The implementation of SysTrust principles and criteria for assuring reliability of AIS: empirical study

Purpose – This study aims at investigating the extent of SysTrust’s framework (principles and criteria) as an internal control approach for assuring the reliability of accounting information system (AIS) were being implemented in Jordanian business organizations. Design/methodology/approach – The study is based on primary data collected through a structured questionnaire from 239 out of 328 shareholdings companies. The survey units were the shareholding companies in Jordan, and the single key respondents approach was adopted. The extents of SysTrust principles were also measured. Previously validated instruments were used where required. The data were analysed using t-test andANOVA. Findings – The results indicated that the extent of SysTrust being implemented could be considered to be moderate at this stage. This implies that there are some variations among business organizations in terms of their level of implementing of SysTrust principles and criteria. The results also showed that the extent of SysTrust principles being implemented was varied among business organizations based on their business sector. However, there were not found varied due to their size of business and a length of time in business (experience). Research limitations/implications – This study is only conducted in Jordan as a developing country. Although Jordan is a valid indicator of prevalent factors in the wider MENA region and developing countries, the lack of external validity of this research means that any generalization of the research findings should be made with caution. Future research can be orientated to other national and cultural settings and compared with the results of this study. Practical implications – The study provides evidence of the need for management to recognize the importance of the implementation of SysTrust principles and criteria as an internal control for assuring the reliability of AIS within their organizations and be aware which of these principles are appropriate to their size and industry sector. Originality/value – The findings would be valuable for academic researchers, managers and professional accounting to acquire a better undemanding of the current status of the implementation of the SysTrust principles (i.e., availability, security, integrity processing, confidentiality, and privacy) as an internal control method for assuring the reliability of AIS by testing the phenomenon in Jordan as a developing country.


Introduction
The adoption of information technology as a pillar in the business world renders it critical in terms of reliability and security.System assurance, as a core part of management, is required to ensure that the accounting system and information initiated is reliable.Information technology in business is essential as long as it is reliable and secure.System reliability in administration primarily guarantees the solidity of data and Automated auditing programs: The auditor requires readily made auditing programs or those developed by the auditor because continuous auditing is applied through computing systems.
The core importance of a reliable computing system is specifically identified by the developers of the SysTrust project: The computing systemare running business, producing products and services and dealing with consumers and business partners [. . .]As business dependencies on information technology increases, tolerance decreases for systems that are unsecured, unenviable when needed, and unable to produce accurate information on an instant basis.Like the weak link in a fence, the unreliable system can cause a chain of events that negatively affect the company and its customers, suppliers and business partners (ACICPA/CICA, 2013).
In fact, SysTrust acquires its importance because of the following factors: It reengineers the internal control system of AIS depending on technological basis.It re-conceptualizes AIS-invisible-control-mechanism.It enhances standards of operations and security that are designed for increasing efficiency of AIS.
It grants a guide on a solid ground that helps in measuring AIS reliability and associated risks.
A reliable system is one that is capable of operating without material error, fault, or failure during a specified period in a specified environment.Therefore, any company must have the reliability of the software and database.Romney and Steinbart, (2017), describes the software and databases are not reliable can harm not only the company and employees who use them, but also the company's supply chain.This study gains its importance as it is represented by that fact that it provides orientation for accounting practitioners, users and auditors who receive better understanding of the implementation of the principles of SysTrust service requirements, and a result, facilitates a more in-depth comprehension and assessment of the applied AIS process in terms of reliability.Furthermore, greater understanding of the empirical literature on accounting information reliability should assist policymakers and regulators in establishing financial reporting standards, auditors to implement standards and financial statement users to evaluate accounting information reliability.A deeper understanding of reliability should also assist academics in conducting research to produce new insights on reliability.

Problem statement
Recently studies have emphasized on the necessity and importance of the internal control system in the accounting information system (Joseph et al., 2009;Al-Laith, 2012;Kuhn et al., 2013).However, articles on SysTrust service engagement as an internal control method for assessing reliability in the professional accounting literature are primarily devoted to explaining the background and purpose of this service and its potential demand (such as in Boritz et al., 1999;Pugliese and Hales, 2000).Furthermore, assessment of the reliability of accounting information system remains under-researched as the majority of such studies have focused on the status of AIS use and its applications (Iceman and Hillson, 2012;Yigitbasioglu, 2016;Tarek et al., 2017).Given that most articles of AIS implementation have been based on cases in Europe and the US, cultural and legislation challenges, although complex, show some inconsistency.However, relatively few studies have been implemented outside of the most developing countries, such as in Jordan, which is a beachhead for new

Implementation of SysTrust principles
technologies and business practices in the Middle East and North Africa (MENA).Several authors state that within organizations, attention must be given to the accounting standards and laws of each country because they affect accounting management (Davila and Foster, 2005;Tarek et al., 2017;Romney and Steinbart, 2017).Therefore, the purpose of this research is to investigate the extent of the implementation of the SysTrust service framework (principles and criteria) as an internal control method for assessing the reliability of accounting information system processes by Jordanian shareholding companies.The study also aims to examine the whether the level of implementation of SysTrust service framework's requirements are differ on the basis of the demographic characteristics of business organizations (i.e.sector type, size and experience in business).

