ISSN: 2225-8329
Open access
Cyber criminals continue to target organizations’ accounting information, mostly because of its sensitivity and high value. The resulting losses are devastating, affecting the confidentiality, integrity, and availability of that information. General Information Technology Controls related to computer operations (GITC-CO) are critical in ensuring the security, integrity, completeness, and reliability of accounting information. Per the literature reviewed, traditional methodologies do not necessarily promote an effective assessment of these types of controls in organizations: required controls may go unimplemented, and unnecessary controls may be retained rather than excluded. The aim of this research is to develop an assessment methodology, based on Grey Systems Theory, that adequately addresses the weaknesses identified in traditional assessment methodologies and so yields a more accurate selection of controls. Through a case evaluation, the approach proved successful in providing a more precise and complete evaluation of GITC-CO in organizations.
In-Text Citation: (Otero, 2021)
To Cite this Article: Otero, A. R. (2021). Accounting Environment: Ranking of Internal Controls to Safeguard Accounting Information and its Integration with IT Operations. International Journal of Academic Research in Accounting Finance and Management Sciences, 11(3), 283–302.
Copyright: © 2021 The Author(s)
Published by HRMARS (www.hrmars.com)
This article is published under the Creative Commons Attribution (CC BY 4.0) license. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this license may be seen at: http://creativecommons.org/licences/by/4.0/legalcode