
Page 1: Evaluation of the Effectiveness of Control System in Computerized Accounting Information System

Journal of Accounting – Business & Management 13 (2006) 39-68

Evaluation of The Effectiveness of Control Systems in Computerized Accounting Information Systems:

An Empirical Research Applied on Jordanian Banking Sector

Talal H. Hayale* Husam A. Abu Khadra†

Abstract

The objective of this study is to evaluate the level of Control Systems effectiveness in the Computerized Accounting Information Systems (CAIS) implemented in the Jordanian banking sector to preserve the confidentiality, integrity and availability of the banks' data and their CAIS. An empirical survey using a self-administered questionnaire was carried out to achieve this objective. The results reveal that Jordanian domestic banks are using effective fraud and error reduction controls. The study also reveals that these banks are lacking in the application of the other Control System dimensions (Physical access, Logical access, Data security, Documentation standards, Disaster Recovery, Internet, communication and E-Control, and Output security controls). The study's main recommendation is that Jordanian domestic banks increase the strength of their CAIS control systems across all dimensions, in order to avoid any possible threats to their CAIS.

Keywords: AIS, computerised, control, effectiveness, evaluation, Jordan

I. INTRODUCTION

Computerized Accounting Information Systems (CAIS) face serious security threats that may arise from weaknesses in their Control Systems (CS) or from the nature of the competitive environment (the Information Age), in which the need for information is greater than ever. At the same time, the very survival of an organization depends on the correct management, security and confidentiality of its information (Eduardo and Marino, 2004), and information assets constitute a significant proportion of an entity's market value (ITGI, 2001).

Consequently, security threats related to CAIS require great attention from auditors and accountants so that they can be recognized and minimized by evaluating the organization's CS (Greenstein and Vasarhelyi, 2000).

Many efforts have appeared in this regard, reflecting increasing interest, especially by auditors, in evolving the audit model toward a more action-driven method of control, revision and assurance (Timothy et al., 1998). Several professional committees have undertaken this endeavor, even if late, such as the AICPA, which published SAS No. 94‡ in 2001. However, these initiatives took the form of general instructions, and nothing specific enough to be considered detailed guidance to auditors in their work (Boynton, 2001; Kinsun Tam, 2002).

* Talal H. Hayale. Associate Professor. Arab Academy For Banking And Financial Sciences. Amman, Jordan. † Husam Abu Khadra. Assistant Professor. Arab Academy For Banking And Financial Sciences. Amman, Jordan.

In 2002, the Sarbanes-Oxley Act called for "real time" disclosure of information on material changes in the financial condition or operations of publicly held companies. As a consequence, organizations have become more concerned with the timeliness and quality of financial performance information (Uday, 2004). Accordingly, the responsibility placed on the accounting profession has increased dramatically: to quickly recognize and assess the risks associated with Control Systems (CS) in the IT environment, and to define a detailed checklist of security controls that should be in place, because in many cases technology has developed faster than the CS that govern it (Ryan & Bordoloi, 1997).

The objective of this paper is to evaluate the Control Systems (CS) of Computerized Accounting Information Systems (CAIS) in the Jordanian banking sector and to measure their effectiveness. This study also aims to identify whether there are significant differences among the respondents in the study sample (Internal Auditors and Heads of Computer Departments (HOCD)) regarding the effectiveness level of CS. While the issue of creating an overall effectiveness measure for evaluating CAIS Control Systems has received considerable research attention in North America and Europe, studies based on international experience, especially in developing countries, are relatively rare. We are unaware of any study evaluating CAIS Control Systems in Jordan that addresses the creation of an overall effectiveness measure from the points of view of both the companies' internal auditors and their IT specialists. Hence the results of this study can provide valuable insights and lead to a better understanding of the perceptions of each of these two major groups towards an overall effectiveness measure for CAIS Control System practices in a less developed country.

To the best of the researchers' knowledge, this study is the first that attempts to create an overall effectiveness measure for evaluating CAIS Control Systems by specifying all the components that should exist in an effective control system in the Jordanian banking sector.

Following consultations with experts in this field, a questionnaire was developed for the purpose of this study to evaluate the general CAIS control procedures that apply to all CS and affect all computer applications in the organization. This questionnaire covers the different parts of CS in CAIS.

This research attempts to answer the following questions: (1) What is the actual practice in Jordanian domestic banks regarding information CS, and are these CS adequate to protect the domestic banks against perceived security threats? (2) Are there significant differences among the respondents in the research sample (Internal Auditors and HOCD) regarding the effectiveness level of the CAIS Control Systems implemented in Jordanian domestic banks?

‡ AICPA, Auditing Standards Board. "SAS No. 94: The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit". April 2001. This SAS highlights the effect of information technology on the auditor's consideration of internal control in a financial statement audit; moreover, it provides guidance to auditors about the effect of IT on internal controls that are programmed or built into software, and confirms that these controls should be tested and included in the audit strategy.

The concept of internal control or security is as old as accounting itself (Henry, 1997); however, attention has been paid to it only since the beginning of the twentieth century. In early times, the purpose of accounting was to record monetary transactions and then report them in useful and accurate forms (Lee, 1971). That reporting was simple and was prepared only for internal use, because most companies were individually or family owned.

Later, these primary forms of financial reporting developed dramatically into the shape of current financial statements, which became the major or even the sole source of information for owners and other related parties such as lenders. Consequently, the need to ensure the accuracy of these statements led the profession to seek a control system that guarantees not only accurate reporting but also the achievement of company goals.

The profession's reaction to these changes started early in the twentieth century. The first formal definition of Security Controls or Control Systems appeared in the 1947 AICPA publication entitled "Internal Control", which mentioned three factors contributing to the expanding recognition of the significance of internal control (Boynton et al., 2001).

Previous studies also defined the concept of internal control. One of the earliest was Grady (1957), who defined internal control as "the organization plan and procedures which are used within the business to (1) safeguard its assets from loss by fraud or unintentional errors, (2) check the accuracy and reliability of the accounting data used in making decisions, and (3) promote operational effectiveness and encourage adherence to adopted policies in those areas in which the accounting and financial departments have responsibility, directly or indirectly".

The theory of internal control has undergone major reappraisals and changes during the last decade. These changes began in 1988, when the AICPA issued SAS No. 55, which describes internal control in terms of its three major components: control environment, accounting system and control procedures. Four years later, the Committee of Sponsoring Organizations (COSO)§ issued the Internal Control Integrated Framework, in which internal control was characterized by five components: control environment, control activities, risk assessment, information and communication, and monitoring. In the meantime, the concept of internal control evolved from a "structure" into a "process", making it both broader and more dynamic. Subsequently, in 1995, the American Institute of Certified Public Accountants (AICPA) adopted COSO's definition and its five components of internal control and issued SAS No. 78 to supplement SAS No. 55 (Curtis and Borthick, 1999).

§ COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions. The National Commission was jointly sponsored by five major professional associations in the United States: the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, The Institute of Internal Auditors, and the National Association of Accountants (now the Institute of Management Accountants). The Commission was wholly independent of each of the sponsoring organizations, and contained representatives from industry, public accounting, investment firms, and the New York Stock Exchange.

In addition, the COSO reports and AU 319.07** consider the five interrelated components of internal control to be derived from the way management runs a business and integrated with the management process (Vallabhaneni, 2001). These five components are:
A. Control Environment
B. Risk Assessment
C. Control Activities
D. Information and Communication
E. Monitoring

Few studies have focused on the CAIS control system and how it differs from the manual one. Kinsun (2002) considered that the rapid adoption of information technology by business has not changed the basic need for internal control, but it has extended the role of IT-based internal controls. In other words, Kinsun believed that the development of internal controls should take place in the control procedures, without changing the internal control framework.

In 2000, ISACF†† developed COBIT‡‡, a framework of generally applicable IS security and control practices for information technology control. This framework allows management to benchmark the security and control practices of the IT environment, and it helps ensure that adequate security and controls exist (Lainhart & John, 2000).

However, control objectives under COBIT are defined in a process-oriented manner, following the principle of business reengineering. This type of control is exercised at the domain and process level. The "IT control" concept adopted by the ISACF report is defined as "a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity". This control is exercised at the IT activity level (Curtis and Borthick, 1999).

COBIT defines four IT domains: Planning & Organization, Acquisition & Implementation, Delivery & Support, and Monitoring. Thirty-four IT processes are identified across the four domains.

Consequently, activities within processes are also identified; these are the activities dealing with day-to-day IT routines. The central control objective is to link IT domains, processes and activities to the entity's operational processes and activities. The IT objective is basically to facilitate the accomplishment of business objectives. Business objectives are referred to as "Business Requirements for Information", which include the following:
- Quality requirements (quality, cost and delivery).
- Fiduciary requirements, as defined by COSO (effectiveness and efficiency of operations, reliability of information, and compliance with laws and regulations).
- Security requirements (confidentiality, integrity and availability).

** Statement on Auditing Standards: AU Section 319: Consideration of Internal Control in a Financial Statement Audit. †† The Information Systems Audit and Control Foundation. ‡‡ Control Objectives for Information and related Technology.

II. LITERATURE REVIEW

Examining the literature concerned with the effectiveness evaluation of CAIS control systems reveals the scarcity of studies in this particular area of research. One reason is that the area is relatively new. Also, most studies in this field are conducted at a micro level and are connected with consolidated studies from the fields of business management, computer science and sometimes engineering; they usually take the form of reports or descriptive studies, and are rarely empirical.

Starting with the textbooks, Romney and Steinbart (1999) listed twelve general controls that should exist in the CS in order to achieve its goals effectively:
1. Developing security plans.
2. Segregation of duties within the systems function.
3. Project development controls.
4. Physical access controls.
5. Logical access controls.
6. Data storage controls.
7. Data transmission controls.
8. Documentation standards.
9. Minimizing system downtime.
10. Disaster recovery plans.
11. Protection of personal computers and client/server networks.
12. Internet controls.

They provided an empirical justification for each control and specified the threats that the control procedure could prevent, which gives these controls credibility and a greater chance of being found in practice. Furthermore, Boockholdt (1999) mentioned four categories of general controls:
- Data center operation controls, including data backup procedures, contingency plans (DRP) and segregation of duties.
- System software acquisition and maintenance controls.
- Access security controls.
- Application system development and maintenance controls: formal review and authorization of each new system, adequate documentation of manual and programmed procedures, a plan for testing each new system adequately, and authorization and documentation of changes to existing systems.

Boockholdt (1999) classified the system software acquisition and maintenance controls into two main sections:

Fixed responsibilities
A) Network administration: selecting and updating network communication software.
B) PC help center: answering users' questions on personal computers, scheduling maintenance.
C) Database administration: selecting and updating software, limiting access to data, maintaining efficiency.
D) Web administrator: determining the content of the website, implementing security in electronic commerce.

Policies and procedures
A) Screen applicants: technical knowledge becomes outdated quickly.
B) Information systems steering committee: reviews software acquisition decisions.
C) Standard PC configurations: the software and hardware the organization approves and supports.

Generally, both Romney and Steinbart (1999) and Boockholdt (1999) make similar points but with different classifications for the main groups, and sometimes different names for the same detailed procedure (e.g. Contingency Plan instead of Disaster Recovery Plan, DRP). The current study depends mainly on Romney's categorization, and formulates a detailed procedure list for each category.

In the following section we review the available peer-reviewed studies, starting with those that cover partial areas of CS evaluation and ending with those that cover this area more comprehensively.

Jacob & Weiner (1997) carried out a theoretical study in which they listed eleven points for building an effective Disaster Recovery Plan (DRP). According to Jacob et al., these points ensure a comprehensive DRP that responds to the worst-case scenario and enables organizations to recover their operations quickly:
1. Define mission-critical company functions and establish a hierarchy of operational importance.
2. List the critical personnel and their job functions.
3. List the equipment needs of critical persons.
4. Determine a site relocation contingency.
5. Establish a recovery event task list.
6. Document current computer data backup methods and frequencies.
7. Identify those hard-copy documents which are vital to the company and cannot be re-created electronically, and provide solutions to eliminate susceptibility to loss of such documents.
8. Identify mission-critical items vital to company operations which would be required in the event of a disaster emergency.
9. Form an internal emergency response ("crisis") committee with employees assigned to specific crisis functions.
10. Create a crisis management "media kit".
11. Create a systematic schedule for updating the plan.

Warigon (1998) conducted a theoretical study in which he set out a group of protective measures that should exist to safeguard data warehouses:
- The human wall: a proper number of computer security staff should exist.
- User access classification: data warehouse (DW) users should be classified as General Access Users, Limited Access Users or Unlimited Access Users.
- Access controls: end-users can access only the data or programs for which they have legitimate privilege.
- Integrity controls: these include well-designed and tested disaster recovery plans.
- Data encryption: encryption of the sensitive data in the DW ensures that the data is accessed on an authorized basis only.
- Partitioning: a mechanism should be developed to partition sensitive data into separate tables, so that only authorized users can access these tables according to their needs.
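As an added example (not code from Warigon's paper or from this one), the following Python sketch applies the user access classification, access control and partitioning measures at the application layer: the sensitive columns of a constructed `account` table are partitioned into a separate `account_sensitive` table, callers are mapped to the three access classes named above, and a query helper projects only the columns a class is cleared for, joining the sensitive partition only when the class permits it. The table and column names, the class-to-column mapping and the sample rows are assumptions made for illustration.

```python
"""Partitioning sensitive warehouse columns into a separate table, gated by user access class.

Added illustration, not code from Warigon (1998) or from this paper. Table names,
column names, the three access classes and the sample rows are constructed.
"""
import sqlite3

GENERAL, LIMITED, UNLIMITED = "general", "limited", "unlimited"

# Non-sensitive attributes live in `account`; the sensitive ones are partitioned into
# `account_sensitive` so they can be protected (and audited) as a unit.
SCHEMA = """
CREATE TABLE account (
    account_id   INTEGER PRIMARY KEY,
    branch       TEXT NOT NULL,
    balance_band TEXT NOT NULL
);
CREATE TABLE account_sensitive (
    account_id   INTEGER PRIMARY KEY REFERENCES account(account_id),
    national_id  TEXT NOT NULL,
    balance      REAL NOT NULL
);
"""

# Constructed sample rows (not data from the paper).
ACCOUNTS = [(1, "Amman", "high"), (2, "Irbid", "low"), (3, "Amman", "low")]
SENSITIVE = [(1, "1234567890", 250000.0), (2, "0987654321", 1200.0), (3, "1122334455", 800.0)]

# Column whitelist per access class. Only names from this table are ever interpolated
# into SQL, so the query text cannot be influenced by the caller.
CLASS_COLUMNS = {
    GENERAL:   ["a.account_id", "a.branch", "a.balance_band"],
    LIMITED:   ["a.account_id", "a.branch", "a.balance_band", "s.balance"],
    UNLIMITED: ["a.account_id", "a.branch", "a.balance_band", "s.balance", "s.national_id"],
}


def open_warehouse():
    """In-memory warehouse populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO account VALUES (?, ?, ?)", ACCOUNTS)
    conn.executemany("INSERT INTO account_sensitive VALUES (?, ?, ?)", SENSITIVE)
    conn.commit()
    return conn


def fetch_accounts(conn, user_class, columns=None, branch=None):
    """Rows as dicts, restricted to the columns the caller's class is cleared for.

    The sensitive partition is joined only when a permitted sensitive column is requested,
    so a GENERAL user never touches `account_sensitive` at all.
    """
    if user_class not in CLASS_COLUMNS:
        raise PermissionError(f"unknown access class: {user_class!r}")
    allowed = CLASS_COLUMNS[user_class]
    columns = list(allowed) if columns is None else list(columns)
    denied = [c for c in columns if c not in allowed]
    if denied:
        raise PermissionError(f"{user_class} user is not cleared for {denied}")

    sql = f"SELECT {', '.join(columns)} FROM account a"
    if any(c.startswith("s.") for c in columns):
        sql += " JOIN account_sensitive s ON s.account_id = a.account_id"
    params = ()
    if branch is not None:  # data values are always bound, never interpolated
        sql += " WHERE a.branch = ?"
        params = (branch,)
    sql += " ORDER BY a.account_id"
    names = [c.split(".", 1)[1] for c in columns]
    return [dict(zip(names, row)) for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = open_warehouse()
    print("general  :", fetch_accounts(db, GENERAL, branch="Amman"))
    print("unlimited:", fetch_accounts(db, UNLIMITED, branch="Amman"))
    try:
        fetch_accounts(db, LIMITED, columns=["a.account_id", "s.national_id"])
    except PermissionError as exc:
        print("denied   :", exc)
```

Where the DBMS supports roles, the same class-to-table mapping should additionally be enforced with database grants on `account_sensitive`, so that the partition is protected even if an application bypasses this helper; SQLite has no such grants, which is why the check here sits in the application layer.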

Buttross and Ackers (1990) conducted a theoretical study in which they discussed microcomputer security practice. Their study also provided a security controls checklist that could be used to help internal auditors evaluate computer security, identify security weaknesses and correct them. The checklist was designed for small and medium-sized companies and included four categories of security controls, each with several elements:
- Organizational controls.
- Hardware controls.
- Software controls.
- Data and data integrity controls.

Dougan (1994) suggested an internal control checklist for computer systems. This checklist could be used to check the security controls in place and to ensure that the implemented security procedures are sufficient and effective to prevent computer data losses. Dougan grouped his checklist into four main categories:
- Computer room site (physical access).
- Documentation.
- Maintenance.
- Protection.

Henry (1997) carried out a survey of 261 companies in the US to determine the nature of their accounting systems and the security in use. Seven basic security methods were examined: encryption, password access, data backup, virus protection, authorization for system changes, physical system security and periodic audit. Henry's results indicated that 80.3% of the companies back up their accounting systems and 74.4% secure them with passwords, while only 42.7% use antivirus software. The results also revealed that less than 6% of the companies use data encryption; lastly, 45% of the companies underwent some sort of periodic audit of their accounting information systems.

Another study, by Qurashi & Siegel (1997), affirmed the accountant's responsibility to check the security of the computer system. The researchers carried out a theoretical study to develop a security checklist covering four groups of security controls: client policy, software security, hardware security and data security.

Cerullo and Michael (1999) conducted a survey using a questionnaire of twenty potential security and control mechanisms, which was circulated among the audit directors of two hundred Fortune companies in the US. Cerullo's study placed these mechanisms in four categories: client-based, network-based, server-based and application-based.

Hardy et al. (2000) examined information systems (IS) managers' and computerized information systems (CIS) auditors' judgments of the relative importance of elements of the internal control structure for EDI systems, using the analytic hierarchy process (AHP).

The data were collected by self-administered questionnaire in a mail survey. The target population comprised IS managers and CIS internal auditors from organizations that were members of Tradegate ECA, and CIS external auditors from the Big Six accounting firms. The survey yielded 54 responses from 159 questionnaires mailed, of which 48 were usable.

The results indicate a lack of consensus between IS managers and CIS auditors on encryption techniques and operational security controls, which requires further investigation. For example, in areas where IS managers perceive controls to be less important than CIS auditors do, there may be a weakness in control because the IS manager did not consider it worthwhile or cost-effective to implement what the CIS auditor considers sufficient control. The reverse may also be true, i.e. unnecessary controls may have been implemented; if so, discontinuing them may result in cost savings.
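To make the AHP step concrete, here is an added Python example (not code from Hardy et al. or from this paper). It derives priority weights for four control elements from the pairwise judgments of a constructed CIS auditor and a constructed IS manager, checks each respondent's consistency ratio, and lists the elements on which the two groups diverge, which is the kind of gap the study above reports for encryption. The element names, the judgments and the 0.1 thresholds are assumptions made for illustration; the random-index table is Saaty's standard one.

```python
"""Analytic hierarchy process (AHP) on a handful of internal-control elements.

Added illustration, not code from Hardy et al. (2000) or from this paper: the
element names, the Saaty-scale judgments and the two respondent groups below
are constructed.
"""
from math import prod

# Saaty's random consistency index by matrix order (used for the consistency ratio).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

# Constructed control elements (assumed names, not taken from the paper).
ELEMENTS = ["encryption", "access_control", "operational_security", "segregation_of_duties"]

# judgments[(a, b)] = k reads "a is k times as important as b" on the 1..9 scale.
# Unlisted pairs default to 1 (equal importance); reciprocals are filled in automatically.
AUDITOR_JUDGMENTS = {
    ("encryption", "access_control"): 2,
    ("encryption", "operational_security"): 4,
    ("encryption", "segregation_of_duties"): 4,
    ("access_control", "operational_security"): 2,
    ("access_control", "segregation_of_duties"): 2,
    ("operational_security", "segregation_of_duties"): 1,
}
MANAGER_JUDGMENTS = {
    ("access_control", "encryption"): 3,
    ("operational_security", "encryption"): 2,
    ("access_control", "operational_security"): 2,
    ("access_control", "segregation_of_duties"): 3,
    ("operational_security", "segregation_of_duties"): 2,
    ("encryption", "segregation_of_duties"): 1,
}


def build_matrix(elements, judgments):
    """Pairwise comparison matrix: a[i][j] = importance of i relative to j, a[j][i] = 1/a[i][j]."""
    idx = {e: i for i, e in enumerate(elements)}
    n = len(elements)
    a = [[1.0] * n for _ in range(n)]
    for (x, y), k in judgments.items():
        if k <= 0:
            raise ValueError(f"judgment for {(x, y)} must be positive")
        a[idx[x]][idx[y]] = float(k)
        a[idx[y]][idx[x]] = 1.0 / k
    return a


def priority_vector(a):
    """Row geometric-mean approximation of the principal eigenvector, normalised to sum to 1."""
    n = len(a)
    gm = [prod(row) ** (1.0 / n) for row in a]
    total = sum(gm)
    return [g / total for g in gm]


def consistency_ratio(a, w):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); CR above 0.1 means the judgments are too inconsistent."""
    n = len(a)
    if n < 3:
        return 0.0
    aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def ahp_weights(elements, judgments):
    """Return ({element: weight}, consistency_ratio) for one respondent's judgments."""
    a = build_matrix(elements, judgments)
    w = priority_vector(a)
    return dict(zip(elements, w)), consistency_ratio(a, w)


def consensus_gaps(w_auditor, w_manager, threshold=0.1):
    """Elements where the two groups' weights differ by at least `threshold` (auditor minus manager)."""
    return {e: round(w_auditor[e] - w_manager[e], 3)
            for e in w_auditor if abs(w_auditor[e] - w_manager[e]) >= threshold}


if __name__ == "__main__":
    auditor, cr_a = ahp_weights(ELEMENTS, AUDITOR_JUDGMENTS)
    manager, cr_m = ahp_weights(ELEMENTS, MANAGER_JUDGMENTS)
    for name, weights, cr in (("CIS auditor", auditor, cr_a), ("IS manager", manager, cr_m)):
        print(f"{name}: CR={cr:.3f}", {e: round(w, 3) for e, w in weights.items()})
    print("gaps (auditor - manager):", consensus_gaps(auditor, manager))
```

The geometric-mean estimate is exact when the judgments are perfectly consistent (the constructed auditor's ratios all follow from the weights 4:2:1:1) and is close to the eigenvector for the mildly inconsistent manager matrix, whose consistency ratio stays well under 0.1. Positive gaps are elements the auditor weights more heavily than the manager, which is the case the study flags as a possible control weakness.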

Moscove and Stephan (2001) consider that e-business organizations should maintain a group of control procedures to protect their systems from any possible threats, including:
1. Physical access control procedures.
2. Password control procedures.
3. Data encryption, such as public key encryption.
4. Disaster recovery plan (DRP).
5. Software-based security controls, such as firewalls.
6. Intrusion detection software to detect unauthorized entry into the system.

Abu Musa (2004) performed an empirical study to investigate the adequacy of the security controls implemented in the Egyptian banking industry (EBI), where the respondents were restricted to the heads of the computer departments and the heads of the internal audit departments. Using a self-administered checklist, Abu Musa tried to check whether the security controls applied in the EBI are adequate to protect against the perceived security threats.

The CAIS security checklist included eighty security procedures, categorized under the following ten groups:
1. Organizational information security controls.
2. Hardware and physical access security controls.
3. Software and electronic access security controls.
4. Data and data integrity security controls.
5. Off-line programs and data security controls.
6. Utility security controls.
7. Bypassing of normal access security controls.
8. User programming security controls.
9. Division of duties.
10. Output security controls.

Abu Musa's (2004) results revealed that the heads of computer departments paid relatively more attention to the technical problems of CAIS security controls, whereas the heads of internal audit departments emphasized behavioral and organizational security controls rather than the technical problems.

Sung et al. (2004) proposed a decision support system to help auditors in risk assessment, which is currently based on their professional judgment rather than on objective rules and criteria.

This system is based on the Case-Based Reasoning (CBR) model, a problem-solving paradigm used especially when the domain rules are incomplete, ill-defined and inconsistent. CBR is able to utilize the specific knowledge of previously experienced concrete cases. Sung's system is also based on the COSO report, SAS Nos. 55, 78 and 94, the TeamAsset checklist established by Pricewaterhouse, and the opinions of experts with more than 10 years of auditing practice, to define the factors that affect both the "Control Environment" and the "IT environment and monitoring" factors.

These factors were broken down into six factor categories:
1. Organization rules and responsibilities.
2. Overall monitoring.
3. IT function and organization.
4. System characteristics.
5. IT monitoring control.

These categories were broken down into twenty-three factors and then into fifty-six indexes, weighted by materiality.

Applying these indexes to actual cases, the researchers extracted validation results (hit ratio) to be used in estimating the risk level associated with each internal auditing case. To validate the performance of CRAS-CBR, 137 Korean companies' cases from the manufacturing industry for the year 1999 were collected and indexed. The approach of this study and the indexes (questions) used depend on the respondents' knowledge of the questioned figures, instead of asking them about the existence of a specific control procedure. Such an approach cannot be used efficiently if the respondent is not well educated about the dimension in question.

Recently, Boritz (2005) conducted an extensive review of the literature to identify the key attributes of information integrity and related issues; he then brought together two focus groups of experienced practitioners to discuss the documented findings extracted from the literature review, through a questionnaire examining the core concepts of information integrity and its elements. Boritz (2005) considered information security (as distinct from confidentiality) to be one of the core attributes of information integrity; this security should cover physical access controls and logical access controls.

The results indicated that security had a lower impairment severity score than several other practical aspects such as availability and verifiability. Boritz attributes such findings to the effective use of security controls in the organizations represented.

Coe (2005) focused in his study on compliance with the Sarbanes-Oxley Act of 2002, which requires public companies to report on the effectiveness of their internal control systems.

Coe explained in this study that the American companies are using COBIT for Sarbanes-Oxley act 2002 compliance, and this is because its objectives have been mapped to COSO in a publication entitled IT Control Objectives for Sarbanes-Oxley. COBIT also has been mapped to popular enterprise resource planning (ERP) systems such as SAP, Oracle and PeopleSoft. This mapping and related guidance provides COBIT framework references and methodologies for auditing and testing the major ERP systems.

Coe then turned to the Systrust service as the means of assuring that a company's systems carry out business processes reliably, and set out a five-step process showing how CPAs can use the Trust Services framework to evaluate a company's IT controls when the entity primarily uses the COSO approach:

1. Use the COSO framework to identify the risks in each business cycle and the controls that mitigate them.
2. Gather initial IT information.
3. Identify all information systems that relate to financial reporting.
4. Use the Trust Services framework to create one overall IT matrix.
5. Assess the controls identified in the matrices created above.

Finally, Martin (2005) described the same steps in a study explaining how an information systems auditor can use the AICPA/CICA Trust Services framework to evaluate internal controls, particularly controls over information technology.

The Research Hypothesis

The current research examines the following hypotheses in null form:

H10: Jordanian domestic banks do not have effective Control Systems on their Computerized Accounting Information Systems. This hypothesis is divided into the following null hypotheses:

1.1 Jordanian domestic banks do not have effective Fraud and Error Reduction Controls.
1.2 Jordanian domestic banks do not have effective Physical Access Controls.
1.3 Jordanian domestic banks do not have effective Logical Access Controls.
1.4 Jordanian domestic banks do not have effective Data Security Controls.
1.5 Jordanian domestic banks do not have effective Documentation Standards.
1.6 Jordanian domestic banks do not have effective Disaster Recovery plans.
1.7 Jordanian domestic banks do not have effective Internet, Communications and e-Banking controls.
1.8 Jordanian domestic banks do not have effective Output Security Controls.

H20: There are no significant differences among the respondents in the study sample (internal auditors / HOCD) with respect to the CAIS control systems effectiveness level in the domestic banks.


III. METHODOLOGY

The research population consists of all Jordanian domestic banks (local and foreign). There are twenty-three domestic banks in Jordan; three were excluded from this research because of their recent establishment (they were established only in 2005). The research covered only the banks' headquarters, where the targeted respondents were expected to be found. The targeted respondents represent the parties with the ability and knowledge to address the subject; therefore, the questionnaire was distributed to the internal auditors and the heads of computer departments (HOCD). Forty questionnaires were distributed; thirty were received in a usable format.

One way to assess the potential for non-response bias is to compare data from late respondents to data from on-time respondents as in Oppenheim (1992) and Wallace and Mellor (1988). In our study, five responses were received following a reminder. Those late responses were not significantly different from other responses in any of the analyses reported in the results section.

The data were collected using a self-administered questionnaire designed after preliminary observation of practice. The questionnaire reviews the existence of the general functions and procedures that a CS needs in order to be effective in achieving its goals. Measuring CAIS control system effectiveness in this way minimizes the respondent bias that could arise if respondents were asked directly whether their control systems achieve their goals.

The above-mentioned procedures and functions are categorized under the following eight categories according to their functions or goals:

1. Fraud and error reduction controls.
2. Physical access controls.
3. Logical access controls.
4. Data security controls.
5. Documentation standards.
6. Disaster recovery plan.
7. Internet, communication and e-banking controls.
8. Output security controls.

To investigate the validity of the research instrument, professionals and academics were consulted. They were asked to check whether the security controls and procedures in the questionnaire represent essential elements of an effective control system, to confirm that each point (control procedure) is categorized under the correct and representative group, and finally to suggest a weight§§ for each control procedure within its group, where the total score for each group does not exceed 100%.

After collecting all the experts' recommendations and suggestions, the mean and the standard deviation*** of the suggested weights were calculated and used to produce the final list of control procedures and a materiality weight for each of them, for use in the current research.

Cronbach's alpha was used to check the stability of the questionnaire and all of its components. The reliability analysis also allowed the researchers to study the properties of the measurement scales and the items that make them up.

§§ These weights are referred to as "norms" later in the study.
*** The standard deviation was calculated for each point and for all points.


Because a nominal scale is used to measure control procedure effectiveness, the chi-square test was selected as the nonparametric procedure for testing the second hypothesis, which examines whether there is a significant difference between EDP controllers and internal auditors with respect to the CAIS control systems effectiveness level. The X² statistic is the sum, over all cells of the table, of the squared difference between the observed and expected frequencies divided by the expected frequency of that cell. For a 2 × 2 table the statistic approximately follows a chi-square distribution with one degree of freedom (Zikmond, 2003, p. 520).

For the chi-square (2 × 2) test to give accurate results, each expected frequency should be at least five; where this assumption was not met, Fisher's exact probability test was used instead. The first hypothesis (including the minor hypotheses, which pertain to the population proportion p, the security control effectiveness percentage) was tested by calculating the sample proportion ps (ps = X/n) and comparing this statistic with the hypothesized value of the parameter p (the effectiveness standard, or norm). The approximate normality of the sampling distribution was checked using the rule that if the number of successes (X) and the number of failures (n − X) are each at least five, the sampling distribution of a proportion approximately follows the standardized normal distribution. To evaluate the size of the difference between the sample proportion ps and the hypothesized value p for each security control group and for security control systems in general, the Z test for a proportion given in the following equation is used (Berenson, 2001):

$$Z = \frac{p_s - p}{\sqrt{\dfrac{p(1-p)}{n}}}$$

where p_s is the observed proportion of successes (the number of successes divided by the sample size), p is the hypothesized proportion of successes in the population, and n is the sample size.


IV. RESULTS

As table 1 shows, 80% of the respondents reported that their banks had four or more information system specialists.

Table 1 Frequency distribution of information system specialists

Number of IS specialists | Frequency | Percent
0 | 2 | 6.7%
1-3 | 4 | 13.3%
4-7 | 9 | 30.0%
8-11 | 2 | 6.7%
12-15 | 8 | 26.7%
More than 15 | 5 | 16.7%
Total | 30 | 100.0%

The majority of the respondents (73.3%), as table 2 shows, reported that they had four or more years of experience in their current position, while 26.7% had less than four years of experience in that position.

Table 2 Frequency distribution of the respondents' experience in their current position

Experience in current position (years) | Frequency | Percent
Less than one year | 1 | 3.3%
1-3 | 7 | 23.3%
4-7 | 15 | 50.0%
8-11 | 4 | 13.3%
12-15 | 2 | 6.7%
More than 15 | 1 | 3.3%
Total | 30 | 100.0%

About 83% of the respondents (25 of 30, table 3) declared that they had four or more years of experience in the same bank, while about 17% reported less than four years of experience in the observed bank.

Table 3 Frequency distribution of the respondents' experience in the observed bank

Experience in the observed bank (years) | Frequency | Percent
1-3 | 5 | 16.7%
4-7 | 13 | 43.3%
8-11 | 8 | 26.7%
12-15 | 3 | 10.0%
More than 15 | 1 | 3.3%
Total | 30 | 100.0%


In general, it can be concluded that the individuals who answered the questionnaire had the minimum required level of knowledge, which increases the credibility and reliability of their answers.

The following section focuses on the statistical findings related to security control. It consists of descriptive statistics such as frequencies and percentages.

Fraud and error reduction controls

To explore the existence and implementation of fraud and error reduction control procedures, the respondents were asked to indicate whether such measures existed at their banks. All respondents (100%) indicated that their banks had implemented segregation of duties, both between information system development functions (analysis, programming, etc.) and between accounting duties (authorization, recording, etc.). The results also showed that 67% of the respondents believed that their banks used rotation of duties to decrease the chance of fraud and increase the chance of exposing errors, and a similar proportion reported that employees with access to sensitive data were bonded, while one third of the respondents reported that no such procedure was implemented. These results indicate that domestic bank managements have recognized the importance of this group of controls in minimizing fraud and error. They support the position of Romeny and Steinbart (1999) on the importance of fraud and error reduction controls, especially the first two control procedures, and the proportion of banks with a bonding policy is much higher than that found by Abu Musa (2004).

Table 4 Fraud and error reduction controls (Frequencies)

# | Control procedure | Does not exist (freq., %) | Exists (freq., %)
1 | Segregation of information system development functions (analyst, programmer, operator, user, librarian, data controller). | 0 (0.0%) | 30 (100.0%)
2 | Segregation of accounting duties (e.g. authorization, recording). | 0 (0.0%) | 30 (100.0%)
3 | Rotation of duties is utilized to decrease fraud chances and increase the chance of error exposure. | 10 (33.3%) | 20 (66.7%)
4 | Employees who have access to sensitive data are bonded. | 10 (33.3%) | 20 (66.7%)

Physical access controls

The research revealed that the vast majority of the respondents (93.3%) claimed that their banks had locked rooms for servers and sensitive computer equipment, while 6.7% reported that their banks had not implemented this control. Although the percentage is high, the researchers regard it as unsatisfactory, because it shows that some banks do not implement even the basic Systrust (2003) rules. The respondents were also asked whether physical access cards were managed by the bank's security staff, with their usage logged and the logs reviewed; 93.3% claimed that their banks implemented this procedure, while about 7% believed that they did not. Moreover, 70% of the respondents confirmed that their banks restricted access to server rooms and related hardware to authorized individuals by card key systems monitored by video surveillance. The results also showed that 63.3% of the respondents reported that their banks kept records of visitors showing the visitor's name and the purpose of the visit. Almost 77% believed that their banks maintained adequate theft and hazard insurance covering computer hardware, a lower percentage than that found in the Egyptian banking sector by Abu Musa (2004). Furthermore, 70% reported that their banks had installed alarms concentrated on computer equipment. In general, the results were consistent with Romeny and Steinbart (1999), Buttros and Ackers (1990), Dougan (1994), Henry (1997), Moscove and Stephan (2001) and Boritz (2005).

Table 5 Physical access controls (Frequencies)

# | Control procedure | Does not exist (freq., %) | Exists (freq., %)
5 | Locked rooms for servers and sensitive computer equipment. | 2 (6.7%) | 28 (93.3%)
6 | Physical access cards are managed by the bank's security staff. Access card usage is logged; logs are maintained and reviewed by the bank's security staff. | 2 (6.7%) | 28 (93.3%)
7 | Physical access to the computer rooms containing the bank's IT resources, servers and related hardware such as firewalls and routers is restricted to authorized individuals by card key systems and monitored by video surveillance. | 9 (30.0%) | 21 (70.0%)
8 | Records are kept of visitors and the purpose of their visits. | 11 (36.7%) | 19 (63.3%)
9 | Adequate theft and hazard insurance covers computer hardware. | 7 (23.3%) | 23 (76.7%)
10 | Alarms are installed, concentrated on computer equipment. | 9 (30.0%) | 21 (70.0%)


Logical access controls

To investigate the existence and implementation of adequate logical access controls in the domestic banks, the respondents were asked to indicate whether each control procedure existed. All respondents claimed that their banks had implemented passwords and IDs for users' computers, while 66.7% reported that each computer had a password-locked screen saver. 96.7% claimed that the authority to access company information was defined according to the user's ID. According to 90% of the respondents, computer and software passwords contained at least six characters, one of which was non-alphanumeric, were case sensitive and were updated every ninety days. Moreover, 83.3% reported that their banks had adequate procedures to prevent unauthorized public access via dial-up, while 63.3% said that VPN software was used on their banks' networks to permit remote access by authorized users. Furthermore, 80% believed that their banks provided users with only the needed network services and deactivated unnecessary ones, and 66.7% reported that intrusion detection systems were used to provide continuous monitoring of the bank's network and early identification of potential security breaches. Only 60% reported that their banks contracted third parties to conduct periodic security reviews and vulnerability assessments. Additionally, 70% claimed that their banks used routing verification procedures to ensure that messages were not routed to the wrong system addresses, 90% believed that their banks required electronic identification for each authorized network terminal, and 66.7% reported that message acknowledgment techniques were used to inform the sender that his message had been delivered.

These results are consistent with the control procedures proposed in Systrust v2.0, but less so with the control procedures extracted from Romeny and Steinbart (1999).

Table 6 Logical access controls (Frequencies)

# | Control procedure | Does not exist (freq., %) | Exists (freq., %)
11 | Each user has a password and an ID for his computer. | 0 (0.0%) | 30 (100.0%)
12 | Screen saver with password. | 10 (33.3%) | 20 (66.7%)
13 | The authority to access company information is defined according to the user's ID. | 1 (3.3%) | 29 (96.7%)
14 | Each password contains at least six characters, one of which is non-alphanumeric. Passwords are case sensitive and updated every 90 days. | 3 (10.0%) | 27 (90.0%)
15 | Adequate procedures are implemented to prevent unauthorized public access via dial-up (e.g. dial-back, or dial-up access restricted to non-confidential information). | 5 (16.7%) | 25 (83.3%)
16 | Virtual private networking (VPN) software is used to permit remote access by authorized users. Users are authenticated by a VPN server through specific client software and a user ID and password. | 11 (36.7%) | 19 (63.3%)
17 | Unneeded network services (for example telnet, ftp and http) are deactivated on the entity's servers. A list of the required and authorized services is maintained by the IT department and reviewed by management on a routine basis for its validity under current operating conditions. | 6 (20.0%) | 24 (80.0%)
18 | Intrusion detection systems are used to provide continuous monitoring of the entity's network and early identification of potential security breaches. | 10 (33.3%) | 20 (66.7%)
19 | The bank contracts with third parties to conduct periodic security reviews and vulnerability assessments. Results and recommendations for improvement are reported to management. | 12 (40.0%) | 18 (60.0%)
20 | Routing verification procedures are used to ensure that messages are not routed to the wrong system addresses. | 9 (30.0%) | 21 (70.0%)
21 | Electronic identification is required for each authorized network terminal. | 3 (10.0%) | 27 (90.0%)
22 | Message acknowledgment techniques (e.g. echo check, trailer label, numbered batches) are used to inform the sender that his message has been delivered. | 10 (33.3%) | 20 (66.7%)
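Item 17 in Table 6 requires unneeded services to be deactivated and an authorized-services list to be kept and reviewed. The following added example (not from the paper and not from any bank's system) shows how such a review can be automated: it parses a constructed sample of Linux `ss -ltn` listening-socket output and reports every listener that is absent from a hypothetical authorized list, flagging whether the service is bound beyond loopback, and also reports authorized services that are no longer listening so the list itself is kept current. The authorized ports and the port-to-service names are assumptions for the demonstration.

```python
import re

# Constructed sample of `ss -ltn` output (Linux listening TCP sockets); the
# hosts, ports and queue sizes are invented for this example.
SAMPLE_LISTENERS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*
LISTEN  0       50      0.0.0.0:21           0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

# Hypothetical authorized-services list of the kind item 17 says the IT
# department maintains (assumed values, not taken from the paper).
AUTHORIZED_PORTS = {22: "ssh", 443: "https"}

# Well-known names for the services the questionnaire item cites as examples.
KNOWN_SERVICES = {21: "ftp", 23: "telnet", 80: "http", 3306: "mysql"}

LOOPBACK = ("127.0.0.1", "[::1]")

_LISTEN_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+")


def parse_listeners(text):
    """Return sorted, de-duplicated (port, bind_address) pairs from ss -ltn output."""
    found = set()
    for line in text.splitlines():
        match = _LISTEN_LINE.match(line)
        if match:
            found.add((int(match.group("port")), match.group("addr")))
    return sorted(found)


def audit_listeners(text, authorized=AUTHORIZED_PORTS):
    """Compare listening ports against the authorized list.

    Returns {"unauthorized": [...], "missing": [...]} where each unauthorized
    entry records the port, a service name if known, the bind address and
    whether the socket is reachable from beyond loopback; "missing" lists
    authorized ports that are not listening (stale list or dead service)."""
    listening = parse_listeners(text)
    unauthorized = []
    for port, addr in listening:
        if port in authorized:
            continue
        unauthorized.append({
            "port": port,
            "service": KNOWN_SERVICES.get(port, "unknown"),
            "bind": addr,
            "exposed": addr not in LOOPBACK,
        })
    listening_ports = {port for port, _ in listening}
    missing = sorted(port for port in authorized if port not in listening_ports)
    return {"unauthorized": unauthorized, "missing": missing}


if __name__ == "__main__":
    report = audit_listeners(SAMPLE_LISTENERS)
    for finding in report["unauthorized"]:
        reach = "network-exposed" if finding["exposed"] else "loopback only"
        print(f"port {finding['port']:>5} ({finding['service']}): not on authorized list, {reach}")
    print("authorized but not listening:", report["missing"])
```

Run against the sample, the audit flags telnet, ftp and http as network-exposed listeners that are not on the list and the loopback-bound database port as a lower-priority deviation; feeding it real `ss -ltn` output from each server on a schedule gives the routine review the item asks for.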

Data security controls

All of the respondents agreed that their banks protected the file storage area from harmful conditions (such as fire and dust). Furthermore, 80% of the respondents reported that their banks maintained a well-defined data dictionary, while 70% said that data were classified into layers, each with its own security level.

Over 66% of the respondents believed that each element of information was defined as to whom it was required by, when it was needed and in which information system it existed. The same percentage claimed that their banks maintained write-protection mechanisms to protect data files from being overwritten or erased. Moreover, all of the respondents reported that their banks maintained backups and working copies according to a predefined schedule.

Table 7 Data security controls (Frequencies)

# | Control procedure | Does not exist (freq., %) | Exists (freq., %)
23 | File storage area protected against fire, dust and other harmful conditions. | 0 (0.0%) | 30 (100.0%)
24 | A well-defined data dictionary is used. | 6 (20.0%) | 24 (80.0%)
25 | Each type of data and the level of protection required for each are well defined. | 9 (30.0%) | 21 (70.0%)
26 | Each element of information is defined as to whom it is required by, when it is needed and in which IS it exists. | 10 (33.3%) | 20 (66.7%)
27 | Write-protection mechanisms protect against users accidentally overwriting or erasing data files. | 10 (33.3%) | 20 (66.7%)
28 | Backups and working copies of data are well maintained according to a predefined schedule. | 0 (0.0%) | 30 (100.0%)
29 | Adequate steps are taken to avoid unauthorized copying of hardcopy data. | 8 (26.7%) | 22 (73.3%)
30 | Adequate security controls are implemented over manual handling of data between branches and headquarters, as well as among the bank's departments. | 2 (6.7%) | 28 (93.3%)
31 | A hardcopy is routinely printed for critical data. | 7 (23.3%) | 23 (76.7%)
32 | The FORMAT command is removed from users' computers. | 13 (43.3%) | 17 (56.7%)
33 | Legally binding confidentiality agreements are drafted by the employer and signed by the computer users who have access to sensitive data. | 8 (26.7%) | 22 (73.3%)
34 | Backup diskettes or cartridges are secured in safe cabinets or a fire-rated safe. | 2 (6.7%) | 28 (93.3%)


Also, 73.3% of the respondents believed that their banks took the required steps to avoid unauthorized copying of hardcopy data, and 93.3% said that their banks implemented adequate security controls over the manual handling of data between branches and headquarters as well as among the banks' departments. Approximately 77% of respondents believed that their banks routinely printed a hard copy of critical data, and 57% claimed that the FORMAT command was removed from users' computers. Furthermore, 73% reported that their banks drafted confidentiality agreements for signature by computer users with access to sensitive data. Finally, 93.3% claimed that their banks kept backup diskettes or cartridges secured in safe cabinets or fire-rated safes. The empirical results confirmed the validity of most of the protective measures drawn from the theoretical study of Warigon (1998).

Documentation standards

Almost 90% of the respondents reported that their banks had set up well-defined standards and procedures for data processing, including the justification and authorization of new systems and system changes. On the other hand, 60% believed that their banks kept documentation describing each application system, including narrative material, flow charts and program listings. A lower percentage (50%) believed that the documentation kept in their banks described what was needed to run a program, including the equipment configuration, programs and data files as well as the procedures to set up and execute the job. 70% reported that users were provided with instructions for communicating potential security breaches to the information security team so that these incidents could be monitored and evaluated. Again, a lower percentage (56.7%) claimed that existing documentation contained procedures ensuring that issues of non-compliance with system security policies were promptly addressed and corrective measures taken on a timely basis.

Table 8 Documentation standards (Frequencies)

# | Control procedure | Does not exist (freq., %) | Exists (freq., %)
35 | Well-defined standards and procedures for data processing, including the justification and authorization of new systems and system changes, standards for system analysis, design and programming, and procedures for file handling and storage. | 3 (10.0%) | 27 (90.0%)
36 | Documentation describes each application system, including narrative material, flow charts and program listings. | 12 (40.0%) | 18 (60.0%)
37 | Documentation describes what is needed to run a program, including the equipment configuration, programs and data files as well as procedures to set up and execute the job. | 15 (50.0%) | 15 (50.0%)
38 | Users are provided with instructions for communicating potential security breaches to the information security team. These incidents are monitored and evaluated by the information security team periodically. | 9 (30.0%) | 21 (70.0%)
39 | Procedures exist to ensure that issues of non-compliance with system security policies are promptly addressed and corrective measures are taken on a timely basis. | 13 (43.3%) | 17 (56.7%)

The empirical results of this section correspond to the fourth COSO component, information and communication, which should provide a clear understanding of individuals' roles and responsibilities. They also emphasize the importance of the Systrust 2.0 "Policies" criteria, which aim to document and define the company's policies.

Disaster recovery plan

The respondents were asked whether their banks had a plan identifying the applications, hardware and software necessary to keep the organization running in an emergency, together with the sequence and timing of all recovery activities; 73.3% reported that their banks kept such a plan. In addition, 76.7% claimed that their bank's DRP provided the ability to recover lost or destroyed files when a disaster occurred, 63.3% reported that the DRP defined the individuals or teams responsible for implementing the different DRP activities, and 70% reported that it provided ready backup facilities through spare hardware, subcontract agreements or a reciprocal agreement with an organization that has compatible facilities. All of the respondents reported that their banks provided servers and sensitive operational computers with uninterruptible power supply (UPS) units to supply power during power outages. The lowest percentage (60%) claimed that their banks maintained an insurance policy covering the cost of business interruption resulting from computer disasters.


Table 9 Disaster recovery plan components (Frequencies)

# | Control procedure | Does not exist (freq., %) | Exists (freq., %)
40 | A plan identifying the applications, hardware and software necessary to keep the organization running in emergency cases, and the sequence as well as the timing of all recovery activities. | 8 (26.7%) | 22 (73.3%)
41 | The DRP provides the ability to recover lost or destroyed files when a disaster occurs. | 7 (23.3%) | 23 (76.7%)
42 | The DRP defines the individuals or teams responsible for implementing the different DRP activities. | 11 (36.7%) | 19 (63.3%)
43 | The DRP provides ready backup facilities, which can be provided through spare hardware, subcontract agreements, or a reciprocal agreement with an organization that has compatible facilities. | 9 (30.0%) | 21 (70.0%)
44 | Uninterruptible power supply (UPS) units supply power during power outages. | 0 (0.0%) | 30 (100.0%)
45 | Insurance covers the cost of business interruption resulting from computer disasters. | 12 (40.0%) | 18 (60.0%)

All of the disaster recovery plan procedures, which were drawn from Jacob & Weiner (1997), Romeny & Steinbart (1999) and Moscove & Stephan (2001), have an acceptable existence percentage.

Internet, communications and e-Banking controls

As expected, all of the respondents reported that their banks had antivirus software in place, including virus scans of incoming e-mail messages, with virus signatures updated at least weekly.

Again, 100% of the respondents claimed that their banks had installed firewalls (software and hardware) to control and protect communication between the internal network and external networks (e.g. the Internet). 63.3% believed that their banks set a ceiling (e.g. 2000 JD per day) on monetary transactions made through the e-banking service. Only 43.3% reported that their banks issued two user IDs for the e-banking service, one for general inquiries and the other for transfers and monetary transactions. A higher percentage (66.7%) believed that the user's account was activated only after a successful login encrypted through a 128-bit SSL session, with users logged out on request or after 10 minutes of inactivity. Additionally, 76.7% claimed that monetary transfers in their banks were restricted to accounts in the same bank. Merely half (53.3%) believed that unused e-banking accounts were purged automatically by the bank's system. The majority (83.3%) reported that the login session was terminated after three unsuccessful login attempts and that terminated sessions were logged for follow-up. Finally, 76.7% believed that their banks used 128-bit secure sockets layer (SSL) encryption for the transmission of private or confidential information over public networks, including users' IDs and passwords, and required users to update their browsers to the latest version tested and approved by the security administrator.

Table 10 Internet, communications and e-Banking controls (Frequencies)

# | Control procedure | Does not exist (freq., %) | Exists (freq., %)
46 | Antivirus software is in place, including virus scans of incoming e-mail messages. Virus signatures are updated at least weekly. | 0 (0.0%) | 30 (100.0%)
47 | Firewalls (hardware and software) are installed to control and protect communications between the internal network and external networks such as the Internet. | 0 (0.0%) | 30 (100.0%)
48 | Electronic monetary transactions are limited (e.g. to 2000 JD) per day. | 11 (36.7%) | 19 (63.3%)
49 | Each e-banking user has two IDs, one for general inquiries and the other for transfers and monetary transactions. | 17 (56.7%) | 13 (43.3%)
50 | Account activation, subsequent to successful login, is encrypted through a 128-bit SSL session. Users are logged out on request (by selecting the "Sign-out" button on the website) or after 10 minutes of inactivity. | 10 (33.3%) | 20 (66.7%)
51 | Monetary transfer capabilities are restricted to accounts in the same bank (sender and receiver in the same bank). | 7 (23.3%) | 23 (76.7%)
52 | Unused customer accounts (no activity for six months) are purged by the system. | 14 (46.7%) | 16 (53.3%)
53 | The login session is terminated after three unsuccessful login attempts. Terminated login sessions are logged for follow-up. | 5 (16.7%) | 25 (83.3%)
54 | The bank uses 128-bit secure sockets layer (SSL) encryption for transmission of private or confidential information over public networks, including users' IDs and passwords. Users are required to update their browser to the latest version tested and approved by the security administrator. | 7 (23.3%) | 23 (76.7%)
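Items 50 and 53 in Table 10 describe two session-handling controls for the e-banking front end: sign-out after ten minutes of inactivity, and termination of the login after three unsuccessful attempts with the termination logged for follow-up. The following added example (not from the paper and not any bank's code) implements both as a small state machine in Python. The credential check and the clock are injected so the logic runs offline; the test credential, the client address and the event tuple layout are assumptions for the demonstration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable

MAX_FAILED_ATTEMPTS = 3        # item 53: terminate the login after three failures
INACTIVITY_TIMEOUT = 10 * 60   # item 50: sign out after ten idle minutes (seconds)


@dataclass
class LoginGuard:
    """Per-user failed-login lockout plus idle-session expiry.

    `verify(user, password)` is the credential check and `clock()` returns the
    current time in seconds; both are injected so the behaviour is testable
    without a user directory or a real ten-minute wait."""
    verify: Callable[[str, str], bool]
    clock: Callable[[], float]
    failures: dict = field(default_factory=dict)   # user -> consecutive failures
    locked: set = field(default_factory=set)       # users whose login was terminated
    sessions: dict = field(default_factory=dict)   # session id -> (user, last activity)
    events: list = field(default_factory=list)     # follow-up log for security staff

    def login(self, user, password, source_ip):
        """Return a session id on success, None on failure or lockout."""
        now = self.clock()
        if user in self.locked:
            self.events.append(("rejected_locked", user, source_ip, now))
            return None
        if not self.verify(user, password):
            count = self.failures.get(user, 0) + 1
            self.failures[user] = count
            if count >= MAX_FAILED_ATTEMPTS:
                self.locked.add(user)
                # Item 53: the terminated login is recorded for follow-up.
                self.events.append(("login_terminated", user, source_ip, now))
            return None
        self.failures.pop(user, None)              # a success resets the counter
        sid = secrets.token_hex(16)                # unguessable session identifier
        self.sessions[sid] = (user, now)
        return sid

    def touch(self, sid):
        """Validate a request carrying session id `sid`; expire idle sessions."""
        if sid not in self.sessions:
            return False
        user, last_activity = self.sessions[sid]
        now = self.clock()
        if now - last_activity > INACTIVITY_TIMEOUT:
            del self.sessions[sid]
            self.events.append(("idle_timeout", user, sid, now))
            return False
        self.sessions[sid] = (user, now)           # activity extends the session
        return True

    def sign_out(self, sid):
        """Item 50: users are logged out on request."""
        self.sessions.pop(sid, None)


if __name__ == "__main__":
    # Constructed demonstration: one known credential and a fake clock.
    now = [0.0]
    guard = LoginGuard(verify=lambda u, p: (u, p) == ("customer1", "s3cret!"),
                       clock=lambda: now[0])
    for _ in range(3):
        guard.login("customer1", "wrong", "203.0.113.5")
    print("locked after three failures:", "customer1" in guard.locked)
    print("events:", guard.events)
```

The questionnaire item does not say how a terminated user is re-enabled; in practice the lock either expires after a cooling-off period or is cleared by staff after the follow-up, because an indefinite lock lets anyone who knows a customer's user ID deny that customer service by entering three wrong passwords. The idle timeout is enforced on the server side on every request, not only in the browser, so a client that stops sending the sign-out request gains nothing.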

Output security controls

All respondents believed that their banks controlled access to sensitive information and restricted it to authorized users during authorized times. A lower percentage (86.7%) reported that sensitive computer output was secured in a locked cabinet. Only 60% believed that hard copy output was automatically stamped with the date and time. 83.3% reported that printing and distributing data and information were performed under proper supervision and only by authorized persons in the bank. 76.7% believed that shredding machines were available and used for the disposal of confidential data, while 70% reported that shredding sensitive documents was restricted to security-cleared personnel. Lastly, 76.7% claimed that their banks performed random output/input auditing on a regular basis to verify correct processing.


Table 11 Output security controls (Frequencies)

#   Control Procedure
    Does not exist: Freq. (Percent)   Exists: Freq. (Percent)

55  Authorized access to sensitive information should be controlled and restricted only to the authorized users during the authorized time.
    Does not exist: 0 (0.0%)   Exists: 30 (100.0%)

56  Sensitive computer output secured in a locked cabinet.
    Does not exist: 4 (13.3%)   Exists: 26 (86.7%)

57  Hard copy output stamped automatically with date/time.
    Does not exist: 12 (40.0%)   Exists: 18 (60.0%)

58  Printing and distributing data and information performed under proper supervision and only by authorized persons in the bank.
    Does not exist: 5 (16.7%)   Exists: 25 (83.3%)

59  Shredding machines are available and used for disposal of confidential data.
    Does not exist: 7 (23.3%)   Exists: 23 (76.7%)

60  Shredding sensitive documents is restricted to security-cleared personnel.
    Does not exist: 9 (30.0%)   Exists: 21 (70.0%)

61  Random output/input auditing regularly conducted to verify correct processing (e.g. check book orders against actual printed check books).
    Does not exist: 7 (23.3%)   Exists: 23 (76.7%)

The following section focuses on the statistical findings concerning the hypothesis testing. To test the first hypothesis and its related minor hypotheses, the Z test for proportion was conducted, as shown in the following table.

Table 12 Z-test for percent differences

Dimension                                  Norms   Percent   N    Z Value   P
Fraud and error reduction control          65%     91%       30   2.98      0.002
Physical access                            70%     79%       30   1.05      0.29
Logical access                             70%     78%       30   1.08      0.28
Data security                              65%     79%       30   1.89      0.058
Documentation standards                    60%     70%       30   1.20      0.23
A Disaster Recovery Plan                   60%     73%       30   1.38      0.16
Internet, communication and e-Control      75%     82%       30   1.00      0.31
Output security controls                   65%     85%       30   1.81      0.07

The developed norms††† are used as a cut point for the minimum accepted percentage of applying CS standards: a bank is considered to be applying an effective control system if its own CS standards evaluation percentage exceeds this norm. We then tested for significant differences between the applied percentage in the Jordanian domestic banks and these norms using the Z test for proportion. From table (12), the p value is less than 0.05 for fraud and error reduction controls. This means that there is a significant difference between the accepted norm (65%) and the applied percentage (91%). The Z value is also higher than 1.96, which means it falls in the rejection area. All of this leads us to reject the null hypothesis, which implies that the Jordanian domestic banks are using effective fraud and error reduction controls. The p value is more than 0.05 for (Physical access, Logical access, Data security, Documentation standard, Disaster Recovery, Internet, communication and E-Control, Output security controls), and the Z values for them fall in the acceptance area (-1.96 < Z < 1.96), which means that there are no significant differences. Consequently, the researcher concludes that the Jordanian domestic banks are not using effective control procedures for (Physical access, Logical access, Data security, Documentation standard, Disaster Recovery, Internet, communication and E-Control and Output security controls). According to the above-mentioned results, we accept the main null hypothesis, which states: "Domestic Banks are not using effective Control Systems on their Computerized Accounting Information System." To test the second hypothesis, we used the Chi-square test, as shown in appendix (1). The Chi-square results show that there is no difference between the EDP controllers' and the internal auditors' opinions in respect of the CAIS control system effectiveness level. Accordingly, the null hypothesis is accepted.
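As an added illustration (not part of the paper and not the authors' own computations), the following Python re-derives the two decision rules used above: the Z test for a proportion against a norm, as applied in Table 12, and the chi-square comparison of the EDP controllers' and internal auditors' answers reported in appendix (1). The function names and the dict layout are this example's own. The inputs are copied from Table 12 (fraud and error reduction: norm 65%, applied 91%; physical access: norm 70%, applied 79%; N = 30) and from appendix (1) (questions 7 and 12, with 15 respondents in each group). Because Table 12 prints rounded percentages, the recomputed statistics differ from the printed ones in the second decimal, but the verdicts for these rows agree with the text.

```python
"""One-sample Z test for a proportion and a 2x2 chi-square test.

Added illustration, not code from the paper. It re-derives the decision rule
applied to Table 12 (reject H0 when |Z| > 1.96, i.e. p < 0.05) and the
Appendix (1) comparison of the two respondent groups. Function names are this
example's own; input values are copied from Table 12 (norm, applied
percentage, N = 30) and Appendix (1) (counts of 15 EDP controllers and 15
internal auditors per question).
"""
import math

ALPHA = 0.05
Z_CRIT = 1.96  # two-sided critical value of the standard normal at alpha = 0.05


def two_sided_p(z: float) -> float:
    """Two-sided p-value of a standard-normal statistic, P(|Z| > |z|)."""
    return math.erfc(abs(z) / math.sqrt(2))


def z_test_proportion(norm: float, applied: float, n: int) -> dict:
    """Z test for a proportion against a fixed norm.

    H0: the applied percentage equals the norm (the minimum accepted
    percentage of CS standards). The standard error is computed from the
    norm, as in the one-sample test. 'effective' additionally requires the
    applied percentage to exceed the norm, which is how the paper reads a
    rejection.
    """
    se = math.sqrt(norm * (1.0 - norm) / n)
    z = (applied - norm) / se
    reject = abs(z) > Z_CRIT
    return {"z": z, "p": two_sided_p(z), "reject_h0": reject,
            "effective": reject and applied > norm}


def chi_square_2x2(does_not_exist: tuple, exists: tuple) -> dict:
    """Pearson chi-square (df = 1, no continuity correction) for one question.

    does_not_exist = (IT count, Internal Auditor count) answering
    'Does not exist'; exists = the same pair answering 'Exists'.
    H0: both respondent groups answer the question the same way.
    """
    table = [list(does_not_exist), list(exists)]
    n = sum(map(sum, table))
    row_totals = [sum(r) for r in table]
    col_totals = [table[0][j] + table[1][j] for j in range(2)]
    # If every respondent gave the same answer there is nothing to compare;
    # the appendix reports 0.00 / 1.00 for such questions, and so do we.
    if 0 in row_totals or 0 in col_totals:
        return {"chi2": 0.0, "p": 1.0, "reject_h0": False}
    chi2 = 0.0
    for i in range(2):
        for j in range(2):
            expected = row_totals[i] * col_totals[j] / n
            chi2 += (table[i][j] - expected) ** 2 / expected
    # With df = 1 the chi-square upper tail equals the two-sided normal tail
    # at sqrt(chi2), so no chi-square distribution table is needed.
    p = two_sided_p(math.sqrt(chi2))
    return {"chi2": chi2, "p": p, "reject_h0": p < ALPHA}


def evaluate_dimensions(rows: dict, n: int) -> dict:
    """Run the Z test for each dimension; rows maps name -> (norm, applied)."""
    return {name: z_test_proportion(norm, applied, n)
            for name, (norm, applied) in rows.items()}


# Two rows of Table 12 (norm, applied percentage as fractions), N = 30.
TABLE_12_ROWS = {
    "Fraud and error reduction control": (0.65, 0.91),
    "Physical access": (0.70, 0.79),
}
N_RESPONDENTS = 30

# Appendix (1) counts (IT, Internal Auditor) for questions 12 and 7.
APPENDIX_Q12 = {"does_not_exist": (4, 6), "exists": (11, 9)}
APPENDIX_Q7 = {"does_not_exist": (4, 5), "exists": (11, 10)}

if __name__ == "__main__":
    for name, r in evaluate_dimensions(TABLE_12_ROWS, N_RESPONDENTS).items():
        verdict = "effective" if r["effective"] else "not shown effective"
        print(f"{name}: Z = {r['z']:.2f}, p = {r['p']:.3f} -> {verdict}")
    for label, q in (("Q12", APPENDIX_Q12), ("Q7", APPENDIX_Q7)):
        r = chi_square_2x2(q["does_not_exist"], q["exists"])
        print(f"{label}: chi2 = {r['chi2']:.2f}, p = {r['p']:.2f}")
```

Running the block prints Z = 2.99, p = 0.003 for fraud and error reduction (rejection area) and Z = 1.08, p = 0.282 for physical access (acceptance area), and chi2 = 0.60, p = 0.44 for question 12 and chi2 = 0.16, p = 0.69 for question 7, matching the appendix values to the printed precision. For a 2x2 table the chi-square statistic has one degree of freedom, so its p-value is the one a two-sided normal test would give for a statistic of sqrt(chi2); questions where all 30 respondents answered alike have no variation to test and are reported as 0.00 / 1.00, exactly as in the appendix.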
CONCLUSION

The research showed that Jordanian domestic banks make effective use of fraud and error reduction controls mainly, while they do not do enough with regard to the other dimensions (Physical access, Logical access, Data security, Documentation standard, Disaster Recovery, Internet, communication and E-Control and Output security controls).

††† The norms equal the materiality weights mentioned previously in the methodology section.


The analysis indicates that there are no differences between the heads of computer departments' and the internal auditors' perceptions of the effectiveness level of CAIS control systems across its dimensions.

Page 28: Evaluation of the Effectiveness of Control System in Computerized Accounting Information System

Talal H. Hayale et al./ Journal of Accounting – Business & Management 13 (2006) 39-68

66

Appendix (1)

Chi Square results for Security Controls

Question   Does not exist (IT / Internal Auditor)   Exists (IT / Internal Auditor)   z       p
1          - / -                                    15 / 15                          0.00    1.00
2          - / -                                    15 / 15                          0.00    1.00
3          4 / 6                                    11 / 9                           0.70    0.35
4          5 / 5                                    10 / 10                          0.00    1.00
5          1 / 1                                    14 / 14                          0.00    1.00
6          1 / 1                                    14 / 14                          0.00    1.00
7          4 / 5                                    11 / 10                          0.15    0.69
8          6 / 5                                    9 / 10                           0.14    0.70
9          4 / 3                                    11 / 12                          0.18    0.66
10         5 / 4                                    10 / 11                          0.15    0.69
11         15 / 15                                  - / -                            0.00    1.00
12         4 / 6                                    11 / 9                           0.60    0.43
13         1 / -                                    14 / 15                          1.03    0.39
14         1 / 2                                    14 / 13                          0.37    0.54
15         2 / 3                                    13 / 12                          0.24    0.62
16         5 / 6                                    10 / 9                           0.14    0.70
17         2 / 4                                    13 / 11                          0.83    0.36
18         5 / 5                                    10 / 10                          0.00    1.00
19         6 / 6                                    9 / 9                            0.00    1.00
20         4 / 5                                    11 / 10                          0.15    0.69
21         1 / 2                                    14 / 13                          0.37    0.54
22         5 / 5                                    10 / 10                          0.00    1.00
23         - / -                                    15 / 15                          0.00    1.00
24         3 / 3                                    12 / 12                          0.00    1.00
25         4 / 5                                    11 / 10                          0.15    0.69
26         4 / 6                                    11 / 9                           0.60    0.43
27         4 / 6                                    11 / 9                           0.60    0.43
28         - / -                                    15 / 15                          0.00    1.00
29         4 / 4                                    11 / 11                          0.00    1.00
30         1 / 1                                    14 / 14                          0.00    1.00
31         3 / 4                                    12 / 11                          0.188   0.66
32         6 / 7                                    9 / 8                            0.13    0.71
33         4 / 4                                    11 / 11                          0.00    1.00
34         1 / 1                                    14 / 14                          0.00    1.00
35         2 / 1                                    13 / 14                          0.37    0.54
36         6 / 6                                    9 / 9                            0.00    1.00
37         7 / 8                                    8 / 7                            0.13    0.71
38         3 / 6                                    12 / 9                           1.42    0.23
39         7 / 6                                    8 / 9                            0.45    0.65
40         4 / 4                                    11 / 11                          0.00    1.00
41         4 / 3                                    11 / 12                          0.18    0.66
42         5 / 6                                    10 / 9                           0.14    0.70
43         4 / 5                                    11 / 10                          0.15    0.69
44         - / -                                    15 / 15                          0.00    1.00
45         5 / 7                                    10 / 8                           0.45    0.55
46         - / -                                    15 / 15                          0.00    1.00
47         - / -                                    15 / 15                          0.00    1.00
48         5 / 6                                    10 / 9                           0.14    0.70
49         10 / 7                                   5 / 8                            1.22    0.26
50         5 / 5                                    10 / 10                          0.00    1.00
51         4 / 3                                    11 / 12                          0.18    0.66
52         6 / 8                                    9 / 7                            0.34    0.72
53         3 / 2                                    12 / 13                          0.24    0.62
54         4 / 3                                    11 / 12                          0.18    0.66
55         2 / 2                                    13 / 13                          0.00    1.00
56         2 / 2                                    13 / 13                          0.00    1.00
57         6 / 6                                    9 / 9                            0.00    1.00
58         3 / 2                                    12 / 13                          0.24    0.62
59         4 / 3                                    11 / 12                          0.18    0.66
60         4 / 5                                    11 / 10                          0.15    0.69
61         4 / 3                                    11 / 12                          0.18    0.66