Risky business: Information systems research targets accounting threats

Call them a special breed: the scholars who work at the intersection of accounting and information systems. They target corporate risk by studying security, IT controls, IT processes, governance and compliance with Sarbanes-Oxley. Professor Paul Steinbart moderated a workshop involving some of the leaders of this field at the 2011 International Conference on Information Systems (ICIS). Their research is at the forefront of risk mitigation in the digital age.

The Android Market jumped from 150,000 to 400,000 offerings last year — a field full of exciting potential for developers. But, according to Paul Steinbart, there’s at least one group of IT experts with little interest in developing the next hot app. People who study accounting information systems are “more focused on what risks are created by that whiz-bang app and how firms can implement controls to mitigate it,” he says.

Steinbart is a professor of information systems at the W. P. Carey School of Business, and like many of the scholars who study and teach accounting information systems, Steinbart started his career in the accounting department.

Sometimes accounting systems professors remain in the accounting department, but Steinbart and his colleagues work at the intersection of accounting and information systems. They target corporate risk by studying security, IT controls, IT processes, governance, and compliance with Sarbanes-Oxley. Steinbart moderated a workshop at the 2011 International Conference on Information Systems (ICIS). Recently he reviewed the presentations delivered at the workshop. The research shows that accountants are at the forefront of risk mitigation in the digital age.

Accountants playing offense

For those pursuing a career in accounting, most business schools have a mandatory class on accounting information systems, Steinbart says. “You can’t treat the computer like a black box. If you’re going to audit financial statements, you need to understand the systems that created the numbers in them,” he explains. That exercise is about more than just making sure the numbers are right. It’s also about making sure the system is reliable and can be trusted.

Internal controls are one way to validate systems and the numbers they produce. Asset protection, which includes fraud prevention, is another primary goal of internal controls.

“Unlike violent crimes, financial crimes are seldom, if ever, spur-of-the-moment crimes of passion,” Steinbart explains. “People think about fraud and try to figure out ways to cover it up.” Those in the business of preventing fraud recognize the “fraud triangle,” which holds that people need three things to engage in the illegal activity: motivation, rationalization and opportunity.

Motivation may come from living beyond your means, racking up gambling debts, family illness or a host of other causes that give people sticky fingers. Rationalization is the self-talk that lets people who steal tell themselves they’re not doing anything all that wrong or, perhaps, convince themselves that they deserve to take the money from the company to balance out a perceived slight.

“You can’t control motive and rationalization, but you can do something about opportunity,” notes Steinbart, who explains that this is the main idea behind internal controls. For example, separation of duties is a control measure. “If the same person keeping the books is the one who writes checks or has control over inventory, that person could steal and use the books to hide it.”

He adds: “Internal controls, if properly designed, are not ‘red tape’ but can improve overall efficiency by making sure things are done properly in the first place.”

Losing control

Research has shown that if internal controls go awry, income statements and balance sheets are more likely to be wrong and require correction. That’s one of the main ideas behind Section 404 of the Sarbanes-Oxley Act, which requires auditors to assess and report on the efficacy of internal controls. Among companies with internal control deficiencies, several factors are likely to be present, according to a study presented at the accounting information systems workshop Steinbart recently attended.

“Looking at organization-level characteristics, the researchers found that firms with internal control weaknesses were more likely to have international sales, be undergoing restructuring and be involved in mergers and acquisitions,” he recalls. What kinds of weaknesses were identified by the researchers? According to Steinbart, problems identified by the team of scholars included, “lack of accounting personnel with sufficient knowledge in dealing with complex accounting and tax issues, inadequate overall security, deficiencies in design of information technology controls, insufficient disaster recovery plans” and failure to maintain effective control over separation of duties or access to financial reporting systems.

A little proactive auditing and monitoring could have caught some of these problems, and that was the topic of another research paper. For some 20 years, accounting systems professionals have talked about the benefits of doing auditing and monitoring throughout the year, not just at quarter-end or year-end.

“The difference between monitoring and auditing is subtle but important,” Steinbart says. Monitoring is something corporate managers do to identify problems and, if they find abnormalities, those managers are supposed to intervene. Auditing is done by outside observers to see if reported results are trustworthy.

Referring back to the workshop presentation, Steinbart adds, “These researchers wondered why more companies aren’t taking advantage of the technologies that exist for auditing and monitoring. The researchers found that one-third of respondents to their survey were implementing some form of continuous monitoring. Among those who weren’t implementing these systems, fear of system slow-down was a strong deterrent.

“Everyone has monitoring in place, but it usually comes a week after the end of a quarter,” Steinbart says. “Continuous monitoring would look at what happened yesterday. There is a performance impact when you add these tools on top of your system, and it’s big enough that users would notice delays. That’s one reason people don’t do the monitoring they could do.”

The researchers also measured how much survey respondents valued usefulness of continuous monitoring, whether they thought the systems would help them do their jobs and other factors. What the research team ultimately found was substantiation of other academic studies that demonstrate “not all business decisions are solely based on logic or the weighing of benefits versus cost,” he continues. Even though there are verified benefits that result from monitoring systems and quickly addressing deviations from plans, many managers took a dim view of employing the technology. “It often comes down to a manager’s psychological barriers. This research found that, indeed, if managers don’t want to do something, they won’t do it.”

Open sesame

Another research project examined the woeful state of passwords. Professor Steinbart explained that the two most important factors that determine password strength are the number of different types of characters used (referred to as complexity) and the length of the password. Jointly, these two factors determine the total number of possibilities that an attacker would have to guess (as expressed in the formula c^l, where c = the number of different types of characters and l = the length).

For example, Steinbart said, the PIN used to access your account at an ATM machine consists of only numbers, which means that there are only 10 possible types of characters. Thus, there are only 10,000 (10^4) possible different 4-digit PINs. Requiring passwords to contain numbers and both lower- and upper-case letters means that there are 62 possible choices for each character. That means that there are 62^8 (more than 218 trillion) possible 8-character passwords.

“As you can see, increasing the length of a password exponentially increases the total number of possibilities. Unfortunately, many people create short passwords that are common words, such as ‘password’, that can be easily guessed,” Steinbart said. That’s why four researchers conducted a study to see if simple training would help corporate computer users pick more complicated and, therefore, safer passwords. “The preliminary results clearly showed that very simple training on what makes a good password was effective in changing people’s willingness to choose better passwords in the future,” Steinbart says.
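To make the c^l reasoning concrete, here is a small password-assessment script written for this article as an added illustration; it is not code from the researchers or from the article. It derives c from the character classes a candidate password actually uses, computes the keyspace c^l and the equivalent bits of entropy, and flags common words of the kind Steinbart mentions. The punctuation class (32 symbols) and the short common-word list are assumptions of this example, as is the guessing rate used to turn a keyspace into an estimated exhaustion time.

```python
import math
import string

# Constructed list of frequently chosen passwords for the dictionary check.
# Illustrative only; a real policy would use a large published list.
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def charset_size(password: str) -> int:
    """Return c, the size of the smallest standard character set covering the password.

    Digits contribute 10, lowercase 26, uppercase 26; any ASCII punctuation
    adds the 32 punctuation symbols (an assumption of this example; the
    article discusses only digits and letters).
    """
    c = 0
    if any(ch.isdigit() for ch in password):
        c += 10
    if any(ch.islower() for ch in password):
        c += 26
    if any(ch.isupper() for ch in password):
        c += 26
    if any(ch in string.punctuation for ch in password):
        c += len(string.punctuation)  # 32
    return c


def keyspace(c: int, length: int) -> int:
    """Total candidates an exhaustive guesser must try: c ** l."""
    if c == 0 or length == 0:
        return 0
    return c ** length


def entropy_bits(c: int, length: int) -> float:
    """log2 of the keyspace, i.e. l * log2(c); 0 for an empty password."""
    if c == 0 or length == 0:
        return 0.0
    return length * math.log2(c)


def years_to_exhaust(space: int, guesses_per_second: float = 1e9) -> float:
    """Time to try every candidate at an assumed guessing rate (default 1e9/s)."""
    return space / guesses_per_second / (365 * 24 * 3600)


def assess(password: str) -> dict:
    """Summarise complexity, length, keyspace and dictionary exposure."""
    c = charset_size(password)
    l = len(password)
    return {
        "charset": c,
        "length": l,
        "keyspace": keyspace(c, l),
        "bits": round(entropy_bits(c, l), 1),
        # A common word is effectively guessed in a handful of attempts no
        # matter what c ** l says, which is the point the article makes.
        "common_word": password.lower() in COMMON_WORDS,
    }


if __name__ == "__main__":
    # The article's two worked cases, plus a longer one to show the
    # exponential effect of length with the same character set.
    for pw in ["1234", "Passw0rd", "Passw0rdPass", "password"]:
        print(pw, assess(pw))
    for length in (8, 10, 12):
        print(f"62^{length}: {keyspace(62, length):,} candidates, "
              f"~{years_to_exhaust(keyspace(62, length)):.1f} years at 1e9 guesses/s")
```

Running the script reproduces the article's numbers (10,000 four-digit PINs; 62^8 = 218,340,105,584,896 eight-character mixed-case alphanumerics) and shows why a policy that lengthens passwords buys more than one that only adds a character class: each extra character multiplies the keyspace by c, whereas adding a class only raises c for every position.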

Other research looked at risk mitigation for small- and medium-sized enterprises. “Most academic research focuses on Fortune 1,000 companies. How do small companies that have fewer resources implement controls?” Steinbart asks.

According to the researchers, smaller businesses have to integrate business-process management with risk-assessment tools to uncover risky processes and find ways to work around them. “In general, cash is an area of risk for smaller companies,” he continues. “You have to document as early as possible that cash came in the door.” As an example, he points to the fast-food restaurant that posts a sign saying “If we don’t give you a receipt, your drink is free.” The point is to require employees to ring up sales so that business owners know how much cash to expect in the cash drawer.

Along with these studies, the accounting information systems researchers who participated in the workshop looked at employee reactions to decision-support software, how to evaluate software for its match to your requirements and factors affecting user satisfaction with systems they must use. “That’s important,” Steinbart says, “because if users don’t like the system, they won’t use it in the way that it was intended to be used. They’ll look for shortcuts and skip steps, and that could make the system less effective.”

Such shortcuts might also impact internal controls — to the displeasure of accounting IS experts. As accountants at heart, they keep one eye on technology, while the other is on the bottom line. “Having better controls not only reduces opportunities for errors and fraud, it also improves overall efficiency and costs,” Steinbart concludes.

Bottom Line

  • Accounting systems were the earliest information systems widely adopted by corporations, and academics who teach and study these systems straddle two worlds: accounting and information systems.
  • Security and internal controls are key areas of research for accounting information systems professors.
  • A special interest group for these scholars exists within the Association of Information Systems, an organization for academics who study and teach IS.
  • A recent workshop held by this special interest group spotlighted preliminary findings from research that delved into corporate characteristics of companies that have poor internal controls, impediments to adoption of continuous monitoring technology, risk mitigation for smaller business, the effectiveness of password-creation training and other risk-related topics.