This paper discusses accounting information system (AIS) attacks and failures and who is to blame. I will also discuss the following related topics, in this order. First, I will take a position on whether a company and its management team should or should not be held liable for losses sustained in a successful attack made on their AIS by an outside source. Second, I will suggest who should pay for the losses, to whom, and why. Third, I will give my opinion on the role, if any, the federal government should have in deciding and enforcing remedies and punishment.
Finally, I will evaluate how the AIS itself does or does not contribute to the losses.

A Company and Its Management Team Should Be Held Liable for the Losses

According to the Control Objectives for Information and Related Technology (COBIT) framework and the Trust Services framework, achieving an organization's business and governance objectives requires adequate control over IT resources. IT processes must be properly managed and controlled in order to produce information that satisfies seven criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability.
These IT processes are grouped into the following four management activities, or domains (Romney & Steinbart, 2012):
1. Plan and Organize (PO)
2. Acquire and Implement (AI)
3. Deliver and Support (DS)
4. Monitor and Evaluate (ME)
Management should develop a plan to organize information resources so that they provide the information it needs. It then authorizes and oversees efforts to acquire the desired functionality or technology solutions. Management also performs a number of activities to ensure that the resulting system actually delivers the desired information.
Finally, there is a need for constant monitoring and evaluation of performance against established criteria. Besides its responsibility to manage and control IT, management is also responsible for the security and reliability of the entire accounting information system (AIS). This is because security is primarily a management issue, not a technology issue. The accuracy of an organization's financial statements depends upon the reliability of its information systems, and information security is the foundation for system reliability.
Therefore, information security is first and foremost a management issue, not an information technology issue. In other words, management plays a crucial role in information security. These roles are as follows:
1. Create and foster a proactive, security-aware culture.
2. Define the information architecture and place a value on the organization's information resources.
3. Assess risk and select a risk response.
4. Develop and communicate security plans, policies, and procedures.
5. Monitor and evaluate the effectiveness of the organization's information security program.
In addition, management and the organization have a responsibility to employ multiple layers of control and the time-based model of information security in order to avoid having a single point of failure. For tactical and daily management of security, most organizations follow the principle of defense-in-depth and employ multiple preventive, detective, and corrective controls (Romney & Steinbart, 2012).
Another important role that a company and its management should consider is preserving confidentiality and privacy. Organizations possess a lot of sensitive information, including strategic plans, trade secrets, cost information, legal documents, and process improvements. Preserving the confidentiality of the organization's intellectual property is therefore a basic objective of information security. Protecting the privacy of customers' information is equally important. That means a company and its management team are also responsible for protecting confidentiality and for implementing privacy controls.
If they fail in these roles, as well as the roles enumerated above, they should be held accountable for the failure or for the successful attack made on their AIS. Therefore, as the above analysis shows, a company and its management team should be held liable for losses sustained in a successful attack made on their AIS by outside sources.

The Organization Should Pay for the Losses

As mentioned above, a company and its management team should be accountable for the losses sustained in a successful attack made on their AIS by outside sources.
All employees and the management team belong to the company they work for. Therefore, any failure by the management team or an employee is a failure of the company or organization as a whole. In particular, breaches of security and violations of privacy always have very serious consequences for organizations. The two major privacy-related concerns are spam and identity theft. Spam is unsolicited e-mail that contains either advertising or offensive content. Spam not only reduces the efficiency benefits of e-mail but is also a source of many viruses, worms, spyware programs, and other types of malware.
To deal with this problem, the US Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act in 2003. According to the Federal Trade Commission (FTC), each separate e-mail in violation of the CAN-SPAM Act is subject to penalties of up to $16,000. Identity theft is the unauthorized use of someone's personal information for the perpetrator's benefit. Identity theft is often a financial crime and is a growing concern. Organizations have a role to play in preventing identity theft, because customers entrust them with personal information.
Organizations benefit economically from having access to that information. On top of the legal consequences, organizations have an ethical and moral obligation to implement controls to protect the personal information that they collect from and about their customers. In general, concern about spam, identity theft, and individual privacy has resulted in numerous federal government regulations. If organizations fail to comply with these laws and regulations, they should be liable for the financial and moral damages they cause.
Therefore, organizations, which own the AIS, must pay for the losses of the victims who suffered financial and moral damages.

The Federal Government Should Have a Role in Deciding and Enforcing Remedies and Punishment

By definition, accounting is an information system, since an AIS collects, records, stores, and processes accounting and other data to produce information for decision makers (Romney & Steinbart, 2012). That means some federal government accounting and auditing regulations are directly or indirectly applicable to the accounting information system. The Sarbanes-Oxley Act (SOX) of 2002 is one of them.
In the late 1990s and early 2000s, news stories reported frauds at Enron, WorldCom, Xerox, Tyco, Global Crossing, Adelphia, and other companies. In response to these frauds, the US Congress passed SOX in 2002. SOX applies to publicly held companies and their auditors and was designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud (Romney & Steinbart, 2012). The accuracy of an organization's financial statements depends upon the reliability of its information system.
That is why Section 302 of SOX requires the CEO and CFO to certify that the financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading, and that the auditors were told about all material weaknesses in internal controls and all fraud. If management knowingly violates these rules, they can be prosecuted and fined. As the above analysis shows, SOX is one of the regulations applicable to the accounting information system. Therefore, the federal government should have a role in deciding and enforcing remedies and punishment in such cases. There are also other privacy-related regulations.
These regulations were passed by Congress in order to protect against privacy violations and in response to accounting information system attacks. In addition to the CAN-SPAM Act discussed above, a number of federal regulations, including the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and the Financial Services Modernization Act, impose specific requirements on organizations to protect the privacy of their customers' personal information (Romney & Steinbart, 2012).
Therefore, these are some of the other cases in which the federal government should have a role in deciding and enforcing remedies and punishment with regard to violations involving an accounting information system.

Evaluation of AIS (with Respect to Losses)

An accounting information system by itself does not contribute to any meaningful losses. Organizations suffer heavy accounting losses only when their information security and processing integrity are compromised.
Information security is the foundation for system reliability. If organizations have the right management teams, ones that ensure information security and system reliability (as discussed under the first topic above), information technology would not be a problem by itself. That is why information security is primarily a management issue, not an information technology issue. Therefore, organizations and their management teams are responsible for any AIS losses.
Conclusions

The analysis presented above supports the following conclusions:
* A firm and its management team should be held liable for losses sustained in a successful attack made on their AIS by outside sources.
* Organizations, which own the AIS, must pay for the losses of the victims who suffered financial and moral damages.
* The federal government should have a role in deciding and enforcing remedies and punishment with regard to violations involving an accounting information system.