Posts

  • Roger S Debreceny
    Challenges From and To the Senior Editors of the Journal of...
    blog entry posted October 7, 2014 by Roger S Debreceny, tagged research in JIS Senior Editors' Blog public
     Editorial appearing in the Spring 2015 issue of the Journal of Information Systems.

    Challenges From and To the Senior Editors of the Journal of Information Systems

    Roger Debreceny, University of Hawai‘i at Mānoa

    Mary B. Curtis, University of North Texas

    The Journal of Information Systems is the premier journal in the accounting information systems (AIS) domain. The journal’s primary role is to inform theory and practice in accounting and auditing, in any way that draws upon computerized information systems. Our first task in embarking on our partnership as Senior Editors of JIS was to develop a shared vision for the journal. We see JIS playing an innovative, forward looking role in fostering understanding of the nature and implications of AIS. In this editorial, we set out our vision for the types of research that we hope to see published over our term. We first analyze the professional and institutional context in which AIS is practiced and researched. We then define what we see as the nature and boundaries of accounting information systems. We discuss how research in AIS draws from and informs research in cognate disciplines. Then we describe areas of research that we see as being particularly needed in our rapidly changing technology environment. In doing so, we do not wish to confine the types of research submitted to JIS but rather to highlight some areas that either have been overlooked in the past or which are now on the horizon. This is followed by a discussion of the classes of research methodologies that are welcome at JIS. Finally, we feature some of the changes in the editorial process that will help achieve our objectives for authors, reviewers, editors and – most importantly – for readers.

    Seeing Accounting Information Systems in Context

    It is clear, from a variety of professional authorities, that accounting information systems (AIS) plays an increasingly critical role in the practice of accounting and auditing within organizations, and in the nature and shape of the accounting profession. For example, the final report of the Pathways Commission states that “Accounting information is how businesses communicate, attract resources, and decide how to reconfigure themselves in a world where technology continually accelerates the pace of change” (AAA/AICPA 2012, 24). The report goes on to state that “businesses are processes, not buckets of accounting information,” and warns that the accounting community must gain an understanding of the technology and dynamic business processes that run companies of the 21st century, or the accounting profession has the potential to become obsolete (AAA/AICPA 2012, 68). The AICPA’s CPA Horizons 2025 report observes the impact of information technology primarily from a perspective of IT’s impact on the accounting profession (AICPA 2011). The report notes that: “In a world driven by technology, CPAs leverage both knowledge of the risks and advantages offered by technology and CPA knowledge and skills to enhance their work.” Further, the report notes that “CPAs must stay current with, embrace and exploit technology for their benefit for increased efficiency and expansion of services” (AICPA 2011, 16). The report addresses several implications of technology for the CPA profession, including: use of IT for reporting to stakeholders; adoption by the profession of mobile technologies and social media; and enhanced methodologies for fraud detection. This catalog is reflected in our current AIS research agenda. The intellectual endeavors of the AIS research community are, then, vital for the future of the accounting and auditing profession.

    We assert that there is almost total reliance in accounting and auditing on computerized information systems. We see enhanced innovation in the building of solutions for accounting and auditing, as well as data repositories for all organizational users. Organizational members increasingly access accounting information systems directly or construct shadow systems for purposes of their own analyses and reporting, bypassing accounting and MIS in the process. Increasingly, successful organizations are those whose decision makers make the best use of information resources (Borthick 1992). Within these organizations, IT is key for value generation. While IT brings its own risks to the organization, IT systems are central to enterprise risk management. In essence, information technology plays a ubiquitous role in all aspects of the lives of individuals and of organizations.

    The Accounting Information Systems (AIS) section of the American Accounting Association and the Journal of Information Systems, in particular, play important roles in understanding, communicating and advancing the role of accounting information systems in business and in accounting education. For example, over the last three years there have been papers published in JIS on essentially all of the AICPA’s top 10 technology initiatives for 2013 (AICPA/CPAC 2013).

    The nature of accounting information systems

    We define AIS as a discipline that sits between accounting and auditing, on the one hand, and management information systems and computer science, on the other (Debreceny 2011) (Figure 1). As Steinbart (2009, 2) notes, “the field called AIS is not just a part of accounting, or just a part of information systems, but also possesses its own unique identity”.

    Figure 1: Pathways Commission (AAA/AICPA 2012)

    The study of AIS is necessarily multi-disciplinary. We employ theory and practice from the cognate disciplines of MIS and computer science as well as from accounting, auditing and the disciplines of economics, management, psychology, sociology, philosophy and history (Figure 2, with apologies to Tuttle (2005)).

    Figure 2: Intersection of AIS and Cognate Research Domains

    Our emphasis on the need to align AIS research to accounting and auditing should not be interpreted as our being hostile to MIS and computer science research, or other behavioral sciences. To the contrary, we welcome and strongly encourage research papers that come from these domains. All that we ask is that the paper explains to the reader how the research assists innovation or understanding of IT in accounting and auditing. Here are a couple of examples. There are very active research agendas in business process management and process mining. These agendas have clear linkages with areas such as auditing, internal control, and management accounting. Researchers in the electronic commerce domain have paid particular attention to the roles of recommenders and recommender systems. These systems have potential to influence the adoption of new technologies within accounting professional services firms or accounting functions within organizations. What we ask of authors who submit papers from other domains is to clearly show how their research aligns with AIS, accounting or auditing research or practice and/or has implications for these research domains. As Senior Editors, we have instituted an active environmental scanning program, reaching out to potential authors who may not have considered JIS as an outlet for their work. An important component of that program involves pre-screening papers to mentor authors in identifying AIS-relevant implications and contributions for their work.

    One of the implications of this mandate is that we are open to any and all research methodologies. In the early stages of technological and institutional innovation, design science research will be appropriate. Equally, axiomatic and analytical research can play an important role in developing an understanding of the field. Much of our work as AIS researchers is to understand and map the effects of IT within organizations. Case study, survey, field study and participant observer techniques are appropriate research methodologies for this purpose. The AIS research community has a long and distinguished history of applying behavioral approaches and we expect this to continue. Similarly, researchers employ archival techniques to address questions that can be answered with publicly available information. We welcome all these methodologies. Our primary criteria for accepting papers are quality, relevance and clear communication with the AIS community.

