Accounting Environment: Ranking of Internal Controls to Safeguard Accounting Information and its Integration with IT Operations

Cyber criminals continue targeting organizations' accounting information, mostly because of its sensitivity and high value. This leads to devastating losses that impact the confidentiality, integrity, and availability of such information. General Information Technology Controls related to computer operations (GITC-CO) are critical in ensuring the security, integrity, completeness, and reliability of accounting information. Based on the literature reviewed, traditional methodologies do not necessarily promote an effective assessment of these types of controls in organizations, which can lead to required controls being omitted and/or unnecessary controls being implemented. The aim of this research is to develop an assessment methodology, based on Grey Systems Theory, that adequately addresses the weaknesses identified in traditional assessment methodologies, resulting in a more accurate selection of controls. Through a case evaluation, the approach proved successful in providing a more precise and complete evaluation of GITC-CO in organizations.


Introduction
Cyber criminals continue targeting organizations' accounting information, mostly because of its high value. In fact, by the year 2021, the global cost of cybercrime is estimated to reach $6 trillion (Cybercrime Damages, 2016; Otero & Fink, 2020). Such constant attacks lead to devastating losses resulting in the loss of confidentiality, integrity, and availability of sensitive accounting information (Kuhn & Morris, 2017; Ponemon, 2016). Examples of sensitive accounting information that is constantly attacked, based on Tucker (2018), include transactions associated with globalization, intercompany trades, and mergers and acquisitions, as these transactions create major risks related to financial and regulatory reporting. A 2016 survey conducted by the Sarbanes-Oxley Act of 2002 (SOX) & Internal Controls Professionals Group suggested that increasing the focus on cyber and information technology (IT) controls around accounting software systems was a top priority for organizations seeking to protect their information (SOX & Internal Controls Professionals Group, 2017). Figure 1 shows primary attack points for

Literature Review
According to Barnard and Von Solms (2000), the process of identifying effective GITC-CO in organizations has been a challenge in the past. For instance, risk analysis and management (RAM) has been recognized in the literature as an effective approach to identify GITC-CO (Barnard & Von Solms, 2000). RAM consists of performing business analyses to determine information security requirements (Barnard & Von Solms, 2000). GITC-CO are then put into place to mitigate the risks resulting from the analyses performed. RAM, however, has been described as a subjective, bottom-up approach (Van der Haar & Von Solms, 2003), not necessarily taking into account unique organizational constraints.
The use of best practice frameworks is another approach widely used by organizations to introduce minimum controls (Barnard & Von Solms, 2000). Saint-Germain (2005) states that best practice frameworks assist organizations in identifying appropriate GITC-CO. Some best practices include: Control Objectives for Information and related Technology (COBIT); Information Technology Infrastructure Library (ITIL); the National Institute of Standards and Technology (NIST); and the Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE). Da Veiga and Eloff (2007) mentioned other best practice frameworks that have also assisted in the identification and selection of GITC-CO, such as International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27001 and 27002 and the Capability Maturity Model (CMM).
Selecting effective GITC-CO from best practice frameworks can be challenging. Van der Haar and Von Solms (2003) state that best practice frameworks leave the choice of controls to the user, while offering little guidance in determining the best controls to provide adequate protection for the particular business situation. Additionally, frameworks do not take into consideration organization-specific constraints such as costs of implementation, scheduling, and resource constraints, to name a few. Other less formal methods, like ad hoc or random approaches, could lead to the inclusion of unnecessary controls and/or the exclusion of required controls (Barnard & Von Solms, 2000).
In a different study, a model was developed for defining and recommending legal requirements and relevant controls (Gerber & Von Solms, 2008). Legal information security requirements resulted from a legal compliance questionnaire combined with a matrix that mapped legal aspects within each of the proposed legal categories to all related ISO/IEC 27002 controls. Following determination of the legal requirements, a list of relevant controls from the ISO/IEC 27002 framework, including GITC-CO, was produced to satisfy the previously identified legal requirements. Nonetheless, as evidenced earlier, selection of controls from best practice frameworks like ISO/IEC 27002 offers minimum guidance in determining effective controls for a particular organization (Van der Haar & Von Solms, 2003).
In Otero, Otero, and Qureshi (2010), an innovative control evaluation and selection approach was developed, particularly for information security GITC-CO, to help decision makers select the most effective ones in resource-constrained environments. The approach used desirability functions to quantify the desirability of each control after taking into account the benefits and restrictions associated with implementing the particular control (Otero, Sonnenberg & Delgado-Perez, 2020). Through a case study, the approach proved successful in providing a way to measure the quality of information security GITC-CO in organizations. However, the boolean criteria the authors used for evaluating the quality attributes of controls, to ultimately determine which ones to select, may not be considered a precise enough assessment for selecting and implementing controls in organizations.
Another common method used to select GITC-CO in organizations is through checklists. Chen and Yoon (2010) used checklists as a framework to identify common GITC-CO, including information security risks, within cloud-based organizations. Numerous information security checklists have been proposed and used over the years (Baskerville, 1993). Their importance, according to Dhillon and Torkzadeh (2006), has been focused on identifying "all possible threats to a computer system and propose solutions that would help in overcoming the threat" (p. 294). However, Dhillon and Torkzadeh (2006) stress that the significance of information security checklists has declined simply "because they provide little by way of analytical stability" (p. 294). Even though checklists may be viewed as a good means to ensure information security, exclusive reliance on them could result in a flawed information systems security strategy.
In Otero (2015b), a methodology was developed using fuzzy set theory to address weaknesses in the existing literature pertaining to the evaluation of GITC-CO in organizations' financial systems. The methodology resulted in a more effective selection of controls and enhanced information security in organizations (Otero, 2015b; Otero, 2020; Otero, Tejay, Otero, & Ruiz, 2012). Due to convenience and availability, the research performed by Otero (2015b) involved a single university located in the southeast U.S. within the schools, universities, and non-profit industry. However, further similar studies must be performed at organizations in other locations, or of different sizes and industry types, in order to generalize the findings in a broader scope. Also, the design-science research (DSR) method used to develop the methodology represents a limitation, given the rapid advances in technology that can potentially upset its results before they are implemented successfully in organizations (Hevner, March, Park, & Ram, 2004).
In Rahimian, Bajaj, and Bradley (2016), an Operational, Public image, Legal (OPL) method was proposed, using DSR, to classify the security criticality of the organization's data along three dimensions (i.e., operations, public image, and the firm's compliance). Through an empirical study, the authors demonstrated how the OPL method allowed for a quantitative estimation of the significance of existing GITC-CO, as well as the risk of missing controls. Questionnaires were completed by senior information security officers and internal auditors, supporting the developed model and its acceptability and usefulness in the organization. Nonetheless, the significance of information security checklists or questionnaires has declined simply "because they provide little by way of analytical stability" (Dhillon & Torkzadeh, 2006, p. 294). Moreover, Backhouse and Dhillon (1996) argued that although checklists or questionnaires draw attention to particular details of procedures, they do not completely address the key task of understanding the substantive questions.
Another research study, from Al-Safwani, Fazea, and Ibrahim (2018), developed a GITC computer information security prioritization model to determine critical controls consistent with an assessment criterion. The model used techniques from the Technique for Order Preference by Similarity to Ideal Solution (TOPSIS) method (a sub-method of multiple attribute decision making). Assessment of controls with TOPSIS involved a multi-attribute and dynamic evaluation model that assists organizations in evaluating controls accurately. The model enabled adequate security decision making by considering the assigned weight of each assessment criterion within the organization. With management-assigned weights, TOPSIS helped the organization implement only the most effective and critical controls. Nevertheless, significant decision making based strictly on management's assigned weights (subjective in nature) may not necessarily be the most objective, nor considered a precise enough assessment for selecting controls in organizations. Bettaieb, Shin, Sabetzadeh, Briand, Nou, and Garceau (2019) developed an automated decision support system to assist in the identification of GITC for a banking domain. The developed system was based on machine learning and leveraged historical data from security assessments performed on past banking systems. Results suggested that the system provided effective decision support for controls. However, evaluation metrics were limited in scope to GITC controls for which there were at least five occurrences in the historical data. Generalizability of results represented another limitation and an important concern of the research. Additional studies (including more longitudinal studies) are needed to validate whether the developed system remains effective in other application contexts, and to ensure the accuracy and relevance of the automated selection process.
Based on the reviewed literature, we are not aware of any other studies that have addressed the evaluation of GITC-CO in organizations.

Theoretical Basis Grey Systems Theory
Grey Systems Theory (GST) has significantly contributed to the areas of grey algebraic systems, equations, and matrices; sequence operators and generation of grey sequences; system analysis based on grey incidence spaces and grey clustering; grey prediction models; decision making using grey target decision models; and optimization models using grey programming, grey game theory, and grey control (Liu & Lin, 2011; Ejnioui, Otero, Tejay, Otero, & Qureshi, 2012). In practical applications, a grey number represents an indeterminate number that takes its possible value from an interval or a set of numbers. The symbol ⨂ denotes a grey number. Basic types of a grey number, according to Liu and Lin (2011), are based on the following definitions:
Definition 1. Let ⨂ = [ , ] = { | ≤ ≤ , ∈ ℝ and ∈ ℝ}. Then, and are the lower and upper limits of the grey number ⨂, respectively (Lin, Lee, & Chang, 2008).
Definition 2. Let ⨂ be as defined in Definition 1, then (Yamaguchi, Li, Mizutani, Akabane, Nagai, & Kitaoka, 2006):
• If → −∞ and → ∞, then ⨂ is called a black number, meaning that the data have no information.
• If = , then ⨂ is called a white number, meaning that the data have complete information.

Grey Relational Analysis in Multi-Attribute Decision Making
Multi-attribute decision making problems occur in situations where a finite set of alternatives needs to be evaluated according to a number of criteria or attributes. The evaluation consists of selecting the best alternative or ranking the set of alternatives based on those attributes. However, many decision problems present data that are imprecise or ambiguous, leading to conflicting situations in which the evaluation of alternatives becomes difficult. This is the case when implementing GITC-CO in organizations. In the past, this information uncertainty has been modelled using fuzzy sets (Klir & Yuan, 1995) or grey numbers (Liu & Lin, 2011). While the former has been around for some time, interest in the latter has increased recently, since uncertainty can be modelled and manipulated in more flexible ways than with fuzzy sets.

Selection of GITC-CO
The first step involves identifying a set of GITC-CO that could be implemented in the organization. These GITC-CO can be obtained from the best practice frameworks listed in Section 2. For instance, ITIL, COBIT, and ISO/IEC 27001 and 27002 all offer best practices or controls to help organizations ensure that all computer operations are appropriately managed. Once selected, the GITC-CO are captured in the GITC-CO vector I as:

Attributes and Features
When planning to implement GITC-CO, it is often necessary to address the attributes and features that are important in the decision problem. Each GITC-CO implementation can be evaluated against a set of quality attributes. The evaluation process takes place as follows. First, each attribute is defined in terms of f features, where f > 1. Because of the uncertain nature of the data, the evaluation of each feature is represented as a grey number. For example, GITC-CO can be evaluated based on the Scope attribute. In other words, GITC-CO that effectively minimize the likelihood of disruption, unauthorized alterations, and errors impacting the accuracy, completeness, and validity of processing and recording of financial information in more than one system have a higher priority than GITC-CO that address the above in only one system. In this case, the quality attribute Scope can be defined with the following features: System 1, System 2, ..., System n. Therefore, the most important GITC-CO based on Scope would be one where System 1, System 2, and System n have higher evaluation values. Similarly, the least important GITC-CO based on Scope is one where System 1, System 2, and System n have lower evaluation values. As a result, the overall assessment of the n GITC-CO based on all m features of all quality attributes is captured using the following decision matrix X: where the rows represent the alternatives considered in the GITC-CO implementation while the columns represent the attribute features of the same problem. Note that the and represent the lower and upper bounds of the grey number evaluation xij for i = 1, 2, ..., n and j = 1, 2, ..., m.

Feature Weights
In general, a GITC-CO feature will be characterized by a very specific goal. For example, the goal of an alternative may consist of minimizing restrictions while maximizing the rest of the GITC-CO features. Optimization goals consist mostly of minimizing or maximizing one or more features associated with a given decision problem. However, these goals may not have the same importance in all cases. To assess the relative importance of each feature, the following weight vector W is created: where wj represents the importance of feature fj. These weights can be decided by one or more experts in a subjective manner or synthesized objectively from the matrix X.
In this research, weights are synthesized from the decision matrix using the concept of statistical variance. In contrast to other approaches for synthesizing weights, such as the entropy method (Jee & Kang, 2000; Shanian & Savadogo, 2006), statistical variance is effective and easy to implement (Rao & Patel, 2010). Unlike statistical analysis where the focus is placed on the extremes, variance examines how data points are scattered around the mean. As such, variance provides useful information about how important an attribute is to a decision problem.
Definition 6. Let ⨂ = [ , ] be a grey number with < . If ⨂ is continuous, then is the core of ⨂ (Liu & Lin, 2011).
The cores of all grey numbers in the matrix X can be used to compute the weights from X using statistical variance as follows: where ̂ is the core of grey number ⨂ while is the statistical mean of the cores of all grey numbers in feature fj. The synthetic weight of feature fj can then be computed as follows: for j = 1, 2, …, m.

Normalization of the Decision Matrix
Because of the incommensurability of the values in matrix X, the matrix needs to be normalized. This normalization can be performed as follows (Lin et al., 2008; Chang, 2000): where equation (3.9) is applied to maximization features while equation (3.10) is applied to minimization features. The resulting matrix is the normalized matrix R.

The Ideal GITC-CO Implementation
Assume that k features in the R matrix are of maximization type while the remaining (m − k) features are of minimization type. The ideal GITC-CO implementation, also known as the reference sequence in relational analysis, in R can be defined per Zhang, Wu, and Olson (2005). In principle, r0 is regarded as a hypothetical vector of features in which the evaluation values are the optimal values in R. However, the evaluation values of each GITC-CO alternative in R can be higher in some features while lower in others. As a result, a compromise GITC-CO implementation must be found in R that is as close as possible to the ideal implementation.

Distance Between the Ideal GITC-CO and the GITC-CO Implementations
Equation (3.2) can be used to compute the Minkowski distance between the ideal GITC-CO and each GITC-CO implementation in the R matrix as follows: For practical purposes, it is often suggested to set p = 2, thus reducing, in a manner similar to the TOPSIS technique, the Minkowski distance in equation (3.14) to the Euclidean distance in equation (3.15) (Lin et al., 2008; Yoon & Hwang, 1985):

Grey Relational Grade
The grey relational grade of the i-th GITC-CO implementation can be computed as follows (Yamaguchi, Li, & Nagai, 2005): for i = 1, 2, …, n. This grade is a scaled ratio of the distance between a given GITC-CO implementation and the two extremes of the ideal GITC-CO. As this grade increases, so does the distance between the GITC-CO implementation and the maximum point of the ideal GITC-CO, thus allowing the GITC-CO implementation to remain not too far from the minimum point of the ideal GITC-CO. Such a GITC-CO implementation is more desirable than one located at a far greater distance from the maximum or minimum points of the ideal GITC-CO. By sorting the GITC-CO implementations from highest to lowest grey relational grade, we obtain a ranking of the GITC-CO from best to worst.
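The complete pipeline described in the sections above (decision matrix of grey numbers, variance-based feature weights, normalization, ideal reference vector, Euclidean distance, grey relational grade, ranking) as an added worked example in Python; this is not the paper's own code. Because Equations (3.4) to (3.16) are not reproduced on this page, the exact forms of the normalization, distance and grade formulas used below are assumptions stated in the comments, and the four candidate controls and three features are constructed sample data.

```python
"""Grey relational ranking of GITC-CO candidates (added example, assumed
formula forms; the paper's own Equations 3.4 to 3.16 are not on this page)."""
from math import sqrt
from typing import List, Tuple

Grey = Tuple[float, float]   # (lower, upper) bounds of a grey number

# Constructed sample input: 4 candidate controls evaluated on 3 features.
# Column 1 is the Restrictions feature Costs (minimization type); columns
# 2 and 3 are Scope/System 1 and Access Controls/Network (maximization).
IS_MAX = [False, True, True]
X: List[List[Grey]] = [
    [(3.0, 5.0), (6.0, 8.0), (7.0, 9.0)],   # GITC-CO 1
    [(1.0, 2.0), (8.0, 9.0), (8.0, 9.0)],   # GITC-CO 2
    [(4.0, 6.0), (3.0, 5.0), (2.0, 4.0)],   # GITC-CO 3
    [(2.0, 3.0), (5.0, 7.0), (6.0, 8.0)],   # GITC-CO 4
]


def core(g: Grey) -> float:
    """Core of a continuous grey number: the midpoint of its interval."""
    return (g[0] + g[1]) / 2.0


def variance_weights(x: List[List[Grey]]) -> List[float]:
    """Synthesize feature weights from the variance of the cores (assumed
    form): V_j = mean((c_ij - mean_j)^2) and w_j = V_j / sum_k V_k.  A
    feature on which candidates barely differ gets a small weight."""
    n, m = len(x), len(x[0])
    variances = []
    for j in range(m):
        cores = [core(x[i][j]) for i in range(n)]
        mean = sum(cores) / n
        variances.append(sum((c - mean) ** 2 for c in cores) / n)
    total = sum(variances)
    if total == 0:                      # all features constant: equal weights
        return [1.0 / m] * m
    return [v / total for v in variances]


def normalize(x: List[List[Grey]]) -> List[List[Grey]]:
    """Scale each column by its largest upper bound so all features are
    commensurable in (0, 1] (assumed form).  The min/max direction is
    applied when the ideal vector is built, not here."""
    m = len(x[0])
    denom = [max(row[j][1] for row in x) for j in range(m)]
    return [[(g[0] / denom[j], g[1] / denom[j]) for j, g in enumerate(row)]
            for row in x]


def ideal(r: List[List[Grey]], is_max: List[bool]) -> List[Grey]:
    """Reference sequence r0: column-wise best bounds, the largest for
    maximization features and the smallest for minimization features."""
    r0 = []
    for j, mx in enumerate(is_max):
        los = [row[j][0] for row in r]
        his = [row[j][1] for row in r]
        r0.append((max(los), max(his)) if mx else (min(los), min(his)))
    return r0


def distances(r: List[List[Grey]], r0: List[Grey], w: List[float]) -> List[float]:
    """Weighted Euclidean (Minkowski, p = 2) distance of each candidate from
    r0, taken over both bounds of every grey number (assumed form)."""
    return [sqrt(sum(w[j] * ((r0[j][0] - g[0]) ** 2 + (r0[j][1] - g[1]) ** 2)
                     for j, g in enumerate(row))) for row in r]


def grey_relational_grades(d: List[float]) -> List[float]:
    """gamma_i = (d_min + d_max) / (d_i + d_max) (assumed form): the candidate
    nearest to r0 scores exactly 1.0 and grades fall as distance grows."""
    d_min, d_max = min(d), max(d)
    if d_max == 0:                      # every candidate equals the ideal
        return [1.0] * len(d)
    return [(d_min + d_max) / (di + d_max) for di in d]


def rank_controls(x: List[List[Grey]], is_max: List[bool]):
    """Return (weights, grades, ranking); ranking holds 1-based ids, best first."""
    w = variance_weights(x)
    r = normalize(x)
    gamma = grey_relational_grades(distances(r, ideal(r, is_max), w))
    ranking = sorted(range(1, len(x) + 1), key=lambda i: -gamma[i - 1])
    return w, gamma, ranking


if __name__ == "__main__":
    weights, grades, order = rank_controls(X, IS_MAX)
    for i in order:
        print(f"GITC-CO {i}: grey relational grade {grades[i - 1]:.3f}")
```

With the sample data, GITC-CO 2 coincides with the ideal on every feature and therefore receives a grade of 1.0 (100%), mirroring the top-ranked control in the paper's case evaluation, while the farthest candidate receives 0.5.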

Case Evaluation
This section presents the results of a GITC-CO case evaluation using the proposed assessment methodology, applied in the context of a fictitious organization implementing ISO/IEC 27002, an international cybersecurity management standard. The organizational requirement is to determine the most effective controls in order to mitigate risks to accounting information. For evaluation purposes, we focused on quality attributes defined within ISO/IEC 17799 and 27002 (Da Veiga & Eloff, 2007; Nachin, Tangmanee, & Piromsopa, 2019; ISACA, 2009). We generated synthetic (simulated) data for the cybersecurity quality attributes and features of the input matrix. The synthetic data is intended to represent real-life operational data from an organization's cybersecurity program. Overall, the case evaluates 10 GITC-CO based on the quality attributes described in the next sub-section.

Cybersecurity Quality Attributes
This section presents nine quality attributes defined within ISO/IEC 17799 and 27002.
Restrictions. There are restrictions that management must take into account before selecting and implementing GITC-CO. These may include whether the costs involved in the selection and implementation of the GITC-CO are high, whether resources are not available, and whether there are scheduling constraints associated with implementing the particular GITC-CO. The presence of any of the above will negatively affect the specific quality attribute. A high priority scenario will be one where the implementation cost of the specific GITC-CO is adequate/manageable, resources are available to implement the GITC-CO, and there are no scheduling restrictions. Restrictions is defined as: Costs (C), Availability of Resources (AoR), and Scheduling (T).
Scope. This quality attribute assesses the impact of the GITC-CO on the organization. GITC-CO that effectively minimize the likelihood of disruption, unauthorized alterations, and errors which impact the accuracy, completeness, and validity of processing and recording of financial information in more than one system have a higher priority than GITC-CO that address the above in only one system. Scope is defined as: System 1 (S1), System 2 (S2), …, System n (Sn).
Organization's Objectives. Refers to the business objectives the GITC-CO satisfies. The higher the number of objectives the GITC-CO satisfies, the higher its priority. Organization's Objectives is defined as: Objective 1 (O1), Objective 2 (O2), …, Objective n (On).
Physical Access. GITC-CO will prevent, detect, and/or record unauthorized changes to the organization's physical location access systems (e.g., building facilities, data centers, accounting department, etc.). The higher the number of physical location access systems addressed by the GITC-CO, the higher its probability of being selected. Physical Access is defined as: Location 1 (L1), Location 2 (L2), …, Location n (Ln).
Access Controls. Implementation of GITC-CO will promote appropriate levels of computer operations access controls to ensure protection of organization's systems/applications against unauthorized activities. Organizations may implement network access controls (N), operating systems access controls (O), and application controls (A) based on their specific needs.
Human Resources. Implementation of GITC-CO supports the reduction of unauthorized access, fraud, or misuse of computer resources by promoting information security awareness (Aw), training (Tn), and education of employees (E). Depending on the particular situation, the costs involved, and the availability of personnel, organizations may select which of these to employ.
Communications and Operations Management. GITC-CO will ensure secure operation of information processing facilities, including adequate segregation of duties (SOD), change management (CM), and network security (NS). Organizations may select GITC-CO to address all of these or just some depending on their particular needs.
Systems Acquisition, Development, and Maintenance. GITC-CO will support security related to the organization's in-house and/or off-the-shelf systems or applications. The higher the number of systems or applications addressed by the GITC-CO, the higher its priority. Systems Acquisition, Development, and Maintenance is defined as: Systems or Applications 1 (SoA1), Systems or Applications 2 (SoA2), …, and Systems or Applications n (SoAn).
Incident Management. This quality attribute ensures that identified security-related incidents (e.g., attempts to manipulate financial data) are communicated and corrected in a timely manner. Incident management may apply to online processing and/or batch processing, and is defined as Processing 1 (P1), Processing 2 (P2), …, and Processing n (Pn).

Results
Using synthetic data for the identified quality attributes and features, an input matrix is generated with synthesized weights for the features of the 10 GITC-CO. Table 1 presents the synthesized weights and corresponds to the input matrix X in Equation (3.4). The weights represent the weight vector shown in Equation (3.5) after applying Equations (3.6) to (3.8) to each grey number. Table 2 corresponds to the normalized R matrix after applying Equations (3.9) and (3.10) to each number in the matrix. The ideal GITC-CO is also shown there, corresponding to the vector r0 of Equation (3.11) after applying Equations (3.12) and (3.13) to each column of Table 2. Table 3 shows the Euclidean distance of each GITC-CO implementation from the ideal GITC-CO, as well as the grey relational grade of that implementation and its ranking. The Euclidean distances and grey relational grades are obtained after applying Equations (3.15) and (3.16) to each row of Table 1. As Table 3 shows, the best GITC-CO to implement is GITC-CO 4 (100%), followed by GITC-CO 2 (99.1%) and GITC-CO 9 (98.4%).

Discussion
The research in this paper presents a methodology that uses GST to create a unified measurement representing how well GITC-CO meet quality attributes and their related features. Through a case evaluation, the approach proved successful in providing a way to measure the quality of any number of GITC-CO consistent with organizational goals and objectives. The developed approach is very much appropriate in this particular context given the high visibility and significance of internal controls to organizations, managers, accountants, investors, and the public in general. Selecting and implementing the right internal controls, based on the AICPA (2014), "reduce the risk of asset loss, and help ensure that plan information is complete and accurate, financial statements are reliable, and the plan's operations are conducted in accordance with the provisions of applicable laws and regulations" (p. 3). As evidenced, the methodology developed herein provides for an effective internal control structure not only by addressing the weaknesses identified in traditional assessment methodologies (refer to Section 2), but also by carefully and precisely ranking relevant internal controls (i.e., GITC-CO), resulting in a more accurate control selection and implementation. A major benefit for organizations of having an approach that prioritizes the selection and implementation of internal controls, as is the case in this research, is that it provides reasonable assurance and consistency with the organization's financial reporting strategies, goals, and/or objectives (AICPA, 2014).
There are several important contributions from this research. First, the methodology is readily available for implementation using a spreadsheet or software tool, which promotes usage in practical scenarios where highly complex methodologies are impractical. Second, the methodology fuses multiple-attribute assessment criteria and features to provide a holistic view of overall GITC-CO quality. Third, the methodology is easily extended to include additional attributes and features (possibly the most meaningful contribution of this research). Finally, the methodology provides a mechanism to evaluate the quality of GITC-CO in various domains. Overall, the methodology developed and presented in this research proved to be a feasible technique for assessing GITC-CO in organizations.
The authors understand and realize the benefits of testing the developed approach in a real-world setting. Only after implementation in a real-world setting will the true benefits and/or limitations of the proposed approach be exhibited. However, as evidenced in the literature review presented in Section 2, it is not uncommon for controls related to information systems computer operations to be assessed and tested using case evaluations as opposed to real-world scenarios. In this research, a case evaluation was used with simulated data representing real-life operational data in order to validate how well the proposed approach would suit most organizational settings. The developed approach proved successful in providing a way to measure the quality of GITC-CO in protecting accounting information.

Conclusion
The research presented develops an innovative approach for evaluating the quality of GITC-CO in organizations based on multiple-attribute assessment criteria. Opportunities for future work exist that can enhance the proposed GITC-CO evaluation process. For instance, neither traditional methodologies nor our proposed solution considers the true degree of relevance (imprecise in nature) when evaluating GITC-CO. This still represents a major problem for organizations that can potentially impact the overall security of their sensitive accounting information.
An assessment methodology that accounts for organizations' goals while adequately modeling imprecise parameters can guarantee an effective selection of GITC-CO. Fuzzy Set Theory (FST), for instance, allows for a more accurate assessment of imprecise parameters than traditional methodologies. When using FST, propositions can be true to some degree, allowing for logical reasoning with partially true imprecise statements (Das, 2009). In other words, truth values are no longer restricted to the two values 'true' and 'false', but are expressed by the linguistic variables 'true' and 'false' (Zimmermann, 2010). An evaluation of GITC-CO using FST will lead to a thorough, more detailed assessment, thus supporting a more effective GITC-CO evaluation. Moreover, based on the literature reviewed, there has not been a research study that specifically evaluated and prioritized organizations' GITC-CO using FST.
While grey numbers can easily handle ambiguous and imprecise data, grey systems still do not provide the powerful analytical tools available for fuzzy sets. Since the latter have been around for more time, a number of analysis and optimization techniques have been developed to tackle challenging problems with imprecise data such as the ones described above. However, the power and sophistication of these fuzzy techniques sometimes impose a computational burden and a conceptual complexity that may defeat the initial purpose of the simple and practical approaches needed to assess GITC-CO. A GITC-CO assessment methodology based on FST provides benefits and advantages over traditional methods, including a strict mathematical methodology that can precisely and rigorously examine vague conceptual phenomena (Zimmermann, 2010). Additionally, FST has been used as a modeling, problem solving, and data mining tool, and has proven superior to existing methods as well as attractive for enhancing classical approaches.
A further research opportunity would involve examining the results of this research together with those of other similar GITC-CO assessment methodologies, with the purpose of comparing them to determine which method is the most effective and efficient.

References
AICPA. (2014). The importance of internal control in financial reporting and safeguarding plan assets. The American Institute of Certified Public Accountants. Retrieved from https://www.aicpa.org/content/dam/aicpa/interestareas/employeebenefitplanauditq