An analysis of the Perceived Threat of Computerized Accounting

Information Systems towards Cyber-crimes in Sri Lanka

K.G.I.Roshani
CPM 10080 MC 67007

ACC 4328: Artificial Neural Networks in Accounting and Finance

Department of Accounting, University of Sri Jayewardenepura.

Abstract
The objective of this paper is to research the significant perceived security threats of
computerized accounting information systems (CAIS) towards cyber-crimes in Sri Lanka. An
exact study utilizing a self-directed questionnaire has been used to accomplish this target. The
overview results uncovered that half of the reacted Sri Lankan associations have endured
money related misfortunes because of inward and outer CAIS security breaks.
The statistical outcomes also discovered that unauthorized access to the information by
external parties and introduction of computer viruses to CAIS are the important perceived
security threats to CAIS in Sri Lankan organizations. Thus, it is suggested to build up or
develop the security controls over the above stated weaken security extents and to increase
the responsiveness of CAIS security issues among employees and other related parties of Sri
Lankan organizations to ensure the security on CAIS.
Key Words: Perceived Security threat, Accounting Information systems, Empirical survey,
Information Technology.

Contents

CHAPTER 01:

INTRODUCTIONS OF THE STUDY...................................................................................

1.1

Background of the study............................................................................................................................

1.2

Objective of the study................................................................................................................................

1.3

Scope of the study......................................................................................................................................

CHAPTER 02:

LITERATURE REVIEW.......................................................................................................

2.1

Summary of the Model Article...................................................................................................................

2.2

Further Analysis for Perceived threat of CAIS...........................................................................................

2.3

Secondary Data..........................................................................................................................................

CHAPTER 03:

RESEARCH METHODS.....................................................................................................

3.1

Data collections methods.........................................................................................................................

3.2

Types of variables....................................................................................................................................

3.3

List of hypothesis.....................................................................................................................................

3.4

Data analysis methods..............................................................................................................................

3.5

Populations and Sample...........................................................................................................................

CHAPTER 04:

DATA ANALYSIS.................................................................................................................

4.1

Descriptive statistic..................................................................................................................................

4.2

Hypothesis testing....................................................................................................................................

CHAPTER 05:

CONCLUSION.....................................................................................................................

REFERENCES....................................................................................................................................................
APPENDIX..........................................................................................................................................................

CHAPTER 01:

INTRODUCTIONS OF THE STUDY

2

1.1

Background of the study

Cybercrime has become a prominent issue around the world, which has affected for the Sri
Lankan context also by past few decades. Cybercrimes are Criminal activities carried out by
means of computers or the Internet. (Oxford Dictionary). These crimes are mainly because of
the rapid development of technology. With that, development organizations tend to make
their operations easier with Accounting Information Systems. Myrtle & Ogundeji (2013)
emphasized that Computerized Accounting Information Systems (CAIS) handle both
financial and non-financial transactions that directly affect the processing of financial
transactions. Musa (2005) stated that advanced technology has also created significant risks
related to ensuring the security and integrity of computerized accounting information systems
(CAIS). The technology, in many cases, has been developed faster than the advancement in
control practices and has not been combined with similar development of the employees
knowledge, skills, awareness, and compliance.
Furthermore, this identification of various types of threats would be leads to inaugurate
adequate measures to ensure the protection of information assets through effective policy,
controls, and standardized procedures and control testing. This would ensure the reduction in
threats to CAIS. Muhrtala & Ogundeji (2013)
1.2

Objective of the study

To conduct the above mentioned evaluation the researcher has identified objectives of the
study as follows.
i.

To find out the existing perceived threat of computerized accounting information

systems towards cyber crimes in Sri Lanka.

ii.

To find out organizations internal control procedures to minimize computer

accounting cyber-crimes in Sri Lanka.

1.3

Scope of the study

There are certain limitations of the study. Since the dynamic nature of the business
environment and technological environment particular significant threats cannot be identified
3

faithfully, which leads to not recognising newest threats complying with new technology.
Therefore, findings of the research paper are relevant to Sri Lankan context in early stage of
21st century.
Further, Computerized Accounting Information System practices have become
divergent among the world. Adoption of different Accounting Standards, Security packages
and impact of various social aspects among countries makes the CAIS practices more
divergent. Hence, the dimensions considered in the research paper in order to measure the
level of threat might not be relevant to other countries or the significance of such selected
criteria might different from country to country.