    We continue with the well-established academic research and practice sections in JIS. The role of the practice section is to communicate to an audience of researchers the nature and implications of developments in practice. Practice section papers may include data, typically descriptive in nature. We reiterate the plea for innovation in AIS research (Stone 2002, Tuttle 2005) and continue the role of innovation editor, for papers that address leading edge information technologies or applications, or which employ new or unusual research methodologies. Under the editorial leadership of Faye Borthick, innovation papers may appear in either the academic research or practice sections. A section we have introduced in JIS is research letters, to rapidly communicate results for time-sensitive questions.

    An unfortunate development in academia is the consideration of research ethics, particularly data validity. The AAA Publications Ethics Task Force is designing standards which every AAA journal will adopt. For example, submissions now undergo a rigorous screening process for unattributed materials with the manuscript. Policies on authorship and plagiarism have been approved, and a policy on data validity is in draft form. In regard to data validity, we believe that replication serves an important role in encouraging quality research, and discouraging unethical research practices. We, therefore, invite replications of previously-published AIS research and have set out expectations for such submissions in our Editorial Policy.

    An innovative, inclusive and influential journal

    We take over a journal that is in an excellent state. Under the leadership of Senior Editor Miklos Vasarhelyi, JIS has grown to publish a significant amount of important and vital research. Calls for research on special topics in areas such as virtual worlds, XBRL and IT governance have shown that the AIS domain is alive and well. We build on the groundwork of prior Senior Editors in several ways. First, we are actively seeking commentaries from practitioners with a goal of educating our readership on important practice topics and inspiring future research. Pairing these practitioners with academic partners has ensured an academic focus to the discussion. We have also invited the former Senior Editors to write commentaries on the state of AIS research since their editorship. Second, we continue the practice of calls for research on special topics, including Information Security and Ethical Issues in AIS. Third, we have taken this notion further, however, by organizing small annual research conferences. These are built around specific topics, with papers to be published in JIS. The first conference in 2015 (JISC2015) addresses IT audit, an important issue for our AIS community. Planning of the 2016 conference (JISC2016) is underway with big data as the theme. Each of the conferences will feature close co-operation with the profession and active participation of practitioners in the review of papers and in the discussions at the conference. Diane Janvrin and David Wood will co-edit JISC2015, and Faye Borthick and Rick Dull will co-edit JISC2016.

    Fourth, we have expanded the book report section to include all types of knowledge resources, under the expert guidance of Eileen Taylor, our Knowledge Resources editor. Knowledge resources include blogs, Twitter feeds, professional Websites, as well as the more traditional book reviews. One of the more important aspects of the knowledge resources section is to encourage senior professionals and academics to provide their insights on how they maintain currency in such a rapidly changing technological and institutional environment. Fifth, we are seeking to communicate the quality of research published in JIS to those who may not be familiar with the journal. An article in this issue provides a critical assessment of the current impact of JIS on promotion and tenure decisions (Janvrin et al. 2015). Addressing issues raised by their survey, we have created a document, intended for use by deans, promotion and tenure committees, and our authors, that details the importance and rankings of the journal on a national and international level. We are heightening the online profile of JIS with a re-engineered Website with a Senior Editor’s blog and presence on LinkedIn, Facebook and Twitter.

    An important part of the role of the senior editors is to measure performance of the Journal of Information Systems. One component of our vision for the journal is that the review process should add value on two key dimensions. First, it assists authors to improve the quality and enhance the fit of their papers to the JIS mission. Second, it provides a quality assurance screen that ensures that JIS publishes high quality and relevant papers. Our ambition is to provide a welcoming, productive, and responsive review process. There are many different ways that we can understand how well JIS is fulfilling its mission. One of the very important dimensions is to quantify the quality of author feedback. For this purpose, we borrow a tool frequently employed in the corporate world called 360-degree feedback, where supervisors review subordinates, subordinates review subordinates, subordinates review superiors. The 360-degree process at JIS involves senior editors, editors and reviewers as well as authors. 360-degree feedback commences shortly after the review process ends, whether the paper is accepted or rejected. Each of the authors and reviewers and the designated editor receive targeted emails that point to a survey on Qualtrics.com. Authors answer questions on the submission process, the nature and quality of the reviews received, and support from the editor and senior editors, where appropriate. Data from the 360-degree feedback will help us to understand how well we are managing the review process and will provide the foundation for identifying “Outstanding Reviewers” and “Outstanding Editor,” presented at the Annual Meeting of the AAA. Each year, as senior editors, we will produce a report for the AIS Section Research and Publications Committee as well as for the broader JIS community. We will report aggregated information from the surveys. We will then track our performance on these metrics in succeeding years.

    Current and future threads in Accounting Information Systems research

    A principal joy of researching in the Accounting Information Systems domain is that we are never short of interesting and vital research questions. Unlike many other research domains that often only make highly marginal gains in each research paper, AIS researchers have the ability to make significant strides in their research agendas. Importantly, AIS research regularly has important implications for both practice and theory development. As we note above, the AIS research domain in general is strong and vital and JIS plays a central role in the communication of that research. We celebrate long-established focal areas of AIS research. We recently evaluated the papers published over the last decade in JIS and the International Journal of Accounting Information Systems. Some of the research issues that are frequently observed in the current AIS literature include: auditing, and particularly IT audit and continuous auditing; enterprise systems; accounting systems design; internal controls; IT governance; decision aids and IT-enabled decision making; information integrity and assurance; Internet financial reporting (IFR) and XBRL; technology adoption; and measurement of return on IT investment. Several of these research areas can be seen in AIS research over more than a twenty year period (Sutton 2010). Yet very few if any of these research topics can be considered as settled. Changes in technology and the institutional environment, and the extent of problems and issues we face militate against this. We enjoin researchers to consider extending and enlivening these existing areas of research. For example, we have much to do to have a complete understanding of IT governance (ITG), a research area where JIS published a theme issue in 2012. There is value in studying ITG as an interesting and important issue in itself. 
    Equally, there are many intersections of ITG with other research areas that are of great importance to the AIS community, including internal control (and particularly internal control over financial reporting), auditing (including continuous assurance and continuous monitoring), return on investment and management of risk.

    There are some glaring omissions in the catalog of research issues set out above. These are research areas that impact on the conduct of accounting and auditing and the profession of accounting and where we have seen little or no research in the AIS literature. Very limited research has been undertaken on the intersection of AIS with management accounting. This intersection is multi-dimensional, and includes accounting systems design; the role of decision aids (e.g., dashboards); data mining; and reliance on technology by management and management accountants. Similarly, it is important to understand the technology skillset of management accountants and their need for decision tools in their work. Small business, not-for-profits and their CPA advisors have been almost completely ignored by academic researchers in the AIS domain. Yet the small business and not-for-profit sectors represent a critical share of the modern economy. Similarly, there has been little or no research on AIS in the public sector.

