IT Risks and Controls in Cloud Based Systems. Research Paper

IT Risks and Controls in Cloud-Based Systems
Student’s Name
Institutional Affiliation
Professor’s Name
Course Name and Number
Assignment Due Date
IT Risks and Controls in Cloud-Based Systems
The increased use of Information Technology in Accounting and financial processes in organizations have led to high levels of research and concerns about the risks and controls in cloud-based systems, especially Accounting Information Systems (AIS) (Teru & Hla, 2015). According to Bai, Nunez, & Kalagnanam (2012), the risks and vulnerabilities of AIS can result in misstatements in the organization's financial reporting. The availability of risks in AIS presents negative impacts n the accuracy, integrity, and validity of the financial reports (Bawaneh, 2014). In this context, the approach of risk and AIS control is significant to accounting processes coupled with IT audit and governance processes within the company. In nearly every organization, accounting systems contain classified data that needs to be kept secure at all times.
Studies show that unauthorised access can lead to identity theft problems and loss of valuable information (Liu, 2016). When one changes or deletes accounting data either knowingly or unknowingly, it creates mayhem in the department of finance and accounting, thus, raising questions about the accuracy and reliability of the company’s data (Lutui & Ahokovi, 2018). To deal with accounting risk caused by cloud-based systems, experts have recommended the use of internal controls of AIS, which serve as the security mechanisms to protect confidential data.
Examples of these controls include passwords and biometric identification systems. Mohammed, Al-Hosban, & Thnaibat (2018) stated that AIS must contain internal controls to not only prevent unauthorised computer access but also limit access to authorised users within the company. AIS should also contain internal controls that defend the systems from malicious agents, malware and other security threats (Teru & Hla, 2015).
Research
Literature Review
As previously stated, the internal controls in accounting cloud-based systems include the security mechanisms it uses to protect confidential information. These security measures include passwords and biometric identification. According to Bai, Nunez, & Kalagnanam (2012), AIS must contain internal controls to prevent unauthorised access and limit authorised access of the users within the company. Key components of an effective cloud-based system (AIS software) in the accounting department include quality, security and reliability. Managers depend on the information the system relays to make sound decisions for the organization. Bawaneh (2014) asserted that cloud-based systems could be customized to meet business needs. Liu (2016), on the other hand, argued that regardless of customization options selected by the business, Sarbanes-Oxley Act (SOX) will, to some extent, dictate the AIS structure for publicly-traded companies. It is because SOX has internal controls and accounting processes that are applicable to public companies.
Lutui & Ahokovi (2018) in their research, found that a cloud-based system in AIS requires internal controls that safeguard it from attackers and other security vulnerabilities. A Strong AIS enables the business to operate efficiently. However, when the system is poorly designed, it can hinder business activities. In Liu’s (2016) view, the control environment makes up the tone and the attitude of a company towards internal control. It affects the internal control of an organization through implicit and explicit actions. Implicitly, the management that does not circumnavigate controls has strong control environments (Brandas, Stirbu, & Didraga, 2013). Explicitly, the management demonstrates controls by slowly executing them, monitoring risks, and communicating the outcomes to the staff (Brandas, Stirbu, & Didraga, 2013).
A study by Brandas, Stirbu, & Didraga (2013) on the concept of risk, control and AIS auditing outlined two methods. The first approach is a professional method which applies the application Control Objectives for Information Technologies (COBIT), the Committee of Sponsoring Organizations of the Tradeway Commission (COSO) and the SOX (Brandas, Stirbu, & Didraga, 2013). The second technique is a research-oriented method that focuses on IT accounting fraud. Brandas, Stirbu, & Didraga (2013) further determined that International Standard on Auditing (ISA) 315 requires auditors to evaluate AIS which are likely to affect financial statements; control processes; and presentation of financial reports.
According to the Information Systems Audit and Control Association (ISACA), COBIT 5 is the only business structure for control and IT enterprise management (Brandas, Stirbu, & Didraga, 2013). Based on the content and objectives of COBIT 5, it is safe to state that ISACA has an incorporated model of the risk, control and AIS auditing (Brandas, Stirbu, & Didraga, 2013). Another study by Bawaneh (2014) reported that integrating IT audit processed with risks and controls in the AIS model is an important approach that ensures the accuracy, integrity and validity of financial statements. The professional view along with the current research leads to establishment of an integrated approach to risk, control and AIS audit (Bai, Nunez, & Kalagnanam, 2012).
Effective control systems have internal controls attached to the risks that can highly hold up the success of the company. Bawaneh (2014) outlined that for a company to map controls to risk, it must first identify the risks. A best practice is to assess risks annually during the budget process of the company Bai, Nunez, & Kalagnanam (2012). Liu (2016) postulated that a business could develop the best internal control system. However, if the employees are not aware of it, them, it is less likely to benefit the organization. The information and communication sectors if the framework of internal control is responsible for ensuring that the information is correctly transmitted throughout the company (Lutui & Ahokovi, 2018). This responsibility includes information from management transmitted to employees and vice versa.
Research Methodology
This research used a case study method to identify the scope of risks and controls in cloud based systems of AIS. The case study approach assisted this research in evaluating the strengths and weaknesses of the cloud-based systems in the companies (Brandas, Stirbu, & Didraga, 2013). The organization for the study was chosen based on ‘openness to society’. Secondary sources, including websites, Newspaper reports, financial reports, and journal articles about IT risks and controls in cloud-based systems in the company were used to collect data.
The study proposed an integrated approach model for risks, control AIS audit, as shown in Figure 1. The research was conducted to explore and investigate the integration of the risks, controls and auditing of the AIS. The model utilized a set of risk, control and audit procedures categorized as follows.
Ethical Issues Related to IT Risks and Controls in Cloud-Based Systems
The rapid growth of internal controls in cloud-based systems and big data have raised new questions as well as challenges about privacy and ethical standards. As Teru & Hla, (2015) pointed out, big data not only raises privacy concerns but it also generates new questions regarding personal identity, notably, ownership of personal da...