The implementation of SysTrust principles and criteria for assuring reliability of AIS: empirical study

Introduction

The adoption of information technology as a pillar in the business world renders it critical in terms of reliability and security. System assurance, as a core part of management, is required to ensure that the accounting system and information initiated is reliable. Information technology in business is essential as long as it is reliable and secure. System reliability in administration primarily guarantees the solidity of data and accounting framework. However, an unreliable system can exhibit a number of side effects, such as failure to prevent unauthorized access to the system, making it vulnerable to viruses, hackers and loss of data confidentiality Loss of data integrity, including defiled, inadequate and invented information, and genuine support issues bringing about unintended negative reactions from system changes, such as loss of access to system administrations, loss of information privacy or loss of information trustworthiness (Boritz, 2005; McPhie, 2000; Topash, 2014). In fact, the complexity of computerized information systems has increased the necessity of the assessment of the reliability of a firm's internal control systems (Joseph et al., 2009).

Furthermore, due to globalization and the advancement of technology around the world, the achievements of the overall objectives of the business become more difficult and complicated. This includes the mission and visions that are also affected by other factors such as fraud, money laundering and terrorism activities. To avoid such challenge caused by advances in technology, companies tend to design their strategies whereby dealing with customers, provision of service, corporate social responsibilities and successful procedure of control system are embedded therein (Douglas, 2011). To enhances and maintain the reliability of control system, the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) has developed a new assurance service called SysTrust, whereby a public accountant can write about the adequacy of controls over the reliability of a system. The team formulated a definition of system reliability as “a system that operates without material error, fault or failure in system availability, privacy, integrity, and maintainability during a specified time in a specified environment” (Saitio, 2001).

Computerized accounting information systems can face a range of potential threats, and this entails protection of data from abuse and physical and moral loss where administration of business companies tend to design a rigid control system that is reliable and guarantees protection from both internal and external threats. This keeps the quality of outputs of the systems and aids in the efficient achievement of the organization’s objectives. Furthermore, a reliable system is also required as continuous auditing is conducted under the supervision of real-time accounting systems. The expected benefits from web-based continuous auditing depend on the reliability of real-time accounting systems. AICPA (2017) pointed out the characteristics of a reliable system as follows:

• Accuracy: The system must obtain record and report the information to be audited accurately, completely, and on a timely basis.

• Security: There must be controls to prevent unauthorized access to business data and processes. When violations are detected or suspected, the system must warn the auditor and there must be temporary restriction

• Integrity: The system processing must be complete, accurate, timely and in accordance with the entity’s transaction approval and output distribution policy.

• Maintainability: The system must be updated to provide continuous accuracy, security and integrity.

• Automated auditing programs: The auditor requires readily made auditing programs or those developed by the auditor because continuous auditing is applied through computing systems.

The core importance of a reliable computing system is specifically identified by the developers of the SysTrust project: The computing system – are running business, producing products and services and dealing with consumers and business partners […] As business dependencies on information technology increases, tolerance decreases for systems that are unsecured, unenviable when needed, and unable to produce accurate information on an instant basis. Like the weak link in a fence, the unreliable system can cause a chain of events that negatively affect the company and its customers, suppliers and business partners (ACICPA/CICA, 2013).

In fact, SysTrust acquires its importance because of the following factors:

• It reengineers the internal control system of AIS depending on technological basis.

• It re-conceptualizes AIS-invisible-control-mechanism.

• It enhances standards of operations and security that are designed for increasing efficiency of AIS.

• It grants a guide on a solid ground that helps in measuring AIS reliability and associated risks.

A reliable system is one that is capable of operating without material error, fault, or failure during a specified period in a specified environment. Therefore, any company must have the reliability of the software and database. Romney and Steinbart, (2017), describes the software and databases are not reliable can harm not only the company and employees who use them, but also the company's supply chain.

This study gains its importance as it is represented by that fact that it provides orientation for accounting practitioners, users and auditors who receive better understanding of the implementation of the principles of SysTrust service requirements, and a result, facilitates a more in-depth comprehension and assessment of the applied AIS process in terms of reliability. Furthermore, greater understanding of the empirical literature on accounting information reliability should assist policymakers and regulators in establishing financial reporting standards, auditors to implement standards and financial statement users to evaluate accounting information reliability. A deeper understanding of reliability should also assist academics in conducting research to produce new insights on reliability.

