Information & Management 51 (2014) 187–205
Contents lists available at ScienceDirect
Information & Management
journal homepage: www.elsevier.com/locate/im

Internal control framework for a compliant ERP system

She-I Chang a, David C. Yen b,*, I-Cheng Chang c, Derek Jan d

a Department of Accounting and Information Technology, National Chung Cheng University, Taiwan, ROC
b School of Economics and Business, SUNY College at Oneonta, USA
c Department of Accounting, National Dong Hwa University, ROC
d KPMG, Taiwan, ROC

Article history: Received 1 February 2012; received in revised form 17 October 2013; accepted 4 November 2013; available online 20 November 2013.

Abstract

After the occurrence of numerous worldwide financial scandals, the importance of related issues such as internal control and information security has greatly increased. This study develops an internal control framework that can be applied within an enterprise resource planning (ERP) system. A literature review is first conducted to examine the necessary forms of internal control in information technology (IT) systems. The control criteria for the establishment of the internal control framework are then constructed.
A case study is conducted to verify the feasibility of the established framework. This study proposes a 12-dimensional framework with 37 control items aimed at helping auditors perform effective audits by inspecting essential internal control points in ERP systems. The proposed framework allows companies to enhance IT audit efficiency and mitigates control risk. Moreover, companies that refer to this framework and consider the limitations of their own IT management can establish a more robust IT management mechanism.

© 2013 Elsevier B.V. All rights reserved.

Keywords: Internal control framework; Enterprise resource planning; IT control

1. Introduction

The popularity of information technology (IT) applications has increased reliance on computers for processing business transactions. Companies adopt IT systems to improve their operations. Surveys on the collaborative operations of IT systems conducted by the Market Intelligence and Consulting Institute [42] indicate that the enterprise resource planning (ERP) system is the most widely adopted IT system among large companies. Given that ERP is a popular and all-encompassing information system utilized by many organizations and because of the increased consideration of the risks associated with IT, information system security and internal control related to information systems have greatly increased [17,45,63,75]. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as "a process, effected by an entity's board, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives such as effectiveness and efficiency of operation, reliability of financial reporting, and compliance with regulation" [15].
The internal control related to information systems is commonly referred to as IT control and is composed of controls (i.e., policies and procedures) over the organizational IT infrastructure and systems [47,63]. IT control consists of general and application controls. General controls refer to the relevant controls designed to ensure that an entity's control environment is well managed and applied to all sizes of systems ranging from large mainframe systems to client/server systems and to desktop and/or laptop computer systems. Application controls include input, processing, and output control based on the flow of data processing. In other words, application controls focus on the accuracy, completeness, validity, and authorization of the data captured, entered in the system, processed, stored, transmitted to other systems, and reported [54]. Further, general controls can be used to support the application controls and, hence, allow the smooth operation of the information system [22]. Given that financial reporting in many entities is based on information systems such as ERP systems, IT controls help entities achieve the objective of internal control. Similar to information security, IT controls can also manage and protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction [68].

* Corresponding author at: School of Economics and Business, SUNY College at Oneonta, USA. Tel.: +1 607 436 3458; fax: +1 607 436 2543. E-mail addresses: actsic@ccu.edu.tw (S.-I. Chang), David.Yen@oneonta.edu (D.C. Yen), icc@mail.ndhu.edu.tw (I.-C. Chang), Derek.Jan@seed.net.tw (D. Jan).
http://dx.doi.org/10.1016/j.im.2013.11.002
An attack on information generally leads to the theft of confidential data, financial fraud, incapacitated web servers, and corrupted operational data [27], which all influence the accuracy and reliability of the financial data derived from the information system [75]. If entities fail to establish proper information security, they cannot guarantee the accuracy and reliability of their financial data [51]. ERP built-in control features may positively impact the effectiveness of internal controls over financial reporting. However, ERP does not necessarily safeguard against some deliberate system manipulations; for example, a few control features might not be activated in a timely manner in the implementation stage [45]. Further, to manipulate the date to perform earnings management, top managers may attempt to override some control features [6].

Following a number of reported business scandals, investors are beginning to question the accuracy of financial reports, including those generated by major companies around the world. In fact, investor confidence in the accuracy of financial reports and the shared holding positions of large companies has collapsed over recent years [56]. Durfee [18] emphasizes that an announcement of material weakness in the internal control system may result in a drop in stock prices, an increase in share volume, and the loss of chief financial positions. Goel and Shawky [26] also indicate that announcements of security breaches would decrease the market share of firms. Conversely, effective internal control can help firms to achieve their expected financial goals, maintain precise records of daily transactions, and produce accurate financial statements [20].
The accuracy and reliability of data within the ERP system are critical to ensure the transparency of the company's situation at all times, to help rebuild investor confidence, and to ensure low cost of capital [3]. Software vendors establish "built-in" control within ERP systems [45]. Companies also have an internal control framework in their ERP systems. Management is required to establish the framework, especially when a company is publicly listed. Companies constantly audit the effectiveness of their ERP system's internal control. Thus, an increasing number of companies have started to focus on the implementation of effective controls in their ERP systems while simultaneously providing management and external auditors a suitable framework within which to assess the ERP system's internal control.

