Abstract
I. INTRODUCTION
* Talal H. Hayale. Associate Professor. Arab Academy For Banking And Financial Sciences.
Amman Jordan
† Husam Abu Khadra. Assistant Professor. Arab Academy For Banking And Financial
this endeavor, even if it was late, such as the AICPA, which published SAS No. 94‡ in 2001.
However, these initiatives took the form of general instructions, and nothing
specific was offered that could be considered detailed guidance for auditors in their work,
Boynton (2001) & Kinsun Tam (2002).
In 2002 the Sarbanes-Oxley Act called for “real time” disclosure of information
on material changes in the financial condition or operations of publicly held
companies. As a consequence, organizations are more concerned with the timeliness and
quality of financial performance information, Uday (2004). Accordingly, the
responsibility on the accounting profession has increased dramatically: to quickly
recognize and assess the risks that are associated with Control Systems (CS) in the
IT environment and to define a detailed security controls checklist to be obtained, because
in many cases the technology developed faster than the advancement in CS, Ryan &
Bordoloi (1997).
The objective of this paper is to evaluate Computerized Accounting
Information Systems (CAIS) Control Systems (CS) in the Jordanian banking sector
and to measure their effectiveness. This study also aims to identify whether there are
significant differences among the respondents in the study sample (Internal Auditors
and Heads of Computer Department (HOCD)) in respect of the effectiveness level of
CS. While the issue of creating an overall effectiveness measurement to evaluate the
CAIS Control System has received considerable research attention in North America
and Europe, studies based on international experience, especially in developing
countries, are relatively rare. We are unaware of any studies evaluating the CAIS
Control System in Jordan that address the creation of an overall
effectiveness measurement to evaluate the CAIS Control System from the points of
view of both the internal auditors of the companies and the IT specialists. Hence the
results of this study can provide valuable insights and lead to a better understanding
of the perceptions of each of these two major groups towards creating an overall
effectiveness measurement to evaluate the CAIS Control System practices in a less
developed country.
This study, to the best of the researchers’ knowledge, is the first that attempts to
create an overall effectiveness measurement for evaluating the CAIS Control System
through specifying all required components that should exist in the effective control
system in the Jordanian banking sector.
Following consultations with experts in this field, a questionnaire was
developed for the purpose of this study to evaluate the general CAIS control
procedures that would be applied to all CS, which affect all computer applications in
the organization. This questionnaire covers different parts of CS in CAIS.
This research attempts to answer the following questions: (1) What is the actual
practice in the Jordanian domestic banks regarding information CS? In addition, are
these CS adequate to protect the domestic banks against perceived security threats?
(2) Are there significant differences among the respondents in the research sample
(Internal Auditors and HOCD) regarding the effectiveness level of CAIS that are
implemented in the Jordanian domestic banks?
‡ AICPA, Auditing Standards Board. “SAS No. 94: The Effect of Information Technology on
the Auditor’s Consideration of Internal Control in a Financial Statement Audit”. April 2001.
This SAS spotlights the effect of information technology on the auditor’s consideration
in a financial statement audit; moreover, it tries to provide guidance to auditors about the
effect of IT on internal controls which were programmed or built into the software, and
confirms that these controls should be tested and included in the audit strategy.
Talal H. Hayale et al./ Journal of Accounting – Business & Management 13 (2006) 39-68 41
The concept of internal control or security is as old as accounting itself, Henry
(1997); however, attention has been paid to it only since the beginning of the twentieth
century. In early times, the purpose of accounting was to record the monetary
transactions and then report them in useful and accurate forms, Lee (1971). However,
that reporting was simple and was only prepared for internal use because most
companies were individual or family companies.
Later, these primary forms of financial reporting developed dramatically to be
in the shape of current financial statements, which became the major or even the sole
source of information for the owners and other related parties such as lenders.
Consequently, the need to ensure the accuracy of these statements led the
profession to start seeking a control system that guarantees not only accurate
reporting but also the achievement of the company's goals.
The profession's reaction to these changes started early in the twentieth century;
the first formal definition of Security Controls or Control Systems appeared in
the 1947 publication by the AICPA entitled “Internal Control”, which mentioned three
factors contributing to the expanding recognition of the significance of internal
control, Boynton et al. (2001).
Previous studies also defined the concept of internal control. One of the
earliest was (Grady, 1957) who defined the internal control as the control that
represents “the organization plan and procedures which are used within the business
to (1) safeguard its assets from loss by fraud or unintentional errors (2) check the
accuracy and reliability of the accounting data that are used in making decisions (3)
promote operational effectiveness and encourage adherence to adopted policies in
those areas in which the accounting and financial departments have responsibility,
directly or indirectly".
The theory of internal control has undergone major reappraisals and changes
during the last decade. These changes began in 1988, when the AICPA issued SAS
No. 55, which describes internal control in terms of its three major components:
control environments, accounting systems and control procedures. Four years later,
the Committee of Sponsoring Organizations (COSO)§ issued the Internal Control
Integrated Framework, in which internal control was characterized by five
components: control environments, control activities, risk assessment, information &
communication and monitoring. In the meantime, the concept of internal control
evolved from a "structure" into a "process," making it both broader and more
dynamic. Subsequently, in 1995, the American Institute of Certified Public
Accountants (AICPA) adopted COSO's definition and its five components of internal
control and issued SAS No. 78 to supplement SAS No. 55, Curtis and Borthick
(1999).
§ COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent
Financial Reporting, an independent private sector initiative which studied the causal factors
that can lead to fraudulent financial reporting and developed recommendations for public
companies and their independent auditors, for the SEC and other regulators, and for
educational institutions. The National Commission was jointly sponsored by five major
professional associations in the United States: the American Accounting Association, the
American Institute of Certified Public Accountants, Financial Executives International, The
Institute of Internal Auditors, and the National Association of Accountants (now the Institute
of Management Accountants). The Commission was wholly independent of each of the
sponsoring organizations, and contained representatives from industry, public accounting,
investment firms, and the New York Stock Exchange.
Few studies have focused on the CAIS control system and how it differs from the
manual one. Kinsun (2002) considered that the rapid adoption of information
technology by business has not changed the basic need for internal control, but it has
extended the role of IT-based internal controls. In other words, Kinsun believed that
the development in internal controls should be in control procedures without
changing the internal control framework.
In 2000, ISACF†† developed COBIT‡‡, a framework of generally
applicable IS security and control practices for information technology control. This
framework allows management to benchmark the security and control practices of the IT
environment. Additionally, it ensures that adequate security and controls exist,
Lainhart & John (2000).
However, control objectives under COBIT are defined in a process-oriented
manner following the principle of business reengineering. This type of control is
exercised at the domain and process level. The "IT control" concept is adapted by the
ISACF Report and defined as "A statement of the desired results or purpose to be
achieved by implementing control procedures in a particular IT activity." This control
is exercised at the IT activity level, Curtis and Borthick, (1999).
The COBIT IT domain consists of four parts: planning & organization,
acquisition & implementation, delivery & support, and monitoring. Thirty-four IT
processes are identified across the four domains.
Activities within processes are also identified; these are the activities dealing
with day-to-day IT routines. The central control objective is to link IT domains,
processes and activities to the entity's operational processes and activities. The IT
objective is basically to facilitate the accomplishment of business objectives. Business
objectives are referred to as "Business Requirements for Information", which include
the following:
- Quality requirements (quality, cost and delivery)
- Fiduciary requirements, as defined by COSO (effectiveness and efficiency of
operations, reliability of information and compliance with laws and regulations).
- Security requirements (confidentiality, integrity and availability).
They provided an empirical justification for each control and specified the
threats that each control procedure could prevent, which gives credibility and greater
chances of finding these controls in practice. Furthermore, Boockholdt (1999)
mentioned four categories of general controls, as follows:
Fixed Responsibilities
A) Network administration. Selecting and updating network communication software.
B) PC help center. Answering user’s questions on personal computers, scheduling
maintenance.
C) Database Administration. Selecting and updating software, limiting access to data,
maintaining efficiency.
Generally, both Romney and Steinbart (1999) and Boockholdt (1999) have
similar points but with different classifications for the main groups, and sometimes
different naming for the same detailed procedure (e.g. Contingency Plan instead of
Disaster Recovery Plan - DRP). The current study depends mainly on Romney’s
categorization, and formulates a detailed procedure list for each category.
In the following section we preview the available peer reviewed studies, starting
with the ones that cover partial areas of CS evaluation and ending with those that
cover this area in more comprehensive views.
Jacob & Weiner (1997) carried out a theoretical study in which they listed
eleven points to build an effective Disaster Recovery Plan (DRP). These points,
according to the Jacob et al. study, ensure building a comprehensive DRP, respond to the
worst-case scenario and enable organizations to recover their operations quickly.
These points are:
1. Define mission-critical company functions & establish a hierarchy of operational
importance.
2. List the critical personnel and their job functions.
3. List the equipment needs of critical persons.
4. Determine a site relocation contingency.
5. Establish a recovery event task list.
6. Document current computer data backup methods and frequencies.
7. Identify those hard copy documents which are vital to the company and not able
to be re-created electronically, and provide solutions to eliminate susceptibility to
loss of such documents.
8. Identify mission-critical items vital to company operations which would be
required in the event of a disaster emergency.
9. Form an internal emergency response (“crisis”) committee with employees
assigned to specific crisis functions.
10. Create a crisis management “media kit”.
11. Create a systematic schedule for updating the plan.
- Data Encryption: This encryption is for the sensitive data in the DW to ensure
that the data is accessed on an authorized basis only.
- Partitioning: A mechanism should be developed to partition sensitive data into
separate tables, so that only authorized users can access these tables according to
their needs.
Henry (1997) carried out a survey on 261 companies in the US to determine
the nature of their accounting systems and the security in use. Seven basic security
methods were presented in his study. These methods were encryption, password
access, backup of the data, virus protection, authorization for system changes,
physical system security and periodic audit. Henry’s study results indicated that 80.3%
of the companies backed up their accounting systems, 74.4% of the companies secured
their accounting systems with passwords, while only 42.7% used antivirus in their
systems. The results also revealed that less than 6% of the companies used data
encryption; lastly, 45% of companies underwent some sort of periodic audit of their
accounting information systems.
Another study, carried out by Qurashi & Siegel (1997), affirmed the
accountant’s responsibility to check the security of the computer system. The
researchers carried out a theoretical study to develop a security checklist. This list
covers the following four security control groups: Client policy, Software
security, Hardware security and Data security.
Cerullo and Michael (1999) conducted a survey using a questionnaire of twenty
potential security and control mechanisms, which was circulated among the audit
directors of two hundred Fortune companies in the US. These mechanisms were
placed by the Cerullo study in four categories, namely Client-based, Network-based,
Server-based and Application-based.
Hardy et. al. (2000) examined information system (IS) managers' and
computerized information system (CIS) auditors' judgments of the relative
importance of elements of the internal control structure for EDI systems, using the
analytic hierarchy process (AHP).
Abu Musa’s (2004) study results revealed that the heads of computer
departments paid relatively more attention to the technical problems of CAIS security
controls, whereas the heads of internal audit departments emphasized behavioral and
organizational security controls rather than the technical problems of the CAIS
security controls.
Sung et al. (2004) proposed a decision support system to help auditors in risk
assessment, which is currently based on their professional judgment rather than objective
rules and criteria.
This system is based on the Case-Based Reasoning (CBR) model, which is a
problem-solving paradigm used especially when the domain rules are incomplete,
ill-defined and inconsistent. CBR is able to utilize the specific knowledge of previously
experienced concrete cases. Sung's system is also based on the COSO report, SAS Nos.
55, 78 and 94, the TeamAsset checklist established by Pricewaterhouse and the
opinion of experts who had engaged in auditing practice for more than 10 years, to define
the factors that affect both the “Control Environment” and the “IT environment and
monitoring factors”.
The above-mentioned factors are broken down into six factor categories; these
categories are:
1. Organizations Rules and Responsibilities.
2. Overall monitoring.
3. IT Function and Organization.
4. System characteristics.
5. IT Monitoring Control.
These categories are broken down into twenty-three factors and then into fifty-six
indexes justified by using materiality weights.
Applying these indexes to actual cases, the researchers extracted validation results
(hit ratio) to be used in estimating the risk level associated with each internal auditing
case. To validate the performance of CRAS-CBR, 137 Korean companies’ cases were
collected and indexed out of actual cases for the manufacturing industry for the year
1999. The approach of this study and the indexes (questions) used depend on the
respondents’ knowledge of the questioned figures instead of asking them
about the existence of a specific control procedure. Such an approach will not be
used efficiently if the respondent is not well educated about the questioned dimension.
Recently, Boritz (2005) conducted an extensive review of the literature to identify
the key attributes of information integrity and related issues; he then brought together two
focus groups of experienced practitioners to discuss the documented findings
extracted from the literature review through a questionnaire examining the core concepts
of information integrity and its elements. Boritz (2005) considered information security
(as distinct from confidentiality) as one of the core attributes of information integrity;
this security should cover the following areas: physical access controls and logical
access controls.
The results indicated that security had a lower impairment severity score
than several other practical aspects such as availability and verifiability. Boritz attributes
such findings to the effective use of security controls in the organizations represented.
Coe (2005) in his study focused on the fulfillment of Sarbanes-Oxley act 2002
that requires public companies to report about the effectiveness of their internal
control systems.
Coe explained in this study that the American companies are using COBIT for
Sarbanes-Oxley act 2002 compliance, and this is because its objectives have been
mapped to COSO in a publication entitled IT Control Objectives for Sarbanes-Oxley.
COBIT also has been mapped to popular enterprise resource planning (ERP) systems
such as SAP, Oracle and PeopleSoft. This mapping and related guidance provides
COBIT framework references and methodologies for auditing and testing the major
ERP systems.
But it was decided later to use the Systrust service to ensure that the company’s systems
carry out business processes reliably. Herein Coe establishes a five-step process showing
how CPAs can use the trust services framework to evaluate a company's IT
controls when the entity primarily uses the COSO approach.
These steps are:
1. Use the COSO framework to identify the risks in each business cycle and the controls
that mitigate them.
2. Gather initial IT information.
3. Identify all information systems that relate to financial reporting.
4. Use the trust services framework to create one overall IT matrix.
5. Assess the controls identified in the matrices created above.
Finally, Martin (2005) mentions the same steps in his study, in which he tried to
explain how an information system auditor can use the AICPA/CICA trust services
framework to evaluate internal controls, particularly controls over information
technology.
The current research examines the following research hypotheses in null form:
H1₀: Jordanian domestic banks do not have effective Control Systems on their
Computerized Accounting Information Systems.
This hypothesis can be divided into the following null hypotheses:
1.1 Jordanian domestic banks do not have effective Fraud and Error Reduction
Controls.
1.2 Jordanian domestic banks do not have effective Physical Access Controls.
1.3 Jordanian domestic banks do not have effective Logical Access Controls.
1.4 Jordanian domestic banks do not have effective Data Security Controls.
1.5 Jordanian domestic banks do not have effective Documentation Standards.
1.6 Jordanian domestic banks do not have effective Disaster Recovery Plans.
1.7 Jordanian domestic banks do not have effective Internet, Communications and
e-Banking Controls.
1.8 Jordanian domestic banks do not have effective Output Security Controls.
H2₀: There are no significant differences among the respondents in the study sample
(Internal auditor / HOCD) in respect of the CAIS Control Systems effectiveness
level in the domestic banks.
III. METHODOLOGY
The research population consists of all Jordanian domestic banks (local and
foreign). The number of domestic banks in Jordan is twenty-three; three of
these were excluded from this research because of their recent establishment (they
were established only in 2005). The research covered only the banks' headquarters,
where the targeted respondents were expected to exist. The targeted respondents
represent the parties that had the ability and knowledge to address the questionnaire; therefore, the
questionnaire was distributed to the internal auditors and the heads of computer
departments (HOCD). Forty questionnaires were distributed; thirty were received in a
usable format.
One way to assess the potential for non-response bias is to compare data from
late respondents to data from on-time respondents as in Oppenheim (1992) and
Wallace and Mellor (1988). In our study, five responses were received following a
reminder. Those late responses were not significantly different from other responses
in any of the analyses reported in the results section.
The data were collected using a self-administered questionnaire that was
designed after a preliminary observation of the practice. The questionnaire reviews
the existence of all general functions and procedures that guarantee the CS to be effective
in achieving its goals. Using such a methodology to obtain the CAIS control systems'
effectiveness minimizes respondent bias that may arise if they were asked directly to
indicate whether their control systems achieve their goals or not.
The above mentioned procedures and functions are categorized under the
following eight categories according to their functions or goals:
1. Fraud and error reduction control.
2. Physical access.
3. Logical access.
4. Data security controls.
5. Documentation standards.
6. Disaster Recovery Plan.
7. Internet, communication and e-banking controls.
8. Output security controls.
Z = \frac{P_s - P}{\sqrt{\dfrac{P(1-P)}{n}}}
Where
P_s = observed proportion of successes (number of successes divided by the sample size),
P = hypothesized proportion of successes in the population,
n = sample size.
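As an added example that is not part of the original paper, the following Python code applies the one-proportion z statistic above to "exists" counts of the kind reported in the paper's result tables (20 of 30 respondents for rotation of duties, 17 of 30 for removal of the FORMAT command). The hypothesized proportion P is not stated on this page, so P = 0.5 is an assumed reference value; a practitioner substitutes the study's actual P. The one-sided alternative (true proportion above P) is the example's own choice, chosen because the null hypotheses are phrased as "do not have effective controls".

```python
import math

# Constructed inputs: (item number, "exists" count, sample size), using the
# frequencies that appear in the paper's result tables. Item 3 = rotation of
# duties (20 of 30), item 32 = FORMAT command removed (17 of 30).
ITEMS = [(3, 20, 30), (32, 17, 30)]

# Assumed reference proportion; the page does not state the study's P.
P_HYPOTHESIZED = 0.5


def z_statistic(successes: int, n: int, p: float) -> float:
    """Z = (Ps - P) / sqrt(P(1 - P) / n), with Ps = successes / n."""
    if n <= 0 or not 0.0 < p < 1.0:
        raise ValueError("n must be positive and 0 < P < 1")
    ps = successes / n
    return (ps - p) / math.sqrt(p * (1.0 - p) / n)


def normal_cdf(z: float) -> float:
    """Standard normal CDF via the error function (no SciPy needed)."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def upper_tail_p_value(z: float) -> float:
    """One-sided p-value for H1: true proportion > P, i.e. the control is
    reported as present more often than the reference level."""
    return 1.0 - normal_cdf(z)


def evaluate_items(items, p=P_HYPOTHESIZED, alpha=0.05):
    """Return {item: (Z, p-value, reject_null)} for each (item, successes, n).

    reject_null is True when the observed proportion of "exists" answers is
    significantly above P at level alpha, so the null hypothesis that the
    control is not effectively present can be rejected for that item.
    """
    results = {}
    for item, successes, n in items:
        z = z_statistic(successes, n, p)
        p_val = upper_tail_p_value(z)
        results[item] = (round(z, 3), round(p_val, 4), p_val < alpha)
    return results


if __name__ == "__main__":
    for item, (z, p_val, reject) in evaluate_items(ITEMS).items():
        print(f"item {item}: Z={z:.3f} p={p_val:.4f} reject H0={reject}")
```

With P = 0.5 the 20/30 item gives Z of about 1.83 (p of about 0.034, significant at 5%), while the 17/30 item gives Z of about 0.73 (p of about 0.23, not significant), which is the kind of per-item distinction the effectiveness measurement rests on.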
IV. RESULTS
As appears in table (1), 80% of the respondents reported that their banks had
more than four information specialists.
Table 1
Frequency distribution of information system specialists
Information system specialist number | Frequencies | Percent
0                                    | 2           | 6.7%
1-3                                  | 4           | 13.3%
4-7                                  | 9           | 30.0%
8-11                                 | 2           | 6.7%
12-15                                | 8           | 26.7%
More than 15                         | 5           | 16.7%
Total                                | 30          | 100%
As appears in table (2), the majority of the respondents (73.3%) reported
that they had four or more years of experience in their current position,
while only 20.7% of the respondents had less than four years of experience in their
current position.
Table 2
Frequency distribution of the respondents' experience in their current position
Experience in current position | Frequencies | Percent
Less than one year             | 1           | 3.3%
1-3                            | 7           | 23.3%
4-7                            | 15          | 50.0%
8-11                           | 4           | 13.3%
12-15                          | 2           | 6.7%
More than 15                   | 1           | 3.3%
Total                          | 30          | 100%
Almost eighty-nine percent of the respondents declared that they had four or
more years of experience in the same bank, while only eleven percent reported that
they had less than four years of experience in the observed bank.
Table 3
Frequency distribution of the respondents experience in the observed
bank
To explore the existence and the implementation of fraud and error reduction
control procedures, the respondents were asked to indicate the existence of such
measures at their banks. The statistical findings revealed that all respondents (100%)
indicated that their banks successfully implemented the segregation of duties, whether
this segregation was between information system development functions (analysis /
programming... etc) or between accounting duties (authorization / recording ...etc).
On the other hand, the results showed that 67% of the respondents believed that
their banks implemented rotation of duties in order to decrease fraud chances and
increase the chance of error exposure. A similar percentage supported the existence of
employee bonding, while one-third of the respondents claimed that such a
procedure was not implemented. These results indicate that domestic banks'
managements have recognized the importance of this security control in order to
minimize fraud and error. Such results support Romney and Steinbart's (1999) belief
in the importance of fraud and error reduction controls, especially for the first
and second control procedures, while the bonding policy existence percentage is much
higher than in Abu Musa (2004).
Table 4
Fraud and error reduction controls (Frequencies)
# | Control Procedure | Does not exist: Freq. | Percent | Exists: Freq. | Percent
1 | There is a segregation of information system development functions (Analyst, Programmer, Operator, User, Librarian, Data controller). | 0 | 0.0% | 30 | 100.0%
2 | There is a segregation of accounting duties (e.g. Authorization, Recording). | 0 | 0.0% | 30 | 100.0%
3 | Rotation of duties is utilized to decrease fraud chances and increase the chance of error exposure. | 10 | 33.3% | 20 | 66.7%
4 | The employee who has access to sensitive data has been bonded. | 10 | 33.3% | 20 | 66.7%
The research revealed that the vast majority of the respondents (93%) claimed
that their banks established locked rooms for servers and sensitive computer
equipment. On the other hand, only 7% of the respondents reported that their banks
did not implement such control procedures. The researchers regarded this percentage
unfavourably despite its being a high one, because it reveals that some banks
do not even implement some basic Systrust (2003) rules. The respondents were also
asked to indicate whether the domestic banks managed physical access tools
supervised by the bank’s security staff. A high proportion of the respondents (93.3%)
claimed that their banks implemented such a procedure, while about 7% of the
respondents believed that their banks did not manage this procedure. Moreover,
frequency statistics showed that 70% of the respondents confirmed that their banks
restricted access to server rooms and related hardware to authorized individuals
by card key systems, monitored by video surveillance. Additionally, the results
showed that 63.3% of respondents reported that their banks kept records of visitors
showing the visitor’s name and the purpose of the visit. Almost 77% of respondents
believed that their banks maintained adequate theft and hazard insurance covering
computer hardware; this percentage is lower than the one extracted from the
Egyptian banking sector, Abu Musa (2004). Furthermore, 70% of the respondents
reported that their banks installed alarms with high concentration on computer
equipment. In general, the results were consistent with Romney and Steinbart (1999),
Buttros and Ackers (1990), Dougan (1994), Henry (1997), Moscove and Stephan
(2001) and Boritz (2005).
Table 5
Physical access controls (Frequencies)
# | Control Procedure | Does not exist: Freq. | Percent | Exists: Freq. | Percent
5 | Locked rooms for servers and sensitive computer equipment. | 2 | 6.7% | 28 | 93.3%
6 | Physical access cards are managed by the bank’s security staff. Access card usage is logged. Logs are maintained and reviewed by the bank security staff. | 2 | 6.7% | 28 | 93.3%
7 | Physical access to the computer rooms, which contain the bank IT resources, servers, and related hardware such as firewalls and routers, is restricted to authorized individuals by card key systems and monitored by video surveillance. | 9 | 30.0% | 21 | 70.0%
8 | Records for visitors and the purpose for their visits. | 11 | 36.7% | 19 | 63.3%
9 | An adequate theft and hazard insurance covering computers' hardware. | 7 | 23.3% | 23 | 76.7%
10 | Installing alarms with high concentration on computer equipment. | 9 | 30.0% | 21 | 70.0%
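Control procedures 6 and 7 above call for card-access logs that are maintained and reviewed, and for server-room access restricted to authorized individuals. As an added example that is not from the paper, the Python code below shows what that review looks like when automated: it parses a constructed badge-reader log and reports grants to card IDs outside an assumed authorized list, grants outside assumed business hours, and denied attempts, for follow-up by security staff. The log format, card IDs, door names and hours are all constructed for the example.

```python
from datetime import datetime, time

# Assumed authorized card IDs for the server room (constructed for the example).
AUTHORIZED_SERVER_ROOM = {"C1001", "C1002"}
# Assumed business hours during which server-room access is expected.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
SERVER_ROOM = "SERVER_ROOM"

# Constructed badge-reader log: "<ISO timestamp> <card id> <door> <result>".
SAMPLE_LOG = """\
2006-03-01T09:12:05 C1001 SERVER_ROOM GRANTED
2006-03-01T12:40:11 C2044 SERVER_ROOM GRANTED
2006-03-01T23:05:49 C1002 SERVER_ROOM GRANTED
2006-03-01T10:01:00 C2044 SERVER_ROOM DENIED
2006-03-01T13:20:30 C1001 LOBBY GRANTED
"""


def parse_line(line: str):
    """Split one log line into (datetime, card, door, result)."""
    ts, card, door, result = line.split()
    return datetime.fromisoformat(ts), card, door, result


def review_access_log(log_text: str,
                      authorized=AUTHORIZED_SERVER_ROOM,
                      start=BUSINESS_START, end=BUSINESS_END):
    """Return a list of (timestamp, card, reason) findings for the server room.

    Three conditions are reported: a grant to a card not on the authorized
    list (access-list drift or a misconfigured reader), a grant outside
    business hours (to be reconciled with maintenance schedules), and any
    denied attempt (repeated denials may indicate a lost or misused card).
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, card, door, result = parse_line(line)
        if door != SERVER_ROOM:
            continue
        if result == "GRANTED":
            if card not in authorized:
                findings.append((ts.isoformat(), card, "granted but not on authorized list"))
            if not (start <= ts.time() < end):
                findings.append((ts.isoformat(), card, "granted outside business hours"))
        elif result == "DENIED":
            findings.append((ts.isoformat(), card, "denied attempt"))
    return findings


if __name__ == "__main__":
    for ts, card, reason in review_access_log(SAMPLE_LOG):
        print(ts, card, reason)
```

The point of the review is the reconciliation it forces: every "granted but not on authorized list" finding is either a reader whose access list no longer matches the approved list, or a card that should not open that door, and both are what the item 6 review by security staff exists to catch.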
These results are consistent with the Systrust v 2.0 proposed control procedures, in
contrast with the control procedures which were extracted from Romney and
Steinbart (1999).
Table 6
Logical access controls (Frequencies)
# | Control Procedure | Does not exist: Freq. | Percent | Exists: Freq. | Percent
11 | Each user has a password and an ID for his computer. | 0 | 0.0% | 30 | 100.0%
12 | Screen saver with password. | 10 | 33.3% | 20 | 66.7%
13 | The authority to access company information is defined according to the user's ID. | 1 | 3.3% | 29 | 96.7%
14 | Each password contains at least six characters, one of which is non-alphanumeric. Passwords are case sensitive and updated every 90 days. | 3 | 10.0% | 27 | 90.0%
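Control procedure 14 above states the password rule the questionnaire checked for: at least six characters, one of them non-alphanumeric, case-sensitive, and updated every 90 days. As an added example that is not from the paper, the following Python code encodes that rule as a check run when a password is set and as a rotation review over account records that hold only the last-change date. The account records, dates and function names are the example's own.

```python
import hmac
from datetime import date

MIN_LENGTH = 6       # item 14: at least six characters
MAX_AGE_DAYS = 90    # item 14: updated every 90 days


def policy_violations(candidate: str, last_changed: date, today: date) -> list:
    """Return the item 14 rules a password breaks; an empty list means compliant."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("shorter than 6 characters")
    if not any(not ch.isalnum() for ch in candidate):
        violations.append("no non-alphanumeric character")
    if (today - last_changed).days > MAX_AGE_DAYS:
        violations.append("older than 90 days")
    return violations


def matches_stored(stored: str, supplied: str) -> bool:
    """Case-sensitive comparison: no .lower()/.casefold() on either side,
    which is the usual way case sensitivity is silently lost.
    hmac.compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(stored.encode(), supplied.encode())


# Constructed account records: only the last change date is kept, never the
# password itself, so rotation can be reviewed without handling secrets.
ACCOUNTS = {
    "teller01": date(2006, 1, 10),
    "auditor02": date(2005, 11, 20),
    "hocd": date(2006, 2, 28),
}


def accounts_needing_rotation(accounts: dict, today: date) -> list:
    """Usernames whose password age exceeds MAX_AGE_DAYS on `today`."""
    return sorted(user for user, changed in accounts.items()
                  if (today - changed).days > MAX_AGE_DAYS)


if __name__ == "__main__":
    today = date(2006, 3, 15)
    print(policy_violations("Tr0ub&dor", date(2006, 1, 10), today))
    print(accounts_needing_rotation(ACCOUNTS, today))
```

matches_stored stands in for the verifier's comparison step only; a production system stores a salted hash and compares the hash of the supplied value, which stays case-sensitive as long as nothing normalizes case before hashing.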
Over 66% of the respondents believed that each element of the information was
identified as to whom it was required by, when it was needed, and in which information
system it existed. Additionally, the same percentage of respondents claimed that their
banks maintained write-protection mechanisms in order to protect data files from being
overwritten or erased. Moreover, all of the respondents reported that their
banks had well-managed backups and working copies maintained according to a
predefined schedule.
Table 7
Data security controls (Frequencies)
# | Control Procedure | Does not exist: Freq. | Percent | Exists: Freq. | Percent
23 | File storage area protected against fire, dust, and any harmful conditions. | 0 | 0.0% | 30 | 100.0%
24 | Well defined data directory is used. | 6 | 20.0% | 24 | 80.0%
25 | Each type of data and the level of protection required for each are well defined. | 9 | 30.0% | 21 | 70.0%
26 | Each element of the information is defined as to whom it is required by, when it is needed, and at which IS it exists. | 10 | 33.3% | 20 | 66.7%
27 | Write protection mechanisms protect against users accidentally writing over or erasing data files. | 10 | 33.3% | 20 | 66.7%
28 | Backups and working copies of data are well maintained according to a pre-defined schedule. | 0 | 0.0% | 30 | 100.0%
29 | Adequate steps are taken to avoid unauthorized copying of hardcopy data. | 8 | 26.7% | 22 | 73.3%
30 | Adequate security controls should be implemented over manual handling of data between branches and the headquarters, as well as among the bank's departments. | 2 | 6.7% | 28 | 93.3%
31 | A hardcopy should be routinely printed for the critical data. | 7 | 23.3% | 23 | 76.7%
32 | The FORMAT command should be removed from the users’ computers. | 13 | 43.3% | 17 | 56.7%
33 | Legally binding confidentiality agreements should be drafted by the employer and signed by the computer users who have access to sensitive data. | 8 | 26.7% | 22 | 73.3%
34 | Backup diskettes or cartridges are secured in safe cabinets or a fire-rated safe. | 2 | 6.7% | 28 | 93.3%
Also, 73.3% of the respondents believed that their banks took the required steps in
order to avoid unauthorized copying of hardcopy data. 93.3% of the respondents said
that their banks implemented adequate security controls over the manual handling of
data between branches and headquarters as well as among the banks' departments.
Approximately 77% of respondents also believed that their banks kept a hard copy of
the critical data. 57% of the respondents claimed that the FORMAT command was
removed from users’ computers. Furthermore, 73% of the respondents reported that
their banks drafted confidentiality agreements. Finally, 93.3% of the respondents claimed that
their banks kept backup diskettes or cartridges secured in safe cabinets or fire-rated
safes. The empirical results confirmed the validity of most of the protective measures
drawn from Warigon's (1998) theoretical study.
Documentation standards
Almost 90% of the respondents reported that their banks set up well-defined
standards and procedures for data processing, including the justification and
authorization of new systems and system changes, etc. On the other hand, 60% of the
respondents believed that their banks kept documentation describing each application
system, including narrative material, flow charts and program listings. A lower
percentage of the respondents (50%) believed that the documentation kept in their
banks described what was needed to run a program, including the equipment
configuration, programs and data files, as well as the procedures to set up and
execute the job. 70% of the respondents reported that users were provided with
instructions for communicating potential security breaches to the information
security team, so that these incidents could be monitored and evaluated. Again, a
lower percentage (56.7%) claimed that the existing documentation contained procedures
that ensured that issues of non-compliance with system security policies were
promptly addressed and that corrective measures were taken on a timely basis.
Table 8
Documentation standards (Frequencies)
# | Control Procedure | Does not exist (Freq. / Percent) | Exists (Freq. / Percent)
35 | Well-defined standards and procedures for data processing, including the justification and authorization of new systems and system changes, standards for system analysis, design and programming, and procedures for file handling and storage. | 3 / 10.0% | 27 / 90.0%
36 | Documentation describes each application system, including narrative material, flow charts and program listings. | 12 / 40.0% | 18 / 60.0%
The empirical results of this section are consistent with the fourth COSO
component, information and communication, which should provide a clear
understanding of individuals' roles and responsibilities. They also emphasize the
importance of the SysTrust 2.0 "Policies" criterion, which aims to document and
define the company's policies.
Table 9
Disaster recovery plan components (Frequencies)
# | Control Procedure | Does not exist (Freq. / Percent) | Exists (Freq. / Percent)
40 | A plan identifying the applications, hardware and software necessary to keep the organization running in emergency cases, and the sequence as well as the timing of all recovery activities. | 8 / 26.7% | 22 / 73.3%
41 | The DRP provides the ability to recover the lost or destroyed files when a disaster occurs. | 7 / 23.3% | 23 / 76.7%
42 | The DRP defines the responsible individuals or teams implementing the different DRP activities. | 11 / 36.7% | 19 / 63.3%
43 | The DRP provides ready backup facilities; these backup facilities can be provided through spare hardware, subcontract agreements, or a reciprocal agreement with an organization that has compatible facilities. | 9 / 30.0% | 21 / 70.0%
44 | Uninterruptible power supply (UPS) units to supply power during power outages. | 0 / 0.0% | 30 / 100.0%
45 | Insurance covers the cost of business interruption resulting from computer disasters. | 12 / 40.0% | 18 / 60.0%
All of the disaster recovery plan procedures, which were drawn from Jacob & Weiner
(1997), Romney & Steinbart (1999) and Moscove & Stephan (2001), have an acceptable
existence percentage.
Again, 100% of the respondents claimed that their banks installed firewalls (software
& hardware) to control and protect communication between the internal network and
external networks (e.g. the Internet). 63.3% of the respondents believed that their
banks assigned a specific ceiling (e.g. 2000 JD) for the monetary transactions that
went through the e-banking service. Only 43.3% of the respondents reported that their
banks provided two user IDs for the e-banking service, one ID for general inquiries
and the other for transfers and monetary transactions. A higher percentage of the
respondents (66.7%) believed that the user's account was activated only after a
successful login that was encrypted through a 128-bit SSL session. Additionally,
76.7% of the respondents claimed that monetary transfers in their banks were
restricted to accounts in the same bank. Merely half of the respondents believed
that the unused e-banking accounts in their banks were purged automatically by the
bank system. The majority of the respondents (83%) reported that login access in
their banks was terminated after three unsuccessful login attempts. On the other
hand, 76.7% of the respondents believed that their bank used 128-bit secure sockets
layer (SSL) encryption for the transmission of private or confidential information
over public networks, including user IDs and passwords. Furthermore, users were
required to update their browser to the latest version tested and approved by the
security administrator.
Table 10
Internet, communications and e-Banking controls (Frequencies)
# | Control Procedure | Does not exist (Freq. / Percent) | Exists (Freq. / Percent)
46 | Antivirus software is in place, including virus scans of incoming e-mail messages. Virus signatures are updated at least weekly. | 0 / 0.0% | 30 / 100.0%
47 | Firewalls (hardware & software) installed to control and protect communications between the internal network and external networks such as the Internet. | 0 / 0.0% | 30 / 100.0%
48 | Limit the electronic monetary transactions to (e.g. 2000 JD) per day. | 11 / 36.7% | 19 / 63.3%
49 | Each e-banking user has two IDs, one for general inquiries and the other for transfers and monetary transactions. | 17 / 56.7% | 13 / 43.3%
50 | Account activation, subsequent to successful login, is encrypted through a 128-bit SSL session. Users are logged out on request (by selecting the "Sign-out" button on the website) or after 10 minutes of inactivity. | 10 / 33.3% | 20 / 66.7%
51 | Monetary transfer capabilities are restricted to the accounts in the same bank (sender and receiver in the same bank). | 7 / 23.3% | 23 / 76.7%
All respondents believed that their banks controlled access to sensitive
information and restricted it only to the authorized users during the authorized
time. A lower percentage of the respondents (86.7%) reported that sensitive computer
output in their banks was secured in a locked cabinet. Only 60% of the respondents
believed that the system output was stamped with the date and time. Also, 83.3% of
the respondents reported that their banks performed the printing and distribution of
data and information under proper supervision and only by authorized persons in the
bank. On one hand, 76.7% of the respondents believed that shredding machines were
available and used for sensitive data disposal, while 70% of the respondents reported
that shredding these sensitive documents was restricted only to security-cleared
personnel. Lastly, 76.7% of the respondents claimed that their banks performed
random output/input auditing on a regular basis in order to verify correct processing.
Table 11
Output security controls (Frequencies)
# | Control Procedure | Does not exist (Freq. / Percent) | Exists (Freq. / Percent)
55 | Authorized access to sensitive information should be controlled and restricted only to the authorized users during the authorized time. | 0 / 0.0% | 30 / 100.0%
56 | Sensitive computer output secured in a locked cabinet. | 4 / 13.3% | 26 / 86.7%
57 | Hard copy output stamped automatically with date/time. | 12 / 40.0% | 18 / 60.0%
58 | Printing and distributing data and information performed under proper supervision and only by authorized persons in the bank. | 5 / 16.7% | 25 / 83.3%
59 | Shredding machines are available and used for disposal of confidential data. | 7 / 23.3% | 23 / 76.7%
60 | Shredding sensitive documents is restricted to security-cleared personnel. | 9 / 30.0% | 21 / 70.0%
61 | Random output/input auditing regularly conducted to verify correct processing (e.g. check book order against actual printed check books). | 7 / 23.3% | 23 / 76.7%
The following section focuses on the statistical findings concerned with the
hypothesis testing. To test the first hypothesis and its related minor hypotheses,
the Z-test for proportion was conducted, as can be seen in the following table.
Table 12
Z-test for percent differences
Dimension | Norms | Percent | N | Z Value | P
Fraud and error reduction control | 65% | 91% | 30 | 2.98 | 0.002
Physical access | 70% | 79% | 30 | 1.05 | 0.29
Logical access | 70% | 78% | 30 | 1.08 | 0.28
The developed norms††† are used as a cut-off point for the minimum accepted
percentage of applying CS standards, where a bank is considered to be applying an
effective control system if its own CS standards evaluation percentage exceeds this
norm. We then tested for significant differences between the applied percentage in
the Jordanian domestic banks and these norms using the Z-test for proportion.
From Table (12), the p-value is less than 0.05 for fraud and error reduction
controls. This means that there is a significant difference between the accepted
norm (65%) and the applied percentage (91%). The Z value is also higher than 1.96,
which means it falls in the rejection area. All of this leads us to reject the null
hypothesis, which implies that the Jordanian domestic banks are using effective
fraud and error reduction controls.
The p-value is more than 0.05 for (Physical access, Logical access, Data security,
Documentation standard, Disaster Recovery, Internet, communication and E-Control,
Output security controls), and the Z values for them were in the acceptance area
(-1.96 < Z < 1.96), which means that there are no significant differences.
Consequently, the researchers conclude that the Jordanian domestic banks are not
using effective control procedures for (Physical access, Logical access, Data
security, Documentation standard, Disaster Recovery, Internet, communication and
E-Control and Output security controls).
According to the above-mentioned results, we accept the main null hypothesis, which
stated: "Domestic Banks are not using effective Control Systems on their
Computerized Accounting Information System."
To test the second hypothesis, we used the Chi-square test, as shown in Appendix
(1). The Chi-square results show that there is no difference between the EDP
controllers' and the internal auditors' opinions in respect of the CAIS control
system effectiveness level. Accordingly, the null hypothesis is accepted.
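Added illustration, not the authors' code: the two tests the paper reports, a one-sample Z-test for a proportion for Table 12 and a Pearson chi-square test on each 2x2 table of Appendix (1), implemented with only the Python standard library. The exact formulas are assumptions, chosen because they reproduce the reported figures to rounding (Z of about 2.99 for fraud controls; chi-square of 0.60, 0.16 and 1.22 for questions 12, 7 and 49, where the paper's tables truncate some last digits).

```python
"""Z-test for a proportion (Table 12) and 2x2 chi-square (Appendix 1).

Assumptions: the Z-test uses the norm (null proportion) in the standard
error, and the chi-square is Pearson's without Yates correction. Normal
tail areas come from math.erfc, so nothing outside the stdlib is needed.
"""
import math


def z_test_proportion(applied: float, norm: float, n: int):
    """Is the applied percentage significantly different from the norm?

    Returns (z, two_tailed_p). With applied=0.91, norm=0.65, n=30 this
    gives z of about 2.99, matching the paper's 2.98 to rounding.
    """
    se = math.sqrt(norm * (1.0 - norm) / n)   # standard error under H0
    z = (applied - norm) / se
    p = math.erfc(abs(z) / math.sqrt(2.0))    # two-tailed normal tail area
    return z, p


def effective(applied: float, norm: float, n: int, alpha: float = 0.05):
    """The paper's decision rule: reject H0 when p < 0.05 (|Z| > 1.96)."""
    return z_test_proportion(applied, norm, n)[1] < alpha


def chi_square_2x2(a: int, b: int, c: int, d: int):
    """Pearson chi-square (1 df) for one Appendix (1) question.

    a, b = 'does not exist' counts for IT staff and internal auditors;
    c, d = 'exists' counts for the same two groups. Returns (chi2, p),
    using P(X > chi2) = erfc(sqrt(chi2 / 2)) for one degree of freedom.
    """
    n = a + b + c + d
    denom = (a + b) * (c + d) * (a + c) * (b + d)
    if denom == 0:   # an empty row (all 15/15 answered alike): no test
        return 0.0, 1.0
    chi2 = n * (a * d - b * c) ** 2 / denom
    return chi2, math.erfc(math.sqrt(chi2 / 2.0))


if __name__ == "__main__":
    # Figures taken from Table 12: dimension, norm, applied percentage.
    for name, norm, applied in [("Fraud and error reduction", 0.65, 0.91),
                                ("Physical access", 0.70, 0.79),
                                ("Logical access", 0.70, 0.78)]:
        z, p = z_test_proportion(applied, norm, 30)
        print(f"{name}: Z={z:.2f} p={p:.3f} "
              f"effective={effective(applied, norm, 30)}")
    # Appendix (1), question 12: 4 vs 6 'does not exist', 11 vs 9 'exists'.
    chi2, p = chi_square_2x2(4, 6, 11, 9)
    print(f"Question 12: chi2={chi2:.2f} p={p:.2f}")   # about 0.60 and 0.44
```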
CONCLUSION
The research showed that Jordanian domestic banks make effective use mainly of fraud
and error reduction controls, while they do not do enough with regard to the other
dimensions (Physical access, Logical access, Data security, Documentation standard,
Disaster Recovery, Internet, communication and E-Control and Output security
controls).
††† Norms equal the materiality weights previously mentioned in the methodology section.
The analysis indicates that there are no differences between the heads of computer
departments' and the internal auditors' perceptions of the effectiveness level of
CAIS control systems across its dimensions.
REFERENCES
Moscove, Stephen A., "E-Business Security and Controls", CPA Journal, Vol. 71,
Issue 11, November 2001.
Jacob, J. and Weiner, S., "The CPA Role in Disaster Recovery Planning", CPA Journal,
Vol. 67, Issue 11, November 1997.
Appendix (1)
Chi Square results for Security Controls
Question | Does not exist (IT / Internal Auditor) | Exists (IT / Internal Auditor) | z | p
1 | - / - | 15 / 15 | 0.00 | 1.00
2 | - / - | 15 / 15 | 0.00 | 1.00
3 | 4 / 6 | 11 / 9 | 0.700 | 0.35
4 | 5 / 5 | 10 / 10 | 0.00 | 1.00
5 | 1 / 1 | 14 / 14 | 0.00 | 1.00
6 | 1 / 1 | 14 / 14 | 0.00 | 1.00
7 | 4 / 5 | 11 / 10 | 0.15 | 0.69
8 | 6 / 5 | 9 / 10 | 0.14 | 0.70
9 | 4 / 3 | 11 / 12 | 0.18 | 0.66
10 | 5 / 4 | 10 / 11 | 0.15 | 0.69
11 | 15 / 15 | - / - | 0.00 | 1.00
12 | 4 / 6 | 11 / 9 | 0.60 | 0.43
13 | 1 / - | 14 / 15 | 1.03 | 0.39
14 | 1 / 2 | 14 / 13 | 0.37 | 0.54
15 | 2 / 3 | 13 / 12 | 0.24 | 0.62
16 | 5 / 6 | 10 / 9 | 0.14 | 0.70
17 | 2 / 4 | 13 / 11 | 0.83 | 0.36
18 | 5 / 5 | 10 / 10 | 0.00 | 1.00
19 | 6 / 6 | 9 / 9 | 0.00 | 1.00
20 | 4 / 5 | 11 / 10 | 0.15 | 0.69
21 | 1 / 2 | 14 / 13 | 0.37 | 0.54
22 | 5 / 5 | 10 / 10 | 0.00 | 1.00
23 | - / - | 15 / 15 | 0.00 | 1.00
24 | 3 / 3 | 12 / 12 | 0.00 | 1.00
25 | 4 / 5 | 11 / 10 | 0.15 | 0.69
26 | 4 / 6 | 11 / 9 | 0.60 | 0.43
27 | 4 / 6 | 11 / 9 | 0.60 | 0.43
28 | - / - | 15 / 15 | 0.00 | 1.00
29 | 4 / 4 | 11 / 11 | 0.00 | 1.00
30 | 1 / 1 | 14 / 14 | 0.00 | 1.00
31 | 3 / 4 | 12 / 11 | 0.188 | 0.66
32 | 6 / 7 | 9 / 8 | 0.13 | 0.71
33 | 4 / 4 | 11 / 11 | 0.00 | 1.00
34 | 1 / 1 | 14 / 14 | 0.00 | 1.00
35 | 2 / 1 | 13 / 14 | 0.37 | 0.54
36 | 6 / 6 | 9 / 9 | 0.00 | 1.00
37 | 7 / 8 | 8 / 7 | 0.13 | 0.71
38 | 3 / 6 | 12 / 9 | 1.42 | 0.23
39 | 7 / 6 | 8 / 9 | 0.45 | 0.65
40 | 4 / 4 | 11 / 11 | 0.00 | 1.00
41 | 4 / 3 | 11 / 12 | 0.18 | 0.66
42 | 5 / 6 | 10 / 9 | 0.14 | 0.70
43 | 4 / 5 | 11 / 10 | 0.15 | 0.69
44 | - / - | 15 / 15 | 0.00 | 1.00
45 | 5 / 7 | 10 / 8 | 0.45 | 0.55
46 | - / - | 15 / 15 | 0.00 | 1.00
47 | - / - | 15 / 15 | 0.00 | 1.00
48 | 5 / 6 | 10 / 9 | 0.14 | 0.70
49 | 10 / 7 | 5 / 8 | 1.22 | 0.26
50 | 5 / 5 | 10 / 10 | 0.000 | 1.00
51 | 4 / 3 | 11 / 12 | 0.18 | 0.66
52 | 6 / 8 | 9 / 7 | 0.34 | 0.72
53 | 3 / 2 | 12 / 13 | 0.24 | 0.62
54 | 4 / 3 | 11 / 12 | 0.18 | 0.66
55 | 2 / 2 | 13 / 13 | 0.00 | 1.000
56 | 2 / 2 | 13 / 13 | 0.00 | 1.000
57 | 6 / 6 | 9 / 9 | 0.00 | 1.000
58 | 3 / 2 | 12 / 13 | 0.24 | 0.62
59 | 4 / 3 | 11 / 12 | 0.18 | 0.66
60 | 4 / 5 | 11 / 10 | 0.15 | 0.69
61 | 4 / 3 | 11 / 12 | 0.18 | 0.66