
Then find out what "critically evaluate" entails.

CE (critically evaluate) the type and nature of risk/security threats arising from
computerization and internet use.




Mihalache, A. (n.d.). Risk
Infrastructure. SSRN Journal.






Enterprise risk management

In 2009, 83% of large UK businesses had suffered a malicious security breach within the
previous 12 months; the average number of security breaches per business was 45.
The response to a risk must be determined by its likelihood and the associated cost, so
that the response is efficient: spending on a control should not exceed the loss it
prevents.
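The likelihood-times-cost rule is usually applied as annualised loss expectancy (ALE = ARO x SLE, annual rate of occurrence times single loss expectancy), and a control is efficient when its ALE reduction exceeds its annual cost. The following is an added example, not part of the page or any source it cites; the risk names, the ARO/SLE figures and the candidate controls are constructed for illustration:

```python
"""Quantitative risk register: rank risks by expected annual loss and decide whether a
candidate control is worth its cost (ALE = ARO x SLE).

Added example, not from the page or any cited source. The risks, the annual rate of
occurrence (ARO), single loss expectancy (SLE) and control costs are constructed figures;
a real register would take them from incident history and vendor/insurance quotes.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    source: str    # "internal" (authorised employee/agent) or "external" (unauthorised person)
    aro: float     # expected occurrences per year
    sle: float     # loss per occurrence, in currency units

    @property
    def ale(self) -> float:
        """Annualised loss expectancy."""
        return self.aro * self.sle


@dataclass
class Control:
    name: str
    risk_name: str
    annual_cost: float
    aro_after: float   # residual ARO with the control in place
    sle_after: float   # residual SLE with the control in place


def rank_risks(risks: list[Risk]) -> list[tuple[str, float]]:
    """(name, ALE) pairs, highest expected loss first: where attention should go."""
    return sorted(((r.name, r.ale) for r in risks), key=lambda t: t[1], reverse=True)


def control_net_benefit(risk: Risk, control: Control) -> float:
    """ALE reduction minus the control's annual cost; a negative value means the
    control costs more per year than the loss it prevents."""
    residual_ale = control.aro_after * control.sle_after
    return (risk.ale - residual_ale) - control.annual_cost


def recommend(risks: list[Risk], controls: list[Control]) -> dict[str, str]:
    """'implement' a control with positive net benefit, otherwise 'accept risk'
    (or look for a cheaper control)."""
    by_name = {r.name: r for r in risks}
    return {c.name: ("implement" if control_net_benefit(by_name[c.risk_name], c) > 0
                     else "accept risk") for c in controls}


# Constructed register for an electronics retailer's accounting system
SAMPLE_RISKS = [
    Risk("false billing by an insider", "internal", aro=2.0, sle=15_000.0),
    Risk("ransomware on finance workstations", "external", aro=0.2, sle=250_000.0),
    Risk("accidental data-entry errors", "internal", aro=50.0, sle=200.0),
]
SAMPLE_CONTROLS = [
    Control("dual authorisation of invoices", "false billing by an insider",
            annual_cost=8_000.0, aro_after=0.2, sle_after=15_000.0),
    Control("offline backups and restore drills", "ransomware on finance workstations",
            annual_cost=12_000.0, aro_after=0.2, sle_after=40_000.0),
    Control("enterprise DLP suite", "accidental data-entry errors",
            annual_cost=30_000.0, aro_after=25.0, sle_after=200.0),
]

if __name__ == "__main__":
    for name, ale in rank_risks(SAMPLE_RISKS):
        print(f"{name:38s} ALE = {ale:10,.0f}")
    for control, decision in recommend(SAMPLE_RISKS, SAMPLE_CONTROLS).items():
        print(f"{control:38s} {decision}")
```

With these figures the DLP suite is rejected not because data-entry errors are unimportant but because that control is mispriced for that risk; a cheaper control (input validation, a second-person check on large entries) could still show a positive net benefit and would be evaluated the same way.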
Company A is a large category 1a firm
A framework which expanded on internal control

Different forms of corporate activity are exposed to different risks, so each must have
its own specified precautionary activities.
Information systems, for example, require precautionary management technologies in the
form of:
1. Internal control activities, i.e. fraud detection activities (moderate/strong form of
precautionary activity)
2. Computer-based virus management
In a corporate accounting information systems context there are two primary sources of
risk and associated secondary sources of risk.
Primary sources of risk:
1. Event-based risk, that is, risk associated with a particular event or a group of
events, and subsidiary primary sources.
2. Resource/asset-based risk, that is, risk associated with a particular event/activity
through the possession and/or use of a resource/asset or group of resources/assets.
Secondary sources of risk in an information systems context:
1. Authorised internal employee or external agent-based risk: the risk of possible loss
that may result from either an unintentional mistake/oversight or a premeditated,
intentional or deliberate error, theft or act of violence.
2. Unauthorised person-based risk: the risk of loss that may result from possible
breaches of security or violence resulting in theft or misappropriation of assets,
information or identity.

Main types of risk for accounting information systems:
1. False billing
2. Financial funds fraud
3. Advance fee fraud
4. Identity theft
5. Cyber terrorism
6. Unintentional errors
7. Deliberate errors
8. Unintentional loss of assets
9. Theft of assets
10. Breaches of security
11. Acts of violence
12. Natural disasters

Key risks are:
1. Computer crime (or computer-assisted crime)
2. Cyber terrorism

Internal controls and security systems

Internal controls are the processes designed to provide reasonable assurance that a
company's business objectives (primarily the maximisation of shareholder wealth) will be
achieved and that any incidents will be prevented, or detected and corrected.
Components of internal control:
1. Management control, which can be defined as activities designed to conduct, direct
and control business activities and ensure consistency with corporate business
objectives.
2. Information control: activities undertaken by a company's management to ensure the
proper and appropriate operation of the underlying information systems, and the
consistency, reliability and relevance of the information provided for both internal and
external use.
3. ICT control: activities conducted by the company to ensure the reliability of the
company's information systems.
The above are used to ensure:
1. Reliability and integrity of financial and non-financial information
2. The effective use of business resources
3. Safeguarding of all business assets and resources
4. Accomplishment of corporate objectives

According to the textbook (TB), to provide effective internal control five main
conditions must be met:
1. Understanding of the control environment
2. Understanding of the relevant control activities
3. Understanding of risk
4. Assessment of the efficiency and effectiveness of the information and communication
channels used both internally within the company and externally within the
5. Understanding of the need for appropriate monitoring of the transaction process and

Types of controls:
External control: the power/ability to influence another entity.
Internal control: the mechanism through which compliance is monitored and regulations
are enforced.

Computer crime
Computer crime can be defined as

Managing cyber risks in an interconnected world: key findings from The Global State of
Information Security Survey 2015
The annual survey of more than 9,700 security, IT, and business executives found that the
total number of security incidents detected by respondents climbed to 42.8 million this
year, an increase of 48% over 2013. That's the equivalent of 117,339 incoming attacks per
day, every day. Taking a longer view, our survey data shows that the compound annual
growth rate (CAGR) of detected security incidents has increased 66% year-over-year since
2009.
Assaults on major retailers reached epic levels in the past year, resulting in the theft
of hundreds of millions of customer payment card records, a rash of litigation, and a
rush to adopt a new payment card standard in the US. In the UK, payroll information and
bank account numbers of 100,000 employees of a supermarket chain were stolen by a company
insider and published online.
Huge heists of consumer data were also reported in South Korea, where 105 million payment
card accounts were exposed in a security breach. And in Verden, Germany, city officials
announced the theft of 18 million e-mail addresses, passwords, and other information.
We also saw increases in attacks on connected consumer devices such as baby monitors,
home thermostats, and televisions that comprise the Internet of Things, a nascent
ecosystem of devices that interconnect information, operational, and consumer
technologies. These Internet-connected devices are vulnerable to attack because they lack
fundamental security safeguards, a point verified by a recent HP Fortify on Demand study.
HP reviewed 10 of the most commonly used connected devices and found that 70% contain
serious vulnerabilities.

Executives of multinational organizations are keeping an eye on the European Union Data
Protection Regulation, which is on track to be finalized in 2015. The regulation is
expected to add new requirements for breach notification to individuals, require
organizations that handle personal data to conduct risk assessments and audits, and
increase fines for compromised businesses.
The EU General Data Protection Regulation's breach notification requirements may increase
disclosure of security incidents in Europe, according to John W. Woods, Jr., co-leader of
the global cybersecurity practice for the law firm Baker & McKenzie LLP.
Financial impact may include decreased revenues, disruption of business systems,
regulatory penalties, and erosion of customers. Non-financial impact may include
reputational damage, the pirating of products, diversion of research and
development information, impacts to innovation, stolen product designs or
prototypes, theft of business and manufacturing processes, as well as loss of
sensitive information such as M&A plans and corporate strategy
Large companies typically spend more on information security and have a more
mature program. As a result, they are more likely to have the processes and
knowledge to accurately calculate financial losses. Accordingly, they may consider a
full range of possible impacts, including costs associated with loss of customer
business, legal defence fees, court settlements, forensics, and reputational damage.
Larger organizations also take a more strategic approach to security by identifying
sensitive assets and allocating spending to their most valuable data, and they are
likely to understand third-party risks through the use of security baselines for
partners. Large companies tend to have the processes and technologies in place to
actively monitor and analyse security intelligence; should anomalies be detected,
they are in a better position to have an incident response process at the ready. And
big organizations more frequently cultivate a culture of security through employee
awareness and training programs, as well as by ensuring that senior executives
broadcast the importance of cybersecurity across the enterprise.
while large companies report a 53% jump in financial damages
This is a threat that has been made all too apparent by a rampage of attacks on US
retailers over the past year, some of which were achieved by criminals who gained access
to the networks and point-of-sale systems of retailers through compromises of third-party
suppliers and contractors. Labeling 2013 as "the year of the retailer breach", Verizon
counted 467 retailer breaches around the world in its annual Data Breach Investigations
Report, noting that payment card data was the primary target in 95% of incidents within
the retail industry. It looks as if 2014 will be another year of unprecedented breaches.
As we prepared this report, news broke of another US retailer heist that resulted in the
loss of 56 million payment card records.
Information security budgets are declining steeply among organizations in the
aerospace and defense (-25%), technology (-21%), automotive (-16%), and retail and
consumer products (-15%) industries
Figure 8 (Top spending priorities over the next 12 months, grouped as Prevent, Protect,
Detect, Respond): the items listed are account provisioning/deprovisioning, employee
security awareness training, role-based access controls, behavioral profiling, encryption
of smartphones, tools to discover unauthorized access, data loss prevention tools, patch
management tools, malicious code detection tools, mobile malware detection, active
monitoring/analysis of information security intelligence, vulnerability scanning tools,
security event correlation tools, unauthorized use or access monitoring tools, security
information and event management (SIEM) technologies, threat assessments, and an incident
management response process, each selected by between 14% and 27% of respondents.

Given today's interconnected business ecosystem, in which exponentially more data is
generated and shared with business partners and suppliers, an area of specific concern is
the lack of policies and due diligence regarding third parties. It is worrisome that the
focus on third-party security actually weakened in the past year in some very key areas,
even as the number of incidents attributed to these insiders increased. "We are seeing
third-party vendors as a very significant source of cyber risk," says attorney Sotto. "You
could have a moat around a heavily fortified castle, but if the bridge is down to your
vendors, then your fortifications become worthless."
Sotto says organizations should anchor their third-party due diligence on three key
practices: perform appropriate due diligence checks on vendors to ensure that they have
the ability to safeguard the information, have robust contractual protection, and conduct
ongoing monitoring to ensure the third party is protecting the data. Based on these
criteria, many respondents are behind the curve. For instance, only 50% say they perform
risk assessments on third-party vendors (down from 53% in 2013), and just 50% say they
have conducted an inventory of all third parties that handle personal data of employees
and customers. Just over half (54%) of respondents say they have a formal policy requiring
third parties to comply with their privacy policies, down from 58% in 2013.

Some of the threats and risks to the firm's accounting information system are down to both
internal and external forces, and they can also be categorized as natural or human in
origin. In most cases these risks and threats to the accounting information system can be
attributed to internal sources and are caused by human beings, not by nature. A good
example is the accidental entry of bad data by employees. In this instance individual
employees may cause the risk of huge losses through carelessness in entering data into
the system.
The intentional entry of bad data by employees is another human-origin risk to the
accounting information system. This is attributed to fraudulent and malicious employees
who might harbor thoughts of sabotaging the accountant or embezzling from the retail shop.
This risk can be attributed to demoralized staff and would eventually pose a challenge to
the accounting systems, as the accounts are bound not to balance regardless of the
inventory system used by the electronics retail shop. This is treated as a crime and is a
form of computer fraud which calls for the prosecution of the culprits.
Accidental destruction of data by employees is another frequent human-origin risk and
threat to the accounting information system. This occurs when an employee accidentally
deletes or distorts data in the accounting system, leading to the complete destruction of
such data so that it can no longer be relied on to make economic decisions. This would
occur rarely in the electronics retail shop in the UK because most of the staff are well
versed in the operation of the accounting information system. It calls for continuous
training of new employees every year to make them skilled enough to avoid accidental
destruction of data. Furthermore, the presence of a backup data system minimizes the
risks and threats posed by the accidental destruction of data by employees.
Intentional destruction of data by employees is another threat faced by the system
accountant in the electronics retail shop. This might occur rarely, as it is subject to
unethical behavior and embezzlement which can be reduced at the recruitment stage and by
subsequent ethical standards in the organization. (Abu-Musa, A. A. 2003)

Unauthorized access to the data and/or system by employees is also a risk and threat to
the accounting information system. This would rarely happen in many organizations,
especially the electronics retail shop; when it does, it is usually the result of weak
password practices.
Unauthorized access to the data and/or system by outsiders is another risk of human
origin, although it is attributed to external forces. This risk increases with the use of
electronic services such as e-business and electronic funds transfer, and it results from
hackers. The risk to the accounting information system grows with the advance of
information technology.
Employees' sharing of passwords can be a source of risk and threat to the accounting
information system. This is a very common threat because over time most employees become
friends and hence would not hesitate to share passwords with their colleagues, although
it is prohibited. It increases the risks associated with theft and improper transactions,
as one password can be used by several people to access restricted data, and it removes
accountability: the audit trail then shows only the account, not the person who used it.
It could, furthermore, lead to the exposure of trade secrets to rivals.
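Password sharing is hard to prevent technically but easy to look for: one person cannot be at two workstations at once, so overlapping sessions of the same account on different hosts are a reliable signal. The following detection script is an added example, not part of the original essay; the log format, the `login`/`logout` events, the host names and the log lines themselves are constructed assumptions about what the accounting system records.

```python
"""Detect credential sharing from authentication logs: one account with overlapping
sessions on two different workstations.

Added example, not from the page or any cited source. The log format and the lines in
SAMPLE_LOG are constructed; adapt LINE_RE to the real authentication log.
"""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: ISO timestamp, event, user, workstation
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login|logout) user=(?P<user>\S+) host=(?P<host>\S+)$"
)

# Constructed sample: jsmith is "logged in" on two desks at once; ajones is not.
SAMPLE_LOG = """\
2024-03-04T08:58:10 login user=jsmith host=WS-ACC-01
2024-03-04T09:02:44 login user=ajones host=WS-ACC-03
2024-03-04T09:15:02 login user=jsmith host=WS-ACC-07
2024-03-04T09:30:00 audit user=jsmith action=journal.post
2024-03-04T09:40:00 logout user=jsmith host=WS-ACC-01
2024-03-04T10:05:30 logout user=jsmith host=WS-ACC-07
2024-03-04T12:00:00 logout user=ajones host=WS-ACC-03
2024-03-04T13:00:00 login user=ajones host=WS-ACC-05
2024-03-04T17:30:00 logout user=ajones host=WS-ACC-05
"""


def parse_sessions(log_text: str) -> dict[str, list[tuple[datetime, datetime | None, str]]]:
    """Pair each login with the next logout of the same user on the same host.
    A login with no matching logout is still open and gets end=None."""
    open_sessions: dict[tuple[str, str], datetime] = {}
    sessions: dict[str, list] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other event types (e.g. audit records) are skipped, not fatal
        ts = datetime.fromisoformat(m["ts"])
        key = (m["user"], m["host"])
        if m["event"] == "login":
            open_sessions[key] = ts
        elif key in open_sessions:
            sessions[m["user"]].append((open_sessions.pop(key), ts, m["host"]))
    for (user, host), start in open_sessions.items():
        sessions[user].append((start, None, host))
    return sessions


def find_shared_accounts(log_text: str) -> list[tuple[str, str, str]]:
    """(user, host_a, host_b) for every pair of overlapping sessions of one account
    on two different hosts. Open sessions are treated as running until now."""
    findings = []
    for user, sess in parse_sessions(log_text).items():
        for i, (s1, e1, h1) in enumerate(sess):
            for s2, e2, h2 in sess[i + 1:]:
                if h1 == h2:
                    continue
                end1 = e1 or datetime.max
                end2 = e2 or datetime.max
                if s1 < end2 and s2 < end1:   # the two intervals overlap
                    findings.append((user, h1, h2))
    return findings


if __name__ == "__main__":
    for user, a, b in find_shared_accounts(SAMPLE_LOG):
        print(f"ALERT: account {user} active on {a} and {b} at the same time")
```

A finding is a lead, not proof: a user with two legitimately assigned workstations will trip it, so the rule should be run against the list of who is entitled to which hosts before anyone is questioned.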
Natural disasters are also potential risks and threats to the accounting information
system. Such disasters are infrequent but devastating when they do occur. Examples are
those caused by fire, water, wind, power outages, lightning and earthquakes, which lead to
the destruction of computer facilities. Disasters of human origin which can pose a risk
and threat to the accounting information system include fires, floods and explosions.
Furthermore, man-made disasters can be attributed to intentional or accidental human
actions. Most of the intentional acts which threaten the accounting information system are
crimes ranging from fraud, theft, embezzlement, extortion and larceny to mischief.
(Wood, C.; Banks, W. 1993)
The introduction of computer viruses into the system is one of the most vicious threats
to the accounting information system at the present time. This risk and threat is caused
by humans and can be carried out by both internal and external members of an
organization. It occurs as a result of hacking and the subsequent introduction of viruses
or worms which are able to interfere with the program code of the accounting information
system. Such viruses and executable programs could be attached to e-mails and other files
exchanged during electronic transactions. An example in the electronics retail shop is a
potential customer sending an enquiry with an attached virus which, when opened, distorts
the accounting system program and hence destroys the system. This is possible when
anti-virus utility programs are not installed, or are not updated regularly enough to
detect newer viruses. It could also occur when anti-virus software is not set to
automatically scan files when the system is first turned on, or when employees are not
trained to scan any external media they introduce to the system in their daily
operations.
Suppression or destruction of output is also a threat to the operations of an accounting
information system. This is where employees who are suspected of corrupt malpractice in
the organization enter the system and destroy any traces of their illegal activity,
leading to the destruction of the output.
The creation of fictitious or incorrect output is another internally generated risk and
threat to the accounting information system. This occurs rarely where periodic checks and
monitoring are done. It is also the result of unethical employees who want to cover up
some ills or to benefit from some perceived outputs. An example in the electronics retail
store is a line manager who wants a pay rise or promotion and hence creates fictitious
output showing that he exceeded targets when in reality he did not.
Theft of data or information from the accounting system is also a big threat to the
security of the accounting information system. This occurrence is rare in many
organizations but more likely in industries with intense competition, because such rivals
would go to great lengths to steal data and information in order to gain a competitive
edge. An example of this threat is competitors of the electronics retail store employing
hackers to steal accounting information which can be used to beat them in the electronic
markets.
Unauthorized copying of output is another threat to the security of the accounting
information system. It can be used by a corrupt official to carry out insider trading, as
unpublished accounting information can be copied and used to inform trading in the
company's shares.
Unauthorized document visibility of the company's information may be another threat to
the security of accounting information systems. This is often low in many organizations
due to stringent measures to control visibility. When it happens it takes the form of
information displayed on monitors or left on printed paper, and it could threaten the
public image of an organization.
The unauthorized printing and distribution of data or information is a human-origin
threat and risk to the security of the accounting information system. This is where some
or all of the accounting information is printed or distributed without due authorization,
resulting in such information falling into the wrong hands and hence posing a threat to
the operations of the organization. For example, in the case of the electrical appliances
store, a junior member of staff might print future budget predictions without the
authority of his supervisor, compromising the security of the company's budget
information.
Directing prints and distributed information to people not entitled to receive them is
also a threat to the security of the accounting information system and could lead to a
bad reputation, as the customers and other stakeholders involved with the firm lose
trust. This is down to carelessness and lack of thoroughness by employees and could
involve the distribution of invoices and other confidential documents to the wrong
recipients. An example of this threat in the electronics retail store is employees
mailing invoices to the incorrect addresses, leading to the distribution of information
to people who are not entitled to receive it.
Instances where sensitive documents are handled by non-security-cleared personnel for
shredding are also a threat to the security of the accounting information system.
Although technology has reduced paper use in accounts, there are still some instances of
its use. The destruction or shredding of such paper calls for security, so when such
documents are handled by non-cleared personnel it becomes a risk to the accounting
information system.
Interception of data transmissions is also a major security threat to accounting
information systems; it is of human origin and is credited to forces external to the
organization. This occurs where competitors and other criminal elements breach the
information system such that they are able to intercept data transmissions before they
reach the recipients. E-mail, for instance, travels in the clear unless it is encrypted,
so it can be read by anyone positioned on the network path between sender and recipient.
The second part of the answer is acknowledging that the security of electronic
information, especially in the retail chain, has become a critical concern for the
success of the accounting department. This calls for a concerted effort by scholars,
managers, accountants and auditors to be aware of emerging threats and thus put security
measures in place to keep the accounting information systems safe. Safeguarding
proprietary and personal information is a big challenge with today's digital technology
and calls for a lot of integrity on the part of employees as well as a secure accounting
information system.
The implementation of an effective information system calls for the provision of
reasonable assurance that the accounting information system is able to produce relevant
and reliable information to meet both internal and external reporting needs. Whether a
security system exists or not, internal control must be a top priority. The policies and
procedures should always require the maintenance of records that accurately detail and
fairly reflect transactions and the dispositions of assets; provide reasonable assurance
that transactions are being recorded properly; ensure that receipts and expenditures are
made only in accordance with proper authorization; and finally provide reasonable
assurance regarding the prevention or timely detection of unauthorized acquisition, use
or disposition of assets that could have a material effect on the company's financial
statements.
The most crucial steps that need to be undertaken to secure the accounting system from
risks and threats are to identify, implement and monitor the basic system requirements
and custom, sustainable solutions for both the general and the unique security challenges
associated with an unbounded electronic enterprise in a technologically rich environment.
These would mainly involve policies and procedures related to the security of e-mail,
passwords and usage; installation of antivirus and antispyware solutions; secure
firewalls; authorized access; authentication; separation of duties; privacy; encryption;
digital signatures and certificates; non-repudiation; data integrity; storage; backup
files and tapes; and other emerging threats and technologies. More importantly, the
establishment of the right tone at the top of management with respect to privacy and
security, as well as the hiring of vigilant, ethical employees, would be essential in
securing the accounting information system against dangerous threats.
A control procedure or mechanism that can be employed to address the risks and threats to
the accounting information of the electronics retailer is the use of system privileges
and layered password protection. This would cover the network environment and the
operating system for all users, each with its own flaws. The company faces potential
threats from almost every side, such as abuse of power by system personnel, unauthorized
personnel carrying out operations, and illegal access from outside the system.
The accounting software that is put in place must therefore have a complete authorization
scheme and strong password protection, so that it can play its full role and allow
accountants to publish information while the accounting system remains protected. It is
essential that it does the following: protect the computer equipment; prevent anyone
other than designated personnel from operating the financial software, to ensure the
security of the machine's programs and data; permit only the designated machine operator
to work in the accounting software, with permissions restricted to the content each
operator needs; manage passwords strictly, with regular changes of each operator's
password; use the password to limit operating authority and to check the operator's
identity; and manage each person's password so as to ensure the security of the whole
system (Haugen, S.; Selin, R. 1999). This measure would prevent unauthorized personnel
from operating the accounting software. When an operator leaves the machine, the software
should prompt him to perform the appropriate exit command, so that the password defence
is not lost and no opportunity is given for other personnel to operate under his
identity. When done in the retail company according to the actual situation of its
units, the system should save operating records (the operator, the operating time and the
operation content) in the software's log management, so that a log audit can be carried
out against the process that was actually performed.
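The controls this passage describes, and the "suppression or destruction of output" threat described earlier (an employee deleting the trace of their own activity), can be implemented together in a small access-control layer. The following is an added example, not code from the page or from the sources it cites: per-operator salted password hashes with a maximum password age, role permissions that keep posting and approval in different hands (separation of duties), an idle-session timeout for an operator who walks away without exiting, and an operation log of operator, time and action that is hash-chained so that a deleted or edited record shows up in the log audit. The roles, the permission names, the 90-day and 15-minute limits and the sample operator are assumptions.

```python
"""Operator authentication, role permissions, idle-session expiry and a hash-chained
audit log for an accounting application. Added example, not code from the page or any
cited source: roles, the 90-day password age and the 15-minute idle limit are assumed
policy values; passwords are hashed with PBKDF2-HMAC-SHA256 from the standard library."""
from __future__ import annotations
import hashlib, hmac, json, os
from datetime import datetime, timedelta

PASSWORD_MAX_AGE = timedelta(days=90)  # assumed policy: rotate operator passwords every 90 days
IDLE_LIMIT = timedelta(minutes=15)     # assumed policy: close a session left idle this long
# Assumed role model: whoever posts a journal can never be the one who approves it
ROLE_PERMISSIONS = {"clerk": {"journal.post", "report.view"},
                    "approver": {"journal.approve", "report.view"}}

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only; each record commits to the previous record's hash, so deleting or
    editing an entry to hide activity breaks the chain and shows up in a log audit."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, user: str, action: str, when: datetime) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"user": user, "action": action, "time": when.isoformat(), "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

class AccountingSystem:
    def __init__(self) -> None:
        self.operators: dict[str, dict] = {}                 # user -> role, salt, hash, set_at
        self.sessions: dict[str, tuple[str, datetime]] = {}  # token -> (user, last activity)
        self.audit = AuditLog()

    def add_operator(self, user: str, role: str, password: str, now: datetime) -> None:
        salt = os.urandom(16)
        self.operators[user] = {"role": role, "salt": salt, "hash": hash_password(password, salt), "set_at": now}

    def login(self, user: str, password: str, now: datetime) -> str | None:
        op = self.operators.get(user)
        if op is None or not hmac.compare_digest(hash_password(password, op["salt"]), op["hash"]):
            self.audit.append(user, "login.failed", now)
            return None
        if now - op["set_at"] > PASSWORD_MAX_AGE:   # stale password: refuse until it is changed
            self.audit.append(user, "login.password_expired", now)
            return None
        token = os.urandom(8).hex()
        self.sessions[token] = (user, now)
        self.audit.append(user, "login.ok", now)
        return token

    def perform(self, token: str, action: str, now: datetime) -> bool:
        # Run `action` only if the session is live and the role permits it; log every outcome
        if token not in self.sessions:
            return False
        user, last = self.sessions[token]
        if now - last > IDLE_LIMIT:   # operator left the machine without logging out
            del self.sessions[token]
            self.audit.append(user, "session.expired", now)
            return False
        if action not in ROLE_PERMISSIONS[self.operators[user]["role"]]:
            self.audit.append(user, "denied:" + action, now)
            return False
        self.sessions[token] = (user, now)
        self.audit.append(user, action, now)
        return True

def run_demo() -> dict[str, bool]:
    # Exercise each control on a constructed operator; returns which checks held
    t0 = datetime(2024, 3, 4, 9, 0)
    acc = AccountingSystem()
    acc.add_operator("clerk1", "clerk", "S3cret!pass", t0)
    tok = acc.login("clerk1", "S3cret!pass", t0)
    results = {
        "bad_password_rejected": acc.login("clerk1", "wrong", t0) is None,
        "clerk_can_post": acc.perform(tok, "journal.post", t0 + timedelta(minutes=1)),
        "clerk_cannot_approve": not acc.perform(tok, "journal.approve", t0 + timedelta(minutes=2)),
        "idle_session_closed": not acc.perform(tok, "report.view", t0 + timedelta(minutes=30)),
        "old_password_rejected": acc.login("clerk1", "S3cret!pass", t0 + timedelta(days=91)) is None,
        "log_intact": acc.audit.verify(),
    }
    acc.audit.entries.pop(2)   # an insider deletes the record of the journal posting
    results["tampering_detected"] = not acc.audit.verify()
    return results

if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check:24s} {'PASS' if ok else 'FAIL'}")
```

The hash chain makes deletion detectable, not impossible: an insider with write access to the log store can still truncate the tail. Anchoring the latest hash somewhere the operator cannot write (a separate log server, a signed daily digest kept by the auditor) closes that gap.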

An accounting information system is

If the company were to suffer from issues related to its ICT, such as failure of online
payments, failure of IT services/processes, or a disruption of power for any number of
reasons, the cost could be severe. There is a high risk of any of these events occurring,
so measures need to be put in place to limit the financial cost to the business. Disaster
contingency and recovery planning (DCRP) can provide a cohesive plan of procedures to be
implemented in order to limit the impact of the hazard. It does this by minimising the
overall impact of any adverse incident and ensuring the business continues its daily
operations to the best of its capability.
The DCRP consists of a prevention protocol and a recovery protocol. The prevention
protocol would consist of a DCM system which would retain the necessary changes in the
firm to initiate the DCRP; the disaster contingency backup procedure would maintain the
safe storage of the company's assets and information.
After the event a recovery protocol would be initiated, in which a disaster contingency
emergency protocol provides the procedures and protocols to be followed during and after
the event.
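The backup side of the DCRP only limits losses if a restore from the backup can be trusted, which is why recovery drills belong in the prevention protocol. The script below is an added example, not from the page or any cited source: it writes a hash manifest with every backup, verifies a backup before restoring from it, and refuses a copy that has been corrupted or altered. The ledger files, the directory layout (a second directory stands in for offline or off-site media) and the simulated corruption are constructed.

```python
"""Backup with an integrity manifest and a verified restore, so a corrupted or tampered
backup is noticed in a drill rather than in the middle of a disaster.

Added example, not from the page or any cited source. The ledger files and directory
layout are constructed; a real DCRP would write to offline or off-site media (modelled
here as a second directory) and run this check on a schedule.
"""
from __future__ import annotations
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(source: Path, dest: Path) -> dict[str, str]:
    """Copy every file under `source` into `dest` and record a hash of each copy."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest: dict[str, str] = {}
    for f in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = f.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, target)
        manifest[rel] = sha256_file(target)   # hash what was written, not the source
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify(root: Path, manifest: dict[str, str]) -> list[str]:
    """Relative paths that are missing from `root` or whose content no longer matches."""
    return [rel for rel, digest in manifest.items()
            if not (root / rel).is_file() or sha256_file(root / rel) != digest]


def restore(dest: Path, target: Path) -> bool:
    """Rebuild `target` from the backup in `dest`; refuse if the backup does not verify."""
    manifest = json.loads((dest / MANIFEST).read_text())
    if verify(dest, manifest):
        return False          # never rebuild the ledger from data known to be bad
    for rel in manifest:
        out = target / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / rel, out)
    return verify(target, manifest) == []   # confirm the restored copy as well


def run_demo() -> dict[str, bool]:
    """Constructed scenario: two backups, one silently corrupted, restore from the good one."""
    with tempfile.TemporaryDirectory() as tmp:
        live, bak_a, bak_b, rebuilt = (Path(tmp) / n for n in ("live", "bak_a", "bak_b", "rebuilt"))
        (live / "2024").mkdir(parents=True)
        (live / "ledger.csv").write_text("date,account,debit,credit\n2024-03-04,4000,0,150.00\n")
        (live / "2024" / "journal.csv").write_text("id,memo\n1,opening balance\n")
        m_a = backup(live, bak_a)
        m_b = backup(live, bak_b)
        fresh_ok = verify(bak_a, m_a) == [] and verify(bak_b, m_b) == []
        # Copy A suffers bit rot, or an insider edits it: one figure changes
        (bak_a / "ledger.csv").write_text("date,account,debit,credit\n2024-03-04,4000,0,159.00\n")
        return {
            "fresh_backups_verify": fresh_ok,
            "corruption_detected": verify(bak_a, m_a) == ["ledger.csv"],
            "restore_from_bad_refused": restore(bak_a, rebuilt) is False,
            "restore_from_good_ok": restore(bak_b, rebuilt)
            and (rebuilt / "ledger.csv").read_bytes() == (live / "ledger.csv").read_bytes(),
        }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check:26s} {'PASS' if ok else 'FAIL'}")
```

The manifest lives next to the backup here for simplicity; an attacker who can edit the backup can edit the manifest too, so in practice the manifest (or a signature over it) is kept separately from the media it describes.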
In order for this to be successful the company must possess a thorough understanding of
the business's past and likely future predicaments. This will make the DCRP more
effective and limit the loss Company A makes as a result of lost

Unintentional errors are mistakes due to inattention or ignorance.

The quality of data in accounting information systems has a significant impact on both
internal business decision making and external regulatory compliance (Bai, Nunez and
Kalagnanam, 2012).