Threats to Accounting Information Systems
Underestimation of Risk: Many organisations perceive data breaches as unlikely, leading to complacency.
Shift to Digital Systems: The complexities of transitioning from centralized systems to cloud-based environments have exposed vulnerabilities.
Lack of Strategic Focus: Information is often undervalued as a strategic asset, leading to insufficient protection measures.
Operational Pressures: Short-term pressures to increase productivity and reduce costs have overshadowed the importance of data security.
Threat
any potential adverse occurrence or unwanted event that could cause harm to either the accounting information system or the organisation.
Exposure/impact
the potential dollar loss from a threat (e.g. financial/profit loss, reputational damage, legal consequences, operational disruption)
Cyber-security threats
These include potential cyberattacks such as hacking, phishing, ransomware, and insider threats. The rushed implementation of the cloud-based AIS without robust security measures significantly increased the company’s vulnerability to these threats.
Operational threats
The migration to a cloud-based AIS without adequate access controls and data encryption compromised the operational integrity of the system, making it easier for unauthorized access and data breaches to occur.
Fraud/error threats
The breakdown in the segregation of duties and weak password policies increased the risk of fraud and errors within the financial reporting processes.
Third-party vendor threats
Inadequate due diligence on third-party vendors and weak contractual safeguards introduced additional threats related to data security and operational reliability.
Preventive controls
prevent (deter) problems before they occur. These problems or errors could result in a misstatement of the financial statements.
Detective controls
detect (discover) problems or errors that are not prevented and that could result in a misstatement of the financial statements.
Corrective controls
identify and correct problems that have occurred, and recover from their effects.
General controls (for IT)
ensure an organisation's information system and control environment are stable and well managed.
What are the examples?
* Major Objectives
- Access to programs and data is limited to authorised users
- Data and systems protected from change, theft, and loss
- Computer programs are authorised, tested, and approved before usage
Application controls
Controls that prevent, detect and correct transaction errors and fraud in application programs.
Input controls
operate as data enters the system. Address accuracy, validity and completeness.
Processing controls
ensure correct handling of data e.g., making sure data is correctly updated in the various data stores.
Output controls
protect outputs generated by the process, e.g., how outputs are prepared.
COSO (Committee of Sponsoring Organizations) framework
provides a comprehensive approach to assessing and improving an organisation's internal control system; it can be used to identify critical areas for improvement and to develop strategies to mitigate future risks.
5 elements of COSO (CRCIM)
Control (internal) environment:
* This is the foundation for all other components of Internal Control (or ERM). What is the tone at the top like? Is management committed to integrity and ethics? What about competence? The operational environment? Is there a code of conduct that guides employees' behaviour?
Risk assessment:
* Does the organisation identify, analyse and manage its risks of exposure? What are the threats to the organisation's business? Risk management is a dynamic process.
Control activities:
* What are the policies and procedures in place to reduce potential threats and risks?
Information & communication:
* How is information communicated?
Monitoring:
* Does the organisation review its internal controls to ensure they are adequate and working appropriately?
Response to risk
Segregation of duties
Separating the accounting functions of authorization, custody, and recording to minimize an employee’s ability to commit fraud.