Problem statement

Recently studies have emphasized on the necessity and importance of the internal control system in the accounting information system (Joseph et al., 2009; Al-Laith, 2012; Kuhn et al., 2013). However, articles on SysTrust service engagement as an internal control method for assessing reliability in the professional accounting literature are primarily devoted to explaining the background and purpose of this service and its potential demand (such as in Boritz et al., 1999; Pugliese and Hales, 2000). Furthermore, assessment of the reliability of accounting information system remains under-researched as the majority of such studies have focused on the status of AIS use and its applications (Iceman and Hillson, 2012; Yigitbasioglu, 2016; Tarek et al., 2017). Given that most articles of AIS implementation have been based on cases in Europe and the US, cultural and legislation challenges, although complex, show some inconsistency. However, relatively few studies have been implemented outside of the most developing countries, such as in Jordan, which is a beachhead for new technologies and business practices in the Middle East and North Africa (MENA). Several authors state that within organizations, attention must be given to the accounting standards and laws of each country because they affect accounting management (Davila and Foster, 2005; Tarek et al., 2017; Romney and Steinbart, 2017). Therefore, the purpose of this research is to investigate the extent of the implementation of the SysTrust service framework (principles and criteria) as an internal control method for assessing the reliability of accounting information system processes by Jordanian shareholding companies. The study also aims to examine the whether the level of implementation of SysTrust service framework’s requirements are differ on the basis of the demographic characteristics of business organizations (i.e. sector type, size and experience in business).

Theoretical background and literature review

Literature review

To survey empirical studies pertinent to the reliability of AIS as the main focus, a scholarly internet search engine (scholar.google.com), in addition to several online databases, was used. The databases cover all leading journals, not only in the fields of internal control of AIS process, but also in the accounting of information systems in general and the recently developing field of trust service in e-commerce and accounting. AIS is embedded within IS journals. The majority are conceptual or non-empirical, where the empirical previous studies that discuss the same topic apply one of the two approaches, either qualitative or quantitative. The theory of demand for trust services is based on some innate hardships related to electronic commerce. While all business transactions carry a risk factor that intended transactions will not be processed as planned, the risk factor is greater in electronic commerce because of the loss of human mediators that are at hand in physical markets, indicating a reliance on electronic systems to avert, or identify and correct, errors (Tan and Theon, 2002). In addition, as information irregularity between parties to transactions is higher in electronic commerce, they are usually geologically distributed (Enofe et al., 2012; Al-Laith, 2012).

Henry (1997) carries out a survey on 261 companies in the USA to determine the nature of their accounting systems and security in use. Seven basic security methods were presented in his study. These methods were encryption, password access, backup of the data, viruses’ protection, and authorization for system changes, physical system security and periodic audit. Henry’s study results indicate that 80.3 per cent of the companies’ backup their accounting systems, 74.4 per cent of the companies secure their accounting systems with passwords, where only 42.7 per cent use antivirus in their systems. The results also reveal that less than 6 per cent of the companies use data encryption, lastly 45 per cent of companies undergo some sort of periodic audit for their accounting information systems. Another study, carried out by Qurashi and Siegel (1997), assures the accountant’s responsibility to check the security of the computer system. The researchers carried out a theoretical study to develop a security checklist. This list covers the following four security controls groups: Client policy, Software security, Hardware security and Data security. Cerullo and Michael (1999) conducted a survey using a questionnaire of twenty potential security and control mechanisms, which was circulated among audit directors of two hundred fortune companies in the USA. These mechanisms were placed by Cerullo study in four categories, namely, client-, network-, server- and application-based. Tan and Theon (2002) conclude that parties would not use an electronic transaction unless the degree of transaction trust is higher than the threshold value, which relies on features of the party and of the transaction itself. The possibility to resist taking part in electronic transactions develops the requirement for a service that will strengthen trust to the level that it exceeds the user’s threshold.

WebTrust and SysTrust deal with this requirement through assuring observance of standards of control. Together, the attributes of the particular assurances made (e.g. reliability, privacy, etc.), and the attributes of the assuring party (Kaplan and Nieschwietz, 2003) are theorized to result in the trust-enhancing value of these services. From amongst trust services literature, the researchers Kovar and Mauldin (2003) give a theoretical model that targets its focus on the natural prospective need for assurance services, resulting together from circumstantial business setting features and sources of information risk within that setting and from a precedent of the market demand for third-party assurance services. Furthermore, many studies investigate whether web trust influence consumers’ concerns about taking part in online transactions (McCole, et al., 2010; Fortesa and Ritab, 2016). These studies tend to find a positive influence of WebTrust on customers’ attitudes and/or behaviour, but also find that the level of the influence varies according to the knowledge of the customers, which includes their familiarity with the service.