    Additionally, the impact of AIS on the ethical judgment and behavior of users is seldom explored. Although a new journal has been established in the IT domain to begin this conversation, there is very limited overlap in ethical issues relevant to each domain. We have a call for papers on this topic, edited by Eileen Taylor. A literature review with many ideas for future research is now available on SSRN (Guragai et al. 2014).

    We mentioned above that IT both mitigates risk and brings its own risk. We have seen some research on IT risk and risk management in recent years, but it has been a marginal area in AIS research. It deserves to be brought into a more central position. Several areas of IT risk are also deserving of additional enquiry. The most obvious of these areas is IT security and particularly cybersecurity. There are clear differences in belief in the professional and academic communities on the impact of security risks on accounting systems. This tension gives rise to interesting research questions. As we note above, JIS has a forthcoming theme issue on IT security but much more research by established researchers and doctoral students is necessary in this area. Our hyper-connected business and personal environment means that cybersecurity will be central in the AIS domain as far ahead as we can see. A second risk area that has been touched on somewhat in previous years but deserves to be revisited is the development of informal information systems within the enterprise, beyond formal IT controls. These shadow or rogue systems present many challenges to the maintenance of internal controls and yet are an ever present reality of the information environment in organizations. Closely aligned to this is the effect of mobile technologies on AIS, on which research has been a null set.

    Importantly, we do not see these existing, “missing” and new areas of research to be exclusive. As teachers and researchers, we have our own biases and may well be overlooking established or trending research areas.

    Conclusion

    The Journal of Information Systems is the premier research journal in accounting information systems. The AIS domain sits between the domains of accounting and auditing on the one hand and computer science and management information systems on the other hand. Other behavioral disciplines inform the AIS domain. As Senior Editors of JIS we are excited about the future of our journal and of the AIS domain. We are in the fortunate position of having a panoply of research issues that have both strong practical implications as well as the potential to add to theory. We are open to dialog on your research ideas at whatever stage the research has reached.  

    AAA/AICPA. 2012. The Pathways Commission - Charting a National Strategy for the Next Generation of Accountants. Sarasota, FL: American Accounting Association and American Institute of Certified Public Accountants, 140.

    AICPA. 2011. CPA Horizons Report 2025. Sarasota, FL: American Institute of Certified Public Accountants, 60.

    AICPA/CPAC. 2013. 2013 North America Top Technology Initiatives Survey Results. Durham, NC: American Institute of CPA & Chartered Professional Accountants Canada, 20.

    Borthick, A. F. 1992. Helping Users Get the Information They Want, When They Want It, In the Form They Want It: Integrating the Choice and Use of Information. Journal of Information Systems 6 (2):v-ix.

    Debreceny, R. S. 2011. Betwixt and Between? Bringing Information Systems and Accounting Systems Research Together. Journal of Information Systems 25 (2):1-9.

    Geerts, G. L., L. E. Graham, E. G. Mauldin, W. E. McCarthy, and V. J. Richardson. 2013. Integrating Information Technology into Accounting Research and Practice. Accounting Horizons 27 (4):815-840.

    Janvrin, D., J.-H. Lim, and G. Peters. 2015. The Perceived Impact of Journal of Information Systems on Promotion and Tenure. Journal of Information Systems 29 (1).

    Liu, Q., and M. Vasarhelyi. 2014. Big Questions in AIS Research: Measurement, Information Processing, Data Analysis, and Reporting. Journal of Information Systems 28 (1):1-17.

    Moffitt, K. C., and M. Vasarhelyi. 2013. AIS in an Age of Big Data. Journal of Information Systems 27 (2):1-19.

    Murthy, U. S., and C. E. Wiggins Jr. 1999. A perspective on accounting information systems research. Journal of Information Systems 13 (1):3-6.

    Steinbart, P. 2009. Thoughts about the Future of the Journal of Information Systems. Journal of Information Systems 23 (1):1-4.

    Stone, D. N. 2002. Researching the revolution: Prospects and possibilities for the Journal of Information Systems. Journal of Information Systems 16 (1):1-6.

    Sutton, S. G. 2010. A research discipline with no boundaries: Reflections on 20 years of defining AIS research. International Journal of Accounting Information Systems 11 (3):289-296.

    Tuttle, B. M. 2005. Editor’s Comments. Journal of Information Systems 19 (2):1-5.

    Vasarhelyi, M. 2012. AIS in a More Rapidly Evolving Era. Journal of Information Systems 26 (1):1-5.

  • Roger S Debreceny
    Observing IT Audit
    blog entry posted September 9, 2014 by Roger S Debreceny, tagged research, teaching in JIS Senior Editors' Blog public
    Where do we find the resources to fully understand the nature and scope of information technology audit? IT audit is a central concern for the Journal of Information Systems and the focus of the 1st JIS Research Conference in March 2015.

    Observing IT Audit

    A core element of the accounting information systems domain is information technology (IT) audit. At the Journal of Information Systems we both publish papers on IT audit and seek new papers in this important area. In the world beyond academia, four professional organizations in the USA touch on the IT audit discipline. These are (in alphabetic order) the AICPA (particularly including the Information Management and Technology Assurance Division (IMTA)), Association of Certified Fraud Examiners (ACFE), Institute of Internal Auditors (IIA) and ISACA. Given the importance of IT audit and assurance to ISACA, it is hardly surprising that ISACA provides a range of guidance including the ITAF Information Technology Assurance Framework. The ISACA resource center on IT audit and assurance includes a wealth of support for practitioners and academics with standards, guides and audit programs. Many practitioners of IT audit rely on the IIA’s Global Technology Audit Guides (GTAG®).

    The first JIS Conference in March 2015 focuses on IT audit (aaahq.org/calls/JISC2015_call.cfm). We are closely involving practising professionals in the development and assessment of papers submitted to the conference. We are grateful for the support of the IMTA division of the AICPA, professionals from ISACA and Caseware-IDEA. There is, then, quite a range of information for academics on the nature and scope of IT audit. However, going from theory and professional guidance to the practice of IT audit is a little more challenging. In the private sector, IT audit reports produced by internal or external auditors are hidden by the corporate veil. Fortunately, there are quite a number of IT audit reports on local, state and federal governments that are in the public domain.