Research aim, objectives and questions
The research aim is to explore the extent of the implementation of the SysTrust service model's requirements within Jordanian shareholding companies, and to probe the extent to which its main components are implemented and achieved.Specifically, the core objectives of the present study are as follows: To identify the extent to which SysTrust model requirements (principles and criteria) for assuring the reliability of the AIS process are implemented or used by the shareholding companies in Jordan.This involves examining the content and context of internal control of AIS in Jordan.Several researchers argue that, within organizations, attention must be given to the accounting standards and laws of each country because they impact on accounting management (Davila and Foster, 2005;Romney and Steinbart, 2017;Tarek et al., 2017).
To establish any similarities or differences among business companies in respect of the implementation of SysTrust principles and criteria for assuring reliability of AIS process based on their business sector, size and experiences.
To provide the decision makers with recommendations those aid the account management units in these companies to enhance the reliability of AIS.
The specific questions to be examined are: Q1.To which extent are the existing AIS processes and applications in the Jordanian shareholding companies reliable in terms of providing the requirements of the five principles of the SysTrust model (availability, security, confidentiality, integrity processing and privacy)?
Q2.Is the level of implementation of SysTrust principles criteria for assuring the reliability of AIS differ according to the demographic characteristics of Jordanian shareholding companies, including sector type, number of employees and business experiences?
Theoretical background and literature review SysTrust service framework: definition and importance The SysTrust service framework is an assurance service that was jointly developed by AICPA and CICA.It is designed to increase the comfort of management, customers, and business partners with systems that support a business or particular activity.SysTrust is a type of assurance service performed by a licensed CPA or CA to independently test an organization's system and to offer assurance on the system's reliability.The intent is to enable those who use or rely on the system including the company itself, its partners, and IJAIM 27,3 customers to gain trust and confidence in the system (AICPA/CICA, 2017; Bedard et al., 2005).Unlike COCO and COBIT, Trust Services framework was specifically designed for independent auditors to give an audit opinion as to whether the controls around the system were sufficiently effective to deem the system as "reliable".SysTrust initially began as a distinct standard (separate from WebTrust).In 2003, the two standards, SysTrust and WebTrust, were amalgamated into a single standard.However, practitioners can now draw on the relevant principles and criteria from the Trust Services Principles and Criteria framework and give a SysTrust opinion.The standard in its entirety consists of 5 principles, 4 control layers and 139 criteria in total (AICPA/CICA, 2013).
The greatest difference between COBIT and SysTrust can be understood by examining the deliverable that is produced by each framework.COBIT envisions a "maturity model", wherein a firm moves from a low level of maturity (the lowest being 0) to the highest level of maturity.The idea behind assessing the organizations level of maturity is that management will "grade itself" (Martin, 2005).In contrast, SysTrust is designed specifically with the idea that independent auditors will render opinions on the state of control that exists over a system.According to Irving Tyler CIO of Quaker Chemical "COBIT is great from a management point of view, but not all of that applies to Sarbanes-Oxley [. ..]There's lots of good advice and guidance in there that should not be a part of a Sarbanes-Oxley audit" (Martin, 2005).In contrast, the SysTrust framework identifies the specific controls that are necessary to ensure that the system is reliable.
According to the AICPA (2013), SysTrust is an assurance service that independently tests and verifies a system's reliability.The AICPA succinctly describes the overall purpose of SysTrust in the following way: Developments in information technology provide far greater power to companies at far lower costs.As business dependence on information technology increases, tolerance decreases for systems that are not secure, and these systems become unavailable when needed and unable to produce accurate information on a consistent basis.An unreliable system can cause a chain of events that negatively affect a company and its customers, suppliers, and business partners (Boritz and Hunton, 2002).Although COBIT and SysTrust share common foundational frameworks (Committee of Sponsoring Organizations of the Treaway Commission [COSO], 2013), the terminology used to describe information quality is slightly different in each document.Using the definitions contained in each document, the AICPA information qualities have been mapped into the seven COBIT information qualities of efficiency, integrity, effectiveness, availability, confidentiality, reliability and compliance.Five of the COBIT information qualities map directly into the SysTrust principles.Efficiency and reliability are not directly represented (Boritz and Hunton, 2002).An IT control objective is defined by COBIT as "[a] statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity."The objective of a SysTrust engagement is to determine whether management has maintained effective controls over its system to enable the system to function reliably.First, management provides assertions regarding the availability, security, integrity and maintainability of the system.Then, the auditor determines the existence of system controls and performs tests to assess the extent to which such controls were operating effectively during the period covered by the assurance report.
The SysTrust assurance service is distinct from reporting on internal control over financial reporting, which was established in 1993 by the AICPA and is described in SSAE No. 6.5 The latter service is limited to internal controls related to financial reporting and typically uses the criteria established in COSO, Internal Control: Integrated Framework.As such, it does not address the reliability of information systems designed for the broader decision needs of management and external users, who may need online access to real-time,

Implementation
of SysTrust principles updated and accurate information.In contrast, the new SysTrust assurance service relates directly to the overall reliability of a system, regardless of the type of information processed by the system.As such, the system may include financial and nonfinancial information that is critical to management and external users.Martin, (2005) also found the Trust Services framework to be a much more focused framework to work within the context of a SOX engagement and due the Trust Services "focus on the controls that are in place to ensure the company's systems carry out business processes reliably".He also found that the "Trust Services' illustrative controls are detailed enough to help management identify the controls that exist and those that are missing".A reliable system is the one that works without material errors, fault, or failure during a specified time in a specified environment.As for the symptoms of unreliable systems, they include frequent system failures and accidents that prevent users from accessing essential services, failure to prevent unauthorized access to the system, which makes it vulnerable to viruses, hackers and loss of data confidentiality, loss of data integrity, including corrupted, incomplete and fictitious data, and serious maintenance problems resulting in unintended negative side effects (Boritz and Kearns, 2000).This assurance service has the potential to provide a twofold benefit: (1) enhancing the confidence of a broad audience (management, boards of directors, customers, and business partners) regarding the reliability of information systems (Pugliese and Hales, 2000); and (2) providing accounting professionals with the ability to leverage their existing skills to fulfil the needs of the systems assurance marketplace (Pugliese and Hales, 2000).
Based on these potential benefits and the increasing dependence of companies on information technology, the profession expects that SysTrust engagements will contribute to the demand for trust services, as well as other assurance services, as predicted by Elliott (1995).Through the WebTrust and SysTrust services, companies have the ability to establish their credibility and build confidence with important end users.SysTrust can benefit a business's day-to-day operations in the following scenarios: A company is trying to win a major contract as a supplier to a corporation that uses just-in-time (JIT) inventory management.A SysTrust report that demonstrates the reliability of the company's systems and shows its capacity to be a dependable partner in the JIT environment enables the company to differentiate itself from its competitors.A company decides to outsource its human resources, payroll, and other employeerelated systems.To ensure smooth operations, it insists that any successful bidder maintain unqualified SysTrust reports on the outsourced systems.
A retailer qualifies for a discount on business interruption insurance because its SysTrust report attests to the reliability of its inventory management systems.
When technology problems at foreign subsidiaries cause trouble for an international company, its audit committee decides to adopt the SysTrust principles and criteria as a minimum standard for key subsidiaries (Arnold, et al., 2000).
Users of SysTrust would be interested in a systems assurance examination for some of the following reasons: Internal and external users can lose access to essential services because of system failures and crashes.Systems can be vulnerable to viruses and hackers because of unauthorized system access.

IJAIM 27,3
System failure can result in loss of access to system services or loss of data confidentiality or integrity.
Negative publicity in the wake of high-profile system failures can undermine customer and investor confidence.
Regarding the factors and drivers that are behind the demand on this service, (Boritz and Kearns, 2000) pointed out that the demand on this service resulted from companies' search for new markets, reduced costs, and faster change which forced companies to rely on third parties' systems through different ventures.This assurance service profits internal and external parties of the entities that are engaged in information-based commercial activity, such as system users, outsourcing service providers, system developers and consultants, management and board of directors, and internal auditors and system owners (Boritz and Hunton, 2002).Furthermore, as computer systems can be isolated, it is necessary to observe and verify their performance through a capable assurance provider, and also as an IT is a complex field, it requires special expertise.System unreliability can pose a risk due to making incorrect decisions for system users, or when there are major consequences related to unreliability, such as unnecessary costs, poor revenue, loss of investors' trust due to system failure; therefore, assurance on system reliability is greatly valued (Boritz and Hunton, 2002;El-Syaed and Hassan, 2010).Boritz et al. (1999) and McPhie (2000) have documented several examples of unreliable systems.These include: denial of service, where users cannot use the system because it fails or crashes, or there are capacity issues; unauthorized access, where the system is working, but viruses or hackers invade the system, or confidentiality is lost; and loss of data integrity, where information is corrupted, incomplete or fictitious.
In a SysTrust service, the management of a company prepares a description that defines the aspects of the system that will be covered, so that the scope is clear to users of the report.Then, a licensed practitioner (CPA or CA) performs audit procedures to examine and test the five key components of the system (infrastructure, software, people, procedures, and data), as well as their relationships.Finally, the practitioner assesses whether the whole system meets the SysTrust principles and the related criteria.If the system satisfactorily meets all the principles and the related criteria, it achieves the reliability defined by SysTrust.The practitioner will issue a written SysTrust assurance report with an unqualified opinion, independently verifying that the company has effective system controls and safeguards enabling the system to function reliably.The company may use the SysTrust assurance report in its marketing of documents, agreements and contract with customers, business partners or others system users to enhance trust in its system.Concerning the participating parties in the assurance services, Bedard et al. (2005) notes that there are three parties involved in systems assurance services: the users of the assurance services; the entity hiring the assuror (assurance provider); and the assuror or "provider".
Assurance providers play a crucial role in the assurance service engagement, and they should have certain attributes.Knechel et al. (2006) discusses the required attributes of assurance service providers by using a sample of Dutch senior accounting and financial officers, and suggests certain attributes: confidentiality, expertise, professional reputation, independence, objectivity, integrity, and costliness.They concluded that overall expertise

