An Assessment of Accounting Information Security

Security over the processing of accounting transactions is a major concern.

By Charles E. Davis

In Brief

Accountants Need to Know About Threats to Computer

Security over information in computers has become a major concern to the business and not-for-profit communities. The security risks are changing dramatically as technology moves rapidly through the various phases of use from mainframes to PCs to networks and to more powerful network servers that are beginning to take on the function and personality of mainframe computers. The accelerating pace toward greater and faster telecommunications further magnifies security risk.

Accountants should be familiar with security risks in order to protect their own applications and computer use and, of course, to properly advise clients and others in their organizations about the various security risks to which they are exposed.

Author Davis surveyed a sample of CPAs about security threats that concern them and presents in an accompanying table the top five threats in four computing environments--microcomputers, minicomputers, mainframes, and networks.

Based upon the survey, the author projects the practice and business opportunities that accountants have to advise and protect their public (clients and employers) from security risks.

While providing numerous improvements in business practices, computer technology has also created the potential for disastrous problems. Hollywood has highlighted computer security problems in movies such as Sneakers, Hackers, and The Net. Computer systems, which the average person assumes to be safe, are now victims of security breaches. Reports reveal that hackers attacked the U.S. Defense Department computer systems nearly 250,000 times in a recent year, with 65% of these attacks resulting in unauthorized access to the systems. These security breaches cost the department millions of dollars and pose a serious threat to national security. Our future, in terms of national and business security, depends on the security of computer systems.

A major product of computer systems is information. For a business, much of this is financial information. Because financial information is typically produced by the accounting information system (AIS), the primary guardian is usually an accountant.

The accounting profession recognizes the need for increased security over AISs. All the technological advancements included in the AICPA Information Technology Division's 1996 hot topics list (see Table 1) represent fundamental changes to business practices with significant system security implications. The division specifically ranked security as the third most important technology issue, up from thirteenth in 1995. The elevated importance of security probably stems from recognition that inadequate security over a system precludes any assurance that an AIS will produce reliable information to meet internal and external reporting requirements. Inadequate AIS security also increases the opportunity for manipulation, falsification, or alteration of accounting records.

The AICPA Technology Division has rightly identified AIS security as a primary technological concern. Knowing what areas of system security need addressing is another story. The following paragraphs report the results of a survey of CPAs designed to assess current concerns about AIS security--management's commitment to system security, the use of alternative systems architectures, and assessments of risks and security threats across those systems architectures. With this information at hand, accountants can better identify and control security threats present in their existing environments.

The Survey Sample

A Threats to Accounting Systems Security Survey was sent to 3,054 members of the AICPA and the Information Systems Audit and Control Association. Usable surveys were returned by 355 persons (11.6%). Since the purpose of this assessment was to determine CPAs' perceptions of AIS security, the findings include only the 208 responses received from CPAs. CPA respondents to the survey consisted of 64.9% in public accounting, and 35.1% in industry and government. The respondents averaged 7.1 years in their current positions and 13.9 years total accounting and auditing experience. Other professional certifications held by the CPA respondents included Certified Information Systems Auditor (26%) and Certified Internal Auditor (5.8%).

Assessment of AIS Security Policies

Management's attitude toward internal control is an important component of the control environment. The presence and enforcement of information system security policies indicate management commitment to information security. To assess top management commitment to AIS security the respondents were asked to indicate their perception of management efforts to implement and enforce AIS security policies. Additionally, the respondents were asked to evaluate the adequacy of the security policies.

Table 2 reports that 84.5% of the respondents generally felt that top management was committed to implementing information system security policies, while 83.6% thought that top management had at least a moderate commitment to enforcing these security policies. About 81% of the respondents deemed the policies to provide at least adequate security. Although these results reflect favorably on the control environment, it is interesting to note that the perceived level of adequate security is lower than management's perceived level of commitment to implementing and enforcing information system security policies.

Current System

The proliferation of microcomputers and networks in the last ten years has drastically changed available computing architecture choices. AIS began as mainframe applications. Mini- and microcomputer-based alternatives are now plentiful, and client/server systems are being developed with greater frequency. Because different architectures have different levels and areas of security threats, respondents were asked to assess the current level of use of several architectures. As shown in Table 3, most of the CPA respondents reported moderate to heavy use of microcomputers, either in a stand-alone or networked environment. Given the relatively low reported usage of mainframe computers, this is likely a result of migrating mainframe legacy systems to microcomputer architectures.

These findings clearly indicate that computers networked both internally and externally are an important feature of today's AISs. Such technologies as electronic commerce, workflow technology, collaborative computing, client/server computing, and telecommuting included on the AICPA Technology Division's top 15 list often make heavy use of networked microcomputers. These technological advancements create new security problems--such as lack of paper audit trails and an increase in the number of authorized users of a system--that require revision of existing security policies to maintain adequate protection against security risks and threats. It is reasonable to expect that accountants and auditors will view policies associated with newer technology as less adequate than those covering more tried and true environments.

As expected, the survey found that CPA respondents think that security policies in newer technologies are less adequate than policies for established technologies. As shown in Table 4, microcomputers in general, and specifically microcomputers connected to outside networks, are viewed as presenting the highest level of risk. Not surprisingly, the mainframe environment is deemed the least risky. However, even with the new technologies and risks that have emerged, only 13% of the respondents indicated that AIS security is worse today than it was five years ago.

Top Threats to AIS Security

From a list of 17 potential threats to AIS security, the survey asked the respondents to rank order the top three threats applicable to each of four computing environments--microcomputers, minicomputers, mainframes, and networks. Determining the most prevalent security threats in each computing environment will assist in identifying areas requiring additional control emphasis. Table 5 reports the top five security threats in each of the four computing environments, as determined by the number of times respondents ranked a threat as one of the top three threats. Employees' accidental entry of bad data is the only common threat for the four computing environments.

Respondents viewed the introduction of computer viruses as a major threat to microcomputers and networks. Ernst & Young's "Annual Information Security Survey: Trends, Concerns and Practices," reported that over two-thirds of respondents had encountered a virus in the past year. IBM estimated in 1994 that as many as 2,500 viruses were in circulation, with two or three new viruses being written every day. As companies increase the use of networks, e-mail, and intelligent agents, the threat of virus infections also increases. Adequate preventive and detection control measures, such as virus detection programs and diskette origination policies, must be implemented to reduce the threat of viruses.

Unauthorized access by either employees or outsiders was viewed as a threat to AIS security in all environments except microcomputers. Again, respondents appear to be in tune with the current state of affairs, as the Computer Security Institute's (CSI) 1996 Computer Crime and Security Survey reported that 42% of their respondents had experienced some form of system intrusion or unauthorized system use in the past 12 months. A frightening finding from CSI's survey is that over 50% of the respondents do not have a policy on how to deal with network intrusions. With the current increases in use of distributed information processing such as client/server computing, the Internet, and EDI, this threat will only increase as more points of entry to the system are created.

Survey respondents recognized unique security issues associated with the microcomputer environments. Stand-alone microcomputer systems are not typically equipped with elaborate physical access controls. The computer sits on a desk in an office and probably does not require a password to gain access to the system. Anyone with a minimum level of computer knowledge could gain unauthorized access to these systems. Additionally, much of the data used in these systems is stored on diskettes that are easily damaged, copied, or stolen.

The absence of particular threats in the different computing environments merits consideration. Poor segregation of IS programming and operating duties, for example, is not seen as a major threat in a microcomputer environment. However, a lack of segregation of duties increases the potential for unauthorized changes to computer programs going undetected. For example, a user could easily alter formulas in a spreadsheet used to calculate sales commissions.

Microcomputer-based systems also often violate proper segregation of accounting duties, as a single user may authorize and record a transaction in addition to maintaining custody of the assets. Such an arrangement would allow an employee to set up phony vendors, submit fake invoices, and produce checks for payment of the fake invoices. Yet this threat appears to be a concern only in a minicomputer environment. Unauthorized access to data/systems by employees does not appear to be a major threat in the microcomputer environment. Yet as noted earlier, physical access control over microcomputers is difficult to maintain, and unauthorized access is often undetected. Respondents may, however, have included this threat under weak physical access controls, which was one of the top five threats in the microcomputer environment.
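The segregation-of-duties problem described in the two paragraphs above (one user creating the vendor, approving the invoice, and issuing the check) can be turned into a detective control: trace each payable through the incompatible duties and flag any user who performed more than one of them. The following is an added example, not code from the article or from any AIS product; the field names, the duty list and the sample payables are constructed for illustration.

```python
"""Segregation-of-duties check over a small accounts-payable event log.

Added example (not from the article). Each payable is traced through three
duties that internal control says should rest with different people:
authorizing (vendor set-up), recording (invoice approval) and custody of
assets (issuing the check). Field names and sample data are constructed.
"""
from collections import defaultdict

# Constructed sample: one record per payable, naming the user who performed each step.
SAMPLE_PAYABLES = [
    {"invoice": "INV-1001", "vendor_created_by": "alice", "approved_by": "bob",   "check_issued_by": "carol"},
    {"invoice": "INV-1002", "vendor_created_by": "dave",  "approved_by": "dave",  "check_issued_by": "erin"},
    {"invoice": "INV-1003", "vendor_created_by": "frank", "approved_by": "frank", "check_issued_by": "frank"},
    {"invoice": "INV-1004", "vendor_created_by": "alice", "approved_by": "bob",   "check_issued_by": "bob"},
]

# The duties the article treats as incompatible when held by one person.
INCOMPATIBLE_DUTIES = ("vendor_created_by", "approved_by", "check_issued_by")


def sod_violations(payables, duties=INCOMPATIBLE_DUTIES):
    """Return (invoice, user, duties_held) for every payable in which a single
    user performed two or more of the incompatible duties."""
    findings = []
    for rec in payables:
        held = defaultdict(list)          # user -> duties that user performed
        for duty in duties:
            user = rec.get(duty)
            if user:
                held[user].append(duty)
        for user, performed in held.items():
            if len(performed) >= 2:
                findings.append((rec["invoice"], user, tuple(performed)))
    return findings


def full_control(payables, duties=INCOMPATIBLE_DUTIES):
    """Invoices where one user held every duty: the phony-vendor scenario,
    where nobody else ever saw the transaction."""
    return [inv for inv, _user, performed in sod_violations(payables, duties)
            if len(performed) == len(duties)]


def violation_counts_by_user(payables, duties=INCOMPATIBLE_DUTIES):
    """Per-user tally of flagged payables, to prioritise which access rights
    to review first."""
    counts = defaultdict(int)
    for _inv, user, _performed in sod_violations(payables, duties):
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    for invoice, user, performed in sod_violations(SAMPLE_PAYABLES):
        print(f"{invoice}: {user} performed {', '.join(performed)}")
    print("Single-user end-to-end control:", full_control(SAMPLE_PAYABLES))
    print("Flagged payables per user:", violation_counts_by_user(SAMPLE_PAYABLES))
```

The check is detective, not preventive: it tells the auditor which payables to examine after the fact. The preventive control is to assign the three duties to different roles in the application so the combination cannot occur; the report above is what you run to confirm that the assignment is actually being respected, and on a stand-alone microcomputer system it may be the only control available.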

Great concern for the effect of natural disasters in the mainframe environment was expected. Microcomputers and networks, however, are even more susceptible to damage from natural disasters. While mainframes are generally located in environmentally-controlled windowless computer rooms with special fire extinguishing systems, microcomputers are often located on desks under water-based sprinkler system heads. One false alarm setting off the sprinkler system can ruin the unprotected microcomputer. Additionally, mainframes are usually equipped with uninterruptible power supplies, while microcomputers can experience power surges and blackouts, even when connected to surge protectors. Fluctuations in power supply can permanently damage data stored on a floppy disk or a hard drive.

The Accountant's Opportunity

While technological change presents challenges in terms of adequate AIS security, it also presents accountants with opportunities. Engineers and system designers with little, if any, training in internal control determine technological advances. Accountants can work with these engineers and designers to develop adequate control measures as the technology evolves rather than waiting until after the technology has been implemented.

A second opportunity for accountants lies in educating management concerning information system security. Even though upper management uses information system output, they seldom actually use the system to enter and process data. Management may not be aware of the daily security concerns surrounding the system. Increasing management's awareness of and dedication to system security can enhance the control environment and place system security at the forefront.

Finally, accountants can educate system users in AIS security. Survey respondents frequently ranked a human error factor as one of the top five threats to AIS security. Education can reduce human error.

Charles E. Davis, PhD, CPA, is an assistant professor at the department of accounting and business law of the Hankamer School of Business, Baylor University. The author gratefully acknowledges the helpful comments of Del Chesser and Elizabeth Davis, the assistance of the AICPA and the ISACA in providing access to their membership, and the financial assistance of the Baylor University Research Committee and Department of Accounting and Business Law.

A list of references related to the preparation of this article is available upon request and in the downloads section of The CPA Journal's home page (www.cpa


©2009 The New York State Society of CPAs.