Additionally, Arnold et al. (2000) find that a graded report may be more informative than the binary report that is presently administered (i.e. reporting that the service either meets or does not meet certain criteria). Also, experimental studies tend to find that the effect of WebTrust is similar to that of other competitive products, signifying consumers' lack of ability to differentiate between them. Findings from other research reveal that as well as consumers, financial professionals may also help WebTrust in the decisions they make. Hunton et al. (2000) find that WebTrust assurance results in greater earnings forecasts and stock price estimates by financial researchers, indicating conviction that a WebTrust seal is related to greater quality and, therefore, better expectations for future business. Because SysTrust was created after WebTrust, there is a lack of experimental research available in that perspective. In their study of electronic data interchange (EDI), Khazanchi and Sutton (2001) give evidence of the requirement for systems assurance, illustrating that numerous companies enforcing these systems do not use them to full benefit. This shows that entities authorizing EDI for their clients or customers should require assurance of suitable functioning. Results of these studies recommend a demand for trust services. Consequently, it follows that there should be a positive effect on the business of clients that meet approved trust services standards. Moreover, a study from Havelka et al. (1998) argues that expression of agreement on measurement criteria for assurance services among providers and users will enable a more effective and efficient production of those services.

They created measurement criteria for assurance services generally, and made a comparison of the views of IT consultants and system users on the related significance of those criteria in performing systems assurance. While current research indicates that trust services assist in reducing user resistance to depend on companies’ systems when undertaking electronic commerce, many types of possible future research appear from methodological and theoretical issues concerning the existing standing of the literature in this area. One methodological concern emerges from the knowledge that the prime research method used is the behavioural experiment. Experimental methods are important because they are strong in internal validity. However, if there were archival research and field studies in addition to behavioural research, understanding of users’ demand for trust services and the impact on user decisions would be improved. As written in the financial statement auditing literature, targeting research on actual users’ experiences would allow a stability of internal and external validity. For example, experimental research could be important in evaluating the nature of demand for trust services. The principal theories available regarding user demand are connected to the presence of threshold levels of trust needed to decrease resistance in using electronic commerce. In hypothetical scenarios, usually found in behavioural experiments, it may be hard to imitate this resistance. Information not available on the difference on how users' threshold trust levels, and factors connected with this variance, make it difficult to explain demand for trust services in general and for the particular aspects of these services in particular. Another theoretical issue is that so far there has been no research that addresses users' assumptions regarding outcomes of trust services, or what their actions would be if these assumptions are not met. Supposedly, if an assurance services' trust levels increased to the level that a formerly resistant party uses electronic commerce, then that user will uphold the assumption that trade will continue in a safe and continuous way. Breach of this assumption could result in legal actions against the provider because this issue is related to verification risk for the assuror and is explained in the provider’s section below.

Chang's (2001) research declares that organizational effectiveness in a worldwide competitive environment is extensively attributed to accounting information. Doms et al. (2004) point out that the most significant source of externally viable information on companies is still financial statements. There is some concern that accounting practice is not up-to-date with fast economic and high technology changes, in spite of their widespread use and continuing advance, which consistently affects the significance value of accounting information. The significance of Chang’s declaration is strengthened by a fast changing business environment and reports by some researchers indicating that the importance value of accounting information has decreased due to an increase in accounting fraud in developed countries such as the USA. Furthermore, SysTrust is one of the models to update Internal Control Systems (ICS) of AIS through frame working the technological variables which affect designing AIS. Due to such nature, much of the practical studies have been implemented using the principles and criteria of SysTrust to examine quality and performance of AIS. The term ICS has been used by COSO (2013) to refer to the risks associated with ineffectiveness management of public companies, both large and small. Integrated framework of COSO has long served as a blueprint for establishing internal controls that promote efficiency, minimize risks, help check the reliability of financial statements, and comply with laws and regulations. According to COSO’s study, ICS is no longer accounting concept. COSO’s report has outlined 26 fundamental principles associated with the five key components of ICS: control environment, risk assessment, control activities, information and communication and monitoring. SACF (2001) considers the control objectives associated with use of IT. The study is widely known as COBIT. COBIT consists of three control groups: business objectives, IT resources, and IT-based process. The key feature of COBIT is coming from the fact that it has developed 36 standards of control related to security of IT-based AIS. The impact of IT formed an accounting process on the operational variables of cost and productivity, and profitability has been addressed by Casolaro and Gobbi (2004). The study was conducted on more than 600 banks belonging to the Italian banking industry. The study concludes with the facts that intensive use of IT-based AIS has reasonable impact on:

• reduction of banking services cost,

• expansion of banking services package, and

• increasing banking profit.

Another study was conducted by Raupeliene and Stabingis, (2003) has considered the effectiveness of IT based AIS. The study has developed a quantitative model based on set of technological, economics, and social parameters. Their study revealed that the effectiveness of IT-based AIS varies according to the superiority level of IT infrastructure of AIS and the environmental development of AIS.

A study by Warren (2002) entitled “Security Practices” attempts to study the difficulties facing the information system using a sample consisting of Australian, English and American companies. The results of the study show that the limitation of technological security procedures and intentional incorrect entry of financial data in the American companies is a noticeable limitation facing information system. Previous literature discussed the effect of assurance on its beneficiaries. Boritz and Hunton (2002) tried to evaluate the amount that auditor-provided systems reliability assurance affects prospective service recipients' through

• the probability of recommending that their company enter into a contractual agreement with the service provider, and

• the comfort level with the reliability of the service provider's information systems.

Abu Musa (2004) performs an empirical study to investigate the adequacy of security controls implemented in the Egyptian banking industry (EBI), where the respondents were limited to the head of the computer department and the head of internal audit department. Abu Musa tried to check whether the applied Security Controls in the EBI are adequate to protect against the perceived security threats through self-administrated checklist. The CAIS security checklist included eighty security procedures which were categorized under the following ten groups.

1. Organizational information security controls.

2. Hardware and physical access security controls.

3. Software and electronic access security controls.

4. Data and data integrity security controls.

5. Off-line programs and data security controls.

6. Utility security Controls.

7. Bypassing of normal access security controls.

8. User programming security controls.

9. Division of duties.

10. Output security control.

Another empirical study was conducted by Abu‐Musa (2010) in Saudi Arabia, shows that the majority of business organizations not have disaster recovery plans to deal with information security incidents and emergencies as well as information security functions and authorities are not well–identified and communicated. In addition, it also indicates that the risk assessment process and procedures are not appropriately and effectively executed.

Boritz (2005) conducts an extensive review of the literature to identify the key attributes of information integrity and related issues. He brought two focus groups of experienced practitioners to discuss the documented findings extracted from the literature review through questionnaire examining the core concepts of information integrity and it elements. He considers information security as one of the core attributes for information integrity. This security should cover the following areas: physical access controls and logical access controls. The results indicate that the security has a lower impairment severity score than other severe practical aspects, such as availability and verifiability. Boritz’s such findings refer to the effective use of security controls in the organizations represented.

In his study, Martin (2005) focuses on the fulfilment of Sarbanes-Oxley act 2002 that requires public companies to report about the effectiveness of their internal control systems He explained that the American companies are using COBIT for Sarbanes-Oxley act 2002 compliance, and this is because its objectives have been mapped to COSO in a publication entitled IT Control Objectives for Sarbanes-Oxley. COBIT also has been mapped to popular enterprise resource planning (ERP) systems, such as SAP, Oracle and PeopleSoft. This mapping and related guidance provides COBIT with framework references and methodologies for auditing and testing the major ERP systems. But it is decided later to use SysTrust service to ensure the company’s systems carry-out business processes reliably. Herein, Martin establishes five-step processes showing how the CPAs can use the trust service framework to evaluate a company's IT controls when the entity primarily uses the COSO approach. These steps are:

• Use COSO framework to identify the risks in each business cycle and the controls that mitigate them,

• Gather initial IT information,

• Identify all information systems that relate to financial reporting.

• Be used to trust services framework to create one overall IT matrix,

• Assess the controls identified in the matrixes created above.