Implementation of SysTrust principles
and objectivity are perceived to be the most important attributes for selecting an assurance service provider.Cost is perceived as the least important attribute for assurance services in general.Most respondents (97.6 per cent) agree that expertise is important in the assessment of systems reliability.In addition, the provider of system trust service should have skills related to information technology; however, the degree of complexity depends on the system being examined (Boritz et al., 1999).
The AICPA (2013) Assurance Services Executive Committee has developed a set of principles and criteria (trust services principles and criteria) to be used in evaluating controls relevant to the security, availability, and integrity processing of a system, and the confidentiality and privacy of the information processed by the system.In this document, a system is designed, implemented, and operated to achieve specific business objectives (for example, delivery of services, production of goods) in accordance with management specified requirements.System components can be classified into the following five categories: (1) Infrastructure: The physical structures, IT and other hardware (for example, facilities, computers, equipment, mobile devices and telecommunications networks).
(2) Software: The application programs and IT system software that supports application programs (operating systems, middleware and utilities).
(3) People: The personnel involved in the governance, operation, and use of a system (developers, operators, entity users, vendor personnel and managers).(4) Processes: The automated and manual procedures.
(5) Data.The information used or processed by a system (transaction streams, files, databases and tables).
The AICPA (2013) and CICA have developed the following principles and related criteria for use by practitioners in the performance of trust services engagements.Availability.The system is available for operation and use as committed or agreed.The availability principle refers to access to the system, products, or services that contract, servicelevel, or other agreements advertise or agree.To note, the principle itself does not set a minimum acceptable performance level for system availability.The minimum performance level is confirmed through a mutual agreement (contract) agreed upon between parties.The availability principle does not address system functionality (the specific functions a system performs) and system usability (the ability of users to apply system functions to the performance of specific tasks or problems), but does address whether the system includes controls to support system accessibility for operation, monitoring, and maintenance.In assuring availability, the SysTrust provider attests that accessibility to the system, products or services is available as committed to, or agreed upon, by the entity.
Security.The security principle refers to the protection of the system resources through logical and physical access control measures to support the achievement of management's commitments and requirements related to security, availability, integrity processing, and confidentiality.Controls over the security of a system prevent or detect the breakdown and circumvention of segregation of duties, system failure, incorrect processing, theft or unauthorized removal of data or system resources, misuse of software, and improper access to, or use of, alteration, destruction, or disclosure of information.Assurance of system security implies that access is restricted to the physical components of the system, the logical functions the system performs, and the information stored in the system (AICPA, 2013).

IJAIM 27,3
Processing integrity.The integrity processing principle refers to the completeness, accuracy, validity, timeliness, and authorization of system processing.Processing integrity exists if a system performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation.Completeness generally indicates that all transactions are processed or all services are performed without exception.Validity refers to processing transactions and services no more than once and with compliance to business principles and expectations.Accuracy refers to keeping important information, concerning the submitted transaction, accurate while the transaction is being processed and that the transaction or service is processed as planned.The agreement context made for the provision of services or delivery of goods shows their eligibility (AICPA, 2013(AICPA, , 2017)).Authorization means that processing is performed in accordance with the required approvals and privileges defined by policies governing system processing.Processing integrity does not automatically imply that the information received and stored by the system is complete, valid, accurate, current, and authorized.System control usually cannot address the risk that data contain errors introduced prior to its input in the system, and the unit is not usually liable to identify these types of errors.In the same way, users from outside the system boundary may be accountable for starting processing.The data may become invalid, imprecise, or unsuitable if actions such as these are not taken.System integrity processing refers to the completeness, accuracy, timeliness, and authorization of system processing (i.e., all phases of processing, including input, transmission, processing, storage, and output).If integrity processing is not present, even a system that is secure and available is of little benefit to users.While the number of audit failures directly attributed to inaccurate assessment of controls is relatively small, there have been a significant number of system failures that have caused users untold grief.System integrity processing addresses all system components and all phases of processing (input, transmission, processing, storage, and output) that are the subject of the SysTrust engagement.If a system processes information inputs from sources outside the system's boundaries, an entity can establish only limited controls over the completeness, accuracy, authorization, and timeliness of the information submitted for processing because, for the most part, procedures at external sites are beyond the entity's control.Thus, when the information source is explicitly excluded from the boundaries of the system that define the SysTrust engagement, it is important to describe that exclusion in the system description.In other cases, the data source may be an inherent part of the system being examined, and controls over the completeness, accuracy, authorization, and timeliness of information submitted for processing would be included in the system description (ACIPA, 2017).
System integrity exists if a system performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation of the system.In this document, system integrity refers to the completeness, accuracy, timeliness, and authorization of system processing.In this document, data integrity refers to the completeness, accuracy, currency, and authorization of data.Data integrity depends on system integrity, and system integrity depends on controls over system components and the risks affecting those components in the system's business context.Although system and data integrity are obviously related, the focus of a SysTrust engagement is system integrity.Because SysTrust is a controls-based engagement, ordinarily it would not provide sufficient evidence to enable a practitioner to provide examination level assurance about data integrity (AICPA, 2013).This is due to the following inherent limitations of controls: the possibility of circumvention, either by employee collusion or management override, when it is difficult to prevent or detect such circumvention;

Implementation of SysTrust principles
the trade-off between operating efficiency and complex controls that may reduce exposure; the practical materiality limits, below which it is impractical to implement controls; changing conditions in entities that may lead controls to deteriorate or to become inappropriate; and the reliance on human judgment in the design, implementation, and monitoring of controls, any of which may lead to control breakdowns.
Because of the inherent limitations of controls, evidence about the effectiveness of controls over system integrity ordinarily would not provide sufficient evidence about data integrity to reduce attestation risk to the low level required.Thus, although evidence about the effectiveness of controls over system integrity may be very persuasive, procedures beyond those performed in a SysTrust examination would be required to reduce attestation risk about data integrity to a level required by examination-level attestation standards.It is also important to recognize that system integrity does not automatically imply that the information stored by the system is complete, accurate, current, and authorized.This is because errors may have been introduced into system data at some previous time (for example, at initial data conversion) and those errors could still be present in the data, even though current system processing may be complete, accurate, timely, and authorized.

