The Impact of Information Technology Governance in Reducing Cloud Accounting Information Systems Risks in Telecommunications Companies in the State of Kuwait

This study aims to identify the impact of information technology governance in reducing cloud accounting information systems Risks in Kuwaiti telecommunications companies. The study population represented by all Kuwaiti telecommunications companies, which number (3) companies. The sampling unit consisted of workers in the upper and middle management of Kuwaiti telecommunications companies. The researcher distributed (327) questionnaires electronically, the researcher retrieved (291) questionnaires, of which (269) were valid for statistical analysis. The results indicated that the relative importance of all dimensions of information technology governance. The results demonstrate the importance of the role of information technology governance in reducing cloud accounting information systems risks. Also, that all information technology governance dimensions (Align, Plan and Organize, Build, Acquire and Implement, Deliver, Service and Support, Monitor, Evaluate and Assess) affect the cloud accounting information systems risks reduction in Kuwaiti telecommunications companies.


Introduction
Developments in cloud computing (CC) have accelerated over the past decade and different types of applications have emerged (Adjei, 2015), as companies turn to the cloud in order to gain competitive advantages and take advantage of the benefits it provides. As many studies have indicated that the application of CC contributes to increasing work efficiency and reducing operating expenses for companies, and it does not need much support for information technology (IT) (Prichici & Ionescu, 2015;Weng & Hung, 2014;Adiyasa et al., 2018). With the multiplicity of CC applications, the need arose to develop AIS (Dimitriu & Matei, 2014;Ali et al., 2020). Cloud accounting (CA) has emerged as the CC application that transfers AIS within companies to the servers of cloud service providers. Like multiple CC applications, CA provides companies with several benefits, such as flexibility, cost savings, sustainable competitive advantage, and scalability (Corkern et al., 2015;Brandas et al., 2015). Detlor et al. (2010) say: "The development of IT drives the accounting profession to update and develop its materials and methods so that it can continue to supply high-quality benefits. This led to the upgrowth of ITG".
Information security risks (ISR) have become the main concern of many regulators and companies (De Haes et al., 2013). Among the areas of ISR are business continuity, ability to cope with data leakage, data loss prevention, shifting of IS, and monitoring of compliance (Ernst & Young, 2014). The goal of IS is to protect the confidentiality of information, prevent access, and ensure its integrity and preservation (Turban et al., 2015). It also includes maintaining the credibility and reliability of information and ensuring accountability (Ernst & Young, 2014). The continuous alignment between corporate activities and IT in a complex and rapidly changing environment is a major challenge for business organizations. This led organizations to adopt ITG frameworks that enable them to harmonize their strategy and objectives (Nicho & Khan, 2017). In this context, several frameworks emerged, which include COSO, COBIT, ISO 9001, ISO 27002, ISO 38500 and COSO ERM. (De Souza Bermejo et al., 2014;Amorim et al., 2020)

Study Problem
Because of the great importance of AIS, in addition to the risks of CC, cloud accounting information systems (CAIS) may face many risks (Zhang & Gu, 2013;Nurhajati, 2016;Khanom, 2017). Thus, it poses a clear threat to companies, especially with regard to data security and reliability. However, there are few empirical studies on ways to reduce this risk. Here, the role of ITG emerges as a method used by companies to protect information when using CAIS. Hence, the problem of this study appears in identifying the role of ITG in reducing CAIS risks in Kuwaiti telecommunications companies. The study problem can be expressed through the following questions:

Study Importance
The importance of the study emerges from the importance of the variables discussed, as ITG is an important topic that keeps pace with developments in business environments in general, and in the Kuwaiti environment in particular. The importance of the scientific study is also highlighted by the telecommunications companies in Kuwait benefiting from the application of ITG to reduce CAIS risks that they are exposed to, such as the risks of losing information, the risks of losing customers and cyberattack, and it is expected that the results of this study will be useful to telecommunications companies in Kuwait With regard to the concepts of IT governance, as it may explain to them some of the strengths and weaknesses in the way in which CAIS are managed and also the ways through which the company can reach the achievement of its goals. Also, this study will present proposals and recommendations that would urge companies to follow up on recent developments that enable them to continue and achieve competitive advantage.