Martin (2005) mentions the same steps in his study, in which he tries to explain how information system auditor can use the AICPA/CICA trust services framework to evaluate internal controls, particularly controls over information technology. The participants in the experiment were 481 middle and upper-level managers from a wide range of functional areas. The study concludes that auditor-provided assurances on information systems availability security, integrity and maintainability will show significant key effects with respect to the probability of the participant entering into a contractual agreement with the ASP organization. In addition, the comfort level of the participant with the reliability of the ASP organization's ERP system will increase.

In the same perspective, Mauldin et al. (2006) investigate the possible demand for third-party assurance reports in business-to-business electronic commerce (B2B e-commerce) by observing the purchase decisions of 95 professionals to advise using a B2B exchange. The experiment uses the 2 × 2 between subject’s design, and varies the assurance scope (system related assurance vs. data related assurance) and assurance timing (continuous assurance vs static assurance) with another control condition of no assurance. The results of the study show that there is more probability of purchasing professionals advising using the exchange when general assurance over the reliability of the exchange's system exists, than when specific assurance over the reliability of transaction information exists. There is also a greater chance of purchasing professionals advising using the exchange when the assurance report is continuous than when it is static, issued at a given time. However, the results also suggest that those participating are less probable to recommend using the exchange when specific information assurance or static assurance exists than when assurance does not exist at all. Also, Meharia (2012) aims to study the effects of assurance services and the trust in the mobile payment system on how users' use the system. To demonstrate this matter, the study depends on the Technology Acceptance Model (TAM). The study finds that the users' intention to use their attitude towards the system determines their real use. Their attitude towards the system is decided by the apparent usefulness of the system and the simplicity of use. However, the study adds that the assurance on the security, availability, confidentiality, privacy, and process integrity of the system will have a positive influence on the users' attitude towards the system, in combination with the apparent usefulness and simplicity of use.

Also, from a security perspective, Siponen and Oinas-Kukkonen (2007) reconcile prior security research literature and emphasize the distinct importance of accessibility and availability as it relates to communication issues, like user authentication and appropriate maintenance of data retention. Strong et al. (1997) also segregate and highlight the importance of accessibility as a determinant of data quality. In particular, they emphasize the importance of access security and timely availability to data. Likewise, Nelson et al. (2005) argue that accessibility represents a system attribute that is distinct but similar in importance to the system’s ability to produce reliable data, although they argue that this impact of accessibility is second in order of influence to the system’s processing reliability. In the same manner, Zhou (2011) intends to evaluate the influence of initial trust on user adoption of mobile banking. The study supposes that initial trust decides the intent to use the mobile banking system, as well as the apparent usefulness of the system. The initial trust is decided by the structural assurance (such as third party certifications), information quality, and system quality. The apparent usefulness is decided by the information quality and system quality. Information quality indicates the relevance, adequacy, precision and timeliness of the information. Whereas system quality indicates the speed of access, simplicity of use, navigation and look of the mobile banking system (Kim et al., 2004 as cited in Zhou, 2011). The study finds that structural assurance, information quality, and system quality have an influence on initial trust. Users need to depend on structural assurance to trust mobile banking because mobile banking relies on wireless networks and includes great risk and doubt. Information quality and system quality have an influence on the apparent usefulness of the mobile banking system. Users may feel that the providers of these types of system will not provide quality services to them if the quality of information is low.

Furthermore, if mobile banking has a slow access speed or if users experience service unavailability or interruption, because of system unreliability, users' observation towards mobile banking will have a negative effect. In the same context, Greenberg et al. (2012) aim to investigate the influence of SysTrust criteria (availability, integrity and security) on users' intent to use reliability on an online accounting system (of Oracle Small Business Suite). According to the TAM, the study supposes that the intention to take up online systems depends on the apparent usefulness of the system, apparent ease of use, trust in system reliability, and trust in the internet. The study finds that users' intention to take up the online accounting system is greater when users' trust in system reliability and trust in the internet are greater. The results of the study indicate that the reliability of a system, as measured by SysTrust criteria, is related to the decisions relevant to the intention to take up online accounting systems. Consequently, it is apparent that system assurance has a positive influence on system users, their reliance and, therefore, on their decisions, particularly when this assurance is provided constantly, which is more suitable according to the present changing environment. The study by Topash (2014) likewise found that the accompanying criteria or indicators should be available in any accounting information system for it to be productive in any organization which is, cost effectiveness, great documentation, presence of legitimate safety efforts, free inward and outside review, separation of other operation from accounting, and effective internal control. In smellier vain, Daneila (2013), state that accounting information systems and internal controls have a positive relationship to the financial reporting to produce reliable financial statements.