Confidentiality
The confidentiality principle refers to the system's ability to protect the information designated as confidential, as committed or agreed.Unlike personal information, which is defined by regulation in a number of countries worldwide and is subject to the privacy principles, there is no widely reorganized definition of what constitutes confidential information (AICPA, 2006(AICPA, , 2013)).Partners usually exchange information that need to be kept confidential, at the time of communicating and transacting business.Often the request of respective parties is that they be assured that the information they give is only accessible for those individuals who need access to it, to complete the transaction or to clarify any questions that may arise.To enhance business partner confidence, it is important that the business partner be informed about the entity's system and information confidentiality policies, procedures, and practices.The entity needs to disclose its system and information confidentiality policies, procedures, and practices relating to the manner in which it provides for an authorized access to its system, and uses and shares information designated as confidential.The need for information to be confidential may arise for many different reasons.For example, the information is proprietary information, information intended only for company personnel, personal information, or merely embarrassing information.
Confidentiality is distinguished from privacy, in that: Privacy deals with personal information, whereas confidentiality refers to a broader range of information that is not restricted to personal information.Privacy addresses requirements for the treatment, processing, and handling of personal information (AICPA, 2013(AICPA, , 2017)).
Privacy.Privacy can be defined as the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information.Distributed by the AICPA and CICA, criteria set forth in Generally Accepted Privacy Principles indicate that personal information is collected, used, maintained, disclosed, and destroyed.This is also in compliance with the agreements in the IJAIM 27,3 entity's privacy notice.Personal Information refers to information relative to an identifiable individual and includes any information that can be directly or indirectly used to identify an individual, and any information that can be connected to an individual.Any information, gathered by an organization, which can be linked to an individual, is most often considered personal information.Individuals expect their privacy to be respected and their personal information to be protected by the organizations with which they do business.They are no longer willing to overlook an organization's failure to protect their privacy.Therefore, all businesses need to effectively address privacy as a risk management issue.The following are specific risks of having inadequate privacy policies and procedures (AICPA, 2013): damage to the organization's reputation, brand or business relationships; legal liability and industry or regulatory sanctions; charges of deceptive business practices; customer or employee distrust; denial of consent by individuals to have their personal information used for business purposes; lost business and consequential reduction in revenue and market share; disruption of international business operations; and liability resulting from identity theft.
For organizations operating in more than one country, the management of their privacy risk can be a significant challenge.For example, the global nature of the Internet and business means regulatory actions in one country may affect the rights and obligations of individual users and customers around the world.Many countries have laws regulating trans-border data flow, including the European Union's (EU) directives on data protection and privacy, with which an organization must comply if it wants to do business in those countries (AICPA, 2013).Therefore, organizations need to comply with changing privacy requirements around the world.Further, different jurisdictions have different privacy philosophies, making international compliance a complex task.To illustrate this, some countries view personal information as belonging to the individual and take the position that the enterprise has a fiduciary-like relationship when collecting and maintaining such information.Alternatively, other countries view personal information as belonging to the enterprise that collects it.In addition, organizations are challenged to try and stay up-to-date with the requirements for each country in which they do business.By adhering to a high global standard, such as those set out in this document, compliance with many regulations will be facilitated.Even organizations with limited international exposure often face issues of compliance with privacy requirements in other countries.Many of these organizations are unsure how to address often stricter overseas regulations.This increases the risk that an organization inadvertently could commit a breach that becomes an example to be publicized by the offended host country.Furthermore, many local jurisdictions (such as states or provinces) and certain industries, such as healthcare or banking, have specific requirements related to privacy.The trust services framework identifies four essential criteria for successfully implementing each of the five principles that contribute to systems reliability (AICPA, 2013): (1) Developing and documenting policies.The entity has defined and documented its policies relevant to the particular principle.(The term policies as used here refer to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject.)

Implementation of SysTrust principles
Management needs to develop a comprehensive set of security polices before designing and implementing specific control procedures.Developing a comprehensive set of security policies begins by taking an inventory of information system resources.This includes not only hardware but also software and database.(2) Effectively communicating policies to all authorized users.The entity has communicated its defined policies to responsible parties and authorized users of the system.To be effective, this communication must involve more than just handling people written documents and asking them to sign an acknowledgment that they received and read them.Instead, users must receive regular, periodic reminders about security and training in how to use them.
(3) Designing and employing appropriate control procedures to implement.The entity placed in operation procedures to achieve its objectives in accordance with its defined policies.(4) Monitoring the system and taking a corrective action to maintain compliance with policies: The entity monitors the system and takes action to maintain compliance with its defined policies.Effective control system involves a continuous cycle of developing policies to address identified threats, communicating those policies to all employees, implementing specific control procedures to mitigate risks, monitoring performance and taking a corrective action in response to identified problems.The necessary corrective action often involves the modification of the existing policies and the development of new ones.

Literature review
To survey empirical studies pertinent to the reliability of AIS as the main focus, a scholarly internet search engine (scholar.google.com), in addition to several online databases, was used.The databases cover all leading journals, not only in the fields of internal control of AIS process, but also in the accounting of information systems in general and the recently developing field of trust service in e-commerce and accounting.AIS is embedded within IS journals.The majority are conceptual or non-empirical, where the empirical previous studies that discuss the same topic apply one of the two approaches, either qualitative or quantitative.The theory of demand for trust services is based on some innate hardships related to electronic commerce.While all business transactions carry a risk factor that intended transactions will not be processed as planned, the risk factor is greater in electronic commerce because of the loss of human mediators that are at hand in physical markets, indicating a reliance on electronic systems to avert, or identify and correct, errors (Tan and Theon, 2002).In addition, as information irregularity between parties to transactions is higher in electronic commerce, they are usually geologically distributed (Enofe et al., 2012;Al-Laith, 2012).Henry (1997) carries out a survey on 261 companies in the USA to determine the nature of their accounting systems and security in use.Seven basic security methods were presented in his study.These methods were encryption, password access, backup of the data, viruses' protection, and authorization for system changes, physical system security and periodic audit.Henry's study results indicate that 80.3 per cent of the companies' backup their accounting systems, 74.4 per cent of the companies secure their accounting systems with passwords, where only 42.7 per cent use antivirus in their systems.The results also reveal that less than 6 per cent of the companies use data encryption, lastly 45 per cent of IJAIM 27,3 companies undergo some sort of periodic audit for their accounting information systems.Another study, carried out by Qurashi and Siegel (1997), assures the accountant's responsibility to check the security of the computer system.The researchers carried out a theoretical study to develop a security checklist.This list covers the following four security controls groups: Client policy, Software security, Hardware security and Data security.Cerullo and Michael (1999) conducted a survey using a questionnaire of twenty potential security and control mechanisms, which was circulated among audit directors of two hundred fortune companies in the USA.These mechanisms were placed by Cerullo study in four categories, namely, client-, network-, server-and application-based.Tan and Theon (2002) conclude that parties would not use an electronic transaction unless the degree of transaction trust is higher than the threshold value, which relies on features of the party and of the transaction itself.The possibility to resist taking part in electronic transactions develops the requirement for a service that will strengthen trust to the level that it exceeds the user's threshold.
WebTrust and SysTrust deal with this requirement through assuring observance of standards of control.Together, the attributes of the particular assurances made (e.g.reliability, privacy, etc.), and the attributes of the assuring party (Kaplan and Nieschwietz, 2003) are theorized to result in the trust-enhancing value of these services.From amongst trust services literature, the researchers Kovar and Mauldin (2003) give a theoretical model that targets its focus on the natural prospective need for assurance services, resulting together from circumstantial business setting features and sources of information risk within that setting and from a precedent of the market demand for third-party assurance services.Furthermore, many studies investigate whether web trust influence consumers' concerns about taking part in online transactions (McCole, et al., 2010;Fortesa and Ritab, 2016).These studies tend to find a positive influence of WebTrust on customers' attitudes and/or behaviour, but also find that the level of the influence varies according to the knowledge of the customers, which includes their familiarity with the service.
Additionally, Arnold et al. (2000) find that a graded report may be more informative than the binary report that is presently administered (i.e.reporting that the service either meets or does not meet certain criteria).Also, experimental studies tend to find that the effect of WebTrust is similar to that of other competitive products, signifying consumers' lack of ability to differentiate between them.Findings from other research reveal that as well as consumers, financial professionals may also help WebTrust in the decisions they make.Hunton et al. (2000) find that WebTrust assurance results in greater earnings forecasts and stock price estimates by financial researchers, indicating conviction that a WebTrust seal is related to greater quality and, therefore, better expectations for future business.Because SysTrust was created after WebTrust, there is a lack of experimental research available in that perspective.In their study of electronic data interchange (EDI), Khazanchi and Sutton (2001) give evidence of the requirement for systems assurance, illustrating that numerous companies enforcing these systems do not use them to full benefit.This shows that entities authorizing EDI for their clients or customers should require assurance of suitable functioning.Results of these studies recommend a demand for trust services.Consequently, it follows that there should be a positive effect on the business of clients that meet approved trust services standards.Moreover, a study from Havelka et al. (1998) argues that expression of agreement on measurement criteria for assurance services among providers and users will enable a more effective and efficient production of those services.
They created measurement criteria for assurance services generally, and made a comparison of the views of IT consultants and system users on the related significance of those criteria in performing systems assurance.While current research indicates that trust