COSO released a report entitled "Internal Control-Integrated Framework" [15] in 1992 in an attempt to illustrate a systematic framework for internal control. However, the report failed to list supplemental criteria in the implementation and assessment of IT controls [49]. Referring to specific control items would allow management and auditors to execute IT control procedures [29]. However, IT control procedures not only consider the environment within the entity but also control as it relates to the external environment [66]. In addition, given the minimal compliance guidance in the use of IT established by the government, the interpretation of the scope and nature of the IT environment is inconsistent [8]. These limitations increase the difficulty of compliance. Despite the importance of deploying proper internal control frameworks to fully develop the effectiveness of the ERP system, only a few academic studies have assessed this issue. Accordingly, this study derives its primary research question: what are the types of internal control that must be considered when auditing an ERP system?
The primary objective of this study is to develop a preliminary internal control framework for application in an ERP system.

2. Research background

The growing awareness of IT's role in managing knowledge derived from information systems has caused the production of accurate and relevant information to become the focus of studies on information systems such as accounting information systems (AIS) and management information systems (MIS) [76]. IT governance has been recently discussed and has gained attention; IT governance is "used to describe how those persons entrusted with governance of an entity will consider IT in this supervision, monitoring, control, and direction of the entity" [32]. Well-defined controls are considered to be an imperative and necessary part of IT governance. This study attempts to establish good internal control standards for ERP systems by proposing an internal control framework for such systems. Three subtopics are discussed in this section. The first subsection describes system security and internal controls in the ERP system. The second subsection introduces the audit and inspection challenges associated with the ERP system. The third subsection presents and discusses the internal control framework.

2.1. System security and internal controls in the ERP system

An increasing number of firms depend on ERP to address operational transactions. Therefore, information system security must be emphasized, especially in financial transactions [70,73]. Walters [75] states that many information system threats, such as unauthorized access and system vulnerability attacks, influence the accuracy and reliability of the financial data derived from information systems. Information security protects and controls IT resources and ensures the accuracy and reliability of information [1]. Van de Riet et al. [69] note a number of security aspects associated with an ERP system; these aspects include security policy, user authentication, authorization, time restrictions, log and trace, and database security. Information security control maintains the reliability of the information system resource and the availability and integrity of financial data. Thus, information security control is closely linked with information security and internal controls. After the occurrence of numerous worldwide financial scandals, company management teams and auditors are now required to take responsibility for their respective financial reports. The effectiveness of internal control has been emphasized during this decade [52]. If firms lack the proper level and types of information security, they cannot ensure the effectiveness of their internal controls and the integrity of their financial data [51]. Thus, identifying the necessary control-related considerations in an ERP system is an important initial task for management and auditors.

2.2. Audit and inspection challenges in the ERP system

The introduction of a new information system in a company may generate a new risk that is different from the risks initially associated with the legacy framework: the risks that accompany new framework operations may not be similar to those of the original system [50]. Reengineering business processes and the organizational changes brought about by the introduction of a new system may also lead to changes in the control requirements of a company in terms of ERP [11]. Problems frequently associated with ERP systems are generally contained. Such issues include business interruption, process interdependency, network security, database security, application security, and overall internal controls [31]. Therefore, many key aspects of the risk control environment must be considered [56]. Glover et al. [25] suggest that internal auditors consider the relevant risks and controls required for system planning based on their knowledge of risk management and of the internal risks present in the company during the introduction of the ERP system. Auditors and inspectors should first understand the basic architecture of the ERP system to effectively exert internal control over it [2,9]. In the comprehensive application of the IT environment, "owning" the control framework can help auditors to evaluate the effectiveness of IT control and decide on an auditing strategy and program. The control framework can also enhance the efficiency of IT control evaluation and mitigate the audit risk for auditors [29].

2.3. Internal control framework

Management and the auditors must follow a suitable and holistic internal control framework to ensure the effectiveness of internal control in a firm. COSO released a report entitled "Internal Control-Integrated Framework" and recommended that this report be utilized by companies, auditors, regulating agencies, and educational institutions [15]. The conceptual model of the report indicates that internal control objectives require five components of control, namely, the control environment, risk assessment, control activities, information and communication, and monitoring. However, the framework provided by COSO focuses on high-level guidance for internal controls and does not provide the detailed control objectives that auditors require in the design of audit tests [49]. Moreover, the framework does not address the specific risks and complexities of IT [14].