    At the federal level, the U.S. Government Accountability Office (GAO) has a wide range of reports that touch on information technology. At http://www.gao.gov/browse/topic there are 712 reports under Information Management as well as Information Security (381) and Information Technology (1,335). These reports provide an invaluable overview of current issues facing not just federal government agencies but all larger entities. Taking a recent report at random (http://www.gao.gov/products/GAO-14-693R), the GAO reports on Information Systems Controls at the Bureau of the Fiscal Service within the Treasury. Understandably, some of the detailed recommendations in the report are pushed to a confidential report. The public report does, however, contain sufficient information for an interested observer to have an insight on the challenges facing the Bureau and the nature of the IT audit processes. The report notes “14 new information systems general control deficiencies related to security management, access controls, and configuration management.”

    The report states that:

    In addition, during our follow-up on the status of Fiscal Service’s corrective actions to address information systems control-related deficiencies and associated recommendations contained in our prior years’ reports that were open as of September 30, 2012, we determined that corrective actions were complete for 7 of the 13 open recommendations and corrective action was in progress for each of the 6 remaining open recommendations related to access controls and configuration management.

    These new deficiencies in Fiscal Service’s information systems controls, along with unresolved control deficiencies from prior audits, collectively represent a significant deficiency [emphasis added] in Fiscal Service’s internal control over financial reporting. The potential effect of these new and continuing deficiencies on the Schedule of Federal Debt financial reporting for fiscal year 2013 was mitigated primarily by Fiscal Service’s physical security measures and compensating management and reconciliation controls designed to detect potential misstatements on the Schedule of Federal Debt.

    It is interesting to see the GAO use the language of SOX 404. It is also noteworthy that the catalog of issues did not add up to a material weakness in internal control over financial reporting.

    Each of the major federal departments and agencies has an Inspector General, a position comparable to the CAE (Chief Audit Executive) in private sector organizations. Most of the reports of the IGs are available on the Web. For example, the Department of Defense IG’s reports are at www.dodig.mil/pubs/index.cfm. Screening the reports for keywords such as Cyber Security or Technology reveals several unclassified reports and other reports for which a freedom of information request must be filed. For example, a recent report on the Army’s ERP systems is revealingly and delightfully entitled “Army Business Systems Information Technology Strategy Needs Improvement.” This continues the long and rather unedifying history of issues facing the multi-billion dollar rollout of ERP systems across the uniformed and civilian branches of the Department of Defense.

    At the state level, most State Auditors-General provide all their reports online. Unfortunately, it can be rather difficult to identify those reports that relate to IT. An exception to this is the manner in which the Auditor-General of the State of Florida provides access to their reports by broad subject area as well as by entity. The IT audit reports are for a broad array of educational organizations, boards, and state agencies. As such, the nature and range of size of organizations touched on by the Auditor-General somewhat mirrors those in the private sector. These high-quality reports provide fascinating and sometimes disturbing reading. Risk patterns familiar to all IT auditors frequently recur in these reports. Inadequate perimeter security, and issues with user management, business interruption, and the understanding of stakeholder needs are common themes.

    Taken as a whole, the public reports of audit agencies (broadly defined) from the local, state and federal governments provide a rich vein of research and teaching to be mined.

    Roger Debreceny

  • Roger S Debreceny
    Aggravated Cybersecurity Risks Implications for Accounting...
    blog entry posted April 22, 2014 by Roger S Debreceny, tagged research, teaching in JIS Senior Editors' Blog public

    There have been a number of important cybersecurity breaches in recent months. This blog posting reviews some of these cybersecurity breaches and points to some of the guidance and standards that assist organizations in building reliable and repeatable security infrastructure. The blog analyzes recent guidance on cybersecurity risks from the Center for Audit Quality, which I see as taking an overly conservative view of the implications of the risk environment for internal control over financial reporting. Finally, I canvass the implications for the academic research community.

    Aggravated Cybersecurity Risks
    Implications for Accounting and Auditing Research and Practice

    A Heightened Threat Environment

    Over the last several months we have seen some important cybersecurity challenges faced by several organizations. Probably the most important of these challenges was the breach of credit card and customer data faced by Target Corporation. The attacks on Target Corporation, Neiman Marcus and many other organizations are all indicative of a heightened threat environment. In this blog posting, I review some of these cybersecurity breaches and point to some of the guidance and standards that assist organizations in building reliable and repeatable security infrastructure. In my view, there are clear implications of the heightened cybersecurity risks for the conduct of IT audit, which is a core concern for the accounting information systems community that is served by the Journal of Information Systems. I analyze recent guidance on cybersecurity risks from the Center for Audit Quality, which I see as taking an overly conservative view of the implications of the risk environment for internal control over financial reporting. Finally, I canvass the implications for the academic research community.

    Target and Neiman Marcus breaches

    In December 2013, Target Corporation confirmed that information on more than 40m credit and debit cards was exfiltrated from their networks. In January, Target disclosed that, in addition to the loss of card information, information on “guests” was stolen, including “names, mailing addresses, phone numbers or email addresses for up to 70 million individuals” (goo.gl/Gz1Hev). In a world where loss of personal data seems a daily occurrence, these are truly startling numbers. There are clearly severe implications of the breach for Target in direct costs, an array of class action legal suits, suits against Target from attorneys-general in states and territories and enforcement actions by regulators, notably the Federal Trade Commission. Target is also likely to face action from credit card issuers through the Payment Card Industry Security Standards Council (PCI). Indeed, just in September 2013 Target had been certified as compliant with PCI-DSS.

    The Congress has not been silent in the matter, with hearings from the Commerce and Judiciary committees. While working on my teaching, I watched the Commerce Committee hearing with Target, Neiman Marcus, the University of Maryland and representatives of the FTC and VISA (the hearings are archived at goo.gl/TSrcrN). The hearings were enlightening, and are highly recommended if you have a spare four hours available. Appearing in front of the Committee, amongst others, were John J. Mulligan, CFO of Target Corporation and Dr. Wallace Loh, President of the University of Maryland. The university suffered a breach of identifying information of more than 300,000 students and alumni.