Implementation
of SysTrust principles services assist in reducing user resistance to depend on companies' systems when undertaking electronic commerce, many types of possible future research appear from methodological and theoretical issues concerning the existing standing of the literature in this area.One methodological concern emerges from the knowledge that the prime research method used is the behavioural experiment.Experimental methods are important because they are strong in internal validity.However, if there were archival research and field studies in addition to behavioural research, understanding of users' demand for trust services and the impact on user decisions would be improved.As written in the financial statement auditing literature, targeting research on actual users' experiences would allow a stability of internal and external validity.For example, experimental research could be important in evaluating the nature of demand for trust services.The principal theories available regarding user demand are connected to the presence of threshold levels of trust needed to decrease resistance in using electronic commerce.In hypothetical scenarios, usually found in behavioural experiments, it may be hard to imitate this resistance.
Information not available on the difference on how users' threshold trust levels, and factors connected with this variance, make it difficult to explain demand for trust services in general and for the particular aspects of these services in particular.Another theoretical issue is that so far there has been no research that addresses users' assumptions regarding outcomes of trust services, or what their actions would be if these assumptions are not met.Supposedly, if an assurance services' trust levels increased to the level that a formerly resistant party uses electronic commerce, then that user will uphold the assumption that trade will continue in a safe and continuous way.Breach of this assumption could result in legal actions against the provider because this issue is related to verification risk for the assuror and is explained in the provider's section below.Chang's (2001) research declares that organizational effectiveness in a worldwide competitive environment is extensively attributed to accounting information.Doms et al. (2004) point out that the most significant source of externally viable information on companies is still financial statements.There is some concern that accounting practice is not up-to-date with fast economic and high technology changes, in spite of their widespread use and continuing advance, which consistently affects the significance value of accounting information.The significance of Chang's declaration is strengthened by a fast changing business environment and reports by some researchers indicating that the importance value of accounting information has decreased due to an increase in accounting fraud in developed countries such as the USA.Furthermore, SysTrust is one of the models to update Internal Control Systems (ICS) of AIS through frame working the technological variables which affect designing AIS.Due to such nature, much of the practical studies have been implemented using the principles and criteria of SysTrust to examine quality and performance of AIS.The term ICS has been used by COSO (2013) to refer to the risks associated with ineffectiveness management of public companies, both large and small.Integrated framework of COSO has long served as a blueprint for establishing internal controls that promote efficiency, minimize risks, help check the reliability of financial statements, and comply with laws and regulations.According to COSO's study, ICS is no longer accounting concept.COSO's report has outlined 26 fundamental principles associated with the five key components of ICS: control environment, risk assessment, control activities, information and communication and monitoring.SACF (2001) considers the control objectives associated with use of IT.The study is widely known as COBIT.COBIT consists of three control groups: business objectives, IT resources, and IT-based process.
The key feature of COBIT is coming from the fact that it has developed 36 standards of control related to security of IT-based AIS.The impact of IT formed an accounting process IJAIM 27,3 on the operational variables of cost and productivity, and profitability has been addressed by Casolaro and Gobbi (2004).The study was conducted on more than 600 banks belonging to the Italian banking industry.The study concludes with the facts that intensive use of ITbased AIS has reasonable impact on: reduction of banking services cost, expansion of banking services package, and increasing banking profit.
Another study was conducted by Raupeliene and Stabingis, (2003)  A study by Warren (2002) entitled "Security Practices" attempts to study the difficulties facing the information system using a sample consisting of Australian, English and American companies.The results of the study show that the limitation of technological security procedures and intentional incorrect entry of financial data in the American companies is a noticeable limitation facing information system.Previous literature discussed the effect of assurance on its beneficiaries.Boritz and Hunton (2002) tried to evaluate the amount that auditor-provided systems reliability assurance affects prospective service recipients' through the probability of recommending that their company enter into a contractual agreement with the service provider, and the comfort level with the reliability of the service provider's information systems.
Abu Musa (2004) performs an empirical study to investigate the adequacy of security controls implemented in the Egyptian banking industry (EBI), where the respondents were limited to the head of the computer department and the head of internal audit department.Abu Musa tried to check whether the applied Security Controls in the EBI are adequate to protect against the perceived security threats through self-administrated checklist.The CAIS security checklist included eighty security procedures which were categorized under the following ten groups.
(2) Hardware and physical access security controls.
(3) Software and electronic access security controls.
(4) Data and data integrity security controls.
(5) Off-line programs and data security controls.Another empirical study was conducted by Abu- Musa (2010) in Saudi Arabia, shows that the majority of business organizations not have disaster recovery plans to deal with information security incidents and emergencies as well as information security functions