CHAPTER 02:

LITERAT

URE REVIEW
1.4

Summary of the Model Article

There are few researches have been conducted regarding the threat of Computerized
Accounting Information Systems. Further there cannot be seen any researches in this regard
in Sri Lanka context. According to the Musa AA (2005) investigate the significant perceived
security threats of computerized accounting information systems (CAIS) in Sri Lankan
organizations. Self-administered questionnaire has been distributed to accomplish the
objective with the empirical survey. Outcomes of the study discovered that majority of the
responded in Sri Lankan organizations have incurred financial losses as a result of internal
and external CAIS security issues. The statistical results also revealed that accidental and
intentional entry of bad data; accidental destruction of data by employees; employees sharing
of passwords; introduction of computer viruses to CAIS; suppression and destruction of
output; unauthorized document visibility; and directing prints and distributed information to
people who are not allowed to obtain are the important perceived security threats to CAIS in
Sri Lankan context. Thus, it is recommended to strengthen the security controls over the
above weaken security areas and to enhance the awareness of CAIS security issues among Sri
Lankan organizations to achieve better protection to their CAIS.
However, the results reported that accidental and intentional entry of bad data by employees,
accidental destruction of data by employees, introduction of computer viruses to the system,
sharing passwords by passwords, suppression and destruction of output, unauthorized
document visibility, and misdirecting prints and distributing information to people not
entitled to receive them are the most perceived significant security threats to CAIS in the Sri
Lankan organizations. Accordingly, it is recommended to strength the implemented security
controls over the weak point to provide a better protection to CAIS against these perceived
security threats.
1.5

Further Analysis for Perceived threat of

CAIS

Studying the literature of evaluating the threat of computerized accounting information

systems towards cyber-crimes discloses the lack of available studies in that particular area of
research since the security of CAIS is a comparatively new research extent. The idea of inner
control over security dangers is as old as book keeping itself. (Henry, 1997) however, it has
just pulled in consideration since the start of the twentieth century. In right on time ages, the
motivation behind bookkeeping was to record the money related exchanges and afterward

report them in helpful and exact structures (Lee, 1971). However, that recording was
straightforward and organized just for interior use in light of the fact that most organizations
were individual or family organizations.
One of the greatest studies in this extent was carried out by Loch et al. (1992). The specialists
directed an overview to investigate the impression of Management Information Systems
Executives with respect to the security dangers in microcomputer, centralized computer PC,
and system situations. The analysts added to a rundown of twelve security dangers and
observationally inspected. The outcomes demonstrated that common debacles; worker
unplanned activities (section of terrible information and demolition of information); deficient
control over media; and unapproved access to CAIS by programmers had been positioned
among the top security dangers. These outcomes affirmed the specialists' claims that the best
dangers originate from inside associations.
Since accounting data framework security has ended up one of the real attentiveness toward
data framework inspector, Davis (1996) tried to find the present status of the security issue by
and by. Davis led a review utilizing the questionnaire, Threats to Accounting Information
Systems Security Survey which was adjusted from Loch et al. (1992), in replication of their
work.
The consequences of Davis survey (1996) shown that data frameworks examiners perceived
that diverse processing situations have distinctive relative levels of security dangers. The
results of Davis (1996) study also described that employees accidental entry of bad data and
the accidental destruction of data, as well as the introduction of computer viruses, were
considered to be the three main threats in a microcomputer background. However,
unauthorized access to data and/or system by employees, accidental entry of bad data by
employees and poor segregation of information system duties were rated as the major threats
to the minicomputer background. Concerning the mainframe computer background,
accidental entry of bad data by employees and unauthorized access to data and/or system by
employees were perceived as the major threats, while unauthorized access to data and/or
system by both outsider (hackers) and insiders (employees), and technology advances faster
than control practice were said to be the most important threats in network computer
background.