[Fig. 1. Research flow. Theoretical side: research question and purpose, knowledge claims, philosophies, interpretations, theories, principles, concepts, literature review, expert questionnaire. Methodological side: comparison and revision, transformations, data gathering, prototype construction, case study.]

An organization and its auditor require a comprehensive framework to properly adapt to the current IT auditing environment and to comply with regulations [23,66]. Transactions involving information systems require particular control standards and criteria because the computerization of business transactions leads to the digitization of audit evidence, resulting in difficulties in following audit trails [41]. Thus, IT internal control usually includes the following procedures: (1) general controls, which refer to the relevant control measures associated with EDP; and (2) application controls or the division of input, processing, and output controls based on the flow of data processing. In this digital age, the absence of information security in a particular company implies that the entire company is built on a fragile foundation such that it cannot survive any related internal control tests [4]. Information systems in enterprises require many internal controls due to the pervasive implementation of IT and the need to minimize problems. The complexity of modern systems can overwhelm auditors and management if no appropriate guidance is provided [66]. Hence, auditors and management should increase their understanding of the IT environment and related IT processes and controls because they must periodically perform control procedures [44,47]. Given that the two control types utilized at present cannot effectively or completely regulate the robustness of an internal control framework, especially when incorporated in the current information systems, numerous institutions have established their own sets of criteria for information security. A series of standards and criteria such as the British Standard (BS7799) and the Control Objectives for Information and Related Technology (COBIT) are employed by organizations. COBIT complements the COSO enterprise framework by assessing internal control and balanced risks in IT-intensive environments [33,53]. Huang et al. [29] established an IT control evaluation model that includes control objectives. Referring to specific control items allows management and auditors to execute control procedures. However, despite the importance of deploying proper internal control frameworks, only a few academic studies have been conducted to fully develop the effectiveness of the ERP system. The present study aims to develop a preliminary internal control framework for application in ERP systems to bridge this gap.

3. Research methodology and design

The research flow presented in this study utilized a theoretical strategy based on the V structure developed by Gowin [48] (Fig. 1). The interactions between the two sides of the structure (i.e., theoretical and methodological) merge relevant concepts and methods to achieve the proposed research goals [48]. Following the procedures listed on the "theoretical" side, the items related to IT control were summarized by studying the previous research. A literature review is thus conducted prior to the development of an internal control framework for ERP systems. To this end, two steps were performed in the literature review: collecting literature from the related sources and conducting coding procedures. Specifically, the relevant literature was gathered from the following sources:

(1) IT controls for the internal use of companies. The data gathered are expected to be within the scope of the internal use of companies and can be compiled with the current internal control bylaws of corporate information systems.
(2) Information security organization bylaws. This study refers to the regulations and criteria of COBIT, and BS7799 in particular, and includes all information systems. Both references are important, as they have been adopted by many companies worldwide [66].
(3) Academic literature.
Upon the completion of the initially constructed theoretical model and prior to conducting the case study, control items were established that met the requirements for the application of the model to the ERP system. Expert questionnaires were administered in this process. The main purpose for utilizing the expert questionnaires is to ensure and enhance the content validity of each measurement construct and to bridge the gap between the presented literature for application and the control items in actual practice. The measurement constructs and item indicators were screened separately to determine the internal control issues prevalent in the ERP system and to enhance the quality of the examination process and gain deeper insights.

Table 1. Related literature on IT internal control.

