
Journal of Accounting – Business & Management 13 (2006) 39-68

Evaluation of the Effectiveness of Control Systems in Computerized Accounting Information Systems: An Empirical Research Applied on Jordanian Banking Sector
Talal H. Hayale*
Husam A. Abu Khadra†

Abstract

The objective of this study is to evaluate the level of Control Systems effectiveness in the Computerized Accounting Information Systems (CAIS) implemented in the Jordanian banking sector to preserve the confidentiality, integrity and availability of the banks' data and their CAIS.
An empirical survey using a self-administered questionnaire has been carried out to achieve the above-mentioned objectives. The study results reveal that Jordanian domestic banks are using effective fraud and error reduction controls. The study also reveals that these banks are lacking in the application of the other Control System dimensions (Physical access, Logical access, Data security, Documentation standards, Disaster Recovery, Internet, communication and E-Control, and Output security controls). The study's main recommendation is for Jordanian domestic banks to strengthen the CAIS control system across all dimensions, in order to avoid any possible threats to their CAIS.

Keywords: AIS, computerised, control, effectiveness, evaluation, Jordan

I. INTRODUCTION

Computerized Accounting Information Systems (CAIS) encounter serious security threats that may arise from the weakness of their Control Systems (CS) or from the nature of the competitive environment (the Information Age), in which the need for information is greater. At the same time, the very survival of organizations depends on the correct management, security and confidentiality of their information (Eduardo and Marino, 2004), while information assets constitute a significant proportion of an entity's market value (ITGI, 2001).
Consequently, security threats related to CAIS require great attention from auditors and accountants, so that they can be recognized and minimized by evaluating the organization's CS (Greenstein and Vasarhelyi, 2000).
Many efforts have appeared in this area, reflecting increasing interest, especially among auditors, in evolving the audit model toward a more action-driven method of control, revision and assurance (Timothy et al., 1998). Several professional committees have undertaken

* Talal H. Hayale. Associate Professor. Arab Academy for Banking and Financial Sciences, Amman, Jordan.
† Husam Abu Khadra. Assistant Professor. Arab Academy for Banking and Financial Sciences, Amman, Jordan.



this endeavor, even if late, such as the AICPA, which published SAS No. 94‡ in 2001. However, these initiatives were in the form of general instructions, and nothing specific emerged that could be considered detailed guidance for auditors in their work (Boynton, 2001; Kinsun Tam, 2002).
In 2002 the Sarbanes-Oxley Act called for "real time" disclosure of information on material changes in the financial condition or operations of publicly held companies. As a consequence, organizations are more concerned with the timeliness and quality of financial performance information (Uday, 2004). Accordingly, the responsibility placed on the accounting profession has increased dramatically: to quickly recognize and assess the risks associated with Control Systems (CS) in the IT environment and to define a detailed security controls checklist to be met, because in many cases the technology has developed faster than the advancement in CS (Ryan and Bordoloi, 1997).
The objective of this paper is to evaluate the Computerized Accounting Information Systems (CAIS) Control Systems (CS) in the Jordanian banking sector and to measure their effectiveness. This study also aims to identify whether there are significant differences among the respondents in the study sample (Internal Auditors and Heads of Computer Departments (HOCD)) with respect to the effectiveness level of CS. While the issue of creating an overall effectiveness measurement to evaluate the CAIS Control System has received considerable research attention in North America and Europe, studies based on international experience, especially in developing countries, are relatively rare. We are unaware of any study evaluating the CAIS Control System in Jordan that addresses the creation of an overall effectiveness measurement from the points of view of both the internal auditors of the companies and the IT specialists. Hence the results of this study can provide valuable insights and lead to a better understanding of the perceptions of each of these two major groups towards creating an overall effectiveness measurement to evaluate CAIS Control System practices in a less developed country.
This study, to the best of the researchers' knowledge, is the first that attempts to create an overall effectiveness measurement for evaluating the CAIS Control System by specifying all the components that should exist in an effective control system in the Jordanian banking sector.
Following consultations with experts in this field, a questionnaire was developed for the purpose of this study to evaluate the general CAIS control procedures that would apply to all CS and affect all computer applications in the organization. This questionnaire covers the different parts of CS in CAIS.
This research attempts to answer the following questions: (1) What is the actual practice in the Jordanian domestic banks regarding information CS? In addition, are these CS adequate to protect the domestic banks against perceived security threats? (2) Are there significant differences among the respondents in the research sample

‡ AICPA, Auditing Standards Board. "SAS No. 94: The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit". April 2001. This SAS highlights the effect of information technology on the auditor's consideration of internal control in a financial statement audit; moreover, it provides guidance to auditors about the effect of IT on internal controls that are programmed or built into the software, and confirms that these controls should be tested and included in the audit strategy.

(Internal Auditors and HOCD) regarding the effectiveness level of the CAIS that are implemented in the Jordanian domestic banks?
The concept of internal control or security is as old as accounting itself (Henry, 1997); however, attention has been paid to it since the beginning of the twentieth century. In early times, the purpose of accounting was to record monetary transactions and then report them in useful and accurate forms (Lee, 1971). However, that reporting was simple and was only prepared for internal use, because most companies were individual or family companies.
Later, these primary forms of financial reporting developed dramatically into the shape of the current financial statements, which became the major or even the sole source of information for the owners and other related parties such as lenders. Consequently, the need to ensure the accuracy of these statements led the profession to start seeking a control system that guarantees not only accurate reporting but also the achievement of the company's goals.
The profession's reaction to these changes started early in the twentieth century; the first formal definition of Security Controls or Control Systems appeared in the 1947 publication by the AICPA entitled "Internal Control", which mentioned three factors contributing to the expanding recognition of the significance of internal control (Boynton et al., 2001).
Previous studies also defined the concept of internal control. One of the earliest was Grady (1957), who defined internal control as "the organization plan and procedures which are used within the business to (1) safeguard its assets from loss by fraud or unintentional errors (2) check the accuracy and reliability of the accounting data that are used in making decisions (3) promote operational effectiveness and encourage adherence to adopted policies in those areas in which the accounting and financial departments have responsibility, directly or indirectly".
The theory of internal control has undergone major reappraisals and changes during the last decade. These changes began in 1988, when the AICPA issued SAS No. 55, which describes internal control in terms of its three major components: control environment, accounting system and control procedures. Four years later, the Committee of Sponsoring Organizations (COSO)§ issued the Internal Control Integrated Framework, in which internal control was characterized by five components: control environment, control activities, risk assessment, information & communication, and monitoring. In the meantime, the concept of internal control evolved from a "structure" into a "process", making it both broader and more dynamic. Subsequently, in 1995, the American Institute of Certified Public

§ COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent
Financial Reporting, an independent private sector initiative which studied the causal factors
that can lead to fraudulent financial reporting and developed recommendations for public
companies and their independent auditors, for the SEC and other regulators, and for
educational institutions. The National Commission was jointly sponsored by five major
professional associations in the United States, the American Accounting Association, the
American Institute of Certified Public Accountants, Financial Executives International, The
Institute of Internal Auditors, and the National Association of Accountants (now the Institute
of Management Accountants). The Commission was wholly independent of each of the
sponsoring organizations, and contained representatives from industry, public accounting,
investment firms, and the New York Stock Exchange.

Accountants (AICPA) adopted COSO's definition and its five components of internal control and issued SAS No. 78 to supplement SAS No. 55 (Curtis and Borthick, 1999).
In addition, the COSO reports and AU 319.07** consider five interrelated components of internal control that are derived from the way management runs a business and are integrated with the management process (Vallabhaneni, 2001). These five components are:
A. Control Environment
B. Risk Assessment
C. Control Activities
D. Information and Communication
E. Monitoring

Few studies have focused on the CAIS control system and how it differs from the manual one. Kinsun (2002) considered that the rapid adoption of information technology by business has not changed the basic need for internal control but has extended the role of IT-based internal controls. In other words, Kinsun believed that the development in internal controls should be in the control procedures, without changing the internal control framework.
In 2000, ISACF†† developed COBIT‡‡, a framework of generally applicable IS security and control practices for information technology control. This framework allows management to benchmark the security and control practices of the IT environment. Additionally, it ensures that adequate security and controls exist (Lainhart & John, 2000).
However, control objectives under COBIT are defined in a process-oriented manner following the principle of business reengineering. This type of control is exercised at the domain and process level. The "IT control" concept is adapted by the ISACF Report and defined as "A statement of the desired results or purpose to be achieved by implementing control procedures in a particular IT activity." This control is exercised at the IT activity level (Curtis and Borthick, 1999).
The COBIT IT domain consists of four parts: planning & organization, acquisition & implementation, delivery & support, and monitoring. Thirty-four IT processes are identified within the four domains.
Activities within processes are also identified; these are the activities dealing with day-to-day IT routines. The central control objective is to link IT domains, processes and activities to the entity's operational processes and activities. The IT objective is basically to facilitate the accomplishment of business objectives. Business objectives are referred to as "Business Requirements for Information", which include the following:
- Quality requirements (quality, cost and delivery).
- Fiduciary requirements, as defined by COSO (effectiveness and efficiency of operations, reliability of information and compliance with laws and regulations).
- Security requirements (confidentiality, integrity and availability).

** Statement on Auditing Standards: AU Section 319: Consideration of Internal Control in a Financial Statement Audit.
†† The Information System Audit and Control Foundation.
‡‡ Control Objectives for Information and related Technology.

II. LITERATURE REVIEW

Examining the literature concerned with the effectiveness evaluation of CAIS control systems reveals the scarcity of available studies in this particular area of research. One reason for this is that the area is relatively new. Also, most of the studies in this field are conducted at a micro level and are connected with consolidated studies from the fields of business management, computer science and sometimes engineering; they are usually in the form of reports or descriptive studies, and rarely empirical ones.
Starting with the textbooks, Romney and Steinbart (1999) listed twelve points of general controls that should exist in the CS in order to achieve its goals effectively; these twelve controls are:

1. Developing security plans.
2. Segregation of duties within the system function.
3. Project development controls.
4. Physical access controls.
5. Logical access controls.
6. Data storage controls.
7. Data transmission controls.
8. Documentation standards.
9. Minimizing system downtime.
10. Disaster recovery plans.
11. Protection of personal computers and client/server networks.
12. Internal controls.

They provided an empirical justification for each control and specified the threats that each control procedure could prevent, which gives credibility and a greater chance of finding these controls in practice. Furthermore, Boockholdt (1999) mentioned four categories of general controls, as follows:

- Data center operation controls. These include Data Backup Procedures, Contingency Plans (DRP) and Segregation of Duties.
- System software acquisition and maintenance controls.
- Access security controls.
- Application system development and maintenance controls. These controls are: formal review and authorization of each new system, adequate documentation for manual and programmed procedures, a plan for testing each new system adequately, and authorization and documentation for changes to existing systems.

Boockholdt (1999) classified the system software acquisition and maintenance controls into two main sections:

Fixed Responsibilities
A) Network administration. Selecting and updating network communication software.
B) PC help center. Answering users' questions on personal computers, scheduling maintenance.
C) Database administration. Selecting and updating software, limiting access to data, maintaining efficiency.
D) Web administrator. Determining the content of the website, implementing security in electronic commerce.

Policies and Procedures
A) Screen applicants. Technical knowledge becomes outdated quickly.
B) Information systems steering committee. Review software acquisition decisions.
C) Standard PC configurations. Software and hardware the organization approves to support.

Generally, both Romney and Steinbart (1999) and Boockholdt (1999) make similar points but with different classifications for the main groups, and sometimes different names for the same detailed procedure (e.g. Contingency Plan instead of Disaster Recovery Plan, DRP). The current study depends mainly on Romney's categorization, and formulates a detailed procedure list for each category.
In the following section we review the available peer-reviewed studies, starting with those that cover partial areas of CS evaluation and ending with those that cover this area more comprehensively.
Jacob & Weiner (1997) carried out a theoretical study in which they listed eleven points for building an effective Disaster Recovery Plan (DRP). According to Jacob et al., these points ensure the building of a comprehensive DRP, respond to the worst-case scenario and enable organizations to recover their operations quickly. These points are:
1. Define mission-critical company functions and establish a hierarchy of operational importance.
2. List the critical personnel and their job functions.
3. List the equipment needs of critical persons.
4. Determine a site relocation contingency.
5. Establish a recovery event task list.
6. Document current computer data backup methods and frequencies.
7. Identify those hard-copy documents which are vital to the company and cannot be re-created electronically, and provide solutions to eliminate susceptibility to loss of such documents.
8. Identify mission-critical items vital to company operations which would be required in the event of a disaster emergency.
9. Form an internal emergency response ("crisis") committee with employees assigned to specific crisis functions.
10. Create a crisis management "media kit".
11. Create a systematic schedule for updating the plan.

Warigon (1998) conducted a theoretical study in which he clarified a group of protective measures that should exist to safeguard data warehouses. These measures can be summarized as follows:
- The Human Wall: a proper number of computer security staff should exist.
- User Access Classification: data warehouse (DW) users should be classified as General Access Users, Limited Access Users or Unlimited Access Users.
- Access Controls: end-users can access only the data or programs for which they have legitimate privilege.
- Integrity Controls: these controls include well-designed and tested disaster recovery plans.
- Data Encryption: encryption of the sensitive data in the DW to ensure that the data is accessed on an authorized basis only.
- Partitioning: a mechanism should be developed to partition sensitive data into separate tables, so that only authorized users can access these tables according to their needs.

Buttross and Ackers (1990) conducted a theoretical study in which they discussed microcomputer security practice. In addition, their study provided a security controls checklist that could be used to help internal auditors in evaluating computer security, which helps in identifying security weaknesses and correcting them. The checklist was designed for small and medium-sized companies. It included four security controls categories, each comprising several security control elements. These categories are:
- Organizational controls.
- Hardware controls.
- Software controls.
- Data and data integrity controls.

Dougan (1994) suggested an internal control checklist for computer systems. This checklist could be used to check the security controls in place, and to ensure that the implemented security procedures are sufficient and effective to prevent computer data losses. Dougan grouped his checklist into four main categories:
- Computer room site (physical access).
- Documentation.
- Maintenance.
- Protection.

Henry (1997) carried out a survey of 261 companies in the US to determine the nature of their accounting systems and the security in use. Seven basic security methods were presented in his study: encryption, password access, backup of the data, virus protection, authorization for system changes, physical system security and periodic audit. Henry's results indicated that 80.3% of the companies back up their accounting systems and 74.4% secure their accounting systems with passwords, while only 42.7% use antivirus software in their systems. The results also revealed that less than 6% of the companies use data encryption; lastly, 45% of the companies underwent some sort of periodic audit of their accounting information systems.
Another study, carried out by Qurashi & Siegel (1997), stressed the accountant's responsibility to check the security of the computer system. The researchers carried out a theoretical study to develop a security checklist. This list covers four security controls groups: Client policy, Software security, Hardware security and Data security.
Cerullo and Michael (1999) conducted a survey using a questionnaire of twenty potential security and control mechanisms, which was circulated among the audit directors of two hundred Fortune companies in the US. These mechanisms were placed by the Cerullo study in four categories, namely Client-based, Network-based, Server-based and Application-based.

Hardy et al. (2000) examined information system (IS) managers' and computerized information system (CIS) auditors' judgments of the relative importance of elements of the internal control structure for EDI systems, using the analytic hierarchy process (AHP).
The data were collected by a self-administered questionnaire by means of a mail survey. The target population comprised IS managers and CIS internal auditors from organizations which were members of Tradegate ECA, and CIS external auditors from the Big Six accounting firms. The survey yielded 54 responses from 159 questionnaires mailed, of which 48 were usable.
The results indicate that there is a lack of consensus between IS managers and CIS auditors on encryption techniques and operational security controls, and this requires further investigation. For example, in areas where IS managers perceive controls to be less important than CIS auditors do, there may be a weakness in control because the IS manager did not consider it worthwhile or cost-effective enough to implement what the CIS auditor considers to be sufficient control. The reverse may also be true, i.e., unnecessary controls may have been implemented. If so, discontinuing the operation of the unnecessary controls may result in cost savings.
Moscove and Stephan (2001) consider that e-business organizations should maintain a group of control procedures to protect their systems from any possible threats; such procedures include:
1. Physical access control procedures.
2. Password control procedures.
3. Data encryption, such as public key encryption.
4. Disaster recovery plan (DRP).
5. Software-based security controls, such as firewalls.
6. Intrusion detection software to detect unauthorized entrance into the system.

Abu Musa (2004) performed an empirical study to investigate the adequacy of the Security Controls implemented in the Egyptian banking industry (EBI), where the respondents were restricted to the heads of the computer departments and the heads of the internal audit departments. Abu Musa tried to check whether the Security Controls applied in the EBI are adequate to protect against the perceived security threats, using a self-administered checklist.
The CAIS security checklist included eighty security procedures, which were categorized under the following ten groups:
1. Organizational information security controls.
2. Hardware and physical access security controls.
3. Software and electronic access security controls.
4. Data and data integrity security controls.
5. Off-line programs and data security controls.
6. Utility security controls.
7. Bypassing of normal access security controls.
8. User programming security controls.
9. Division of duties.
10. Output security controls.

Abu Musa's (2004) results revealed that the heads of computer departments paid relatively more attention to the technical problems of CAIS security controls, whereas the heads of internal audit departments emphasized behavioral and organizational security controls rather than the technical problems of the CAIS security controls.
Sung et al. (2004) proposed a decision support system to help auditors in risk assessment, which is currently based on their professional judgment rather than on objective rules and criteria.
This system is based on the Case-Based Reasoning (CBR) model, a problem-solving paradigm used especially when the domain rules are incomplete, ill-defined and inconsistent. CBR is able to utilize the specific knowledge of previously experienced concrete cases. Sung's system is also based on the COSO report, SAS Nos. 55, 78 and 94, the TeamAsset checklist established by Pricewaterhouse, and the opinion of experts who have engaged in auditing practice for more than 10 years, to define the factors that affect both the "Control Environment" and the "IT environment and monitoring factors".
The above-mentioned factors are broken down into six factor categories; these categories are:
1. Organization Rules and Responsibilities.
2. Overall monitoring.
3. IT Function and Organization.
4. System characteristics.
5. IT Monitoring Control.

These categories are broken down into twenty-three factors and then into fifty-six indexes, weighted by materiality.
Applying these indexes to actual cases, the researchers extract validation results (hit ratio) to be used in estimating the risk level associated with each internal auditing case. To validate the performance of CRAS-CBR, 137 Korean companies' cases were collected and indexed from actual cases in the manufacturing industry for the year 1999. The approach of this study and the indexes (questions) used depend on the respondents' knowledge of the questioned figures instead of asking them about the existence of a specific control procedure. Such an approach cannot be used efficiently if the respondent is not well educated about the dimension in question.
Recently, Boritz (2005) conducted an extensive review of the literature to identify the key attributes of information integrity and related issues; he then brought together two focus groups of experienced practitioners to discuss the documented findings extracted from the literature review, through a questionnaire examining the core concepts of information integrity and its elements. Boritz (2005) considered information security (as distinct from confidentiality) as one of the core attributes of information integrity; this security should cover the following areas: Physical access controls and Logical access controls.
The results indicated that security had a lower impairment severity score than several other practical aspects such as availability and verifiability. Boritz attributes such findings to the effective use of security controls in the organizations represented.
Coe (2005) in his study focused on the fulfillment of the Sarbanes-Oxley Act of 2002, which requires public companies to report on the effectiveness of their internal control systems.
Coe explained in this study that American companies are using COBIT for Sarbanes-Oxley Act 2002 compliance, because its objectives have been mapped to COSO in a publication entitled IT Control Objectives for Sarbanes-Oxley. COBIT has also been mapped to popular enterprise resource planning (ERP) systems such as SAP, Oracle and PeopleSoft. This mapping and the related guidance provide COBIT framework references and methodologies for auditing and testing the major ERP systems.
But it was decided later to use the SysTrust service to ensure that the company's systems carry out business processes reliably. Here Coe established a five-step process showing how CPAs can use the trust services framework to evaluate a company's IT controls when the entity primarily uses the COSO approach. These steps are:
1. Use the COSO framework to identify the risks in each business cycle and the controls that mitigate them.
2. Gather initial IT information.
3. Identify all information systems that relate to financial reporting.
4. Use the trust services framework to create one overall IT matrix.
5. Assess the controls identified in the matrixes created above.

Finally, Martin (2005) mentions the same steps in his study, in which he tried to explain how an information systems auditor can use the AICPA/CICA trust services framework to evaluate internal controls, particularly controls over information technology.

The Research Hypotheses

The current research examines the following research hypotheses in null form:
H1₀: Jordanian domestic banks do not have effective Control Systems on their Computerized Accounting Information Systems.
This hypothesis can be divided into the following null hypotheses:
1.1 Jordanian domestic banks do not have effective Fraud and Error Reduction Controls.
1.2 Jordanian domestic banks do not have effective Physical Access Controls.
1.3 Jordanian domestic banks do not have effective Logical Access Controls.
1.4 Jordanian domestic banks do not have effective Data Security Controls.
1.5 Jordanian domestic banks do not have effective Documentation Standards.
1.6 Jordanian domestic banks do not have effective Disaster Recovery Plans.
1.7 Jordanian domestic banks do not have effective Internet, Communications and e-Banking Controls.
1.8 Jordanian domestic banks do not have effective Output Security Controls.

H2₀: There are no significant differences among the respondents in the study sample (Internal auditor / HOCD) with respect to the CAIS Control Systems effectiveness level in the domestic banks.

III. METHODOLOGY

The research population consists of all Jordanian domestic banks (local and
foreign). The number of domestic banks in Jordan is twenty-three banks; three of
which were excluded from this research because of their recent establishment (they
were established only in 2005). The research covered only the banks headquarters
where the targeted respondents were expected to exist. The targeted respondents
represent the parties that had the ability and knowledge to address it; therefore, the
questionnaire was distributed to the internal auditors and head of computer
departments HOCD. Forty questionnaires were distributed; thirty were received in a
usable format.
One way to assess the potential for non-response bias is to compare data from
late respondents to data from on-time respondents as in Oppenheim (1992) and
Wallace and Mellor (1988). In our study, five responses were received following a
reminder. Those late responses were not significantly different from other responses
in any of the analyses reported in the results section.
The data is collected by using a self-administrated questionnaire that was
designed after a preliminary observation on the practice. The questionnaire reviews
the existence of all general functions and procedures that guarantee CS to be effective
in achieving its goals. Using such methodology to obtain the CAIS control systems
effectiveness minimize respondents bias that may arise if they were asked directly to
indicate whether their control systems achieve it goals or not.
The above mentioned procedures and functions are categorized under the
following eight categories according to their functions or goals:
1. Fraud and error reduction control.
2. Physical access.
3. Logical access.
4. Data security controls.
5. Documentation standards.
6. Disaster Recovery Plan.
7. Internet, communication and e-banking controls.
8. Output security controls.

To investigate research instrument validity, professionals and academics were
consulted. They were asked to check whether the suggested security controls and
procedures that exist in the research questionnaire represent essential elements in
an effective control system. They were also asked to confirm that each point (control
procedure) is categorized under the correct and representative group. Finally, the
experts were asked to suggest a weight§§ for each control procedure within its group,
where the total score for each group does not exceed 100%.
After collecting all the experts' recommendations and suggestions, the mean and the
standard deviation*** of the suggested weights were calculated and taken into
consideration to arrive at the final list of control procedures and a materiality
weight for each one of them, for use in the current research.
Cronbach's Alpha is used to check the questionnaire's stability for all of its
components. Furthermore, reliability analysis allowed the researchers to study the
properties of the measurement scales and the items that make them up.
§§ These weights will be called as "Norms" later in the study.
*** The standard deviation was calculated for each point and for all points.

Using a nominal scale to measure control procedure effectiveness led us to
select the chi-square test as the nonparametric procedure for testing the second
hypothesis, which examines whether there is a significant difference between EDP
controllers and internal auditors with respect to the CAIS control systems
effectiveness level. The χ² statistic is equal to the squared difference between the
observed and expected frequencies, divided by the expected frequency in each cell of
the table, summed over all cells of the table. The statistic approximately follows a
chi-square distribution with 1 degree of freedom, Zikmond (2003, p. 520).
For the chi-square (2 × 2) table to give accurate results, each expected frequency is
assumed to be at least five. Where this assumption was not met, Fisher's exact
probability test was used instead. The first hypothesis (including the minor
hypotheses, which concern the population proportion p, the security control
effectiveness percentage) was tested by calculating the sample proportion ps
(ps = X/n) and comparing the value of this statistic with the hypothesized value of
the parameter p (the effectiveness standard). Additionally, the normality of the
sampling distribution was checked using the following rule: "If the number of
successes (X) and the number of failures (n - X) are each at least five, the
sampling distribution of a proportion approximately follows a standardized normal
distribution." To test the size of the difference between the sample proportion ps
and the hypothesized value of the parameter p for each security control system group
and for security control systems in general, the Z test for the proportion given in
the following equation is used in this research, Berenson (2001):

$$Z = \frac{p_s - p}{\sqrt{\dfrac{p(1-p)}{n}}}$$

where

$p_s$ = observed proportion of successes (number of successes divided by the sample size),
$p$ = hypothesized proportion of successes in the population,
$n$ = sample size.
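The two tests described in this section, the Z test for a proportion against a norm (with the "at least five successes and five failures" normality rule) and the 2 × 2 chi-square test with Fisher's exact test as the fallback when an expected frequency is below five, as an added worked example. This is example code written for this page, not the authors' own analysis script; the respondent counts it is run on are constructed for illustration and do not come from the paper.

```python
"""Added example (not from the paper): the two hypothesis tests described
in the methodology, the one-sample Z test for a proportion against a norm,
and the 2 x 2 chi-square test with a Fisher exact fallback when an expected
cell frequency is below five. Only the standard library is used; the input
figures are constructed for illustration."""
import math
from typing import Dict, Tuple

ALPHA = 0.05
Z_CRITICAL = 1.96  # two-sided 5% rejection boundary used in the paper


def two_sided_normal_p(z: float) -> float:
    """Two-sided p-value P(|Z| >= |z|) for a standard normal variate."""
    return math.erfc(abs(z) / math.sqrt(2.0))


def z_test_proportion(successes: int, n: int, norm: float) -> Dict[str, object]:
    """Z test for a proportion: Z = (p_s - p) / sqrt(p(1-p)/n).

    `successes` is X, `n` the sample size and `norm` the hypothesized
    proportion p. The normality rule from the methodology (X >= 5 and
    n - X >= 5) is checked and reported alongside the statistic."""
    if not 0 < norm < 1 or n <= 0 or not 0 <= successes <= n:
        raise ValueError("invalid inputs for a proportion test")
    p_s = successes / n
    z = (p_s - norm) / math.sqrt(norm * (1.0 - norm) / n)
    return {
        "p_s": p_s,
        "z": z,
        "p_value": two_sided_normal_p(z),
        "normal_approx_ok": successes >= 5 and (n - successes) >= 5,
        "reject_null": abs(z) > Z_CRITICAL,
    }


def chi_square_2x2(table: Tuple[Tuple[int, int], Tuple[int, int]]) -> Dict[str, object]:
    """Test of independence for a 2 x 2 table of counts.

    Rows are the two respondent groups, columns are "exists" / "does not exist".
    If every expected frequency is at least five the chi-square statistic with
    one degree of freedom is used; otherwise Fisher's exact test is used, as
    the methodology prescribes."""
    (a, b), (c, d) = table
    row1, row2 = a + b, c + d
    col1, col2 = a + c, b + d
    total = row1 + row2
    if total == 0 or min(row1, row2, col1, col2) == 0:
        raise ValueError("degenerate table: a row or column is empty")
    expected = [[row1 * col1 / total, row1 * col2 / total],
                [row2 * col1 / total, row2 * col2 / total]]
    if min(min(r) for r in expected) >= 5:
        observed = [[a, b], [c, d]]
        chi2 = sum((observed[i][j] - expected[i][j]) ** 2 / expected[i][j]
                   for i in range(2) for j in range(2))
        # chi-square with 1 df is the square of a standard normal variate
        p_value = math.erfc(math.sqrt(chi2 / 2.0))
        return {"method": "chi-square", "statistic": chi2, "p_value": p_value,
                "reject_null": p_value < ALPHA}
    # Fisher's exact test: hypergeometric probability of each table with the
    # same margins; the two-sided p sums tables at least as extreme as observed.
    denom = math.comb(total, col1)

    def prob(a_val: int) -> float:
        return math.comb(row1, a_val) * math.comb(row2, col1 - a_val) / denom

    observed_p = prob(a)
    lo, hi = max(0, col1 - row2), min(row1, col1)
    p_value = sum(prob(k) for k in range(lo, hi + 1) if prob(k) <= observed_p + 1e-12)
    return {"method": "fisher", "statistic": observed_p, "p_value": min(1.0, p_value),
            "reject_null": p_value < ALPHA}


if __name__ == "__main__":
    # Constructed figures: 27 of 30 respondents report a control, norm 65%.
    print(z_test_proportion(27, 30, 0.65))
    # Constructed split of 30 respondents (auditors vs HOCD) on two controls.
    print(chi_square_2x2(((11, 4), (9, 6))))   # expected cells >= 5: chi-square
    print(chi_square_2x2(((15, 0), (13, 2))))  # an expected cell < 5: Fisher
```

The Z test works on the raw count X and n rather than on a rounded percentage, so the normality check can be applied exactly; the second 2 × 2 example shows why the Fisher fallback matters, since a control that almost every respondent reports has an expected "does not exist" cell far below five.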

IV. RESULTS

As appears in table (1), 80% of the respondents reported that their banks had
more than four information specialists.

Table 1
Frequency distribution of information system specialists
Information system specialist number   Frequencies   Percent
0                                      2             6.7%
1-3                                    4             13.3%
4-7                                    9             30.0%
8-11                                   2             6.7%
12-15                                  8             26.7%
More than 15                           5             16.7%
Total                                  30            100%

The majority of the respondents (73.3%), as appears in table (2), reported
that they had four or more years of experience in their current position,
while only 20.7% of the respondents had less than four years of experience in their
current position.

Table 2
Frequency distribution of the respondents' experience in their current position
Experience in current position   Frequencies   Percent
Less than one year               1             3.3%
1-3                              7             23.3%
4-7                              15            50.0%
8-11                             4             13.3%
12-15                            2             6.7%
More than 15                     1             3.3%
Total                            30            100%

Almost eighty-nine percent of the respondents declared that they had four or
more years of experience in the same bank, while only eleven percent reported that
they had less than four years of experience in the observed bank.

Table 3
Frequency distribution of the respondents' experience in the observed bank
Experience in the observed bank   Frequencies   Percent
1-3                               5             16.7%
4-7                               13            43.3%
8-11                              8             26.7%
12-15                             3             10.0%
More than 15                      1             3.3%
Total                             30            100%

In general, it can be concluded that the individuals who answered the
questionnaire had the minimum required level of knowledge, which may increase the
credibility and reliability of their answers.
The following section focuses on the statistical findings related to security
control. It consists of descriptive statistics such as frequencies and percentages.
Fraud and error reduction controls

To explore the existence and implementation of fraud and error reduction
control procedures, the respondents were asked to indicate the existence of such
measures at their banks. The statistical findings revealed that all respondents (100%)
indicated that their banks had successfully implemented the segregation of duties,
whether between information system development functions (analysis / programming,
etc.) or between accounting duties (authorization / recording, etc.).
On the other hand, the results showed that 67% of the respondents believed that
their banks implemented rotation of duties in order to decrease the chances of fraud
and increase the chance of error exposure. A similar percentage supported the
existence of employee bonding, while one-third of the respondents claimed that such a
procedure was not implemented. These results indicate that domestic banks'
managements have recognized the importance of this security control in minimizing
fraud and error. The results support Romney and Steinbart's (1999) view of the
importance of fraud and error reduction controls, especially the first and second
control procedures, while the bonding policy existence percentage is much higher
than that reported by Abu Musa (2004).
Table 4
Fraud and error reduction controls (Frequencies)
Each row gives the control procedure, then the frequency and percentage of banks where it does not exist and where it exists.

1. There is a segregation of information system development functions (Analyst, Programmer, Operator, User, Librarian, Data controller).
   Does not exist: 0 (0%)   Exists: 30 (100.0%)
2. There is a segregation of accounting duties (e.g. Authorization, Recording).
   Does not exist: 0 (0%)   Exists: 30 (100.0%)
3. Rotation of duties is utilized to decrease fraud chances and increase the chance of error exposure.
   Does not exist: 10 (33.3%)   Exists: 20 (66.7%)
4. The employee who has access to sensitive data has been bonded.
   Does not exist: 10 (33.3%)   Exists: 20 (66.7%)

Physical access controls

The research revealed that the vast majority of the respondents (93%) claimed
that their banks established locked rooms for servers and sensitive computer
equipment. On the other hand, only 7% of the respondents reported that their banks
did not implement such control procedures. Even though this is a small percentage,
the researchers regard it as unfavorable, because it reveals that some banks do not
implement some of the basic Systrust (2003) rules. The respondents were also
asked to indicate whether the domestic banks managed physical access tools
supervised by the bank's security staff. A high proportion of the respondents (93.3%)
claimed that their banks implemented such a procedure, while about 7% of the
respondents believed that their banks did not manage this procedure. Moreover,
frequency statistics showed that 70% of the respondents confirmed that their banks
restricted access to server rooms and related hardware to authorized individuals
by card key systems, monitored by video surveillance. Additionally, the results
showed that 63.3% of respondents reported that their banks kept records of visitors
showing the visitor's name and the purpose of the visit. Almost 77% of respondents
believed that their banks maintained adequate theft and hazard insurance covering
computer hardware; this percentage is lower than the one extracted from the
Egyptian banking sector by Abu Musa (2004). Furthermore, 70% of the respondents
reported that their banks installed alarms with a high concentration on computer
equipment. In general, the results were consistent with Romney and Steinbart (1999),
Buttross and Ackers (1990), Dougan (1994), Henry (1997), Moscove and Stephan
(2001) and Boritz (2005).

Table 5
Physical access controls (Frequencies)
Each row gives the control procedure, then the frequency and percentage of banks where it does not exist and where it exists.

5. Locked rooms for servers and sensitive computer equipment.
   Does not exist: 2 (6.7%)   Exists: 28 (93.3%)
6. Physical access cards are managed by the bank's security staff. Access card usage is logged. Logs are maintained and reviewed by the bank security staff.
   Does not exist: 2 (6.7%)   Exists: 28 (93.3%)
7. Physical access to the computer rooms, which contain the bank IT resources, servers, and related hardware such as firewalls and routers, is restricted to authorized individuals by card key systems and monitored by video surveillance.
   Does not exist: 9 (30.0%)   Exists: 21 (70.0%)
8. Records for visitors and the purpose for their visits.
   Does not exist: 11 (36.7%)   Exists: 19 (63.3%)
9. An adequate theft and hazard insurance covering computers' hardware.
   Does not exist: 7 (23.3%)   Exists: 23 (76.7%)
10. Installing alarms with high concentration on computer equipment.
   Does not exist: 9 (30.0%)   Exists: 21 (70.0%)

Logical access controls

To investigate the existence and implementation of adequate logical access
controls in the domestic banks, the respondents were asked to indicate whether each
control procedure existed or not. The statistical findings revealed that all respondents
claimed that their banks successfully implemented passwords and IDs on users'
computers. On the other hand, 66.7% of the respondents reported that each
computer was provided with a screen saver locked with a password. 96.7% of the
respondents claimed that the authority to access company information was defined
according to the user's ID. According to 90% of the respondents, computer and
software passwords contain at least six characters, one of which is non-alphanumeric;
these passwords are also case sensitive and must be updated every ninety days.
Moreover, 83.3% of the respondents reported that their banks managed adequate
procedures to prevent unauthorized public access via dial-up, while 63.3% of the
respondents claimed that VPN software was used in their banks' networks to permit
remote access by authorized users. Furthermore, 80% of the respondents believed
that their banks provided users with only the needed network services and deactivated
unnecessary services. Intrusion detection systems are used in the domestic banks
according to 67% of the respondents, in order to provide continuous monitoring of
the entity network and to identify potential security breaches. Additionally, 70% of the
respondents claimed that their banks implemented routing verification procedures to
ensure that messages are not routed to the wrong system addresses. Ninety percent of
the respondents believed that their banks required electronic identification for each
authorized network terminal, while 66.3% of the respondents reported that message
acknowledgment techniques were used in their banks to inform the sender that his
message had been delivered.

These results are consistent with the Systrust v 2.0 proposed control procedures,
in contrast with the control procedures which were extracted from Romney and
Steinbart (1999).

Table 6
Logical access controls (Frequencies)
Each row gives the control procedure, then the frequency and percentage of banks where it does not exist and where it exists.

11. Each user has a password and an ID for his computer.
   Does not exist: 0 (0.0%)   Exists: 30 (100.0%)
12. Screen saver with password.
   Does not exist: 10 (33.3%)   Exists: 20 (66.7%)
13. The authority to access company information is defined according to the user's ID.
   Does not exist: 1 (3.3%)   Exists: 29 (96.7%)
14. Each password contains at least six characters, one of which is non-alphanumeric. Passwords are case sensitive and updated every 90 days.
   Does not exist: 3 (10.0%)   Exists: 27 (90.0%)
15. Adequate procedures should be implemented to prevent unauthorized public access via dial-up (e.g. use dial-back, dial-up access restricted to non-confidential information).
   Does not exist: 5 (16.7%)   Exists: 25 (83.3%)
16. Virtual private networking (VPN) software is used to permit remote access by authorized users. Users are authenticated by a VPN server through specific "client" software and the user's ID and password.
   Does not exist: 11 (36.7%)   Exists: 19 (63.3%)
17. Unneeded network services (for example, telnet, ftp, and http) are deactivated on the entity servers. A listing of the required and authorized services is maintained by the IT department. This list is reviewed by the entity management on a routine basis for its validity for the current operating conditions.
   Does not exist: 6 (20.0%)   Exists: 24 (80.0%)
18. Intrusion detection systems are used to provide continuous monitoring of the entity network and early identification of potential security breaches.
   Does not exist: 10 (33.3%)   Exists: 20 (66.7%)
19. The bank contracts with third parties to conduct periodic security reviews and vulnerability assessments. Results and recommendations for improvement are reported to management.
   Does not exist: 12 (40.0%)   Exists: 18 (60.0%)
20. Routing verification procedures are used to ensure that messages are not routed to the wrong system addresses.
   Does not exist: 9 (30.0%)   Exists: 21 (70.0%)
21. Electronic identification is required for each authorized network terminal.
   Does not exist: 3 (10.0%)   Exists: 27 (90.0%)
22. Message acknowledgment techniques are used to inform the sender that his message has been delivered, such as (Echo check, Trailer label, and Numbered batches).
   Does not exist: 10 (33.3%)   Exists: 20 (66.7%)
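Control procedure 14 in Table 6 (at least six characters, one non-alphanumeric, case sensitive, changed every 90 days) is the kind of control an internal auditor can verify from account attributes rather than from a questionnaire answer. The following is an added example written for this page, not code from the paper or from any bank: it audits constructed account records against exactly that policy and reports the result in the form the survey asks about (does the control exist, and if not, which accounts fail). The record fields, the audit date and the account names are all assumptions made for the illustration.

```python
"""Added example (not from the paper): an audit check for control procedure 14
from Table 6, the password policy of at least six characters with one
non-alphanumeric character, case-sensitive handling, and a change at least
every 90 days. The account records below are constructed for illustration;
a real audit would read them from the bank's directory or IAM export."""
from dataclasses import dataclass
from datetime import date
from typing import List

MIN_LENGTH = 6
MAX_AGE_DAYS = 90


@dataclass
class AccountRecord:
    """One user account as an auditor would receive it: the password itself is
    never exported, only the attributes the policy can be checked against."""
    user_id: str
    password_length: int
    has_non_alphanumeric: bool
    case_sensitive_store: bool
    last_password_change: date


def check_account(rec: AccountRecord, today: date) -> List[str]:
    """Return the policy clauses this account violates (empty list = compliant)."""
    findings = []
    if rec.password_length < MIN_LENGTH:
        findings.append("length below six characters")
    if not rec.has_non_alphanumeric:
        findings.append("no non-alphanumeric character")
    if not rec.case_sensitive_store:
        findings.append("password not handled case-sensitively")
    age = (today - rec.last_password_change).days
    if age > MAX_AGE_DAYS:
        findings.append(f"password age {age} days exceeds 90-day limit")
    return findings


def audit_password_policy(records: List[AccountRecord], today: date) -> dict:
    """Aggregate the check over all accounts into the form the survey question
    asks about: does the control exist (all accounts compliant) and, if not,
    which accounts fail and why."""
    failures = {r.user_id: check_account(r, today) for r in records}
    failures = {u: f for u, f in failures.items() if f}
    total = len(records)
    return {
        "control_exists": not failures,
        "compliance_rate": (total - len(failures)) / total if total else 0.0,
        "failures": failures,
    }


# Constructed sample: a reporting date and four accounts, two of them non-compliant.
AUDIT_DATE = date(2006, 6, 30)
SAMPLE_ACCOUNTS = [
    AccountRecord("teller01", 9, True, True, date(2006, 5, 1)),
    AccountRecord("teller02", 5, True, True, date(2006, 6, 1)),      # too short
    AccountRecord("auditor1", 12, False, True, date(2006, 1, 15)),   # no symbol, 166 days old
    AccountRecord("hocd", 10, True, True, date(2006, 4, 15)),
]

if __name__ == "__main__":
    print(audit_password_policy(SAMPLE_ACCOUNTS, AUDIT_DATE))
```

The check deliberately works on exported attributes (length, character-class flag, last change date) rather than on passwords, since an auditor should never need the secrets themselves to test whether the policy is enforced.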

Data security controls

All of the respondents agreed that domestic banks protected the file storage
area from harmful conditions (such as fire, dust, etc.). Furthermore, 80% of the
respondents reported that their banks maintained a well-defined data dictionary, while
70% of the respondents said that the data was defined into layers, each layer having
its own security level.

Over 66% of the respondents believed that each element of the information was
identified as to whom it was required by, when it was needed, and in which information
system it existed. Additionally, the same percentage of respondents claimed that their
banks maintained write-protection mechanisms to protect data files from being
overwritten or erased. Moreover, all of the respondents reported that their
banks had well-managed backups and working copies maintained according to a
predefined schedule.

Table 7
Data security controls (Frequencies)
Each row gives the control procedure, then the frequency and percentage of banks where it does not exist and where it exists.

23. File storage area protected against fire, dust, and any harmful conditions.
   Does not exist: 0 (0.0%)   Exists: 30 (100.0%)
24. Well defined data directory is used.
   Does not exist: 6 (20.0%)   Exists: 24 (80.0%)
25. Each type of data and the level of protection required for each are well defined.
   Does not exist: 9 (30.0%)   Exists: 21 (70.0%)
26. Each element of the information is defined as to whom it is required by, when it is needed, and at which IS it exists.
   Does not exist: 10 (33.3%)   Exists: 20 (66.7%)
27. Write protection mechanisms protect against users accidentally writing over or erasing data files.
   Does not exist: 10 (33.3%)   Exists: 20 (66.7%)
28. Backups and working copies of data are well maintained according to a pre-defined schedule.
   Does not exist: 0 (0.0%)   Exists: 30 (100.0%)
29. Adequate steps are taken to avoid unauthorized copying of hardcopy data.
   Does not exist: 8 (26.7%)   Exists: 22 (73.3%)
30. Adequate security controls should be implemented over manual handling of data between branches and the headquarters, as well as among the bank's departments.
   Does not exist: 2 (6.7%)   Exists: 28 (93.3%)
31. A hardcopy should be routinely printed for the critical data.
   Does not exist: 7 (23.3%)   Exists: 23 (76.7%)
32. The FORMAT command should be removed from the users' computers.
   Does not exist: 13 (43.3%)   Exists: 17 (56.7%)
33. Legally binding confidentiality agreements should be drafted by the employer and signed by the computer users who have access to sensitive data.
   Does not exist: 8 (26.7%)   Exists: 22 (73.3%)
34. Backup diskettes or cartridges are secured in safe cabinets or a fire-rated safe.
   Does not exist: 2 (6.7%)   Exists: 28 (93.3%)

Also, 73.3% of the respondents believed that their banks took the required steps to
avoid unauthorized copying of hardcopy data. 93.3% of the respondents said
that their banks implemented adequate security controls over the manual handling of
data between branches and headquarters as well as among the banks' departments.
Approximately 77% of respondents also believed that their banks kept a hard copy of
the critical data. 57% of the respondents claimed that the FORMAT command was
removed from users' computers. Furthermore, 73% of the respondents reported that
their banks drafted confidentiality agreements. Finally, 93.3% of the respondents
claimed that their banks kept backup diskettes or cartridges secured in safe cabinets
or fire-rated safes. The empirical results confirmed the validity of most of the
protective measures drawn from Warigon's (1998) theoretical study.

Documentation standards

Almost 90% of the respondents reported that their banks set up well-defined
standards and procedures for data processing, including the justification and
authorization of new systems and system changes, etc. On the other hand, 60% of
the respondents believed that their banks kept documentation describing each
application system, including narrative material, flow charts and program listings.
A lower percentage of the respondents (50%) believed that the documentation kept
in their banks described what was needed to run a program, including the
equipment configuration, programs and data files, as well as the procedures to set
up and execute the job. 70% of respondents reported that users were provided
with instructions for communicating potential security breaches to the information
security team so that these incidents could be monitored and evaluated. Again, a
lower percentage (56.7%) claimed that the existing documentation contained
procedures ensuring that issues of non-compliance with system security policies were
promptly addressed and corrective measures taken on a timely basis.

Table 8
Documentation standards (Frequencies)
Each row gives the control procedure, then the frequency and percentage of banks where it does not exist and where it exists.

35. Well defined standards and procedures for data processing, including the justification and authorization of new systems and system changes, standards for system analysis, design and programming, and procedures for file handling and storage.
   Does not exist: 3 (10.0%)   Exists: 27 (90.0%)
36. Documentation describes each application system, including narrative material, flow charts and program listings.
   Does not exist: 12 (40.0%)   Exists: 18 (60.0%)
37. Documentation describes what is needed to run a program, including the equipment configuration, programs and data files as well as procedures to set up and execute the job.
   Does not exist: 15 (50.0%)   Exists: 15 (50.0%)
38. Users are provided with instructions for communicating potential security breaches to the information security team. These incidents are monitored and evaluated by the information security team periodically.
   Does not exist: 9 (30.0%)   Exists: 21 (70.0%)
39. Procedures exist to ensure that issues of non-compliance with system security policies are promptly addressed and the corrective measures are taken on a timely basis.
   Does not exist: 13 (43.3%)   Exists: 17 (56.7%)

The empirical results of this section are consistent with the fourth COSO component,
information and communication, which should provide a clear understanding of
individuals' roles and responsibilities. They also emphasize the importance of the
Systrust 2.0 criterion "Policies", which aims to document and define the company's
policies.

Disaster recovery plan

The respondents were asked to indicate whether their banks had a plan
identifying the applications, hardware and software necessary to keep the organization
running in emergency cases, and the sequence as well as the timing of all recovery
activities. The statistical results revealed that 73.3% of the respondents
reported that their banks kept such a plan. In addition, 76.7% of the respondents
claimed that their banks' DRP provided the ability to recover lost or destroyed files
when a disaster occurred. Also, 63.3% of the respondents reported that the DRP
existing in their banks defined the individuals or teams responsible for implementing
the different DRP activities. All of the respondents reported that their banks
provided servers and sensitive operational computers with uninterruptible power
supply (UPS) units to supply power during power outages. The lowest percentage of
the respondents (60%) claimed that their banks managed an insurance policy covering
the cost of business interruption resulting from computer disasters.

Table 9
Disaster recovery plan components (Frequencies)
Each row gives the control procedure, then the frequency and percentage of banks where it does not exist and where it exists.

40. A plan identifying the applications, hardware and software necessary to keep the organization running in emergency cases, and the sequence as well as the timing of all recovery activities.
   Does not exist: 8 (26.7%)   Exists: 22 (73.3%)
41. The DRP provides the ability to recover the lost or destroyed files when a disaster occurs.
   Does not exist: 7 (23.3%)   Exists: 23 (76.7%)
42. The DRP defines the responsible individuals or teams implementing the different DRP activities.
   Does not exist: 11 (36.7%)   Exists: 19 (63.3%)
43. The DRP provides ready backup facilities; these backup facilities can be provided through spare hardware, subcontract agreements, or a reciprocal agreement with an organization that has compatible facilities.
   Does not exist: 9 (30.0%)   Exists: 21 (70.0%)
44. Uninterruptible power supply (UPS) units to supply power during power outages.
   Does not exist: 0 (0.0%)   Exists: 30 (100.0%)
45. Insurance covers the cost of business interruption resulting from computer disasters.
   Does not exist: 12 (40.0%)   Exists: 18 (60.0%)

All of the disaster recovery plan procedures, which were drawn from Jacob & Weiner
(1997), Romney & Steinbart (1999) and Moscove & Stephan (2001), have acceptable
existence percentages.

Internet, communications and e-Banking controls

As expected, all of the respondents reported that their banks had antivirus
software in place, including virus scans of incoming e-mail messages, with virus
signatures updated at least weekly. Again, 100% of the respondents claimed that their
banks installed firewalls (software and hardware) to control and protect
communication between the internal network and external networks (e.g. the
Internet). 63.3% of the respondents believed that their banks assigned a specific
ceiling (e.g. 2000 JD) for monetary transactions that went through the e-banking
service. Only 43.3% of the respondents reported that their banks provided two user
IDs for the e-banking service, one ID for general inquiries and the other for
transfers and monetary transactions. A higher percentage of the respondents (66.7%)
believed that the user's account was activated only after a successful login that was
encrypted through a 128-bit SSL session. Additionally, 76.7% of the respondents
claimed that monetary transfers in their banks were restricted to accounts in the
same bank. Merely half of the respondents believed that unused e-banking accounts
in their banks were purged automatically by the bank's system. The majority of the
respondents (83%) reported that the login session in their banks was terminated
after three unsuccessful login attempts. On the other hand, 76.7% of the respondents
believed that their banks used 128-bit secure sockets layer (SSL) encryption for the
transmission of private or confidential information over public networks, including
users' IDs and passwords, and that users were required to update their browser to
the latest version tested and approved by the security administrator.
Table 10
Internet, communications and e-Banking controls (Frequencies)
Each row gives the control procedure, then the frequency and percentage of banks where it does not exist and where it exists.

46. Antivirus software is in place, including virus scans of incoming e-mail messages. Virus signatures are updated at least weekly.
   Does not exist: 0 (0.0%)   Exists: 30 (100.0%)
47. Firewalls (Hardware & Software) installed to control and protect communications between the internal network and external networks such as the internet.
   Does not exist: 0 (0.0%)   Exists: 30 (100.0%)
48. Limit the electronic monetary transactions to (e.g. 2000 JD) per day.
   Does not exist: 11 (36.7%)   Exists: 19 (63.3%)
49. Each e-banking user has two IDs, one for general inquiries and the other for transfers and monetary transactions.
   Does not exist: 17 (56.7%)   Exists: 13 (43.3%)
50. Account activation, subsequent to successful login, is encrypted through a 128-bit SSL session. Users are logged out on request (by selecting the "Sign-out" button on the website) or after 10 minutes of inactivity.
   Does not exist: 10 (33.3%)   Exists: 20 (66.7%)
51. Monetary transfer capabilities are restricted to the accounts in the same bank (sender and receiver in the same bank).
   Does not exist: 7 (23.3%)   Exists: 23 (76.7%)
52. Unused customer accounts (no activity for six months) are purged by the system.
   Does not exist: 14 (46.7%)   Exists: 16 (53.3%)
53. The login session is terminated after three unsuccessful login attempts. Terminated login sessions are logged for follow-up.
   Does not exist: 5 (16.7%)   Exists: 25 (83.3%)
54. The bank uses 128-bit secure sockets layer (SSL) encryption for transmission of private or confidential information over public networks, including users' IDs and passwords. Users are required to update their browser to the latest version tested and approved by the security administrator.
   Does not exist: 7 (23.3%)   Exists: 23 (76.7%)

Output security controls

All respondents believed that their banks controlled access to sensitive
information and restricted it to authorized users during the authorized time. A
lower percentage of the respondents (86.7%) reported that sensitive computer output in
their banks was secured in a locked cabinet. Only 60% of the respondents believed that
the system output was stamped with the date and time. Also, 83.3% of the
respondents reported that their banks performed the printing and distribution of data
and information under proper supervision and only by authorized persons in the bank.
Furthermore, 76.7% of the respondents believed that shredding machines were
available and used for sensitive data disposal, while 70% of the respondents reported
that shredding these sensitive documents was restricted to security-cleared
personnel. Lastly, 76.7% of the respondents claimed that their banks performed
random output/input auditing on a regular basis in order to verify correct processing.

Table 11
Output security controls (Frequencies)
Each row gives the control procedure, then the frequency and percentage of banks where it does not exist and where it exists.

55. Authorized access to sensitive information should be controlled and restricted only to the authorized users during the authorized time.
   Does not exist: 0 (0.0%)   Exists: 30 (100.0%)
56. Sensitive computer output secured in a locked cabinet.
   Does not exist: 4 (13.3%)   Exists: 26 (86.7%)
57. Hard copy output stamped automatically with date/time.
   Does not exist: 12 (40.0%)   Exists: 18 (60.0%)
58. Printing and distributing data and information performed under proper supervision and only by authorized persons in the bank.
   Does not exist: 5 (16.7%)   Exists: 25 (83.3%)
59. Shredding machines are available and used for disposal of confidential data.
   Does not exist: 7 (23.3%)   Exists: 23 (76.7%)
60. Shredding sensitive documents is restricted to security-cleared personnel.
   Does not exist: 9 (30.0%)   Exists: 21 (70.0%)
61. Random output/input auditing regularly conducted to verify correct processing (e.g. check book order against actual printed check books).
   Does not exist: 7 (23.3%)   Exists: 23 (76.7%)

The following section focuses on the statistical findings concerned with the
hypothesis testing. To test the first Hypothesis and related minor hypotheses, the Z
test for proportion was conducted as can be seen in the following table.

Table 12
Z-test for percent differences
Dimension                                Norm   Percent   N    Z value   P
Fraud and error reduction control        65%    91%       30   2.98      0.002
Physical access                          70%    79%       30   1.05      0.29
Logical access                           70%    78%       30   1.08      0.28
Data security                            65%    79%       30   1.89      0.058
Documentation standards                  60%    70%       30   1.20      0.23
Disaster recovery plan                   60%    73%       30   1.38      0.16
Internet, communication and e-Control    75%    82%       30   1.00      0.31
Output security controls                 65%    85%       30   1.81      0.07

The developed norms††† are used as the cut-off point for the minimum accepted
percentage of applying CS standards: a bank is considered to be applying an effective
control system if its own CS standards evaluation percentage exceeds this norm. We
then tested for significant differences between the applied percentage in the Jordanian
domestic banks and these norms using the Z test for proportion.

From table (12), the p value is less than 0.05 for fraud and error reduction
controls. This means that there is a significant difference between the accepted
norm (65%) and the applied percentage (91%). The Z value is also higher than 1.96,
which means it falls in the rejection area. All of this leads us to reject the null
hypothesis, which implies that the Jordanian domestic banks are using effective
fraud and error reduction controls.

The p value is greater than 0.05 for the remaining dimensions (Physical access,
Logical access, Data security, Documentation standards, Disaster Recovery, Internet,
communication and E-Control, and Output security controls), and their Z values fall
in the acceptance area (-1.96 < Z < 1.96), which means that there are no significant
differences. Consequently, the researchers conclude that the Jordanian domestic banks
are not using effective control procedures for Physical access, Logical access, Data
security, Documentation standards, Disaster Recovery, Internet, communication and
E-Control, and Output security controls.

According to the above-mentioned results, we accept the main null hypothesis that
stated, "Domestic Banks are not using effective Control Systems on their
Computerized Accounting Information System."

To test the second hypothesis, we used the chi-square test, as appears in appendix (1).
The chi-square results show that there is no difference between the EDP controllers'
and the internal auditors' opinions in respect of the CAIS control system effectiveness
level. Accordingly, the null hypothesis is accepted.

CONCLUSION

The research showed that Jordanian domestic banks mainly make effective use of fraud
and error reduction controls, while they do not do enough with regard to the other
dimensions (Physical access, Logical access, Data security, Documentation standards,
Disaster Recovery, Internet, communication and E-Control, and Output security
controls).

††† Norms equal to materiality weights that previously mentioned into methodology section.

The analysis indicates that there are no differences between the heads of computer
departments' and the internal auditors' perceptions of the effectiveness level of
CAIS control systems across its dimensions.

REFERENCES

Abu-Musa, Ahmad A., "Investigating the Security Controls of CAIS in an Emerging Economy: An Empirical Study on the Egyptian Banking Industry", Managerial Auditing Journal, Vol. 19, No. 2, 2004.
AICPA, Auditing Standards Board, "SAS No. 94: The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit", April 2001.
Bell, Timothy B., Knechel, W. Robert, Payne, Jeff L. and Willingham, John J., "An Empirical Relationship between the Computerization of Accounting Systems and Incidence and Size of Audit Differences", Auditing, Vol. 17, Issue 1, Spring 1998.
Berenson, M., Levine, D. and Krehbiel, T., "Basic Business Statistics: Concepts and Applications", 8th edition, 2001.
Boockholdt, J., "Accounting Information Systems: Transaction Processing and Controls", 5th edition, McGraw-Hill, pp. 433-444, 1999.
Boritz, J. Efrim, "IS Practitioners' Views on Core Concepts of Information Integrity", International Journal of Accounting Information Systems, Vol. 6, Issue 4, pp. 260-279, December 2005.
Boynton, W., Johnson, R. and Kell, W., "Modern Auditing", 7th edition, John Wiley & Sons, pp. 322, 400-401, 2001.
Buttross, T. and Ackers, M. D., "A Time-saving Approach to Microcomputer Security", Journal of Accounting and EDP, Vol. 6, pp. 31-35, 1990.
Cerullo, M. and Cerullo, Michael J., "Client/Server Systems Security and Controls", Internal Auditor, Vol. 56, Issue 5, October 1999.
Coe, Martin J., "Trust Services: A Better Way to Evaluate IT Controls", Journal of Accountancy, Vol. 199, Issue 3, March 2005.
Curtis, M. and Borthick, A. F., "Evaluation of Internal Control from a Control Objective Narrative", Journal of Information Systems, Vol. 13, Issue 1, Spring 1999.
Dougan, J., "Internal Control Check-list for Hospitality Computer Systems", The Bottom Line, Vol. 9, pp. 8-11, 1994.
Fernandez-Medina, Eduardo and Piattini, Marino, "Designing Secure Databases", Information and Software Technology, Vol. 47, 2005.
Grady, Paul, "The Broader Concept of Internal Control", The Journal of Accountancy, pp. 41-48, May 1957.
Greenstein, M. and Vasarhelyi, M., "The Electronization of Business Process", European Conference on AIS, Section One, July 2000.
Hardy, Catherine and Reeve, Robert, "A Study of the Internal Control Structure for Electronic Data Interchange Systems Using the Analytical Hierarchy Process", Accounting & Finance, Vol. 40, Issue 3, September 2000.
Henry, Laurie, "A Study of the Nature and Security of Accounting Information Systems: The Case of Hampton Roads, Virginia", The Mid-Atlantic Journal of Business, Vol. 33, Issue 63, pp. 171-189, 1997.
Hwang, Sung-Sik, Shin, Taeksoo and Han, Ingoo, "CRAS-CBR: Internal Control Assessment System Using Case-based Reasoning", Expert Systems, Vol. 21, No. 1, February 2004.
ITGI (IT Governance Institute), "IT Governance Executive Summary: Board Briefing on IT Governance", Rolling Meadows, 2001.
Jacob, J. and Weiner, S., "The CPA Role in Disaster Recovery Planning", CPA Journal, Vol. 67, Issue 11, November 1997.
Lainhart IV, John W., "COBIT: A Methodology for Managing and Controlling Information and Information Technology Risks and Vulnerabilities", Journal of Information Systems, Vol. 14, Issue 1, 2000.
Lee, T. A., "The Historical Development of Internal Control from the Earliest Times to the End of the Seventeenth Century", Journal of Accounting Research, Spring 1971.
Moscove, Stephen A., "E-Business Security and Controls", CPA Journal, Vol. 71, Issue 11, November 2001.
Murthy, Uday S., "An Analysis of the Effects of Continuous Monitoring Controls on E-commerce System Performance", Journal of Information Systems, Vol. 18, No. 2, Fall 2004.
Oppenheim, A. N., "Questionnaire Design, Interviewing, and Attitude Measurement", Pinter Publishers, New York, 1992.
Qurashi, A. and Siegel, J., "The Accountant and Computer Security", National Public Accountant, Vol. 42, Issue 3, May 1997.
Romney, M. and Steinbart, P., "Accounting Information Systems", 8th edition, Prentice Hall, pp. 286-307, 383, 1999.
Ryan, S. D. and Bordoloi, B., "Evaluating Security Threats in Mainframe and Client Server Environments", Information & Management, Vol. 32, Issue 3, pp. 137-142, 1997.
Tam, Kinsun, "Implementing Internal Accounting Controls as Constraints in RDBMS and XML", working paper, European Conference on AIS, 2002.
Vallabhaneni, S. Rao, "CISA Examination Textbook: Theory", 3rd edition, SRV Professional Publications, 2001.
Wallace, R. and Mellor, C., "Nonresponse Bias in Mail Accounting Surveys: A Pedagogical Note", British Accounting Review, Vol. 20, pp. 131-139, 1988.
Warigon, Slemo, "Data Warehouse Control & Security", Internal Auditor, Vol. 55, Issue 6, pp. 40-47, December 1998.
Zikmund, William, "Business Research Methods", 7th edition, Thomson, 2003.
Appendix (1)
Chi-square results for security controls

For each questionnaire item the table gives the number of IT department heads (IT) and internal auditors (IA) who answered that the control does not exist / exists (15 respondents in each group; a dash denotes zero). The test statistic is Pearson's chi-square with one degree of freedom computed from each 2 x 2 table; for example, question 12 gives 30 x (4 x 9 - 11 x 6)^2 / (15 x 15 x 10 x 20) = 27000 / 45000 = 0.60 with p = 0.43.

Question   IT: not exist / exists   IA: not exist / exists   χ²      p
1          -  / 15                  -  / 15                  0.00    1.00
2          -  / 15                  -  / 15                  0.00    1.00
3          4  / 11                  6  / 9                   0.70    0.35
4          5  / 10                  5  / 10                  0.00    1.00
5          1  / 14                  1  / 14                  0.00    1.00
6          1  / 14                  1  / 14                  0.00    1.00
7          4  / 11                  5  / 10                  0.15    0.69
8          6  / 9                   5  / 10                  0.14    0.70
9          4  / 11                  3  / 12                  0.18    0.66
10         5  / 10                  4  / 11                  0.15    0.69
11         15 / -                   15 / -                   0.00    1.00
12         4  / 11                  6  / 9                   0.60    0.43
13         1  / 14                  -  / 15                  1.03    0.39
14         1  / 14                  2  / 13                  0.37    0.54
15         2  / 13                  3  / 12                  0.24    0.62
16         5  / 10                  6  / 9                   0.14    0.70
17         2  / 13                  4  / 11                  0.83    0.36
18         5  / 10                  5  / 10                  0.00    1.00
19         6  / 9                   6  / 9                   0.00    1.00
20         4  / 11                  5  / 10                  0.15    0.69
21         1  / 14                  2  / 13                  0.37    0.54
22         5  / 10                  5  / 10                  0.00    1.00
23         -  / 15                  -  / 15                  0.00    1.00
24         3  / 12                  3  / 12                  0.00    1.00
25         4  / 11                  5  / 10                  0.15    0.69
26         4  / 11                  6  / 9                   0.60    0.43
27         4  / 11                  6  / 9                   0.60    0.43
28         -  / 15                  -  / 15                  0.00    1.00
29         4  / 11                  4  / 11                  0.00    1.00
30         1  / 14                  1  / 14                  0.00    1.00
31         3  / 12                  4  / 11                  0.188   0.66
32         6  / 9                   7  / 8                   0.13    0.71
33         4  / 11                  4  / 11                  0.00    1.00
34         1  / 14                  1  / 14                  0.00    1.00
35         2  / 13                  1  / 14                  0.37    0.54
36         6  / 9                   6  / 9                   0.00    1.00
37         7  / 8                   8  / 7                   0.13    0.71
38         3  / 12                  6  / 9                   1.42    0.23
39         7  / 8                   6  / 9                   0.45    0.65
40         4  / 11                  4  / 11                  0.00    1.00
41         4  / 11                  3  / 12                  0.18    0.66
42         5  / 10                  6  / 9                   0.14    0.70
43         4  / 11                  5  / 10                  0.15    0.69
44         -  / 15                  -  / 15                  0.00    1.00
45         5  / 10                  7  / 8                   0.45    0.55
46         -  / 15                  -  / 15                  0.00    1.00
47         -  / 15                  -  / 15                  0.00    1.00
48         5  / 10                  6  / 9                   0.14    0.70
49         10 / 5                   7  / 8                   1.22    0.26
50         5  / 10                  5  / 10                  0.00    1.00
51         4  / 11                  3  / 12                  0.18    0.66
52         6  / 9                   8  / 7                   0.34    0.72
53         3  / 12                  2  / 13                  0.24    0.62
54         4  / 11                  3  / 12                  0.18    0.66
55         2  / 13                  2  / 13                  0.00    1.00
56         2  / 13                  2  / 13                  0.00    1.00
57         6  / 9                   6  / 9                   0.00    1.00
58         3  / 12                  2  / 13                  0.24    0.62
59         4  / 11                  3  / 12                  0.18    0.66
60         4  / 11                  5  / 10                  0.15    0.69
61         4  / 11                  3  / 12                  0.18    0.66
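The test behind the second hypothesis can be checked from the appendix itself. The following script is an added example, not part of the original paper: it recomputes Pearson's chi-square (one degree of freedom, no continuity correction) and its p value from the 2 x 2 counts printed above for a sample of questions, shows that the statistic column equals the square of the pooled two-proportion z statistic, and flags rows whose printed figures differ from the recomputed ones by more than two-decimal printing explains. The counts and printed values embedded in the script are copied from Appendix (1) (a constructed subset of the 61 rows). On them the check reproduces every sampled row except question 3, whose printed statistic (0.70, p = 0.35) does not follow from its own counts: 4/11 versus 6/9 gives 0.60, p = 0.44, exactly as for question 12, which has the same counts.

```python
"""Recompute the Appendix (1) statistics from the 2 x 2 counts it reports.

Added example, not code from the paper. It treats the statistic column as
Pearson's chi-square with one degree of freedom, which is what the printed
values reproduce, and checks each sampled row against the printed figures.
"""
import math

# Counts copied from Appendix (1) for a handful of questions (constructed
# subset; the appendix reports 61 questions). Per question:
# (IT "does not exist", IT "exists", auditor "does not exist", auditor "exists")
APPENDIX_COUNTS = {
    1:  (0, 15, 0, 15),   # printed as "-" / 15 for both groups
    3:  (4, 11, 6, 9),
    7:  (4, 11, 5, 10),
    12: (4, 11, 6, 9),
    17: (2, 13, 4, 11),
    38: (3, 12, 6, 9),
    49: (10, 5, 7, 8),
}

# (statistic, p) as printed in the appendix for the same questions.
REPORTED = {
    1:  (0.00, 1.00),
    3:  (0.70, 0.35),
    7:  (0.15, 0.69),
    12: (0.60, 0.43),
    17: (0.83, 0.36),
    38: (1.42, 0.23),
    49: (1.22, 0.26),
}


def pearson_chi_square(a, b, c, d):
    """Pearson chi-square, df = 1, no continuity correction, for the table
    [[a, b], [c, d]]. Returns 0.0 when a margin is empty (for example every
    respondent in both groups answered "exists"), matching the appendix."""
    n = a + b + c + d
    denominator = (a + b) * (c + d) * (a + c) * (b + d)
    if denominator == 0:
        return 0.0
    return n * (a * d - b * c) ** 2 / denominator


def chi_square_p_value(statistic):
    """Upper-tail probability of a chi-square variable with one degree of
    freedom: P(X > x) = erfc(sqrt(x / 2))."""
    return math.erfc(math.sqrt(statistic / 2.0))


def two_proportion_z(a, b, c, d):
    """Pooled two-proportion z statistic comparing a/(a+b) with c/(c+d).
    For a 2 x 2 table z**2 equals the Pearson chi-square above."""
    n1, n2 = a + b, c + d
    pooled = (a + c) / (n1 + n2)
    if pooled in (0.0, 1.0):
        return 0.0
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    return (a / n1 - c / n2) / se


def recompute(counts=APPENDIX_COUNTS):
    """Map question number -> (chi-square, p) recomputed from its counts."""
    result = {}
    for question, (it_no, it_yes, aud_no, aud_yes) in counts.items():
        stat = pearson_chi_square(it_no, it_yes, aud_no, aud_yes)
        result[question] = (stat, chi_square_p_value(stat))
    return result


def discrepancies(tolerance=0.015, counts=APPENDIX_COUNTS, reported=REPORTED):
    """Questions whose printed statistic or p differs from the recomputed
    value by more than `tolerance` (the printed values carry two decimals)."""
    flagged = []
    for question, (stat, p) in recompute(counts).items():
        rep_stat, rep_p = reported[question]
        if abs(stat - rep_stat) > tolerance or abs(p - rep_p) > tolerance:
            flagged.append(question)
    return sorted(flagged)


if __name__ == "__main__":
    for q, (stat, p) in sorted(recompute().items()):
        print(f"Q{q:2d}: chi2 = {stat:.3f}  p = {p:.3f}  printed = {REPORTED[q]}")
    print("rows that do not reproduce from their counts:", discrepancies())
```

Running the script lists the recomputed statistic and p beside the printed pair for each sampled question and reports `[3]` as the only row that does not reproduce; widening the tolerance to 0.2 clears it, which shows the gap is a printing or transcription difference of about 0.1 rather than a different test.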