In reviewing the literature, it can be seen that Certified Public Accountants (CPAs) can provide assurance on RTA Information Systems. CPAs are accepted as independent parties that provide assurance concerning the accuracy and fairness of financial information (Boritz and Hunton, 2002), CPA, also acquire advanced technical competencies (Burton, et al., 2012). Boritz and Hunton (2002) aim to assess the extent to which auditor-provided systems reliability assurance affects potential service recipients':

1. likelihood of recommending that their company should enter into a contractual agreement with the service provider; and

2. comfort level with the reliability of the service provider's information systems.

Based on an experiment on 481 middle- and upper-level managers from a broad spectrum of functional areas participating in the study, the conclusion is that auditor-provided assurances on information systems availability security, integrity and maintainability will exhibit significant main effects with respect to the participants' likelihood of entering into a contractual agreement with the ASP firm and the participants' comfort level with the reliability of the ASP firm's ERP system will increase. Similarly, Greenberg et al. (2012) have attempted to study the impact of SysTrust criteria on users' intention to use online accounting systems and their reliability. Based on the TAM, the study posits that the intention to adopt online systems depend on the perceived usefulness of the system, perceived ease of use, trust in system reliability, and trust in the internet. The study finds that users' intention to adopt the online accounting system is higher when users' trust in system reliability and trust in the internet are higher. The results of the study suggest that the reliability of a system, as measured by SysTrust criteria, is relevant to the decisions related to the intention to adopt online accounting systems.

Furthermore, it is predicted that accounting organizations will benefit from their long experience of financial audits and will probably surpass other types of assurance providers in the formal application of non-financial assurance services (Perego, 2009). Additionally, when providing financial matters, CPAs should follow strict and comprehensive ethical and professional standards (Boritz and Hunton, 2002). For this reason, the American Institute of Certified Public Accountants (AICPA) considers assurance service on electronic systems a logical and natural extension to the already present services that the auditor provides (AICPA, 2017). Proposed benefits of the use of SysTrust service include improved confidence in the systems of both business partners' and one's own internal systems, avoiding problems of system development (McPhie, 2000) and reducing the cost of business interruption insurance (Pugliese and Hales, 2000). The literature also suggests that SysTrust provides a good framework for auditing internal systems and restructuring systems controls and procedures (Bedard et al., 2005). It also sets a standard for structuring information technology outsourcing agreements. While recognizing the potential benefits of trust services, Gray (2002) warns customers to investigate the relative value of the benefits against the associated cost before hiring a third party assurance provider. Accordingly, it is clear that system assurance has a positive impact on system users and their reliance and in turn on their decisions, especially when this assurance is provided on continuous basis, which is more suitable to the current changing environment. SysTrust developers also expect that the SysTrust report would be seen in the market as a sign of quality. According to this viewpoint, Bedard et al. (2005) imply that SysTrust opinions will function as a marketing tool and add value for the client. In the most recent version of the trust services guidelines, electronic seals or reports can be used with SysTrust engagements. Users may recognize that displaying the electronic seals or reports will help in their marketing efforts through improving their skill to distinguish themselves from other entities. This contention is supported by the results of the study of Arnold et al. (2000), which indicate that good-quality dealers are willing to pay for reports that differentiate along quality lines.

Moreover, Boritz and Hunton (2002) report that SysTrust assurance significantly increases user comfort levels with the reliability of the information technology of a service provider, as well as the possibility that users would recommend contracting with the service providers. Even though the possible benefits of trust services to clients have been focused on in the literature, there is a lack of experimental evidence to support the belief that the existence of a trust service assurance report gives a precise sign of systems quality. The study by Jamal and Maier (2002) focuses on this aspect and examines the link between the existence of web seals and actual company practices with regard to information privacy. The results indicate that, on overall, clients comply reasonably well with privacy policies concerning notification, disclosure, and privately identifiable information choice options. While compliance with acknowledged privacy policies is not perfect, Jamal and Maier (2002) find that disclosure for web sites with privacy seals is better than those without seals. Enofe et al. (2012) Amin and Mohamed, (2016), also indicated that an accounting process and continuous auditing cannot be conducted effectively in today worldwide market without the use of computer and accounting software. They believed that changes in the accounting profession are the main reason behind the necessity of internal control accounting system to increase security and protection. However, performing SysTrust engagements is not without potential risks. There are two potential issues inherent in such engagements, some of which present exposures to the provider of assurance services. For example, users might not recognize that trust services cannot provide continuous assurance regarding system, and further performance might not be predictable based on past performance and test (Bedard, et al., 2005).