Ryan and Bordoloi (1997) investigated how organizations moving from a centralized
computer to a customer/server environment assessed and took efforts to establish safety to
ensure against potential security threats. The consequences of Ryan and Bordolois (1997)
study uncovered that the most noteworthy security threats were accidental destruction of data
by employees, accidental entry of erroneous data by employees, intentional destruction of
data by employees, intentional entry of erroneous data by employees, loss due to inadequate
backups or log files, natural disaster: fire, flood, loss of power, etc. single purpose of
disappointment.
Henry (1997) led an overview to decide the way of the bookkeeping frameworks and
security being used. The aftereffects of Henry's overview demonstrated that 80.3 percent of
the organizations moved down their bookkeeping frameworks. 74.4 percent of the
organizations secured their bookkeeping framework with passwords, yet just 42.7 percent
used insurance from infections. Physical security and approval for changes to the framework
were utilized by under 40 percent of the respondents. The review comes about additionally
demonstrated that just 15 organizations utilized encryption for their bookkeeping
information, which was a shocking result, considering the quantity of organizations using
some type of correspondence equipment. Just about 45 percent of the specimen experienced
some kind of review of CAIS information.
In 1998, Hood and Yang examined the effect of keeping money data frameworks security on
managing an account in China in correlation to the UK. The review results uncovered that all
respondents trust that administration knew about security yet none trusted that their banks
had sufficiently made move to decrease the dangers and misfortunes. The most well-known
purpose behind this was the absence of money related and HR. Moreover, each of the four
banks overviewed asserted to have a security arrangement, however just in one was formally
expressed. Human security dangers were seen as the most critical security dangers in Chinese
managing an account area, particularly pernicious assault from untouchables.
Checking on the way of security breaks that happened in diverse parts of the world, Dhillon
(1999) contended that a large portion of the security misfortunes coming about because of PC
related extortion could be maintained a strategic distance from if associations received a more
practical methodology in managing such episodes and in addition embracing an adjusted

methodology of security controls which place square with accentuation on specialized, formal
and casual intercessions to their electronic frameworks..

The results of Dhillons study (1999) proposed that actualizing controls, as distinguished in a
security strategy, would in fact dissuade PC abuses. Submitting PC extortion by insiders is
perceived as a few issue which could be hard to counteract particularly when it mixes with
genuine exchanges.
Siponen (2000) presented a theoretical establishment for hierarchical data security
mindfulness project to minimize the end-client mistakes and to upgrade the viability of
executed security controls. Siponen (2000) contended that data security systems or strategies
would lose their genuine handiness on the off chance that they were abused; misjudged; not
utilized or not legitimately executed by end-clients.
Hermanson et al (2000) completed an exploratory review utilizing a poll to see how
associations are tending to their IT dangers and to look at assessments of IT dangers
performed by inward inspectors in their associations. The aftereffects of the study uncovered
that inward reviewers concentrate fundamentally on conventional IT dangers and controls, for
example, IT resource shielding, application handling, and information trustworthiness,
protection and security.
Coffin and Patilis (2001) concentrated on the part of inner reviewers in assessing the security
controls of ensuring delicate information in CAIS in budgetary organizations, for example,
Banks, securities firms, and protection. The specialists contended that interior inspecting
could altogether help associations in deciding and assessing the executed security controls
encompassing the gathering, utilize and access to client data and in addition consistence with
material regulations.
White and Pearson (2001) reviewed more than two hundred USA organizations to research
the security controls of individual utilization of PCs, controlling email records, and securing
organization information. The aftereffects of the study fortified the requirement for better
security control in the dominant part of studied organizations. The outcomes likewise

uncovered that numerous partnerships started to utilize PC innovation before actualizing

proper shields; and most of the organization's protections keep on being deficient.
1.6

Secondary Data

As per the Sri Lanka Police, they have experienced some complaints as scams which can go
under the name of genuine lotteries like the UK National Lottery and the El Gordo Spanish
lottery. Unsolicited email or telephone calls tell people they are being entered or have already
been entered into a prize draw.
Further, Auction frauds (commonly called E-bay or Pay-Pal scams, after the two largest
venues) is a misrepresentation of a product advertised for sale through an Internet auction site
or the failure to deliver products purchased through an Internet auction site.
A part from that a victim receives an email that appears to be from a credible, real bank or
credit card company, with links to a website and a request to update account information. But
the website and email are fakes, made to look like the real website.
Receive a check in the mail - either from a lottery you "won" (without buying a ticket) or
from an E-Bay buyer or other source. It looks real. But after you try to cash it, you find out it
is a fake; and you're arrested for passing a counterfeit check.