No. | Author | Literature title | Literature source
1 | A company | Computerized Process: Internal Control | A company
2 | B company | Computerized Process: Operation | B company
3 | C company | Computerized Process: Internal Control | C company
4 | British Standards Institution [7] | Information Security Management Part 2: Specification for Information Security Management Systems | British Standards Institution (BSI)
5 | IT Governance Institute [33] | Control Objectives for Information and Related Technology (COBIT 4.0) | Information Systems Audit and Control Association
6 | Cerullo and Cerullo [10] | Business Continuity Planning: A Comprehensive Approach | Information Systems Management
7 | Chau [12] | Application Security: It All Starts from Here | Computer Fraud & Security
8 | Coe [13] | Trust Services: A Better Way to Evaluate IT Controls | Journal of Accountancy
9 | Daveiga and Eloff [16] | An Information Security Governance Framework | Information Systems Management
10 | Eloff and Eloff [19] | Information Security Architecture | Computer Fraud & Security
11 | Flowerday and Von Solms [21] | Continuous Auditing: Verifying Information Integrity and Providing Assurances for Financial Reports | Computer Fraud & Security
12 | Gorge [28] | USB and Other Portable Storage Device Usage: Be Aware of the Risks to Your Corporate Data, Take Pre-emptive and/or Corrective Action | Computer Fraud & Security
13 | Hunter [30] | Card Systems: Four Million Hacked – Under the Spotlight | Computer Fraud & Security
14 | Jones [35] | The Convergence of Physical and Electronic Security | Computer Fraud & Security
15 | Marks [43] | The More Things Change... | Internal Auditor
16 | Myler and Broadbent [46] | ISO 17799: Standard for Security | Information Management Journal
17 | Saint-Germain [55] | Information Security Management Best Practice Based on ISO/IEC 17799 | Information Management Journal
18 | Stephenson [60] | Incident Analysis and Recovery | Computer Fraud & Security
19 | Stephenson [61] | Ensuring Consistent Security Implementation within a Distributed and Federated Environment | Computer Fraud & Security
20 | Stewart [62] | On Risk: Perception and Direction | Computers and Security
21 | Thomson and Von Solms [65] | Toward an Information Security Competence Maturity Model | Computer Fraud & Security
22 | Tyson and Bean [67] | System Access Hotspots: Are Auditors Ignoring Danger? | Journal of Corporation Accounting & Finance
23 | Volonino and Gessner [71] | Holistic Compliance with Sarbanes-Oxley | Communication of AIS
24 | Von Solms [72] | Information Security Governance: Compliance Management vs. Operational Management | Computers and Security
25 | Wallace et al. [74] | Understanding Software Project Risk: a Cluster Analysis | Information and Management
26 | Williams [77] | Performing a Successful Unix Audit | Computer Fraud & Security
27 | Flowerday and Von Solms [22] | Real Time Information Integrity = System Integrity + Data Integrity + Continuous Assurances | Computers and Security
28 | Walters [75] | A Draft of an Information System Security and Control Course | Journal of Information Systems
29 | She and Thuraisingham [57] | Security for Enterprise Resource Planning Systems | Information System Security
30 | Wilson [78] | Risk Control: A Technical View | Computer Fraud & Security

Nos. 1–3 are classified as A (IT control for the internal use of companies). Nos. 4–5 are classified as B (information security organization bylaws). Nos. 6–30 are classified as C (academic literature).

Next, following the procedures outlined on the "practical" side, an empirical case study was then conducted to investigate the feasibility of the proposed framework derived from the literature review and the questionnaires. The case study included "how" and "why" questions [79], and a pre-identified company was selected for the case study. In addition, the case study included steps related to design, preparation, collection, analysis, and sharing [79]. Not only was the case design identified in the design step, but the unit of case study was also described in detail in this step.

4. Construction of the preliminary framework for the internal controls of the ERP system

The Science Direct database was utilized to search for the relevant academic literature. The main criteria for this search include the following items:

Table 2. Results of axial coding.
Category: Definition of functions and responsibilities in the data processing department

1. Whether clear definitions exist for the responsibilities of maintenance personnel in the MIS department
   Codes: A1, A30, A121, A193, B12, B32, B112, C17, C33, C49, C81, C94, C151, C179
   References: A company, B company, British Standards Institution [7], Cerullo and Cerullo [10], Eloff and Eloff [19], IT Governance Institute [33], Jones [35], She and Thuraisingham [57], Stephenson [61], Volonino and Gessner [71], Von Solms [72], Walters [75]
2. Whether application procedures exist for the system accounts (authorization)
   Codes: A43, A45, A124, A152, A155, A209, A224, A232, A236, B65, C42, C72, C106, C109, C194, C196
   References: A company, B company, C company, British Standards Institution [7], Cerullo and Cerullo [10], Gorge [28], Stephenson [60], Volonino and Gessner [71], Walters [75]
3. Whether system accounts (authorization) should be approved by related unit heads
   Codes: A47, A210, A223, A237, C18, C48, C147
   References: A company, C company, Cerullo and Cerullo [10], Jones [35], Von Solms [72]
4. Whether accounts are canceled after employees leave
   Codes: A46, A63, A153, A195, A225, B66, B117, C150, C197
   References: A company, B company, C company, British Standards Institution [7], IT Governance Institute [33], Jones [35], Walters [75]
5. Whether accounts are modified simultaneously with an employee change in job responsibilities
   Codes: A64, A196, A226, A228, B118, C47
   References: A company, B company, C company, Cerullo and Cerullo [10], IT Governance Institute [33]
6. Whether user authorization is continuously reviewed
   Codes: A62, A102, A126, A156, B69, B113, C34, C149, C199
   References: A company, B company, British Standards Institution [7], Cerullo and Cerullo [10], IT Governance Institute [33], Jones [35], Walters [75]
7. Whether a dedicated team is responsible for the maintenance of the hardware and software of the system
   Codes: A51, A73, A97, A107, A125, A200
   References: A company, B company, C company