    Concomitantly with the hearings, the Commerce Commission published an analysis of the Target breach in a delightfully titled majority staff report “A “Kill Chain” Analysis of the 2013 Target Data Breach” (goo.gl/zRnKBe). The report provides an excellent overview of the timelines in the breach, the technologies involved and the various breakdowns in Target’s monitoring and controls. The Executive Summary of the report notes that:

    Key points at which Target apparently failed to detect and stop the attack include, but are not limited to, the following:

    • Target gave network access to a third-party vendor, a small Pennsylvania HVAC company, which did not appear to follow broadly accepted information security practices. The vendor’s weak security allowed the attackers to gain a foothold in Target’s network.
    • Target appears to have failed to respond to multiple automated warnings from the company’s anti-intrusion software that the attackers were installing malware on Target’s system.
    • Attackers who infiltrated Target’s network with a vendor credential appear to have successfully moved from less sensitive areas of Target’s network to areas storing consumer data, suggesting that Target failed to properly isolate its most sensitive network assets.
    • Target appears to have failed to respond to multiple warnings from the company’s anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target’s network (p. i)

    Using publicly available information on the breach, the Commerce Committee report shows how the bad actors were able to leverage compromised e-business partner credentials to gain access to Target’s networks. Unsurprisingly, the credentials from the e-business partner were obtained following spear phishing attacks. The report shows how multiple urgent alerts from behavioral network monitoring software were ignored by Target’s security personnel. Figure 5 of the report shows the points in the kill chain where Target missed opportunities to prevent the exfiltration of information. Unfortunately, the report does not provide details on how the bad actors were able to gain access to the “guest” data, which is of significantly greater value to those actors than credit or debit cards.

    Figure 6 of the report gives a timeline of the breach, showing the length and complexity of the kill chain:

    The Commerce Committee has been active in promotion of national legislation but without much success thus far. There is draft legislation (“The Data Security and Breach Notification Act”) before the Commerce Committee but other similar bills from the House and Senate have withered away and this bill will probably suffer the same fate.

    Recent developments in guidance

    Over the years, the security standards landscape has been heavily populated. ISO/IEC 17799, now renumbered as ISO/IEC 27002, provides a useful framework for security management. The COBIT IT governance framework has always had security as a core component. COBIT 5 for Information Security presents an IT security centric view of COBIT. The NIST 800 series from the National Institute of Standards and Technology (NIST) provides guidance for federally regulated organizations such as financial institutions. At the national level, in February NIST published its “Framework for Improving Critical Infrastructure Cybersecurity” (goo.gl/a41MrX). This framework was a response to an executive order from President Obama in 2013. To readers of the other guidance listed above, the framework will be familiar. The framework describes four tiers that “describe an increasing degree of rigor and sophistication in cybersecurity risk management practices and the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices.” The tiers are closely aligned to the levels of process maturity in CMM and CMMI. Importantly, the framework does not see the world ab initio. Rather, it is tightly coupled with COBIT 5, ISO and NIST 800. What is important about the Framework is that it represents a national and integrated perspective on hardening information security defenses for a wide range of organizations.

    Reaction by regulators in the securities and audit domain

    The issue of information security has also been of heightened interest to the Securities and Exchange Commission (SEC). The Commission held an all-day Cybersecurity Forum in March archived at goo.gl/JAOoj8. There were four panels on the “cybersecurity landscape,” “public company disclosure,” “market systems,” and “broker-dealers, investment advisers, and transfer agents.” Panelists included Mary E. Galligan, Director, Cyber Risk Services, Deloitte & Touche; Adam Sedgewick, Senior Information Technology Policy Advisor, National Institute of Standards and Technology. The quality of the archived webcast reminds me of video on the Internet in the last millennium, but is well worthwhile listening to.

    The response to the increased threat environment by other regulators and professional organizations closer to the accounting and AIS community has been mixed. A search for “cybersecurity” on the PCAOB website turned up only the following November 2013 statement from PCAOB Board Member Harris in the context of the Board’s strategic direction (see goo.gl/f2v3DX):  

    The Board will also continue to monitor current events and emerging trends that may lead to increased audit risk. For example, cybersecurity risk recently has become a topic of concern for the Securities and Exchange Commission and other financial regulators.  Such risk pose significant issues for companies such as: increased security costs; loss of material intellectual property; claims by customers; and litigation. Therefore, I believe that auditors must examine the internal controls companies have in place to address such risks. I think it important that the Board will consider forming an internal task force and preparing a practice alert related to cybersecurity and its impact on audits. I support the formation of such a task force and the issuance of an audit alert, if the Board deems such an alert appropriate.

    There was also a comment by one of the participants in the most recent meeting of the Board’s Strategic Advisory Group (SAG) pointing to the significantly elevated importance of cybersecurity in the mindshare of corporate board and audit committee members. There seems, however, to be no concrete action by the PCAOB on security at any point in its history. Similarly, a search of the Auditing Standards Board did not reveal any targeted (so to speak) action on security.

    Prior to the aforementioned SEC roundtable, the Center for Audit Quality (CAQ) issued a practice alert on “Cybersecurity and the External Audit” (available at http://goo.gl/oG1bJ0). In the absence of detailed guidance from the PCAOB or ASB, the practice alert presents the best guide to thinking in the auditing community on the implications of cybersecurity for the external audit. I encourage all in the AIS community to read the practice alert. I am, however, concerned that the practice alert downplays the risks to internal control and ultimately to the integrity of financial reporting that come from information security threats. The alert states:

    The responsibility of the independent auditor relates to the audit of the  financial statements and, when applicable, the audit of internal control over financial reporting (ICFR). The financial reporting-related information technology (IT) systems and data that may be in scope for the external audit usually are a subset of the aggregate systems and data used by companies to support their overall business operations and may be separately managed or controlled. Accordingly, the financial statement and ICFR audit responsibilities do not encompass an evaluation of cybersecurity risks across a company’s entire IT platform.

    It is difficult to quibble with this statement. Many corporations will have production systems running on different local area networks quite distinct from those systems such as sales systems that feed the core accounting applications or the core accounting applications themselves. The “entire IT platform” is not in scope. The alert goes on to state, however, that:

    Systems and data in scope for most audits usually are a subset of the totality of systems and data used by companies to support their overall business operations, and the audit’s focus is on access and changes to systems and data that could impact the financial statements and the effectiveness of ICFR. In contrast, a company’s overall IT platform includes systems (and related data) that address the operational, compliance and financial reporting needs of the entire organization.

    From an operational risk or privacy perspective, companies implement processes and controls to restrict access to their systems, applications and data, including third party records and other sensitive information. Accordingly, given the focus on a narrower slice of a company’s overall IT platform, the execution of an audit of the financial statements and ICFR in accordance with professional standards likely would not include areas that would address such a cybersecurity breach. However, if information about a material breach is identified, the auditor would need to consider the impact on financial reporting, including disclosures, and the impact on ICFR. (Emphasis added).

