Paper 1 of 6 · Session 1: Financial & Accounting IS

Digital Innovation in Accounting: A Cybersecurity Perspective on Financial Information Systems

Jiu Xiaoxiao¹ · Radoslava Hristova² · Vladimir Dimitrov²

Authors

¹ Jiu Xiaoxiao — corresponding author; jiuxiaoxiao [at] proton.me
² Assoc. Prof. Dr. Radoslava Hristova — radoslava [at] fmi.uni-sofia.bg
² Prof. Dr. Vladimir Dimitrov — cht [at] fmi.uni-sofia.bg

Affiliations

¹ Independent researcher in residence at Sofia, Bulgaria; previously Senior Internal Auditor, financial-services sector, People's Republic of China.
² Faculty of Mathematics and Informatics, Sofia University “St. Kliment Ohridski”, 5 James Bourchier Blvd., Sofia 1164, Bulgaria.

Track

Full research paper, double-blind reviewed (3 reviewers)

Keywords

accounting information systems · cybersecurity · digital innovation · financial reporting · NIS2 · internal controls · trustworthy AI

Pages in volume

pp. 1–14

Abstract

This paper examines the under-theorised intersection of digital innovation and cybersecurity in contemporary accounting information systems (AIS). While the accounting literature has documented the productivity, transparency and reporting-quality gains of cloud accounting, robotic process automation and generative-AI assistants, the cybersecurity literature has separately catalogued the threat surfaces these technologies introduce: token-theft attacks on cloud-accounting tenants, prompt-injection compromises of AI bookkeeping assistants, supply-chain attacks against ERP plug-ins, and the systemic risk of consolidated audit-data lakes. We argue that these two literatures must be read together. Drawing on a structured review of 142 papers (2018–2024) and on interview material with 22 internal-audit professionals across Bulgaria, Serbia, Romania and the People's Republic of China, we develop a three-layer analytical framework — innovation surface, control surface, threat surface — that allows AIS designers and auditors to reason about cyber risk as an inherent property of digital-accounting innovation rather than as an external constraint upon it. We instantiate the framework on three running examples (cloud-native general-ledger migration, AI-assisted account reconciliation, and continuous external-audit data exchange) and derive five design propositions for resilient AIS innovation in regulated environments. The paper contributes to AIS scholarship by re-integrating the cybersecurity concern into mainstream digital-innovation theory, and offers practical guidance to chief financial officers, internal auditors and IS designers operating under the EU NIS2 directive and equivalent regimes in non-EU jurisdictions.

1. Introduction

The accounting profession has, over the last decade, embraced a vocabulary of innovation — “digital transformation”, “continuous reporting”, “AI-augmented audit”, “real-time consolidation” — that, until recently, would have sounded foreign in the conservative discourse of professional standard-setters. Cloud-native general ledgers are routinely procured by mid-market firms; large audit networks have invested heavily in machine-learning platforms for journal-entry testing; and the major ERP vendors now position generative-AI copilots as standard features of their accounting stacks. This paper takes that innovation discourse seriously, but argues that it has developed a problematic blind spot: cybersecurity is treated as a downstream operational concern, separate from the design of digital-accounting systems themselves.

The blind spot is consequential. Recent forensic-investigation reports — the 2023 incidents at three major European cloud-accounting providers, the 2024 ransomware compromise of a mid-tier Bulgarian audit firm, and the persistent threat-actor campaigns against trust-services providers across the Western Balkans — have shown that the most damaging cyber incidents in the accounting domain exploit the same technical and organisational features that the innovation literature celebrates: API openness, automated cross-tenant data flows, AI-mediated decision-making, and the consolidation of financial records into shared cloud substrates. The very innovations that promise efficiency and transparency are, in their unmodified form, also threat-amplification mechanisms.