CHAPTER 03:

RESEAR

CH METHODS
1.7

Data collections methods

In the current study an empirical survey has been conducted to research the numerous
perceived CAIS security threats Sri Lankan surrounding. A self- administered questionnaire
(see: appendix 1) has been distributed to collect the information required for analysis and take
a look at the research hypotheses. The survey approach, employing a self-administered
questionnaire, looks to be the foremost acceptable approach for conducting this analysis. One
in all the most strengths of the survey approach is its ability to gather knowledge from an
oversized range of organizations, situated in a very unfold of locations. Moreover, this might
permit the scientist to implement measurement to check the analysis hypotheses and
additionally offers the potential chance to generalize the analysis findings.
Selecting a representative, correct and unbiased analysis sample is a vital step towards the
surveys success. Random choice of the individual observations of the analysis sample may
be an important way to acquire associate correct and a representative sample. within the
current study, hundreds questionnaires are randomly distributed to various organizations
(Manufacturing companies; Banks; Insurance companies; retail merchandising; Oil and Gas
companies; Services companies; Heath Care; Government units and others). Once the
subsequent up, fifty-two questionnaires - representing 52% initial response rate - had been
collected. However eight questionnaires of the collected questionnaires, wherever solely
manual accounting systems were used, are excluded type the analysis. Once excluding the
unfinished and invalid responses, the analysis over with 40 valid and usable questionnaires,
representing thirty 40% response rate. This response rate is taken into account as a high
response rate in such quite empirical surveys.
In the questionnaire, the respondents were asked to point the frequency of incidence of every
security threat by ticking one of 5 offered decisions (less than once a year; once a year to
monthly; once a month to weekly; one a week to daily; and more than once daily or more
frequently).

10

1.8

Types of variables

For a valued result of the research it has taken one Dependent variable and four Independent
variables as follows
Dependent Variable -

Increment of financial losses as a result of cyber activities

Independent Variables -

Unauthorized Access to the data by Password misusage

Unauthorized Access to the data by external parties
Introduction of Computer Viruses to the system
Employees security breaches
1.9

List of hypothesis

The current analysis makes an attempt to analyze below mentioned research hypotheses.

There is a significant relationship between increment of financial losses as a result of

cyber activities and degree of unauthorized access to the data by password misusage.

There is a significant relationship between increment of financial losses as a result of

cyber activities and degree of unauthorized access to the data by external parties.

There is a significant relationship between increment of financial losses as a result of

cyber activities and degree introduction of Computer Viruses to the system.

There is a significant relationship between increment of financial losses as a result of

cyber activities and degree of employees security breaches.
1.10 Data analysis methods

The collected information has been analyzed by the statistical package for social sciences
(SPSS) version twelve. Descriptive statistics (such as frequencies and percentages) of the
collected information had been administered to identify major characteristics of the analysis
variables.
1.11 Populations and Sample
In this research population was considered as all the companies in the Sri Lankan Companies
in Sri Lankan context. Among them researcher decided to have hundred companies as a
convenience sample with the time constrains of the related subject area.

11

CHAPTER 04:

ATA ANALYSIS
1.12 Descriptive statistic
Among valid questionnaires collected the descriptive analysis was conducted as follows.
From the sample, 32.5% of the respondents (organizations) represents the banking/finance
industry while 25 % comprise manufacturing sector, 20% represent the construction sector
and other rest of the 27.5% denotes few sectors such as insurance, health care, wholesale and
government etc. Further, there can be identified negative linear relationship between the
increase of financial losses of cyber activities and the industry in which they operate. (The
correlation coefficient is -0.013)
Considering the number of accounting professionals employed in the firm, 75% of the
respondents are from the firms, which have less than fifty accounting professionals, and the
rest 25% are between fifty to hundred accounting professionals. Further, there can be
identified negative linear relationship between the increase of financial losses of cyber
activities and number of accounting professionals employed. (Correlation coefficient is
-0.084)
Considering the number of system specialists are employed in the firm, 80% of the
organizations have system specialists less than five. In addition, 17.5% are employed between
five to ten system specialists in their organizations.
When concerning the accounting information system, all the respondent organizations have
combination of manual and computer process in accounting. There cannot be identified
purely manual or purely computerized accounting system within the sample, which has been
obtained.
In view of establishment of the organization, 75% of the companies are established within
recent ten years. However, there is a moderate negative linear relationship between average
increase of loss on cyber activities and the length of period that company has been
established.