    This seems almost dangerously naïve. The practice alert argues, essentially, that application systems that are within the scope of ICFR are typically corralled from other operational systems. Therefore the external auditor need not concern herself with broader questions of information security and cybersecurity risks and controls. If recent events such as the Target Corporation and Neiman Marcus breaches teach us anything, they teach us that cybercriminals are capable of burrowing deep within corporate networks and attacking a wide variety of application systems. As the Commerce Committee staff report on Target notes, “it appears that the attackers succeeded in moving through various key Target systems.” Just because an ERP or General Ledger system is on a different local area network than a production management or logistics system does not, in my view, reduce the risk of external attack. Given the centrality of accounting information systems to the functioning of corporations and the wealth of data that resides on those systems that is likely to be of great interest to cybercriminals, surely the external auditor should consider the potential risks that come from cybersecurity threats. Perhaps the CAQ had a typographical mishap and the word “not,” highlighted above, was not meant to be in the alert?

    Information Security and the Accounting Information Systems Research Community

    And now we turn to the role played by our accounting, auditing and AIS research community in general and the Journal of Information Systems in particular. How well has the accounting and auditing research community faced the challenge faced by enterprises, governments and not-for-profits? Not well. As a quick metric, I searched the last five years of abstracts of papers published in all AAA journals, using the keywords “security,” “cybersecurity challenges,” and “information security.” The search revealed only six references, interestingly all published in the Journal of Information Systems. This compares with 64 papers on “earnings management” and 72 papers on “audit fees” and “audit pricing.”

    In the broader academic community, there are a limited number of initiatives from the AIS community that involved information security. For the last many years, Efrim Boritz at the University of Waterloo has organized a biennial symposium on information assurance, which touches lightly on information security. Accounting at the Robert H Smith School of Business at the University of Maryland is organized into the Accounting and Information Assurance (AIA) Department with Larry Gordon and Marty Loeb conducting vital research on information security. At Akron University, Akhilesh Chandra and Thomas Calderon along with other colleagues organize an annual symposium on information security, hosted by the Center for Research and Training in Information Security and Assurance (CReTISA). While individually important, these initiatives are hardly indicative of a robust teaching and research attack on information security in our community.

    As senior editors of the Journal of Information Systems, Mary Curtis and I are very much interested in publishing leading edge research in information security. As might be imagined, we are particularly interested in papers that have a strong connection with our accounting and auditing community. The first theme issue we initiated was on Information Security. The theme issue is edited by Dr Akhilesh Chandra, Professor of Accounting and Director of the Institute for Global Business, The University of Akron and Carlin Dowling, Associate Professor at The University of Melbourne. Papers close on October 15 and the call for papers is at aaahq.org/InfoSys/JIS/calls/InfoSecurity2014_Oct.pdf. 

    Roger Debreceny
    Senior Editor
    Journal of Information Systems

    April 2014

  • Gia M Chevis
    2014 JIAR Best Paper Award
    blog entry posted July 11, 2014 by Gia M Chevis, tagged international, research in The Forum--The Blog of the International Section public

    For their work in “Classification Shifting in an International Setting: Investor Protection and Financial Analysts Monitoring,” the authors received the 2014 Journal of International Accounting Research Best Paper Award.  Bruce K. Behn is a Professor at The University of Tennessee, Giorgio Gotti is an Assistant Professor at The University of Texas at El Paso, and Don Herrmann and Tony Kang are both Associate Professors at Oklahoma State University.  Don Herrmann (center) and Giorgio Gotti (right) are pictured above receiving their awards from Chris Skousen (left), Chair of the section’s Publications Committee.  The paper is available in Volume 12, Issue 2.

    Abstract:  Prior research on publicly traded U.S. firms provides evidence that managers engage in classification shifting to opportunistically manage “core” earnings.  We extend this line of research in a broader international setting, by examining (1) whether the level of investor protection affects managers’ decisions to engage in classification shifting behavior and (2) whether coverage by financial analysts mitigates this behavior.  Based on an international sample of firms from 40 countries, we observe evidence consistent with classification shifting in both strong and weak investor protection countries using four separate measures of investor protection.  We then explore the potential monitoring role of financial analysts in mitigating classification shifting.  We provide evidence that higher financial analyst following mitigates classification shifting, primarily in weak investor protection countries.  Overall, our results provide evidence of classification shifting in a broad international setting and evidence of financial analysts’ influence in reducing this form of earnings management.

  • Gia M Chevis
    Call for Papers: BALAS 2015
    blog entry posted June 26, 2014 by Gia M Chevis, tagged international, research in The Forum--The Blog of the International Section public
    Entrepreneurship in a Diverse World of “Glocal” Initiatives
    March 25 - 27, 2015
    San Juan, Puerto Rico
     
    Hosted by the Faculty of Business Administration,
    University of Puerto Rico, Rio Piedras Campus

    Paper Submission Due Date: November 1, 2014

    The BALAS 2014 conference introduced the theme of “local responses to global challenges” exploring various angles of the challenges and potential benefits present to the LATAM and Caribbean Region. BALAS 2015 will pursue the discovery of other dimensions of “Glocalization” that may represent the key to economic prosperity in the region.

    It is argued that “glocalization” often involves a process of trial and error in which global companies assess the power and influence of their products on local consumers worldwide. The bids are high on connecting “glocalization” and culture, in involving local people in playing key roles in supporting global business. Could it be that local actions actually dictate global policies? Should that assumption be true, cities and local authorities would exercise increased global influence, with the potential of benefiting the local economy. BALAS 2015 Call for Papers will focus on the theme of “glocalization” in the context of the following aspects:

    a) Can entrepreneurial efforts dedicated to non-traditional businesses such as the arts, and sports revitalize local economies and exercise global influence?

    b) If local people can actually play key roles in supporting global business do they need special communication skills to survive and thrive in the “glocal” environment? Can “glocal” social networks foster the integration of local to global?

    c) How can the historical, cultural, spiritual, political, and economic aspects of the local communities set the stage for the transformation of “glocal” initiatives?

    d) What are the key elements that define the readiness of the LATAM and Caribbean region to embark in successful global entrepreneurial initiatives?

    BALAS 2015 is honored to have as keynote speaker, Professor Saskia Sassen, the Robert S. Lynd Professor of Sociology of Columbia University, and Co-Chair Committee on Global Thought and Columbia University. She has made compelling and controversial propositions on the impact of foreign investment in emigration, with the shocking and unexpected conclusion that foreign investment can actually aggravate emigration. She has proposed that globalization, far from being a phenomenon that is free from boundary demarcations, is actually nurtured by very specific territorial limits. We especially hope that academics that have explored the sociology of “glocalization” within the dimensions of emigration and foreign investment will take the challenge to respond to Dr. Sassen’s assertions, to make an intellectual contribution and leave their mark in this BALAS 2015 edition. It will be a unique opportunity for academics interested in this theme to debate, refute, assert their positions with the author of such provocative ideas.