Implementation
of SysTrust principles and authorities are not well-identified and communicated.In addition, it also indicates that the risk assessment process and procedures are not appropriately and effectively executed.Boritz (2005) conducts an extensive review of the literature to identify the key attributes of information integrity and related issues.He brought two focus groups of experienced practitioners to discuss the documented findings extracted from the literature review through questionnaire examining the core concepts of information integrity and it elements.He considers information security as one of the core attributes for information integrity.This security should cover the following areas: physical access controls and logical access controls.The results indicate that the security has a lower impairment severity score than other severe practical aspects, such as availability and verifiability.Boritz's such findings refer to the effective use of security controls in the organizations represented.
In his study, Martin (2005) focuses on the fulfilment of Sarbanes-Oxley act 2002 that requires public companies to report about the effectiveness of their internal control systems He explained that the American companies are using COBIT for Sarbanes-Oxley act 2002 compliance, and this is because its objectives have been mapped to COSO in a publication entitled IT Control Objectives for Sarbanes-Oxley.COBIT also has been mapped to popular enterprise resource planning (ERP) systems, such as SAP, Oracle and PeopleSoft.This mapping and related guidance provides COBIT with framework references and methodologies for auditing and testing the major ERP systems.But it is decided later to use SysTrust service to ensure the company's systems carry-out business processes reliably.Herein, Martin establishes five-step processes showing how the CPAs can use the trust service framework to evaluate a company's IT controls when the entity primarily uses the COSO approach.These steps are: Use COSO framework to identify the risks in each business cycle and the controls that mitigate them, Gather initial IT information, Identify all information systems that relate to financial reporting.Be used to trust services framework to create one overall IT matrix, Assess the controls identified in the matrixes created above.Martin (2005) mentions the same steps in his study, in which he tries to explain how information system auditor can use the AICPA/CICA trust services framework to evaluate internal controls, particularly controls over information technology.The participants in the experiment were 481 middle and upper-level managers from a wide range of functional areas.The study concludes that auditor-provided assurances on information systems availability security, integrity and maintainability will show significant key effects with respect to the probability of the participant entering into a contractual agreement with the ASP organization.In addition, the comfort level of the participant with the reliability of the ASP organization's ERP system will increase.
In the same perspective, Mauldin et al. (2006) investigate the possible demand for thirdparty assurance reports in business-to-business electronic commerce (B2B e-commerce) by observing the purchase decisions of 95 professionals to advise using a B2B exchange.The experiment uses the 2 Â 2 between subject's design, and varies the assurance scope (system related assurance vs. data related assurance) and assurance timing (continuous assurance vs static assurance) with another control condition of no assurance.The results of the study show that there is more probability of purchasing professionals advising using the exchange when general assurance over the reliability of the exchange's system exists, than when specific assurance over the reliability of transaction information exists.There is also a greater chance of purchasing professionals advising using the exchange when the assurance IJAIM 27,3 report is continuous than when it is static, issued at a given time.However, the results also suggest that those participating are less probable to recommend using the exchange when specific information assurance or static assurance exists than when assurance does not exist at all.Also, Meharia (2012) aims to study the effects of assurance services and the trust in the mobile payment system on how users' use the system.To demonstrate this matter, the study depends on the Technology Acceptance Model (TAM).The study finds that the users' intention to use their attitude towards the system determines their real use.Their attitude towards the system is decided by the apparent usefulness of the system and the simplicity of use.However, the study adds that the assurance on the security, availability, confidentiality, privacy, and process integrity of the system will have a positive influence on the users' attitude towards the system, in combination with the apparent usefulness and simplicity of use.
Also, from a security perspective, Siponen and Oinas-Kukkonen (2007) reconcile prior security research literature and emphasize the distinct importance of accessibility and availability as it relates to communication issues, like user authentication and appropriate maintenance of data retention.Strong et al. (1997) also segregate and highlight the importance of accessibility as a determinant of data quality.In particular, they emphasize the importance of access security and timely availability to data.Likewise, Nelson et al. (2005) argue that accessibility represents a system attribute that is distinct but similar in importance to the system's ability to produce reliable data, although they argue that this impact of accessibility is second in order of influence to the system's processing reliability.In the same manner, Zhou (2011) intends to evaluate the influence of initial trust on user adoption of mobile banking.The study supposes that initial trust decides the intent to use the mobile banking system, as well as the apparent usefulness of the system.The initial trust is decided by the structural assurance (such as third party certifications), information quality, and system quality.The apparent usefulness is decided by the information quality and system quality.Information quality indicates the relevance, adequacy, precision and timeliness of the information.Whereas system quality indicates the speed of access, simplicity of use, navigation and look of the mobile banking system (Kim et al., 2004as cited in Zhou, 2011).The study finds that structural assurance, information quality, and system quality have an influence on initial trust.Users need to depend on structural assurance to trust mobile banking because mobile banking relies on wireless networks and includes great risk and doubt.Information quality and system quality have an influence on the apparent usefulness of the mobile banking system.Users may feel that the providers of these types of system will not provide quality services to them if the quality of information is low.
Furthermore, if mobile banking has a slow access speed or if users experience service unavailability or interruption, because of system unreliability, users' observation towards mobile banking will have a negative effect.In the same context, Greenberg et al. (2012) aim to investigate the influence of SysTrust criteria (availability, integrity and security) on users' intent to use reliability on an online accounting system (of Oracle Small Business Suite).According to the TAM, the study supposes that the intention to take up online systems depends on the apparent usefulness of the system, apparent ease of use, trust in system reliability, and trust in the internet.The study finds that users' intention to take up the online accounting system is greater when users' trust in system reliability and trust in the internet are greater.The results of the study indicate that the reliability of a system, as measured by SysTrust criteria, is related to the decisions relevant to the intention to take up online accounting systems.Consequently, it is apparent that system assurance has a positive influence on system users, their reliance and, therefore, on their decisions, particularly when this assurance is provided constantly, which is more suitable according to