Category: System development and control over program modifications

1. Whether application procedures exist for requests to modify system programs
   Codes: A4, A23, A71, A127, A142, A212, B98
   References: A company, B company, C company, British Standards Institution [7]
2. Whether modification specifications are confirmed by the MIS department and the department that submits the request
   Codes: A5, A8, A22, A24, A140, A143, B120, B127, B132, B142, C13
   References: A company, B company, IT Governance Institute [33], Von Solms [72]
3. Whether system program modification documents are approved by related unit heads
   Codes: A7, A21, A213, C50, C176
   References: A company, C company, Marks [43], Walters [75]
4. Whether SA and SD program documents relevant to the modifications are available
   Codes: A16, A42, A129, A137, B60, B64, B99, B123, B133, B143
   References: A company, B company, British Standards Institution [7], IT Governance Institute [33]
5. Whether independent environments exist for development
   Codes: A15, A141, A217, C121, C180
   References: A company, B company, C company, Chau [12], Walters [75]
6. Whether independent environments exist for tests
   Codes: B35, B40, B58, B93, B147, C181
   References: British Standards Institution [7], IT Governance Institute [33], Walters [75]
7. Whether relevant test documents and records on program developments exist
   Codes: A10, A18, A26, A38, A128, A135, A138, A216, A221, B41, B61, B92, B124, B134, B144, C22, C122, C182, C209
   References: A company, B company, C company, British Standards Institution [7], Chau [12], Flowerday and Von Solms [22], IT Governance Institute [33], Stewart [62], Walters [75]
8. Whether updated (newly added) programs are assessed by users
   Codes: A13, A14, A25, A134, A139, A218, B59, B97, B100, B122, B130, B136, B146, C21, C123, C130, C186
   References: A company, B company, C company, British Standards Institution [7], Chau [12], IT Governance Institute [33], Stewart [62], Walters [75]
9. Whether relevant control measures exist for changes in system flows
   Codes: A29, A122, C58
   References: A company, B company, British Standards Institution [7]

Category: Control over the compilation of system documents

1. Whether coding management is executed on the documents in relation to program modifications (updates)
   Codes: A6, A32, A144, A214
   References: A company, B company, C company
2. Whether documents are updated and modified by version after the modifications (additions) of programs
   Codes: A11, A20, A27, A31, A36, A41, A53, A54, A132, A145, A190, A219, A222, B84, B101, B126, B137, B145, C23, C187
   References: A company, B company, C company, British Standards Institution [7], Flowerday and Von Solms [22], IT Governance Institute [33], She and Thuraisingham [57], Stewart [62], Walters [75]
3. Whether review documents are improved after the programs have been developed
   Codes: A17, B83, B88, B125, C105, C124, C183
   References: A company, British Standards Institution [7], Chau [12], IT Governance Institute [33], Stephenson [61], Walters [75]
4. Whether dedicated personnel safeguard the documents in relation to the systems
   Codes: A28, A33, A34, A35, A39, A149, A215, A220, B24, B173, C54
   References: A company, B company, C company, British Standards Institution [7], Coe [13], IT Governance Institute [33]
5. Whether only certain personnel can access (modify) the documents in relation to the system programs or the original library
   Codes: A37, A40, A194, B94, B164, C55, C192, C210
   References: A company, B company, British Standards Institution [7], Coe [13], IT Governance Institute [33], Walters [75]