    Submissions of papers in all of the following areas of business and economics are encouraged as part of BALAS 2015:

    2015 THEME TRACKS:

    • “Glocal” initiatives: a study in clashing forces for economic prosperity
    • Mutual funds: bringing together the money from “glocal” initiatives

    GENERAL LATIN AMERICAN BUSINESS TRACKS

    • Accounting, Taxation and Management Information and Control Systems
    • Consumer Behavior
    • Corporate Finance
    • Culture, Social and Ethical Issues
    • Economic Environment and Regional Integration
    • Entrepreneurship and Family Business
    • Financial Markets, Investment and Risk Management
    • Human Resource Management
    • Information Technology Management
    • Marketing Management
    • Management Education and Teaching Cases
    • Strategies for Global Competitiveness
    • Supply-Chain and Operations Management

    PAPER SUBMISSION DEADLINE: NOVEMBER 1, 2014

  • Roger S Debreceny
    360-Degree Post Decision Reviews
    blog entry posted February 25, 2014 by Roger S Debreceny, tagged research in JIS Senior Editors' Blog public

    360-Degree Post Decision Reviews

    An important part of the role of the senior editors is to measure performance of the Journal of Information Systems. There are many different ways that we can understand how well JIS is fulfilling its mission. One of the very important dimensions is to quantify the quality of the author feedback process. Our ambition is to provide a welcoming, productive, and responsive review process. This process involves senior editors, editors and reviewers as well as authors. We now have 360-degree feedback on the manuscript review process.

    The concept of 360-degree feedback is widely used in human resource management. Supervisors review subordinates. Subordinates and stakeholders (internal customers) review supervisors. Recently, the US Department of Defense has rolled out 360-degree feedback across the military. The Chief of Staff of the Army Gen. Ray Odierno says “I believe that multi-dimensional feedback is an important component to holistic leader development. By encouraging input from peers, subordinates and superiors alike, leaders can better see themselves and increase self-awareness. ... The ability to receive honest and candid feedback, in an anonymous manner, is a great opportunity to facilitate positive leadership growth.”

    At JIS, 360-degree feedback commences shortly after the review process ends, whether the paper is accepted or rejected. Each of the authors and reviewers and the designated editor receive targeted emails that point to a survey on Qualtrics.com. Authors answer questions on the submission process, the nature and quality of the reviews received, and support from the editor and senior editors, where appropriate. For example, authors answer questions, using a Likert scale response, such as “the feedback provided by the review team was constructive” and “the feedback provided by the review team helped me improve the manuscript.” Reviewers also answer questions that are specific to their role in the process. At the conclusion of the survey we ask a set of questions for both authors and reviewers including “How likely is it that you will accept future reviewing requests at JIS?” and “How likely is it that you will recommend to colleagues to submit their research to JIS?”

    We will maintain strict confidentiality on review responses. As the introduction to the survey notes, “All your responses will be read only by ourselves as Senior Editors and confidentiality will be maintained. Your responses will be aggregated with other responses, to generate high-level performance metrics for the JIS community.”

    Data from the 360-degree feedback will assist us in a variety of ways. First, it will help us to understand how well we are managing the review process. How well do authors feel that we are supporting them in the review process? Is the process timely and efficient? Are the views of authors and reviewers aligned? Are we providing appropriate guidance to editors and reviewers? Second, the surveys will provide the foundation for identifying “Outstanding Reviewers” and “Outstanding Editor,” presented at the Annual Meeting of the AAA.

    Each year, as senior editors, we will produce a report for the AIS Section Research and Publications Committee as well as for the broader JIS community. We will report aggregated information from the surveys. We will then track our performance on these metrics in succeeding years.

    The review process should add value on two key dimensions. First, it assists authors in improving the quality and enhancing the fit of their papers to the JIS mission. Second, it provides a quality assurance screen that ensures that JIS publishes high quality and relevant papers. We hope that this 360-degree feedback will enhance this value adding.

    Roger Debreceny
    Senior Editor

  • Richard E Lillie
    Salman Khan -- A Breath of Fresh Air in Instructional Design...
    blog entry posted February 8, 2014 by Richard E Lillie, tagged research, teaching, technology in Teaching with Technology > TwT public

    Earlier today, Bob Jensen posted a link on AECM to a Harvard Business Review article (January-February 2014) titled Life's Work: Salman Khan.  I've written about Salman Khan and the Khan Academy several times before.  I use technology extensively in my course designs.  Where appropriate, I draw on Khan's methods and techniques to improve what I do for my students.

    Salman Khan

    Like Salman Khan, I am very much student-centered in my approach to designing the teaching/learning experience.  My approach to teaching came from the years when I was an audit manager in the National Continuing Education Department at Grant Thornton International (GTI).  I quickly learned that you do not teach adult learners.  Rather, you guide them through a learning process.  Adult learners take responsibility for their own learning.

    In the HBR article, Khan states that "one meta-level thing is to take agency over your own learning."  I agree with his statement.  However, I think it is important to understand the point at which a learner may be development-wise.

    Taking "agency" (responsibility) for your own learning assumes a learner has the maturity needed for this level of responsibility.  I believe this is where faculty play a major role in the teaching/learning process.  I don't equate "tech-savviness" with "maturity."  Just because someone can interact with others on Facebook and Twitter does not necessarily make the person ready to take total control of the teaching/learning process.

    A learner in the "becoming stage" (i.e., in the process of earning a degree or credential) needs guidance, influence, and a structured learning process.  Whereas, a learner who has moved beyond the "becoming stage" (i.e., has earned a degree or credential) into the "continuing education stage" has reached the point of personal development where it is OK to do whatever turns you on.  Learning is more "learning for learning's sake."

    Khan states that Khan Academy is all about giving more breathing room to the learner.  He believes he can use technology to deliver information at a student's pace.  He says "there is something you get only from a human voice..It's incredibly valuable."  On this, Khan and I agree.  

    I learned the art of instructional design by the seat of my pants.  I quickly realized that "CPA" stood for "cut, paste, and attach."  I created some pretty interesting instructional materials with a pencil, ruler, invisible tape, IBM Selectric typewriter, a variety of font balls, colored markers, and some fairly modest software applications.  I was amazed what I could accomplish with an Apple2Plus computer.  This all brings back a lot of enjoyable memories.

