accounting information system. The implementation of an effective information system calls for the provision of reasonable assurance so that the accounting information system is able to produce relevant and reliable information to meet both internal and external reporting needs.
Whether a security system exists or not the internal control must be a top priority. The policies and procedures should always require the maintenance of records that accurately detail and fairly reflect transactions and the dispositions of assets; this provide reasonable assurance that transactions are being recorded properly; also ensure that receipts and expenditures are made only in accordance with proper authorization; and finally provide reasonable assurance regarding the prevention or timely detection of unauthorized acquisition, the use, or the disposition of assets that could have a material effect on the company's financial statements.
The most crucial steps that need to be undertaken to secure the accounting system from risks and threats is to identify, implement, and monitoring some of the basic system requirements and custom sustainable solutions for both general and unique security challenges are associated with unbounded electronic enterprise with a technologically rich environment. These would mainly involve policies and procedures related to the security of e-mail passwords and usage, installation of antivirus and antispyware solutions, secure firewalls, authorized access, the authentication, separation of duties, privacy, encryption, digital signatures and certificates, non-repudiation, data integrity, storage, backup files and tapes, and other emerging threats and technologies. More importantly, the establishment of the right tone at the top management with respect to privacy and security, and as well as the hiring of vigilant, ethical employees, would be essential in securing our accounting information system against dangerous threats.
A control procedure or mechanism that can be employed to solve the risks and threats to the accounting information of the retail electronics could be the use of system privileges and the layers of password protection. This would cover the network environment, the operating system for all users, together with its own flaws. This shows that the company will be facing potential threats almost every side, such as the abuse of power by the system personnel, frequent unauthorized personnel carrying out operations and further illegal access outside the system.
Accounting software that needs to be put in place must haveÂ relatively complete authority to approve and have maximum password protection, be able to give full play to its role, allows accountants to publish information in the same time, the better protection of the accounting system. It is essential that it does the following: be able to protect computer equipment, to prevent designated personnel from operating all manner of illegal computer and financial software to ensure the security of the machine's program and data; permit the designated machine operator to work on the operation of accounting software, the content and also permissions, the password to in line with the strict management of operation, have regular change of the operator's password ; the password is meant to limit the operating authority, the operator checks the identity of a defense, be able to manage each person's password, and ensure the security of the whole system. (Haugen, S; Selin, R. 1999), This measure would be able to prevent any unauthorized personnel from operating the accounting software, accounting personnel in preventing unauthorized use of software; in order for the operator to leave machine should prompt him to perform the appropriate accounting software command exit, this ensures that the defense does not lose its role in the password, and will thus give the opportunity to stay independent of personnel to operate. This process when done in the retail company according to the actual situation of units, save on security of the operating records, the records of the operator operating time, the operation content, and software in the log management as compared to the process of carrying out log audit.