Literature Review
CC refers to the transfer of the AIS from a system within the company to the cloud environment, so that it can be accessed at any time and from anywhere, without the need for prior installation of the program on devices (Ţugui & Gheorghe, 2014). CA also has the characteristics of depends on the request services, service flexibility, network access, resource sharing, flexible service, and measured service (Moudud-Ul-Huq et al., 2020). In the traditional AIS, all devices and applications are located within the company (Ali et al., 2020). However, when companies use CA services, the cloud service providers own, manage and control the CA infrastructure (Khanom, 2017). Where servers, devices, and applications are not located within the company, but in the premises of the service providers (Singerová, 2018). Păcurari and Nechita (2013) argue that there are security concerns when using CA. Zhang and Gu (2013) argue that companies may be reluctant to migrate AIS to the cloud due to concerns that cloud data will be corrupted or vulnerable to attack. However, they do not offer any solutions on how to overcome these risks. Shkurti and Muça (2014) found that data security and compatibility with current systems as well as information accuracy are among the most prominent risks of using CA. Ali et al. (2020) believes that security and privacy risks are among the most prominent risks of using CA. Corkern et al. (2015) suggest that companies may use CA when addressing reliability and security issues.
To overcome the risks of moving AIS to the cloud environment, the need for ITG arises (Ali et al., 2020). ITG is seen as a crucial part of corporate governance, as it is considered part of the leadership and organizational structures that guarantee the companies' IT support processes, strategies and objectives (Henriques et al., 2020).
In addition to the fact that ITG encourages the use of IT in a desirable manner, it aligns the company's business operations with IT (Hardin-Ramanan et al., 2018). ITG also contributes to the distribution and definition of functions and responsibilities within the IS and related technologies across the company. Selig (2018) says: "The goal of ITG is administer IT initiatives to ensure that the company's performance meets the objectives set by the administration". Among the objectives of ITG is the alignment of the IT objectives with the general corporate strategy, the identification of IT performance, and the achievement of the competitive advantage that the IT provides to the company (Joshi et al., 2018).
Many literatures distinguish between governance and IT governance, where governance determines who is responsible for managing, making and implementing decisions, while ITG refers to determining the decisions that must be taken and the effective use of IT (wolden et al., 2015), and the challenge of who should take these decisions, and how these will be made and controlled effectively (Weill & Ross, 2004). During the past years, many entities have developed frameworks and models for IT governance, with the aim of assisting companies in implementing IT governance. Firms should design their IT process architecture in order to be able to use these frameworks and achieve the benefits expected from them (Dias Canedo et al., 2020).
According to the ISO 38500 standard, ITG is one of the resources that must be made available to access, process, store and disseminate information (Calder, 2008). Therefore, ITG is a tool for evaluating and directing the use of IT to support the company when using CAIS. According to Dias Canedo et al. (2020) ITG should include stakeholder focus, IT, results management, ensuring transparency, accountability, compliance. These functions are considered one of the basic functions of AIS. In da Silva et al. (2019) that any decision related to IT has a direct impact on the company's business. Likewise, the company's strategic decisions directly affect the IT. Thus, the alignment and integration between AIS and planning IT are essential to achieving the company's goals.
It is also important for a company to ensure that its implemented ITG activities comply effectively with legislation and regulations (Vugec et al., 2017), and to give a high level of security, ITG must ensure that security issues are take it earnestly. This includes appropriate chosen of hardware and components, encryption of data within the system, making ready and testing of a catastrophe recovery plan, scalability of the cloud using virtualization techniques, proactive safeguard of the operating system before any potential external attacks, and assuring access to the cloud safely (Chraibi et al., 2013). Allahverdı̇ (2017) has pointed out that the necessity of internet access, security breach, legal limitations, and data confidentiality are among the most prominent risks of cloud information systems.

ITG Domains
ITG is one of the components of the company's strategic management. It is responsible for defining long-term strategic goals and translating them into short-term tactical goals. ITG focuses on the following areas: i.