12

With reference to the accounting information system in which the company is being used
currently, there can be realized a positive moderate linear relationship with the increase of
loss on cyber activities (Correlation coefficient is 0.332).Further analyzing the composition
of the CAIS reflect that 30% of the organizations use Oracle as their accounting information
system and another 30% use QuickBooks as their accounting information system.20% uses
sage and only 5% use SAP as their accounting information system while 15% of the
organizations use Tally and other in house built systems.
When comparing organizations by the annual income and the loss on cyber activities, there is
a negative weak relationship between two components. By analyzing respondents, it can
identify that 35% of the companies have been earned between 1 million to 1.5 million rupees
as their annual income for five years of period as below mentioned.
Table 1 - Average Annual Net Income of your company for past 5 years is within
(LKR).
Cumulative
Valid

Frequency

Percent

Valid Percent

Percent

Net loss

12.5

12.5

12.5

0-500000

20.0

20.0

32.5

500000-1000000

13

32.5

32.5

65.0

1000000-1500000

14

35.0

35.0

100.0

Total

40

100.0

100.0

Considering the ability to access to the system by the employees, it says that 42.5% of the
respondents granted access only for 50 or below employees. The graph gives further
clarification on it.
Table 2 - How many employees have been granted the access to the
system?
Cumulative
Frequency
Valid

Percent

Valid Percent

Percent

1-50

17

42.5

42.5

42.5

51-100

14

35.0

35.0

77.5

101-150

7.5

7.5

85.0

151-200

15.0

15.0

100.0

Total

40

100.0

100.0

13

Apart from that only 82.5% respondents are protected their system by using passwords. Rest
27.5% respondents accounting information systems was not restricted by the password.
1.13 Hypothesis testing
Research paper adopts deductive approach. Hence, it was developed several hypothesises and
test them in order to draw conclusions. Hypothesises developed by researches has been
provided below,
H0a-There is no significant relationship between increment of financial losses as a result of
cyber activities and the degree of employees security breaches.
H0b- There is no significant relationship between increment of financial losses as a result of
cyber activities and the degree of unauthorized access to the data by Password misuse.
H0c- There is no significant relationship between increment of financial losses as a result of
cyber activities and the degree of unauthorized access to the data by external parties.
H0d- There is no significant relationship between increment of financial losses as a result of
cyber activities and the degree of introduction of computer viruses to the system.
Hypothesis testing was carried out by calculating average degree for the independent
variables by using different attribute constructed for each and every variable.
Increment of financial losses as a result of cyber activities Vs. Employees security
breaches
Increment of financial losses as a result of cyber activities has been measured using
several variables such as degree of loss on cyber activity occurrence, maintenance expense

14

incurred for secure of Accounting Information Systems, number of customers lost because of
cyber activities, legal case filed against cyber activities, implementation of recovery
procedures.
Moreover, researchers have been constructed several attributes to measure the independent
variable of employees security breaches as degree of intentional entry of bad data by
employees, degree of accidental destruction of data by employees, degree of intentional
destruction of data by employees, degree of unauthorized access to the data and / or system
by employees, degree of accidental entry of bad data by employees and degree of
unauthorized copying of output by the employees.
Statistical analysis revealed that there is no significant relationship between increment of
financial losses as a result of cyber activities and the degree of employees security breaches
since the Significant value is higher than 5%, H0a was accepted.
ANOVAb
Model
1

Sum of Squares
Regression

Df

Mean Square

.275

.275

Residual

2.781

38

.073

Total

3.056

39

F
3.759

Sig.
.060a

a. Predictors: (Constant), Employees security breaches

b. Dependent Variable: Increment of financial losses as a result of cyber activities

Further the 9% of variance in the increment of financial losses as a result of cyber activities
which can be explained by the degree of employees security breaches. Refer below
mentioned table.
Model Summary