This paper makes three contributions. First, it offers a structured review of the literatures that have, to date, run on parallel tracks: digital-innovation research in AIS, and information-security research in financial IS. Second, it proposes a three-layer analytical framework — innovation surface, control surface, threat surface — that re-integrates these literatures. Third, it derives five design propositions for resilient AIS innovation that are operationalisable under the EU NIS2 directive and that map cleanly to the COBIT 2019, COSO 2013, and ISO/IEC 27001:2022 control catalogues.

2. Background: Two Literatures, One Object of Study

We organise the prior literature into two streams. The digital-innovation stream in AIS (Granlund & Mouritsen 2013; Bhimani & Willcocks 2014; Vasarhelyi et al. 2015; Quattrone 2016; Moll & Yigitbasioglu 2019; Kokina & Davenport 2017; Marrone & Hazelton 2019) is principally concerned with how new information technologies change the nature of accounting work, the structure of the audit profession, and the visibility of organisational performance. Its theoretical anchors are practice theory, the affordance perspective, and institutional theory. Its empirical mode is qualitative-interpretive, frequently building on multi-site interview data.

The cybersecurity stream in financial IS (Anderson 2008; Goel & Chengalur-Smith 2010; Bose 2008; Spanos & Angelis 2016; Cremonini & Riccardi 2009; Tsohou et al. 2015; ENISA Threat Landscape reports 2018–2024) addresses the engineering and economic dimensions of securing financial computing assets: control architectures, threat-modelling methodologies, breach-disclosure economics, regulatory compliance, and the social engineering of finance personnel. Its theoretical anchors are economics of information security, principal-agent analysis, and applied security engineering. Its empirical mode is quantitative or case-engineering.

These two literatures rarely cite one another. Of the 142 papers reviewed, only 9 — under 7 % — engaged seriously with the other tradition. This is, we argue, a structural lacuna that this paper addresses.

3. The Three-Layer Framework

Our framework decomposes any digital-accounting innovation into three analytical surfaces. The innovation surface is the set of new affordances and capabilities the innovation provides to accounting work — for example, real-time consolidation across subsidiaries, automated bank reconciliation, AI-generated audit-trail explanations. The control surface is the set of internal-control points required to render those affordances auditable and accountable — for example, segregation-of-duties enforcement, change-management procedures, log-integrity guarantees, evidence-retention policies. The threat surface is the set of attack vectors the innovation introduces — for example, OAuth-token theft, prompt-injection compromises of AI assistants, supply-chain compromise of API plug-ins, insider misuse of consolidated data.

The framework's core claim is methodological: a digital-accounting innovation that grows its innovation surface without commensurate growth in the control surface will inevitably expand its threat surface in unbounded ways. Conversely, an innovation that explicitly co-designs all three surfaces is amenable to the kind of risk-based assurance that accounting standards and the NIS2 directive require.

4. Three Running Examples

4.1 Cloud-native general-ledger migration. A mid-market Bulgarian retailer migrating its general ledger from on-premise SAP to a cloud-native multi-tenant platform. Innovation surface: real-time multi-entity consolidation, API-based integration with payroll and e-invoicing. Control surface: tenant isolation, OAuth scope hygiene, change-management logging. Threat surface: token theft, cross-tenant data leakage, vendor supply-chain compromise.

4.2 AI-assisted account reconciliation. A regional audit firm deploying a large-language-model assistant for first-pass bank-statement reconciliation. Innovation surface: 80 % reduction in junior-staff time on routine matching. Control surface: prompt-injection resistance, output-attestation logging, human-in-the-loop check-pointing. Threat surface: data exfiltration via crafted prompts, hallucinated journal entries entering production, supplier-side model swap without notice.

4.3 Continuous external-audit data exchange. A continuous auditing arrangement between a public-sector entity and its external auditor, using a streaming-data pipeline. Innovation surface: near-real-time audit observations, fraud-detection latency reduced from quarterly to weekly. Control surface: cryptographic log-chaining, segregation of pipeline-administration duties, dispute-resolution procedures. Threat surface: pipeline tampering, denial-of-service on the audit stream, unauthorised disclosure of granular financial data.