Implementation of SysTrust principles
the present changing environment.The study by Topash (2014) likewise found that the accompanying criteria or indicators should be available in any accounting information system for it to be productive in any organization which is, cost effectiveness, great documentation, presence of legitimate safety efforts, free inward and outside review, separation of other operation from accounting, and effective internal control.In smellier vain, Daneila (2013), state that accounting information systems and internal controls have a positive relationship to the financial reporting to produce reliable financial statements.
In reviewing the literature, it can be seen that Certified Public Accountants (CPAs) can provide assurance on RTA Information Systems.CPAs are accepted as independent parties that provide assurance concerning the accuracy and fairness of financial information (Boritz and Hunton, 2002), CPA, also acquire advanced technical competencies (Burton, et al., 2012).Boritz and Hunton (2002) aim to assess the extent to which auditor-provided systems reliability assurance affects potential service recipients': (1) likelihood of recommending that their company should enter into a contractual agreement with the service provider; and (2) comfort level with the reliability of the service provider's information systems.
Based on an experiment on 481 middle-and upper-level managers from a broad spectrum of functional areas participating in the study, the conclusion is that auditor-provided assurances on information systems availability security, integrity and maintainability will exhibit significant main effects with respect to the participants' likelihood of entering into a contractual agreement with the ASP firm and the participants' comfort level with the reliability of the ASP firm's ERP system will increase.Similarly, Greenberg et al. (2012) have attempted to study the impact of SysTrust criteria on users' intention to use online accounting systems and their reliability.Based on the TAM, the study posits that the intention to adopt online systems depend on the perceived usefulness of the system, perceived ease of use, trust in system reliability, and trust in the internet.The study finds that users' intention to adopt the online accounting system is higher when users' trust in system reliability and trust in the internet are higher.The results of the study suggest that the reliability of a system, as measured by SysTrust criteria, is relevant to the decisions related to the intention to adopt online accounting systems.
Furthermore, it is predicted that accounting organizations will benefit from their long experience of financial audits and will probably surpass other types of assurance providers in the formal application of non-financial assurance services (Perego, 2009).Additionally, when providing financial matters, CPAs should follow strict and comprehensive ethical and professional standards (Boritz and Hunton, 2002).For this reason, the American Institute of Certified Public Accountants (AICPA) considers assurance service on electronic systems a logical and natural extension to the already present services that the auditor provides (AICPA, 2017).Proposed benefits of the use of SysTrust service include improved confidence in the systems of both business partners' and one's own internal systems, avoiding problems of system development (McPhie, 2000) and reducing the cost of business interruption insurance (Pugliese and Hales, 2000).The literature also suggests that SysTrust provides a good framework for auditing internal systems and restructuring systems controls and procedures (Bedard et al., 2005).It also sets a standard for structuring information technology outsourcing agreements.While recognizing the potential benefits of trust services, Gray (2002) warns customers to investigate the relative value of the benefits against the associated cost before hiring a third party assurance provider.Accordingly, it is clear that system assurance has a positive impact on system users and their reliance and in turn on their decisions, especially when this assurance is provided on continuous basis, IJAIM 27,3 which is more suitable to the current changing environment.SysTrust developers also expect that the SysTrust report would be seen in the market as a sign of quality.According to this viewpoint, Bedard et al. (2005) imply that SysTrust opinions will function as a marketing tool and add value for the client.In the most recent version of the trust services guidelines, electronic seals or reports can be used with SysTrust engagements.Users may recognize that displaying the electronic seals or reports will help in their marketing efforts through improving their skill to distinguish themselves from other entities.This contention is supported by the results of the study of Arnold et al. (2000), which indicate that goodquality dealers are willing to pay for reports that differentiate along quality lines.
Moreover, Boritz and Hunton (2002) report that SysTrust assurance significantly increases user comfort levels with the reliability of the information technology of a service provider, as well as the possibility that users would recommend contracting with the service providers.Even though the possible benefits of trust services to clients have been focused on in the literature, there is a lack of experimental evidence to support the belief that the existence of a trust service assurance report gives a precise sign of systems quality.The study by Jamal and Maier (2002) focuses on this aspect and examines the link between the existence of web seals and actual company practices with regard to information privacy.The results indicate that, on overall, clients comply reasonably well with privacy policies concerning notification, disclosure, and privately identifiable information choice options.While compliance with acknowledged privacy policies is not perfect, Jamal and Maier (2002) find that disclosure for web sites with privacy seals is better than those without seals.Enofe et al. (2012) Amin and Mohamed, (2016), also indicated that an accounting process and continuous auditing cannot be conducted effectively in today worldwide market without the use of computer and accounting software.They believed that changes in the accounting profession are the main reason behind the necessity of internal control accounting system to increase security and protection.However, performing SysTrust engagements is not without potential risks.There are two potential issues inherent in such engagements, some of which present exposures to the provider of assurance services.For example, users might not recognize that trust services cannot provide continuous assurance regarding system, and further performance might not be predictable based on past performance and test (Bedard, et al., 2005).
Experimental work indicates that there would be demand for both WebTrust (Hunton et al., 2000;Arens et al., 2014 andSysTrust (Boritz andHunton, 2002;Arens et al., 2014) in the marketplace.Yet, as Bedard et al. (2005) note, there are a lot of issues, questions and risks in SysTrust engagements, and most auditors are leery about delving into the ill-defined arena of systems reliability assurance.Only limited research to date has looked at ways in which to improve and deliver systems reliability assurance.Havelka et al. (1998) conduct a series of focus groups with systems development teams to establish criteria for assessing the quality of the information.Arnold et al. (2000) explore the market demand for graded reporting of systems quality versus use of a traditional auditor's binary reporting model.These studies represent the first incremental steps in understanding systems reliability assurance.The domain is wide, open, and in great need of additional research.While SysTrust provides some broad criteria that must be considered in assessing systems reliability, little is known about how to go about assessing these criteria effectively.Given the major role that IT systems play, particularly in enterprise systems environments, the profession must rapidly advance its ability to assess systems quality and academic researchers need to step forward in helping answer the difficult questions that to date present barriers to widespread systems reliability assurance efforts.

Implementation of SysTrust principles
After reviewing the previous studies, in this specific area of research, relating to reliability and of the evaluation of CAIS control systems, it can be observed that there are not enough empirical studies available, and this could be due to the fact that this area of research is reasonably new.In addition, many of the studies in this subject are administered on a small level and connected with combined studies from the fields of business management, computer science, and at times engineering.They are often in the form of reports or descriptive studies, and rarely experimental.Furthermore, studies on SysTrust service engagement as an internal control method for assessing reliability in the professional accounting literature are primarily devoted to explaining the background and purpose of this service and its potential demand (Boritz and Kearns, 2000;Pugliese and Hales, 2000;Tarek et al., 2017).Related empirical research also primarily addresses topics related to user demand for trust services.In addition, there has been relatively little business-oriented research on reliability.It should also be noted that some of the investigations are conducted in isolation, without benefit from the experience of findings from other studies.It should also be noted that the majority of these studies are confined to the experience of developed countries, such as in Europe and the USA.It is observed that in many of these studies, practical implications of research findings are only stated in general terms, and little attempt has been made to report the reliability of the scales of measurement used for data collection.Given that most studies of AIS implementation have been based on cases in Europe and the US, cultural and legislation challenges, although complex, show some consistency.However, relatively few studies have been investigated outside of the most developed countries, such as in Jordan, which is a beachhead for new technologies and business practices in the Middle East and North Africa (MENA).Several authors state that within organizations, there must be attention given to the accounting standards and laws of each country, because they affect accounting management (Davila and Foster, 2005;Romney and Steinbart, 2017).

Research hypotheses
Based upon theoretical background and literature review, the following hypotheses are examined in this study: H1.The SysTrust principles and criteria (i.e.five principles: availability, security, integrity data processing, confidentiality, and privacy) are not significantly implemented in the business organizations.
H2.There is no significant difference among business organizations in terms of the extent of SysTrust principles and criteria being implemented based on their type of business sector.
H3.There is no significant difference among business organizations in terms of the extent of SysTrust principles and criteria a being implemented based on their size of business.
H4.There is no significant difference among business organizations in terms of the extent of extent of SysTrust principles and criteria being implemented based on their business experience.

Research methodology
The data for this research were collected through self -administrated questionnaire.The target respondents were all the shareholding companies in Jordan and the single key respondents approach was used.The key respondent was financial/account manager/ IJAIM 27,3 director.The identification of the individual business organizations in the country (Jordan) could be done by obtaining names of all companies, as well as their addresses, from a variety of private and public sources to identify the type of business sector, and the range of the number of companies in each sector.Restrictions of time and financial resources could make the inclusion of all business companies impossible.Therefore, the target population is only limited to all shareholding companies listed in Amman Stock Exchange Market database in 2016.Table I demonstrates the demographic characteristics of the study's population.A total of 328 self-administrated questionnaires were distributed to the respondents by e-mail and hand and the response rate was 73 per cent.68 per cent of the respondents were from service sector.Initially, research assistants called the companies to have appointments to distribute copies of the questionnaire to their companies.After respondents answered the questions, the assistants collected the copies from them.
In this survey, some variables are factual (for example, companies' demographic characteristics such as the type of sector, business experience and number of employees), whereas others are perceptual (i.e.SysTrust principles and criteria).The extent of the implementation of SysTrust principles and criteria were measured using a seven-point Likert scale with anchor ranging from (1) "not implemented at all" to (7) "highly implemented").The study is based on primary data and the time period is cross-sectional.For data collection, a structured questionnaire was developed and collected data were fed to the statistical software called SPSS-20 to analyse.Simple statistical tools like, mean, standard deviation, and ANOVA were applied.The questionnaire's content (constructs and measures) were mainly selected from AICPA (2013) framework and some previous studies and were modified to the practice of Jordanian shareholding companies' context based on the results of a pilot study and feedback from five professional academic staff in this filed.Table II shows five fundamental principles and criteria and related measures that used in the study.