Category: Access control of programs and data

1. Whether authority controls exist
   Codes: A61, A83, A159, A165, B33, B74, B76, B91, B155, B174, C26, C31, C39, C43, C56, C69, C77, C95, C108, C125, C131, C148, C195
   References: A company, B company, British Standards Institution [7], Cerullo and Cerullo [10], Chau [12], Coe [13], Daveiga and Eloff [16], Eloff and Eloff [19], IT Governance Institute [33], Jones [35], She and Thuraisingham [57], Stephenson [60], Stephenson [61], Volonino and Gessner [71], Walters [75]
2. Whether password controls exist
   Codes: B68, B70, B78, B89, C64, C100, C136, C138, C144, C145, C198, C202, C225
   References: British Standards Institution [7], Daveiga and Eloff [16], Flowerday and Von Solms [21], Myler and Broadbent [46], Stephenson [61], Walters [75], Williams [77]
3. Whether different access authorizations pursuant to the nature of the users exist
   Codes: A49, A55, A207, A227, A231, B52, B54, B63, B67, B70, B75, B79, B156, B169, C2, C5, C27, C46, C71, C146, C203, C224, C226
   References: A company, C company, British Standards Institution [7], Cerullo and Cerullo [10], Flowerday and Von Solms [21], Gorge [28], IT Governance Institute [33], Myler and Broadbent [46], Saint-Germain [55], Von Solms [72], Walters [75]
4. Whether the transfer of external data into the system has undergone verification by the relevant programs
   Codes: A56, B55, C193
   References: A company, British Standards Institution [7], Walters [75]
5. Whether control exists over remote access to the system mainframes
   Codes: A60
   References: A company
6. Whether dedicated personnel are responsible for the maintenance of the system databases
   Codes: A2, A50, A130, A151, A154, A157, A234, C3, C44, C65, C66, C73
   References: A company, B company, British Standards Institution [7], Eloff and Eloff [19], IT Governance Institute [33], Walters [75]

Category: Control of data inputs and outputs

1. Whether application files exist for system data filing
   Codes: A65, A158, A205, C36
   References: A company, B company, C company, Cerullo and Cerullo [10]
2. Whether original documents exist for input data
   Codes: A67, A208
   References: A company, C company
3. Whether numbering of the documents is generated by the system
   Codes: A66, A77, A146, A162, A206, A235, B53, B85, B86, B87, B135, B165, C103, C126, C207, C227
   References: A company, B company, C company, British Standards Institution [7], Chau [12], IT Governance Institute [33], Myler and Broadbent [46], Stephenson [61], Walters [75]
4. Whether verification procedures exist for the data input/output interface
   Codes: A68, A147, A160, A163, B49, B51, B62, B90, B166, C37, C53, C70, C104, C229
   References: A company, B company, British Standards Institution [7], Cerullo and Cerullo [10], Coe [13], Gorge [28], IT Governance Institute [33], Myler and Broadbent [46], Stephenson [61]
5. Whether appropriate control measures are present for the output of confidential data
   Codes: A257, B72, B175, C25, C29, C96, C134, C135, C137, C200, C201
   References: C company, British Standards Institution [7], Cerullo and Cerullo [10], IT Governance Institute [33], Stewart [62], Stephenson [61], Walters [75], Williams [77]
6. Whether records exist for any changes in data additions (modifications)
   Codes: A48, A161, B77, B157, C80, C208
   References: A company, B company, C company, Cerullo and Cerullo [10], Daveiga and Eloff [16], Gorge [28], Von Solms [72]

Category: Control of data processing

1. Whether relevant flows exist to manage the changes in data modification
2. Whether data are regularly backed up
3. Whether backup data are supported by another location

Category: Security control of files and equipment

1. Whether information equipment is listed and managed
2. Whether information equipment is protected with security measures
3. Whether anti-virus measures are present
4. Whether firewalls are present
5. Whether the system mainframe is placed in facility rooms
6. Whether access control over facility rooms is present
7. Whether fire, water, and temperature control facilities are present in facility rooms
8. Whether UPS facilities are present

Codes extracted for the rows of the two categories above, in the order extracted (the row-by-row alignment is not recoverable from the page; the table continues beyond it):
- A95, A106, A148, A183, B4, B11, B28, C35, C84, C168
- A57, A58, A90, A185, A204, A241, A256, A258, C24, C30, C32, C41, C57, C97, C188, C214
- B102, C7, C112, C116, C212
- B48, B73, B159, C6, C67, C74, C78, C90, C99, C111, C213, C230
- B18, B20, C85, C132, C171, C221
- A87, A91, A92, A93, A174, A175, A239, A246, C153, C155, C222
- A94, A150, A173, A184, A201, A230, B19, B21, B171, C86, C133, C154, C172, C223
- B22, B23, B172, C10, C152, C173