Model
1

R
.300a

R Square
.090

Adjusted R

Std. Error of the

Square

Estimate
.066

.27052

a. Predictors: (Constant), Employees security breaches

15

Increment of financial losses as a result of cyber activities Vs. Unauthorized Access to

the data by external parties
Researchers have been constructed several attributes to measure the independent variable of
unauthorized access to the data by external parties as degree of unauthorized access to the
data and / or system by outsiders (hackers), degree of unauthorized access when coordinating
operations between the Head Office and its Branches, degree of interception of data
transmission from remote locations, degree of frequency of electronic transactions and degree
of loss of data because of loss of power or network failure etc.
Statistical analysis revealed that there is significant relationship between increment of
financial losses as a result of cyber activities and the degree of unauthorized access to the
data by external parties since the Significant value is less than 5%, H0b was rejected.

ANOVAb
Model
1

Sum of Squares

Df

Mean Square

Regression

1.161

1.161

Residual

1.895

38

.050

Total

3.056

39

F
23.291

Sig.
.000a

a. Predictors: (Constant), Unauthorized Access to the data by outsiders

b. Dependent Variable: Increment of financial losses as a result of cyber activities

Further the 38% of variance in the increment of financial losses as a result of cyber activities
which can be explained by the degree of unauthorized access to the data by external parties.
Refer below mentioned table.
Model Summary

Model
1

R
.616a

R Square
.380

Adjusted R

Std. Error of the

Square

Estimate
.364

.22329

a. Predictors: (Constant), Unauthorized Access to the data by

outsiders

16

Increment of financial losses as a result of cyber activities Vs. Unauthorized Access to

the data by Password misuse.
Researchers have been constructed several attributes to measure the independent variable of
unauthorized access to the data by password misuse as degree of employees sharing of
passwords, degree of renewal of the passwords, degree of theft of data / information, degree
of review of security control system and degree of conducting internal control audit.
Statistical analysis revealed that there is no significant relationship between increment of
financial losses as a result of cyber activities and the degree of unauthorized access to the
data by password misuse since the Significant value is higher than 5%, H0c was accepted.

ANOVAb
Model
1

Sum of Squares
Regression

Df

Mean Square

.003

.003

Residual

3.053

38

.080

Total

3.056

39

Sig.
.042

.839a

a. Predictors: (Constant), Unauthorized Access to the data by Password misuse

b. Dependent Variable: Increment of financial losses as a result of cyber activities

Further the 0.1% of variance in the increment of financial losses as a result of cyber activities
which can be explained by the degree of unauthorized access to the data by password misuse.
Refer below mentioned table.

17

Model Summary

Model

R Square

.033a

Adjusted R

Std. Error of the

Square

Estimate

.001

-.025

.28343

a. Predictors: (Constant), Unauthorized Access to the data by

Password misuse

Increment of financial losses as a result of cyber activities Vs. Introduction of Computer

Viruses to the system.
Researchers have been constructed several attributes to measure the independent variable of
introduction of computer viruses as degree of conducting awareness programs about
computer viruses, degree of conducting system audit, degree of occurrence of virus threat,
degree of virus guard renewal, degree of taking backups of the operations and degree of
implementation of new technology.
Statistical analysis revealed that there is significant relationship between increment of
financial losses as a result of cyber activities and the degree of introduction of computer
viruses since the Significant value is less than 5%, H0c was rejected.

ANOVAb
Model
1

Sum of Squares
Regression

Df

Mean Square

.422

.422

Residual

2.634

38

.069

Total

3.056

39

F
6.091

Sig.
.018a

a. Predictors: (Constant), Conducting awareness programs about Computer viruses

b. Dependent Variable: Increment of financial losses as a result of cyber activities

Further the 13% of variance in the increment of financial losses as a result of cyber activities
which can be explained by the degree of introduction of computer viruses. Refer below
mentioned table.