Data analysis Reliability
As shown in Table III, all principles of SysTrust were tested to ensure an adequate level of scales reliability using Cronbach's alpha, composite reliability (CR) and average variance extracted (AVE).Statistical findings in this regard indicated that all principles have Cronabch's alpha (a) value above the cut-off point of 0.70 reneging between 0.94 for privacy and 0.96 for security by the same token, CR for all principles existed within their respective level of 0.70 as reported by Hair et al. (2010).Table IV indicates that while the highest of CR (0.906) was noticed for the security, the minimum value was exhibited by availability of AIS  Sekaran and Bougie, (2017).

Convergent validity
According to Hair et al. (2017), convergent validity is established when the Average Variance for all focal constructs was more than 0.50, which meets the first condition of achieving convergent.Explained (AVE) between the constructs is equal to, or exceeds, 0.5.The average variance explained validity.To achieve the second requirement of convergent validity, it was vital to consider the reliabilities of the measurements as means of providing evidence and support for the convergent validity of the constructs (Hair et al., 2017).As presented in Table III, all the scales demonstrated an acceptable "high" reliabilities, with the Cronbach's coefficient alpha's exceeding the 0.70 threshold, as recommended by Nunnally and Bernstein (1994); thereby, satisfying the second requirement of convergent validity.

The extent of the implementation of SysTrust service principles
The measure of extent of SysTrust implementation requirements are the main five principles and criteria (i.e. the availability, security, integrity processing, confidentiality and privacy) implemented for assuring the reliability of AIS as an internal control method.The mean values, standard deviation and t-test are used here to determine whether these main principles of SysTrust being implemented by the business organizations in Jordan.Findings shown in Table IV indicate that the extent of SysTrust principles (together) being practiced is considered to be moderate (i.e.74 per cent or 5.20), as their mean are more than the mean of the scale, which is 4 (mean of the scale = R Degrees of the scale 7

Testing hypotheses
One-sample t-test is used to examine the first hypothesis in the study.The result in the above Table IV shows that (SysTrust) principles and criteria are significantly implemented as an internal control method for assuring the overall reliability of AIS among business organizations either taken separately or together.The ANOVA analysis technique is also used to examine the other hypotheses.To assess the differences among business organizations in terms of the implementation of SysTrust principles and criteria requirements based on their organization's demographic characteristics such as size, type of business, and business experience (age), one way analysis of variance (ANOVA) was used to compare the means of participants' extent of implementation of SysTrust principles and criteria requirements and determine if there are any significant differences among the types of business sectors, i.e. service vs. industrial.As it is shown in Table V, there are significant differences among business originations in terms of the practice of SysTrust principles either taken separately or together due to their types of business sector (e.g.service vs industrial business) to which they belong.When compared, the extent of SysTrust being practiced among business organizations in terms of type of business (service companies vs. industrial companies), service companies were found at a significant edge over industrial companies on all the five constructs of SysTrust.
ANOVA test is also used to measure the differences among the business originations in terms of the extent of implementation of SysTrust principles and criteria requirements based on their size (number of employees).The results shown in Table VI indicate there are no significant differences among business organizations in terms of extent of implementation of SysTrust principles and criteria requirements due to their size.This result suggests that the business organization were not varied in the extent of implementation of SysTrust principles and criteria requirements either taken together or separately due to their size of business.
Furthermore, ANOVA is used to examine the difference among the business organizations in terms of in the extent of implementation of SysTrust principles and criteria requirements based on their business experience (age).The result revealed in Table VII that there are significant differences among business organizations in terms of in the extent of extent of implementation of SysTrust principles and criteria requirements either taken together or separately due to their business experiences.Discussion and implications One of the main objectives of this study is to explore to which extent the business organizations in Jordan implemented the SysTrust principles and criteria requirements as an internal control system for assuring the reliability of AIS.The results indicate that the extent of SysTrust principles being practiced is considered to be moderate (i.e.74 per cent or 5.20).This implies that there are some variations among shareholdings companies in terms of their level of implementations of the principles of SysTrust as presented in Table (4).This might indicate that internal control's methods over the computerized accounting information systems in the Jordanian business organizations provide requirements of all principals to the AIS system.Mean values have shown that the Security principle is the highly implemented one (79 per cent).Assurance of system security implies that access is restricted to the physical components of the system, the logic functions the system performs, and the information stored in the system.This results are in consistent with prior studies such as Hayale and Abu Khadra, (2006), Abu-Musa, (2010), and Boritz (2005).It could be concluded that the IT infrastructure of the Jordanian business originations (i.e.shareholding companies included in this study) by its status qua is mature enough to provide the operational requirements for (SysTrust) principles and criteria.Such result supported by the results reached by Casolaro and Gobbi, (2004) Mansour et al. (2009, 2017), and Al Hanini (2015).
The second objective of the study is to compare differences among business organizations in terms of the SysTrust principles and criteria requirements as an internal Implementation of SysTrust principles control system for assuring the reliability of AIS being implemented based on their type of business, size and experience.Interestingly, the study found no significant differences among business organizations in the extent of the SysTrust principles and criteria requirements being implemented due to their size or experience.One explanation for this is that all of business originations in this study are shareholding companies and irrespective of their size or experience they have to approve the reliability of their accounting transactions for legality and auditing purposes.However, statistical significant difference was found based on the type of business sector.It was found that the extents of the SysTrust principles and criteria requirements being implemented were varied among business organizations due to their type of business.One explanation of the above findings is that regardless the size of business organizations or experience, it is possible to classify Jordanian business in terms of the extent of SysTrust principles being implemented based on their type of business (services vs. industrial).Based on the above discussed findings, two outstanding conclusions can be made.First, the results indicate that the extent of SysTrust principles being implemented is considered to be moderate.The results also showed that the Security principle is the highly implemented one.This could be because securities of AIS issues have been given a propriety over other principles among shareholding companies to be implemented.Second, when compared, the extent of SysTrust principles being implemented among business organizations in terms of type of business (service companies vs. industrial companies) was found at a significant edge over industrial companies on five principles of SysTrust.This result might indicate that the service companies apply or give more attention to the requirements of SysTrust principle than the industrial companies.This might be due to the fact that service companies tend to be more technology-oriented and driven than industrial companies in Jordan (Mahadeen et al., 2016).In their study of EDI, Khazanchi and Sutton (2001) give evidence of the requirement for systems assurance, illustrating that numerous companies enforcing these systems do not use them to full benefit.However, there are no significant differences in the implementation of principles of SysTrust among business organizations due to their size or experience.
The present study has important implications for studies aimed to SysTrust principles implementation in developing countries.However, explanations of several findings above indicate the importance of contextual factors (i.e.demographic characteristics) within organizations.This study provides some insights into the implementation of SysTrust principle as an internal control for assuring the reliability of AIS by Jordanian shareholding companies, which should help practitioners to acquire a better understanding of the current SysTrust principles status and implementation.However, several limitations should be considered when evaluating and generalizing the study's conclusions.The study was conducted in one country, Jordan.Although Jordan is a valid indicator of prevalent factors in the wider MENA region and developing countries, the lack of external validity of this research means that any generalizations of the research findings should be taken with caution.Future research can be orientated in other national and cultural settings and compared with the results of this study.
has considered the effectiveness of IT based AIS.The study has developed a quantitative model based on set of technological, economics, and social parameters.Their study revealed that the effectiveness of IT-based AIS varies according to the superiority level of IT infrastructure of AIS and the environmental development of AIS.
0.832).Moreover, as seen in TableIIIthe AVE value of the latent constructs ranged from 0.555 (Availability of AIS to 0.694 (security) which all are above the cut-off value of 0.50 as recommended by (