Align, Plan and Organize (APO):
This dimension focuses on using information and technology and choosing the best way to harness it to achieve the company's goals and objectives. Where coordination is made between technology and the company's activities through the planning procedure, whether short or medium term, and that the company during the planning and organization process provides a technology infrastructure, an organizational structure and technical staff, and communicates with them regarding the requirements of the technical management (Tuttle & Vandervelde, 2007). In order to maintain the ITG framework, it is needful to define the management of the IT framework that interprets the characteristics of IT from the governance framework into actual procedures and practices at the company (Romero et al., 2017). Also, within APO, a general description of the needs of stakeholders is given and a statement of the purpose of managing the company's structure, as well as the identification of capacity needs and requirements, as it enables the creation of models that describe the target infrastructure and the creation of a common structure consisting of business processes, information, applications, levels of IT and achieving project efficiency and strategies of IT (Tanuwijaya & Sarno, 2010). APO also includes human resources management with the aim of providing a structured approach to ensuring a better structure, defining responsibilities and roles, and setting plans for training and development by competent and qualified persons (wolden et al., 2015).
ii. Build, Acquire and Implement (BAI): This dimension focuses on identifying the basic requirements for IT and acquiring and implementing IT within the company's current operations, and in BAI the IT requirements are defined and possessed to successfully carry out business within the company, and include providing new operational solutions including implementation planning, systems and data transformation, solutions testing and product support early and post-implementation review. And the adoption of a structured approach to deal with projects and investment portfolios to achieve the objectives of the institution. And undertaking regular procedures to organize and document company requirements, and establish an agreement between clients and the project team on changing system requirements (Iqbal, et al., 2016). And managing solutions to matches the requirements set by the company in IT matters, as IT solutions that allow compliance with those requirements must be identified and implemented (Romero et al., 2017). In addition to knowledge management, which is closely related to individuals with the aim of increasing knowledge in the minds of employees (Miklosik, 2014).
iii. Deliver, Service and Support (DSS): This is done by focusing on adding significance to the IT system as well as give support for data and processing it properly to continue the company's commercial activities, maintain the continuity of the flow of information and make it constantly available to internal and external users (Iqbal, et al., 2016), and includes operations management, which indicates to how companies produce or deliver goods and services that provide their continuity, and operations can be viewed as one of the many functions (such as marketing, financial, and personal) within the company. The operations function can be described as the part of the organization dedicated to producing or delivering goods and services. This means that all organizations carry out operating activities, because every organization produces goods or services. It also includes asset management, which clearly focuses on helping companies achieve their set goals, and determining the optimal mix of activities based on these goals (Tanuwijaya & Sarno, 2010). DSS also includes managing problems with the aim of reducing the negative impact resulting from errors in the IT infrastructure, documenting them and preventing their recurrence. DSS determines possibility impacts that menace the company, and provides a framework for building elasticities and effective rejoinder capacity that protects the interests of key stakeholders, reputation, brand and value creation activities (Mutaiara et al., 2017). Focusing on security management with the aim of maintaining an information security plan that describes how information security risks can be managed and aligned with company strategy (wolden et al., 2015). iv.

Monitor, Evaluate and Assess (MEA):
Where work is made on the existence of a plan to carry out the follow-up and evaluation process, in which it clarifies what should be followed up, what activities are necessary to attitude the follow-up and evaluation procedure, who is responsible for it, and the date and place of its attitude. MEA aims to observe and adjust performance and submissiveness by taking care to follow up the implementation of the project steps to ensure that it is carried out in accordance with the drawn plan and to follow up any defects that may lead to stopping or delaying the project and working to avoid it. Then the project is evaluated and that it has achieved the results as planned (Wolden et al., 2015). And ensuring that the monitoring process ensures that the internal control continues to operate effectively. It should be assessed whether management is reviewing the design of controls when risks alteration, and whether controls designed to minimize risks are at an appropriate level and continue to operate effectively (Mutaiara et al., 2017). As well as reviewing and ensuring compliance with contractual regulations, laws and conditions, including identifying compliance requirements, improving response and evaluating them, obtaining assurances that the terms have been complied with, and then integrating IT compliance reports with the rest of the business.
All dimensions of ITG focus on gathering and analyzing information related to an agenda that takes place during the implementation of the agenda. In addition to the necessity of performing periodic guidance, for an organization, agenda that may be conducted internally or by external independent evaluators (Iqbal, et al., 2016). The orientation and control process aims to ensure the transparency of the stakeholders and to ensure that the performance of corporate IT, conformity measurement and reporting is transparent, with stakeholders agreeing to the objectives, metrics and necessary corrective actions (wolden et al., 2015). Ensure that IT services and IT assets resulting from investments that support IT are affordable (Rakthiantam et al., 2013). And to ensure the continuous improvement of risk management by understanding, clarifying and communicating the company's desire to bear risks and how to use tolerance in dealing with them, as well as ensuring the process of identifying and managing risks on IT (Tanuwijaya & Sarno, 2010). Managing resources (personnel, processes, and technology) and ensuring that IT skills are adequate to effectively support the firm's objectives and achieve optimum value.

Study Hypotheses
Based on a review the literature, the following hypotheses can be formulated: H0: There is no impact for ITG in reducing CAIS risks in Telecommunications Companies in the State of Kuwait.
H01: There is no impact for APO in reducing CAIS risks in Telecommunications Companies in the State of Kuwait.
H02: There is no impact for BAI in reducing CAIS risks in Telecommunications Companies in the State of Kuwait.
H03: There is no impact for DSS in reducing CAIS risks in Telecommunications Companies in the State of Kuwait.
H04: There is no impact for MEA in reducing CAIS risks in Telecommunications Companies in the State of Kuwait.