Experimental work indicates that there would be demand for both WebTrust (Hunton et al., 2000; Arens et al., 2014 and SysTrust (Boritz and Hunton, 2002; Arens et al., 2014) in the marketplace. Yet, as Bedard et al. (2005) note, there are a lot of issues, questions and risks in SysTrust engagements, and most auditors are leery about delving into the ill-defined arena of systems reliability assurance. Only limited research to date has looked at ways in which to improve and deliver systems reliability assurance. Havelka et al. (1998) conduct a series of focus groups with systems development teams to establish criteria for assessing the quality of the information. Arnold et al. (2000) explore the market demand for graded reporting of systems quality versus use of a traditional auditor’s binary reporting model. These studies represent the first incremental steps in understanding systems reliability assurance. The domain is wide, open, and in great need of additional research. While SysTrust provides some broad criteria that must be considered in assessing systems reliability, little is known about how to go about assessing these criteria effectively. Given the major role that IT systems play, particularly in enterprise systems environments, the profession must rapidly advance its ability to assess systems quality and academic researchers need to step forward in helping answer the difficult questions that to date present barriers to widespread systems reliability assurance efforts.

After reviewing the previous studies, in this specific area of research, relating to reliability and of the evaluation of CAIS control systems, it can be observed that there are not enough empirical studies available, and this could be due to the fact that this area of research is reasonably new. In addition, many of the studies in this subject are administered on a small level and connected with combined studies from the fields of business management, computer science, and at times engineering. They are often in the form of reports or descriptive studies, and rarely experimental. Furthermore, studies on SysTrust service engagement as an internal control method for assessing reliability in the professional accounting literature are primarily devoted to explaining the background and purpose of this service and its potential demand (Boritz and Kearns, 2000; Pugliese and Hales, 2000; Tarek et al., 2017). Related empirical research also primarily addresses topics related to user demand for trust services. In addition, there has been relatively little business-oriented research on reliability. It should also be noted that some of the investigations are conducted in isolation, without benefit from the experience of findings from other studies. It should also be noted that the majority of these studies are confined to the experience of developed countries, such as in Europe and the USA. It is observed that in many of these studies, practical implications of research findings are only stated in general terms, and little attempt has been made to report the reliability of the scales of measurement used for data collection. Given that most studies of AIS implementation have been based on cases in Europe and the US, cultural and legislation challenges, although complex, show some consistency. However, relatively few studies have been investigated outside of the most developed countries, such as in Jordan, which is a beachhead for new technologies and business practices in the Middle East and North Africa (MENA). Several authors state that within organizations, there must be attention given to the accounting standards and laws of each country, because they affect accounting management (Davila and Foster, 2005; Romney and Steinbart, 2017).

Research hypotheses

Based upon theoretical background and literature review, the following hypotheses are examined in this study:

Research methodology

The data for this research were collected through self –administrated questionnaire. The target respondents were all the shareholding companies in Jordan and the single key respondents approach was used. The key respondent was financial/account manager/director. The identification of the individual business organizations in the country (Jordan) could be done by obtaining names of all companies, as well as their addresses, from a variety of private and public sources to identify the type of business sector, and the range of the number of companies in each sector. Restrictions of time and financial resources could make the inclusion of all business companies impossible. Therefore, the target population is only limited to all shareholding companies listed in Amman Stock Exchange Market database in 2016. Table I demonstrates the demographic characteristics of the study's population. A total of 328 self-administrated questionnaires were distributed to the respondents by e-mail and hand and the response rate was 73 per cent. 68 per cent of the respondents were from service sector. Initially, research assistants called the companies to have appointments to distribute copies of the questionnaire to their companies. After respondents answered the questions, the assistants collected the copies from them.