18

Model Summary

Model
1

Adjusted R

Std. Error of the

Square

Estimate

R Square

.372a

.138

.115

.26327

a. Predictors: (Constant), Conducting awareness programms about

Computer viruses is

CHAPTER 05:

ONCLUSION

19

The objective of this paper is to research the significant perceived security threats of
computerized accounting information systems (CAIS) towards cyber-crimes in Sri Lanka.
Several security threats were developed based on previous surveys (for instance, Abu-Musa
(2001), Loch et al. (1992), Davis (1996) and Henry (1997)).
The results revealed that the degree of unauthorized access to the data and / or system by
outsiders (hackers), degree of unauthorized access when coordinating operations between the
head office and its branches, degree of interception of data transmission from remote
locations, degree of frequency of electronic transactions, degree of loss of data because of
loss of power or network failures, degree of conducting awareness programs about computer
viruses, degree of conducting system audit, degree of occurrence of virus threat, degree of
virus guard renewal, degree of taking backups of the operations and degree of
implementation of new technology have been affected in a high degree rather than the other
aspects which the researchers have tested in the process of research.
On the other hand, further research could be embraced to augment and enhance this
exploration. The momentum examination planned to explore the security threats of CAIS in
Sri Lankan context. More research is needed proof from other creating nations. A similar
study could be done to research the critical contrasts in the middle of creating and created
nations with respect to the CAIS security issues examined.

References
1) Abu-Musa, A. (2006). Investigating the Perceived Threats of Computerized
Accounting Information Systems in Developing Countries: An Empirical Study on
20

Saudi Organizations. Journal of King Saud University - Computer and Information

Sciences, 18, pp.1-30.
2) Abu-Musa, A (2003), The Perceived Threats to the Security of Computerized
Accounting Information Systems, The Journal of American Academy of Business,
Cambridge, USA, Vol. 3, No.1, September, pp. 9- 20.
3) Heungshik, BK (2000),"An exploratory inquiry into the perceived effectiveness of a
global information system, Information Management & Computer Security, Vol. 8
Iss 3 pp. 144 - 154
4) Coffin, RG,Patilis, C (2001), The Internal Auditors Role in Privacy, Internal
Auditing, Mar/Apr., (Vol.16, Iss.2), PP. 22-28.
5) Davis, CE (1996), Perceived Security Threats to Todays Accounting Information

Systems: A Survey of CISAs, IS Audit & Control Journal, (Vol. 3), pp. 38 - 41.
6) Dhillon, G. (1999). Managing and controlling computer misuse. Information
Management & Computer Security, 7(4), pp.171-175.
7) Henry, L 1997, A Study of the Nature and Security of Accounting Information

Systems: The Case of Hampton Roads, Virginia, the Mid- Atlantic Journal of
Business, Vol. 33, Iss.63, 1997, pp. 171-189
8) Hermanson, D., Hill, M. and Ivancevich, D. (2000). Information TechnologyRelated
Activities of Internal Auditors. Journal of Information Systems, 14(s-1), pp.39-53.
9) Hood, K. and Yang, J. (1998). Impact of Banking Information Systems Security on
Banking in China. Journal of Global Information Management, 6(3), pp.5-16.
10) Hornby, A., Cowie, A. and Lewis, J. (1974). Oxford Advanced Learners Dictionary
of current English. London: Oxford University Press.
11) Lee, TA (1971), the Historical Development of Internal Control from the Earliest
Times to the End of the Seventeenth Century, Journal of Accounting Research.
12) Loch, K., Carr, H. and Warkentin, M. (1992). Threats to Information Systems: Today's
Reality, Yesterday's Understanding. MIS Quarterly, 16(2), p.173.
13) Police.lk, (2015). SRI LANKA POLICE: [online] Available at: http://www.police.lk
[Accessed 2 Dec. 2015].
14) Muhrtala T, Ogundeji,M (2013), Computerized Accounting Information Systems and
Perceived Security Threats in Developing Economies: The Nigerian Case, Universal
Journal of Accounting and Finance.
15) Ryan, S. and Bordoloi, B. (1997). Evaluating security threats in mainframe and
client/server environments, Information & Management, 32(3), pp.137-146.
16) Siponen, M. (2000). A conceptual foundation for organizational information security
awareness. Information Management & Comp Security, 8(1), pp.31-41.
17) Webb White, G. and Pearson, S. (2001). Controlling corporate email, PC use and
computer security, Information Management & Comp Security, 9(2), pp.88-92.
21