5. Five Design Propositions

• P1. Treat every new digital-accounting affordance as triggering a paired control-surface expansion; if the control surface cannot be expanded, the affordance should be re-scoped.
• P2. Make cyber-risk reasoning a first-class part of the AIS design literature; not a footnote in an “implementation considerations” section.
• P3. Require demonstrable threat-model evidence as part of AIS innovation pilots, with at least one external review by a security professional independent of the implementation team.
• P4. Treat AI-assisted accounting as a regulated supplier relationship under NIS2 and equivalent regimes; contract for model-change notification, prompt-injection testing, and incident disclosure.
• P5. Build the human-in-the-loop check-point into the affordance itself; do not retrofit it as a post-implementation control.

6. Implications

For AIS scholarship, the paper argues for the dissolution of the boundary between digital-innovation research and cybersecurity research. The two are studying the same socio-technical object and should be theorised together. For internal-audit practice, the framework provides a structured way to challenge management's risk narratives during digital-transformation projects. For regulators, the framework operationalises the abstract NIS2 requirement of “cybersecurity by design” in the specific domain of financial reporting systems. We also note the paper's relevance to non-EU jurisdictions — including the People's Republic of China, whose 2017 Cybersecurity Law, 2021 Data Security Law, and 2021 Personal Information Protection Law collectively impose obligations of similar severity to NIS2 on enterprise financial systems.

7. Limitations & Future Work

The interview corpus is biased toward internal auditors; future work should incorporate the perspective of external auditors and chief information-security officers. The framework has been instantiated on three examples but not yet validated at scale; a multi-site action-research project across BulAIS member institutions is planned for 2025. Finally, the relationship between the framework and the emerging EU AI-Act risk classifications for accounting use cases is left to subsequent work.

References (selected)

1. Anderson, R. (2008). Security Engineering, 2nd ed. Wiley.
2. Bhimani, A. & Willcocks, L. (2014). Digitisation, big data and the transformation of accounting information. Accounting and Business Research, 44(4), 469–490.
3. Bose, R. (2008). Competitive intelligence process and tools for intelligence analysis. Industrial Management & Data Systems, 108(4), 510–528.
4. Cremonini, M. & Riccardi, M. (2009). The Dorothy project: an open botnet analysis framework. IEEE TrustCom, 2009.
5. ENISA (2018–2024). Threat Landscape Reports. European Union Agency for Cybersecurity.
6. Goel, S. & Chengalur-Smith, I. N. (2010). Metrics for characterising the form of security policies. Journal of Strategic Information Systems, 19(4), 281–295.
7. Granlund, M. & Mouritsen, J. (2013). Editorial: problematising the relationship between management control and information technology. European Accounting Review, 12(1), 77–83.
8. Kokina, J. & Davenport, T. H. (2017). The emergence of artificial intelligence: how automation is changing auditing. Journal of Emerging Technologies in Accounting, 14(1), 115–122.
9. Marrone, M. & Hazelton, J. (2019). The disruptive and transformative potential of new technologies for accounting, accountants and accountability. Meditari Accountancy Research, 27(5), 677–694.
10. Moll, J. & Yigitbasioglu, O. (2019). The role of internet-related technologies in shaping the work of accountants. The British Accounting Review, 51(6), 100833.
11. Quattrone, P. (2016). Management accounting goes digital: will the move make it wiser? Management Accounting Research, 31, 118–122.
12. Spanos, G. & Angelis, L. (2016). The impact of information security events to the stock market: a systematic literature review. Computers & Security, 58, 216–229.
13. Tsohou, A., Karyda, M. & Kokolakis, S. (2015). Analyzing the role of cognitive and cultural biases in the internalization of information security policies. Computers & Security, 52, 128–141.
14. Vasarhelyi, M. A., Kogan, A. & Tuttle, B. (2015). Big data in accounting: an overview. Accounting Horizons, 29(2), 381–396.

← Back to proceedings Next paper →