References extracted for the same rows, in the order extracted:
- A company, B company, C company, British Standards Institution [7], Chau [12], Von Solms [72]
- A company, B company, C company, British Standards Institution [7], IT Governance Institute [33], Myler and Broadbent [46], Stephenson [60], Von Solms [72], Tyson and Bean [67], Walters [75]
- A company, B company, C company, IT Governance Institute [33], Stephenson [60], Tyson and Bean [67]
- A company, B company, British Standards Institution [7], Cerullo and Cerullo [10], Eloff and Eloff [19], Walters [75]
- A company, B company, C company, Cerullo and Cerullo [10], Coe [13], Flowerday and Von Solms [22], Saint-Germain [55], Stephenson [61], Stewart [62], Walters [75]
- British Standards Institution [7], Hunter [30], Saint-Germain [55], Von Solms [72]
- British Standards Institution [7], Daveiga
and Eloff [16], Eloff and Eloff [19], Hunter [30], IT Governance Institute [33], Myler and Broadbent [46], SaintGermain [55], Stephenson [60], Stephenson [61], Thomson and Von Solms [65], Von Solms [72] British Standards Institution [7], Eloff and Eloff [19], Saint-Germain [55], Williams [77], Walters [75] A company, B company, C company, British Standards Institution [7], Eloff and Eloff [19], IT Governance Institute [33], Saint-Germain [55], Tyson and Bean [67], Walters [75], Williams [77] A company, B company, C company, Saint-Germain [55], Tyson and Bean [67] British Standards Institution [7], IT Governance Institute [33], Tyson and Bean [67], Von Solms [72], Walters [75] B company, C company, British Standards Institution [7], Walters [75] Whether control procedures exist to destroy the backup data Whether the ‘‘prevent abnormal invasion’’ measure exists A169, A229, B26, B50, C175, C191 A44, A187, B43, B158, C28, C38, C91, C141, C215, C231 A company, B company, British Standards Institution [7], Cerullo and Cerullo [10], IT Governance Institute [33], Myler and Broadbent [46], Saint-Germain [55], Stephenson [60], Wilson [78] Whether dedicated personnel responsible for the maintenance of software updates are present Whether regular inspections of hardware daily logs are conducted A74, A80, A188, A238, B96, B139 A company, B company, C company, British Standards Institution [7], IT Governance Institute [33], Wallace et al. 
[74] A75, B39, B80, B141, C20, C101, C139, C140, C177, C190, C204, C232 Whether the software and hardware are regularly maintained A82, A98, A133, A171, A203, A242, A248, B38, B82, B109, B138, C9, C15, C60, C113, C174 A76, A99, A172, A191, A202, A243, A249, B30, B42, B140 A136 A company, British Standards Institution [7], IT Governance Institute [33], Myler and Broadbent [46], Stephenson [61], Von Solms [72], Wilson [78], Walters [75] A company, B company, C company, British Standards Institution [7], Coe [13], Flowerday and Von Solms [22], IT Governance Institute [33], Hunter [30] Volonino and Gessner [71], Von Solms [72], Walters [75] A company, B company, C company, British Standards Institution [7], IT Governance Institute [33] B company Whether records exist for maintenance of and changes to hardware Whether the system software/program update is approved by the MIS department chief Whether records exist to note the maintenance of and changes to software Whether the system software is legal A100, B95, B148, C59, C102 A company, British Standards Institution [7], Coe [13], IT Governance Institute [33], Stephenson [61] A121, A189, A211, A250, A259, B108, B129, B161, C8, C16 A company, B company, C company, British Standards Institution [7], IT Governance Institute [33], Von Solms [72] S.-I. Chang et al. 
/ Information & Management 51 (2014) 187–205 Control over the procurement, use, and maintenance of hardware and system software A3, A52, A59, A69, A70, A81, A166, A233, B34, C4, C127 A86, A101, A111, A112, A131, A164, A167, A178, A186, A244, A247, A251, B44, B81, B151, B167, C11, C92, C156, C189, C205, C228 A88, A168, A245, B152, B170, C93, C159 193 Author's personal copy 194 Table 2 (Continued ) Domain Codes (from open coding) References Whether regular tests are conducted for system recovery procedures in the face of disaster Whether procedures exist to report disasters A89, A113, A116, A180, A253, B105, B106, B153, B168, C12, C88, C157 Whether relevant maintenance records and documents exist in case of abnormal situations A79, A109, A179, B45, B47, B107, B163, C89, C117, C178, C206 A company, B company, C company, British Standards Institution [7], IT Governance Institute [33], Stephenson [60], Tyson and Bean [67], Von Solms [72] A company, B company, C company, British Standards Institution [7], Cerullo and Cerullo [10], Coe [13], Hunter [30], IT Governance Institute [33], SaintGermain [55], She and Thuraisingham [57], Stephenson [60], Tyson and Bean [67], Walters [75] A company, B company, British Standards Institution [7], IT Governance Institute [33], Hunter [30], Stephenson [60], Walters [75] Whether dedicated personnel responsible for reporting procedures are present Whether the reports are pursuant to the regulations Whether backups of the reporting data exist A118, A119, A197, A company, B company A117, A120, A198, A261, A262, B6, C163 A company, B company, C company, British Standards Institution [7], Walters [75] B company Whether system security planning is present A123, A181, A255, B2, B5, B7, B29, B57, B110, B114, B131, C1, C52, C76, C79, C82, C98, C115, C120, C142, C160, C216, C218 Whether dedicated personnel responsible for regular audits of information security exist Whether promotions and training programs targeted at internal staff on 