    While at GTI, I started experimenting with computer-based instructional design.  I played around with sound and video.  It was difficult to do and include in course design.  The technology was far too clunky, complicated to use and far too expensive.  While experimenting, I began to follow the work of Ruth Colvin Clark and Richard E. Mayer dealing with multimedia learning.

    Khan's methodology is all about connecting with the learner in ways that empower the learner to progress as quickly as the learner is capable of doing.  I agree with this objective to a point.

    Rick Lillie, CSU San Bernardino

  • Gia M Chevis
    Nominate an Outstanding International Accounting...
    blog entry posted December 17, 2013 by Gia M Chevis, tagged international, research in The Forum--The Blog of the International Section public

    Call for Nominations

    2014 Outstanding International Accounting Dissertation Award

    The International Accounting Section of the American Accounting Association invites submissions for its Outstanding International Accounting Dissertation Award, to be presented at the Annual Meeting of the American Accounting Association in Atlanta, GA, during August 2014.

    All doctoral dissertations successfully defended during the 2013 calendar year in all areas of international accounting - including topics in financial, managerial, auditing, taxation, and information systems - are eligible for this award. Eligible individuals should submit via e-mail the following materials no later than (and preferably earlier than) February 28, 2014:

    1. Summary of their dissertation not exceeding 20 pages including tables, or a working paper based on their dissertation, and
    2. A letter of support from their dissertation committee chairperson.

    Upon reviewing these initial submission materials, the Outstanding Dissertation Award Committee will select finalists for the award. Finalists will be requested to submit copies of the complete dissertation to the committee.

    Please note that the committee will be grateful to receive suggestions from section members for suitable candidates for this award. Thus, we would be very happy if you could ensure that all faculty and PhD students at your school are aware of the award.

    Please send submissions via email to:

    Sudipta Basu
    Fox School of Business
    Temple University
    Sudipta.Basu@temple.edu

    The DEADLINE for nominations is February 28, 2014.

    Winners of the Outstanding International Accounting Dissertation Award to date are:

    1984 Trevor J. Harris, University of Washington
    1985 (none awarded)
    1986 Betty C. Brown, University of Louisville
    1987 Shahrokh M. Saudagaran, University of Washington
    1988 David Sharp, Massachusetts Institute of Technology
    1989 Teresa L. Conover, University of North Texas
    1990 F. Norman Shiue, George Washington University
    1991 Ajay Adhikari, Virginia Commonwealth University
    1992 Stephen B. Salter, University of South Carolina
    1993 Patricia McQueen, New York University
    1994 Keith R. Duncan, Bond University
    1995 Mary A. Flanigan, Virginia Commonwealth University
    1996 Wayne Thomas, Oklahoma State University
    1997 Paquita Y. Davis-Friday, University of Michigan
    1998 Karl Albert Muller III, University of Illinois Urbana-Champaign
    1999 Jan Marton, Göteborg University
    2000 Tracy Manly, University of Arkansas
    2001 Takashi Yaekura, University of Illinois Urbana-Champaign
    2002 Ole-Kristian Hope, Northwestern University
    2003 Thomas A. Matthews, University of Waterloo
    2004 Steven Francis Orpurt, University of Chicago
    2005 Christopher Hodgdon, Virginia Commonwealth University
    2006 Etty Retno Wulandari, Nanyang Business School
    2007 Annelies Renders, Katholieke Universiteit
    2008 Devan Mescall, University of Waterloo
    2009 Hans Christensen, University of Manchester
    2010 Lijie Yao, Tsinghua University
    2011 Gwen Yu, University of Michigan
    2012 Clare Wang, University of Pennsylvania
    2013 Roger Silvers, University of Massachusetts Amherst

  • Roger S Debreceny
    Editing the Journal of Information Systems
    blog entry posted December 30, 2013 by Roger S Debreceny, tagged research in JIS Senior Editors' Blog public

    Commencing editing the Journal of Information Systems.

    The 1st of January marks the commencement of our three-year term as the Senior Editors of the Journal of Information Systems. We have been working since June, however, putting together the many administrative and design features that go into making the journal a success. Most importantly, we have worked to build a great team of editors and members of the editorial board. Details of the eight editors and the editorial board are at www.jisonline.com.

    There are many other aspects of the administration of JIS that we have worked on but have much yet to do. These include outreach, branding, environmental scanning and improving rankings for JIS. As we work more on these issues, expect to see more from this blog as well as our Twitter feed (@jiseditors), LinkedIn and Facebook.

    Mary Curtis
    Roger Debreceny
    Senior Editors, Journal of Information Systems
    jis-editors@aaahq.org

  • Gia M Chevis
    Call for papers: Special Issue on Information Security
    blog entry posted December 17, 2013 by Gia M Chevis, tagged research in The Forum--The Blog of the International Section public

    Call for Papers

    Theme Issue of the Journal of Information Systems

    Information Security: Implications for Accounting Information Producers, Assurers and Users

    In Fall 2015, the Journal of Information Systems (JIS), the journal of the Accounting Information Systems Section of the American Accounting Association, will publish a theme issue entitled: “Information Security: Implications for Accounting Information Producers, Assurers and Users.” This theme issue of JIS seeks high-quality, theory-based original research to examine security issues as they relate to accounting and AIS. Submissions are encouraged from a broad range of topics, including, but not limited to:

    · Access Control, Authentication and Authorization
    · Audit and IS Security
    · Best Practice, Models and Frameworks
    · Data and System Integrity
    · Disclosure of Information Security Exposures
    · Financial Consequences of Information Security
    · IT/IS Governance
    · Information Privacy
    · Internal Control Design, Assurance and Monitoring
    · Metrics for Assessing Information Security
    · Risk Evaluation and Security Certification
    · Security for Mobile and Cloud Computing
    · Strategy and Information Security

    All research methods are welcome, including behavioral, case study, design science, experimental, empirical and archival. Submissions should conform to the guidelines for regular submissions at www.jisonline.com. Submissions are due by October 15, 2014. Earlier submission is encouraged, and we will require that you conform to a fairly tight time frame in resubmissions. Please clearly state that your submission is for consideration for publication in the theme issue to be published in Fall 2015. If you have any questions, please contact the co-editors of the theme issue: Akhilesh Chandra, Professor of Accounting and Director of the Institute for Global Business, The University of Akron (email: ac10@uakron.edu) and Carlin Dowling, Associate Professor, The University of Melbourne (email: carlin@unimelb.edu.au) or the JIS editorial office at jis-editors@aaahq.org.

    Follow JIS @jiseditors on Twitter and www.facebook.com/jiseditors on Facebook