Security Threats Explain Companies Held Liable Losses

Security Threats

Explain companies held liable losses sustained a successful attack made accounting information system sources. The paper APA style includes -text citations sources.

Liability for losses in successful attack made on their accounting information system

"One of the fastest-growing threats on the Internet is the theft of sensitive financial data" (Beard & Wen 2007). The greater the amount of sensitive financial data available online, the greater the risk for the organization. "Failure to include basic information security unwittingly creates significant business and professional risks...With the expansion of computer technology, traditional business processes have been restructured and unique internal control techniques are required to address exposure to many new dangers" (Beard & Wen 2007).

New laws have placed additional security burdens upon managers, regarding the handling of sensitive financial data. "Management's responsibilities include the documentation, testing, and assessment of internal controls, including relevant general IT controls...and appropriate application-level controls designed to ensure that financial information generated from an organization's information system can be reasonably relied upon" (Beard & Wen 2007). Common threats that can occur to accounting data may include unauthorized use and access to relevant files, the deletion of information, or corrupting programs through viruses and other forms of hacking (Beard & Wen 2007)

Anticipating the possibility of such threats required, according to the law. The Foreign Corrupt Practices Act of 1977 and the Sarbanes-Oxley Act of 2002 (SOX) demand that the organization ensure that records are maintained in an accurate fashion and in accordance with GAAP (generally accepted accounting principles) and that they prevent unauthorized use and disposal of records (Beard & Wen 2007). SOX does not create a mandatory, uniform system of compliance and documentation but the company by law must create a feasible system of internal controls to protect clients. Thus, organizations cannot simply buy accounting software on faith and use its failure as an excuse in light of a security breach, nor can it assume its accountants will find any errors or breaches. While "SOX prohibits auditors from offering information system design and implementation services to audit clients, SOX mandates that every independent audit report include an auditor attestation report relating to the internal control assessments made by management" (Beard & Wen 2007).

Until recently, the trend in the law was to shy away from holding accountants liable for any misrepresentation in financial statements, including those caused by hacking. The accountant, such rationale stated, prepared a statement in good faith and could not be certain as to the original data's accuracy, leaving the policing of documents in the hands of management. Justice Benjamin Cardozo expressed the concern about bestowing "liability in an indeterminate times to an indeterminate class.' Ultramares v. Touche, 255 N.Y. 170, 174 N.E. 441 (1931)" (Clifford 2002). Ultramares established" that accountants must be privy to the fraud and not merely have a relationship with a fraudulent or negligent organization (Clifford 2002). The rationale was that liability could make it almost impossible for accountants to do business, given the level of vetting of every firm that would be required -- including, in today's environment, the firm's IT system.

But increasingly, accountants are seen as possessing a dual role as public watchdogs and are responsible for monitoring likely signs of fraud and data corruption. In 1984 the U.S. Supreme Court found: "the independent auditor assumes a public responsibly transcending any employment relationship with the client. The independent public accountant performing this special function owes ultimate allegiance to the corporation's creditors and stockholders, as well as to the investing public" (Clifford 2002). This suggests that the accountant is responsible for revealing any potential misrepresentation of data, regardless of the cause.