HACKING THE ACCOUNTING INFORMATION SYSTEM
28 Aug. 13
Responsibility of the Company
Accounting systems record business transactions. These records can be initiated and maintained through either computerized or manual record keeping, and each approach has its own features. Manual systems are expensive in terms of cost and time, but they are good for understanding the underlying principles of accounting, and controls such as segregation of duties can be applied to them. Computerized accounting systems, in contrast, are fast. They do not make arithmetic mistakes, because the information only has to be entered in the first step; the other steps, such as maintaining the different ledgers and accounts, are performed from the initially stored information, so subsequent errors are unlikely.
Computerized systems are faster not in making calculations but in the way they retrieve stored data. They are used by most modern organizations, and they carry complex risks, the most significant of which is the risk of hacking. Because the information only needs to be entered at the initial stage and is then processed in a centrally maintained system, access to the system means complete access to the company's information. Therefore, the management of the company must take measures to mitigate the risk of hacking of the accounting information system. Typical control measures include the control environment, risk assessment, information and communication, control activities, and monitoring (Needles, Powers, & Crosson, 2010). The company's history of hacking and fraud can point to the weaknesses in the system, and so the control environment of the company can provide guidelines for implementing any changes or control measures. The risk assessment relevant to the nature of the business and of its transactions must also be documented, and the relevant corporate governance framework must be implemented to ensure the effective working of the company and its systems.
The company's management has a legal responsibility to protect its assets, including informational assets, for example against the unauthorized disclosure of financial information. The protection is not limited to unauthorized access, however; the company is also responsible for the manipulation, damage, and disclosure of information (Gelinas, Dull, & Wheeler, 2010). Hacking of the accounting information system can result in damage to, manipulation of, and loss of data; the company may not be able to maintain the records of its business transactions, and it may be subject to legal consequences. Therefore, the core responsibility for preventing the risk of fraud and unauthorized access is held by the company itself.
The finance department of the company is responsible for fraud detection and prevention, and in this category hacking is the most significant threat to the company. The reason for hacking may be industrial espionage: data on products and financial position can be accessed by competitors, which weakens the position of the company (Mumford, 1999). The accounting function is maintained by the department of finance and accounting, which has to deal with the security threats. For this purpose the finance department recommends internal controls, and recommendations from the audit can be used to implement effective measures for the prevention of fraud.
The hacking of the system can be either deliberate or unintentional. Deliberate access may come from competitors, stakeholders of the company, or the service provider. The purpose of deliberate unauthorized access to the information security system is to gain knowledge of predicted future share prices or the chemical formula of a product, or to manipulate data in order to commit fraud or to cover up an existing fraud. The risk assessment should be made at each level, and the consequences of unauthorized access must be assessed. The IT department must work in collaboration with the information security service provider, and the service provider must be carefully selected to prevent any mishap in future. The selection must be based on the service provider's compliance with the corporate governance guidelines, and the relevant system upgrades and licensing must be monitored and evaluated regularly. The expiration of the service provider's licensing may expose the system to security threats, and it also reduces the effectiveness of the system.
The risks increase in the case of a third party: the service provider can also commit the hack, and can manipulate its own invoices and may overstate the. Businesses have to rely on external service providers or a third party when off-the-shelf software is not suitable for the business because of its size or complexity. In the case of outsourcing, the business fixes responsibility by hiring a database administrator; the database approach enables the firm to make one person responsible for data management and security, and this person, the database administrator, holds the ultimate responsibility (Perry & Newmark, 2011). For managing the tasks related to cooperation between the company and the third party, the network administrator is held responsible for ensuring the secure state of the system. The network administrator has command over the internal network, i.e. the centralization of the company's internal computer systems, and also over the external network, which links the company with the outside world through the internet.
The risks of fraud, error, or hacking are high in organizations where the code of ethics or the internal controls are not correctly applied (Turner & Weickgenannt, 2008). Internal controls are necessary, and for this purpose there must be application controls over the accounting software, and the physical assets should also be safeguarded against unauthorized access. The accounting information must be documented against the source document and must be externally verified in case of any discrepancy. The sequence of discrepancies can predict the potential risk and reveal any existing hacking of the system. The internal controls implement the systematic nature of controls on the software.
Information security relates to the protection of information against loss, damage, or disclosure, and its purpose is to reduce the business risks related to damage to information (Gertz, 2003). Information security helps the business protect its assets, here the information that is reflected in the financial information; hacking of this information can manipulate the data, and then the financial information will not be true and fair. This hacking can be detected through statistical analysis of the information and by checking the information against evidence such as the initial invoice or the hard copies of the source documents. The other purpose of hacking is more dangerous: the espionage of information for industrial use. This intrusion cannot be detected through statistical analysis, as its purpose is not to manipulate the information but to copy it for competitive advantage, and when it goes undetected it is more dangerous than the manipulation of data with regard to system security.
Internal controls and application controls can help in reducing the risk of hacking. Hacking is unauthorized access, and it may be due to physical access to the computer system, theft of a password, or remote access. The IT department, the accounting department, and the correspondents of the accounting information service provider must put effective controls over access to the system. The systems and data are vulnerable to hacking and unauthorized access, so protecting the information requires a systematic approach, based on risk assessment and on controls put in place to mitigate the risks (Collier & Agyei-Ampomah, 2008). Access to the computer should be controlled by applying hierarchical passwords, and the risk should be distributed to prevent the manipulation of data; for this purpose, backups must be maintained. Data can be damaged not only by hacking but also by an environmental incident such as fire or flood, so this measure protects against both unauthorized access and hacking of the information.
Access to the data must be secure, and the officials should be allowed access. Access to the data by an employee from a remote laptop can expose the data to serious risks. An employee with remote access opens the door to the complementary threats related to his or her own system, and this risk is added to the company's risk, in addition to the specific risk of the particular employee accessing the data.
Access to the systems, and specifically remote access, should be authorized; the systems should comply with regulations and standards, and this compliance should be tested regularly; the systems should include antivirus software and an intrusion detection system (Collier & Agyei-Ampomah, 2005). The implementation of application controls must be evaluated regularly to ensure that the system works to prevent any accounting hack. An accounting hack will result in the theft or loss of information, which can be caused by a virus or malicious software. In addition to the internal controls, a detection system must be in place to root out any malicious software or virus, and the sources of these risks must be assessed to prevent the hack.
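The check against source documents described in the paragraphs on internal controls and information security above can be sketched as follows. This is an added example, not part of the original essay; the invoice numbering scheme, the sample figures and the function names are assumptions, and the gap check on invoice numbers goes one step beyond what the text states.

```python
from decimal import Decimal

# Constructed sample data: invoice amounts as captured from the source documents.
SOURCE_INVOICES = {
    "INV-1001": Decimal("1200.00"),
    "INV-1002": Decimal("450.50"),
    "INV-1003": Decimal("980.00"),
    "INV-1005": Decimal("310.25"),
}

# Constructed sample data: the same period as read back from the ledger.
LEDGER_ENTRIES = [
    ("INV-1001", Decimal("1200.00")),
    ("INV-1002", Decimal("4500.50")),  # amount differs from the source document
    ("INV-1003", Decimal("980.00")),
    ("INV-1005", Decimal("310.25")),
    ("INV-1006", Decimal("7600.00")),  # no source document on file
]


def reconcile(ledger, source):
    """Compare ledger entries with source documents and return the discrepancies."""
    findings = []
    seen = set()
    for ref, amount in ledger:
        seen.add(ref)
        if ref not in source:
            findings.append((ref, "no source document"))
        elif source[ref] != amount:
            findings.append((ref, f"amount {amount} != source {source[ref]}"))
    # Source documents that never reached the ledger are discrepancies too.
    for ref in sorted(set(source) - seen):
        findings.append((ref, "source document not posted to ledger"))
    return findings


def sequence_gaps(refs, prefix="INV-"):
    """Return invoice numbers missing from an otherwise consecutive series."""
    numbers = sorted(int(r[len(prefix):]) for r in refs if r.startswith(prefix))
    if not numbers:
        return []
    present = set(numbers)
    return [f"{prefix}{n}" for n in range(numbers[0], numbers[-1] + 1)
            if n not in present]


if __name__ == "__main__":
    for ref, reason in reconcile(LEDGER_ENTRIES, SOURCE_INVOICES):
        print(f"{ref}: {reason}")
    print("gaps in source series:", sequence_gaps(SOURCE_INVOICES))
```

Each finding is a starting point for external verification of that entry. A clean reconciliation says nothing about whether the data was copied.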
Collier, P. M., & Agyei-Ampomah, S. (2008). Management Accounting Risk and Control Strategy. Elsevier.
Collier, P., & Agyei-Ampomah, S. (2005). Management Accounting-Risk and Control Strategy. Elsevier.
Gelinas, U. J., Dull, R. B., & Wheeler, P. R. (2010). Accounting Information Systems. Cengage Learning.
Gertz, M. (2003). Integrity and Internal Control in Information Systems V. Springer.
Mumford, E. (1999). Dangerous Decisions: Problem Solving in Tomorrow’s World. Springer.
Needles, B. E., Powers, M., & Crosson, S. V. (2010). Financial & Managerial Accounting. Cengage Learning.
Perry, J. T., & Newmark, R. (2011). Building Accounting Systems Using Access 2010, 8th ed. Cengage Learning.
Turner, L., & Weickgenannt, A. (2008). Accounting Information Systems: Controls and Processes. John Wiley & Sons.