In this survey, some variables are factual (for example, companies' demographic characteristics such as the type of sector, business experience and number of employees), whereas others are perceptual (i.e. SysTrust principles and criteria). The extent of the implementation of SysTrust principles and criteria were measured using a seven–point Likert scale with anchor ranging from (1) “not implemented at all” to (7) “highly implemented”). The study is based on primary data and the time period is cross-sectional. For data collection, a structured questionnaire was developed and collected data were fed to the statistical software called SPSS-20 to analyse. Simple statistical tools like, mean, standard deviation, and ANOVA were applied. The questionnaire's content (constructs and measures) were mainly selected from AICPA (2013) framework and some previous studies and were modified to the practice of Jordanian shareholding companies’ context based on the results of a pilot study and feedback from five professional academic staff in this filed. Table II shows five fundamental principles and criteria and related measures that used in the study.

Data analysis

Discussion and implications

One of the main objectives of this study is to explore to which extent the business organizations in Jordan implemented the SysTrust principles and criteria requirements as an internal control system for assuring the reliability of AIS. The results indicate that the extent of SysTrust principles being practiced is considered to be moderate (i.e. 74 per cent or 5.20). This implies that there are some variations among shareholdings companies in terms of their level of implementations of the principles of SysTrust as presented in Table (4). This might indicate that internal control’s methods over the computerized accounting information systems in the Jordanian business organizations provide requirements of all principals to the AIS system. Mean values have shown that the Security principle is the highly implemented one (79 per cent). Assurance of system security implies that access is restricted to the physical components of the system, the logic functions the system performs, and the information stored in the system. This results are in consistent with prior studies such as Hayale and Abu Khadra, (2006), Abu‐Musa, (2010), and Boritz (2005). It could be concluded that the IT infrastructure of the Jordanian business originations (i.e. shareholding companies included in this study) by its status qua is mature enough to provide the operational requirements for (SysTrust) principles and criteria. Such result supported by the results reached by Casolaro and Gobbi, (2004) Mansour et al. (2009, 2017), and Al Hanini (2015).

The second objective of the study is to compare differences among business organizations in terms of the SysTrust principles and criteria requirements as an internal control system for assuring the reliability of AIS being implemented based on their type of business, size and experience. Interestingly, the study found no significant differences among business organizations in the extent of the SysTrust principles and criteria requirements being implemented due to their size or experience. One explanation for this is that all of business originations in this study are shareholding companies and irrespective of their size or experience they have to approve the reliability of their accounting transactions for legality and auditing purposes. However, statistical significant difference was found based on the type of business sector. It was found that the extents of the SysTrust principles and criteria requirements being implemented were varied among business organizations due to their type of business. One explanation of the above findings is that regardless the size of business organizations or experience, it is possible to classify Jordanian business in terms of the extent of SysTrust principles being implemented based on their type of business (services vs. industrial).

Based on the above discussed findings, two outstanding conclusions can be made. First, the results indicate that the extent of SysTrust principles being implemented is considered to be moderate. The results also showed that the Security principle is the highly implemented one. This could be because securities of AIS issues have been given a propriety over other principles among shareholding companies to be implemented. Second, when compared, the extent of SysTrust principles being implemented among business organizations in terms of type of business (service companies vs. industrial companies) was found at a significant edge over industrial companies on five principles of SysTrust. This result might indicate that the service companies apply or give more attention to the requirements of SysTrust principle than the industrial companies. This might be due to the fact that service companies tend to be more technology-oriented and driven than industrial companies in Jordan (Mahadeen et al., 2016). In their study of EDI, Khazanchi and Sutton (2001) give evidence of the requirement for systems assurance, illustrating that numerous companies enforcing these systems do not use them to full benefit. However, there are no significant differences in the implementation of principles of SysTrust among business organizations due to their size or experience.

The present study has important implications for studies aimed to SysTrust principles implementation in developing countries. However, explanations of several findings above indicate the importance of contextual factors (i.e. demographic characteristics) within organizations. This study provides some insights into the implementation of SysTrust principle as an internal control for assuring the reliability of AIS by Jordanian shareholding companies, which should help practitioners to acquire a better understanding of the current SysTrust principles status and implementation. However, several limitations should be considered when evaluating and generalizing the study's conclusions. The study was conducted in one country, Jordan. Although Jordan is a valid indicator of prevalent factors in the wider MENA region and developing countries, the lack of external validity of this research means that any generalizations of the research findings should be taken with caution. Future research can be orientated in other national and cultural settings and compared with the results of this study.