Appendix
The Questionnaire Used in the Empirical Survey
Perceived threat of computerized accounting information systems
towards cyber-crimes in Sri Lanka.
Sir/Madam
I am undergraduate of Department of Accounting, USJP, and in the process of
conducting
a
research
project
under
the
subject
area
of Artificial Neural Network. The purpose of this research is to assess
22

the Perceived threat of computerized accounting information systems towards

cyber-crimes in Sri Lanka.
I highly appreciate your participation in this research by completing the
questionnaire through the link given below.
https://docs.google.com/forms/d/11UBBRFiF06klTlcD3cDMi1oedhZ7qpl8qOz20V
XVgnQ/edit?uiv=1
The results of the survey will be used only in an aggregated form, and therefore
the confidentiality of your responses is assured.
We are looking forward to receive your completed questionnaire.
If you have any queries regarding the research or questionnaire, please do not
hesitate
to
contact
Ishara
via
+9471
1
846
479
or
email: isharakadawathe@gmail.com.
Thank you.
Best regards
Ishara Roshani
Department of Accounting
Faculty of Management Studies and Commerce
University of Sri Jayewardenepura
Questionnaire (Mark a in the relevant cage.)
Demographics
1.
Do you currently work in?
Manufacturing
Banking
Insurance
Health Care
Construction
Wholesale Merchandising
Government
Other - please list _____________________________
2.
How many accounting professionals are employed in your firm?
1- 50
51-100
101-150
151-200
3.
How many information system specialists are employed in your
firm?

23

1- 5
6-11
1-15
16-20

4.
What is your current job title?
Internal auditor
Staff accountant
Cost accountant
IT Controller
Accountant
Other - please list ______________________________
5.
How many years of experience do you have at your current
position?
1 5 Years
5 10 Years
10 15 Years
15 20 Years
Above 20 Years
6.
Your accounting system is: (Please, tick)
Manual, no computers are used.
a combination of manual and computer processed.
strongly computerized.
7.
When did your company established?
1 5 Years ago
5 10 Years ago
10 15 Years ago
15 20 Years ago
Above 20 Years ago
8.
What Accounting Information system are you using currently?
Account Mate
SAP
Oracle
Sage
QuickBooks
Other Please Specify .
How many followers/Branches/Subsidiaries do you have with this
system

24

 1- 50
51-100
101-150
151-200
Average Annual Net Income of your company for past 5 years is
within (LKR).
Net loss
0 - 500,000
500,000 - 1000,000
1000,000 - 1500,000
Above 1500,000
14. How many employees have been granted the access to the
system?
1 10
10 20
20 50
50 100
Above 100
15. Are every users protected with passwords?
Yes
No
Please, indicate the frequencies of each threat by ticking the appropriate place
Accounting information systems threats

Less
than
once
a
year

Criteria

1
6 Loss on cyber activity occurred within
1
7
1
8
1
9
2
0
2
1
2

Maintenance expense incurred for

secure of AIS for
Loss of customers because of cyber
activities
Legal case file against cyber activities
in
Recovery procedures implementation
is
Intentional entry of bad data by
employees is
Accidental destruction of data by

25

Once
a
year
to
mont
hly

Once
a
mont
h to
week
ly

Once
a
week
to
daily

Daily
or
more
freque
ntly

2 employees is
2 Intentional destruction of data by
3 employees is
2
4
2
5

Unauthorized access to the data and /

or system by employees is
Accidental entry of bad data by
employees is

2 Unauthorized copying of output by

6 the employees
2 Unauthorized access to the data and /
7 or system by outsiders (hackers) is
Unauthorized access when
2 coordinating operations between the
8 Head Office and its Branches is
2
9
3
0

Frequency of interception of data

transmission from remote locations is
Frequency of Electronic Transactions
is

3
1
3
2
3
3
3
4
3
5
3
6

Loss of data because of loss of

power,network faliure etc. is

3
7
3
8
3
9
4
0
4
1
4
2

Conducting awareness programs

about Computer viruses is

Employees sharing of passwords is

Renewal of the Passwords are
Theft of data / information is
Review of security control system is
Conducting internal control audit is

Conducting system audit is

Frequency of occurrence of virus
threat is
Virus guard renewal is
Backups of the operations is taken
Implementation of new technology

26