Study Methodology
This study was classified in terms of nature as an experimental study, and in terms of purpose it is illustrative, as it works to discover the impact of ITG on reducing the risks of CAIS in Kuwaiti telecommunications companies.
The study population that the researcher used is represented by all Kuwaiti telecommunications companies, which number (3) companies, and work in these companies (2133) employees. Because of the limited number of telecommunications companies, the researcher included all companies within the study sample, and the researcher used the random stratified sample when choosing the study sample, as the selected sample included individuals who work at the three administrative levels -upper, middle and lower -in Kuwaiti telecommunications companies, and its size reached 327 individuals, through the researcher's reliance on the sample selection table for a community that consists of (2133), according to (Sekaran, 2013), The sampling unit consisted of workers in the upper and middle management of Kuwaiti telecommunications companies, whose number is (327) individuals. The researcher distributed (327) questionnaires electronically, and that was due to the Corona pandemic, and the ban imposed in the country, which resulted in a decrease in the number of individuals working in each company, and the researcher retrieved (291) questionnaires, of which (269) were valid for statistical analysis, The researcher excluded (22) questionnaires, and the reason for the exclusion is because these questionnaires are not suitable for statistical analysis, and the percentage of recovered questionnaires that are appropriate for statistical analysis reached (82.3%), and this percentage is considered statistically acceptable (Sekaran, 2013).

Measuring Variables
The researcher used the five-component Likert scale from 1 (strongly disagree) to 5 (strongly agree) to evaluate respondents 'responses to the study management paragraphs, which is an effective method for collecting data and evaluating respondents' judgment (Zraqat, 2020). Two variables were measured in this study: IT governance, and reducing the risks of c CAIS, using a multi-component scale. The validity and reliability of the study tool construction steps are supported by a comprehensive literature review and interviews with managers of information systems in Kuwaiti telecommunications companies.   The importance of APO also appears in reducing the risks that result from the use of CAIS, as companies choose the best way to harness ITG to achieve the company's goals. Where coordination is made between technology and the company's activities through the planning procedure, whether short or medium term, and that the company during the planning and organization process provides a technology infrastructure, an organizational structure and technical staff, and communicates with them regarding the requirements of the technical management.

Test Hypotheses
The importance of BAI also appears in reducing the risks that result from the use of CAIS, as companies define the basic requirements for IT and obtain IT and implement them within the company's current operations, by providing new operational solutions, including implementation planning, systems and data transformation, solution testing, early product support and post-implementation review.
The importance of DSS also appears in reducing the risks that result from the use of CAIS, as companies focus on adding importance to the ITS in addition to providing support for data and processing it properly to continue the company's business activities and maintain the continuity of the flow of information and make it available continuously.
The importance of MEA also appears in reducing the risks that result from the use of CAIS, as companies work on having a plan to implement the follow-up and evaluation process, which clarifies what should be followed up, and what activities are necessary to guide the follow-up. Carry out the assessment, who is responsible for it, and the date and place of its position.

Conclusions
This study aims to identify the impact of IT governance in reducing CAIS Risks in Kuwaiti telecommunications companies. Two variables were measured in this study: IT governance, and CAIS Risks, using a multi-component scale. The results indicated the importance of all parts of IT governance, as companies use information technology governance while gathering and analyzing information related to the agendas that are implemented during the implementation of the agenda. In addition to periodically directing performance, which reduces the risks of cloud information systems. Information technology governance is also implemented in a manner that ensures transparency, which increases the reliability of the performance of information technology activities. Which is in line with (Wolden et al., 2015), which showed that transparency is one of the most important requirements of information technology governance because of its impact on the requirements of various stakeholders. Kuwaiti telecom companies are also working to ensure that IT services and assets resulting from investments that support information technology are affordable, which is consistent with the findings of the study (Rakthiantam et al., 2013). In addition, the study sample companies are working to ensure the continuous improvement of risk management by understanding, clarifying and communicating the company's desire to bear risks, as well as ensuring the process of identifying and managing risks on information technology, and this is in line with what he indicated (Tanuwijaya & Sarno, 2010). As well as following up on resource management (personnel, processes, and technology) and ensuring that the IT skills are sufficient to effectively support the company's objectives and achieve optimum value. Which is consistent with the goals of accounting information systems in general?
It can be concluded that there is an important impact of ITG in reducing CAIS risks, because all its parts will help in enhancing information security, ensuring data privacy and protection in CAIS, and thus protecting CAIS in Kuwaiti telecom companies.
The study recommends the necessity for Kuwaiti telecom companies to found a special department for ITG, that would have a leadership ideological trend to develop it within the firm to face the CAIS risks. As well as the necessity of activating the security controls for CAIS of all kinds and increasing the level of application contra the environmental risks besetment the firm that may take place as a result of CAIS. And the need for firms to recognize CAIS risks for form a vision of the interior controls and system-related reactions that firms must take to guarantee the continuation of the firm's business in a safe and smooth manner.