information security exist B3, B111, B115, B176, C19, C45, C107, C119, C143, C162, C164, C217 Control over the processes of information disclosure on the websites assigned Independent information audit units Control of outsourced operations Whether control procedures on hardware outsourcing exist Whether evaluations of system outsourcing are conducted Whether contracts are signed for system outsourcing Whether relevant control procedures regarding system outsourcing exist A78, A108, A114, A115, A177, A192, A252, B15, B16, B17, B31, B46, B104, B154, B162, C40, C61, C87, C114, C158, C170, C219 A199 A85, A182, A254, A260, B1, B13, B14, B27, B56, B116, B160, C14, C68, C75, C83, C110, C118, C161, C169, C220 A96, A103, A105, A110, A170, A240, B10, B25, B37, C63 B8, B119, B121, B150, C128, C165, C184 B9, B36, B149, C129, C166, C177, C185 A9, A12, A19, A72, A84, A104, A176, B103, B128, C51, C62, C211 B company, C company, British Standards Institution [7], Coe [13], Eloff and Eloff [19], Hunter [30], IT Governance Institute [33], Saint-Germain [55], Stephenson [61], Thomson and Von Solms [65], Von Solms [72], Wilson [78], Walters [75] British Standards Institution [7], Cerullo and Cerullo [10], Hunter [30], IT Governance Institute [33], Saint-Germain [55], Stephenson [60], Von Solms [72], Walters [75], Wilson [78] A company, B company, C company, British Standards Institution [7], Daveiga and Eloff [16], Eloff and Eloff [19], Hunter [30], IT Governance Institute [33], Stephenson [60], Thomson and Von Solms [65], Von Solms [72], Walters [75], Saint-Germain [55] A company, B company, C company, British Standards Institution [7], Coe [13] British Standards Institution [7], Chau [12], IT Governance Institute [33], Walters [75] British Standards Institution [7], Chau [12], IT Governance Institute [33], Walters [75] A company, B company, British Standards Institution [7], Coe [13], IT Governance Institute [33], Marks [43], Walters [75] S.-I. Chang et al. 
/ Information & Management 51 (2014) 187–205 Category System recovery plans/systems and control of testing programs Author's personal copy 195 S.-I. Chang et al. / Information & Management 51 (2014) 187–205 (1) The keywords or the abstracts must have the words ‘‘information security’’ or ‘‘internal control’’; (2) Literature must be related to the information field; and (3) Studies should be published between 2003 and 2007 because numerous financial scandals emerged worldwide primarily after 2002, bringing the issue of internal control to the forefront during this aforementioned period. Consequently, several regulations that required management to assess their enterprise internal controls were proposed, and auditors were also asked to determine whether their client’s internal control assessment reporting was adequate. Therefore, the studies collected in this research are limited to this aforementioned period to investigate what was discussed or explored during this specific time window. Conceptualized results from 30 relevant publications were collected based on the abovementioned criteria. The collected results are shown in Table 1. A detailed analysis was also performed to present a complete and consistent list of internal control items for ERP. The preliminary model was constructed based on the literature review. The entire process was roughly divided into three steps as follows: (1) open coding, (2) axial coding, and (3) selective coding. 4.1. Open coding Open coding was performed for the literature content that satisfied the criteria mentioned above. Section extraction was performed; the sections identified as relevant to the internal controls of the information operations or those that obviously indicate the components of IT control of the information operations are coded. Coding was conducted to classify the studies from A to C. 
The codes derived from IT control for the internal use of companies, from information security organization bylaws, and from the academic literature were classified as A, B, and C, respectively. For example, "C Company – Computerized Information System ICE" includes a section that addresses internal regulations. More specifically, this section states, "going online requires test reports or passing of tests." This description can thus be conceptualized and coded into three factors (i.e., A216 whether test documents exist, A217 whether independent test environments exist, and A218 whether they have been verified by users). A total of 670 concepts were derived through this process. Accurate and complex interpretations were established as particular phenomena. For instance, codes A78, A108, A114, A115, A177, A192, A252, B15, B16, B17, B31, B46, B104, B154, B162, C40, C61, C87, C114, C158, C170, and C219 describe anomalies in the information system, how the information department is contacted and informed, how the information department rules out anomalies, and how information security incidents are addressed. Thus, these codes (concepts) were grouped in the domain of "whether procedures exist to report disasters." Other concepts were translated into domains according to the same rule; 66 domains were established as key internal control issues based on the 670 concepts determined in the open coding process.

4.2. Axial coding

Axial coding is usually conducted after open coding. This stage aims to recompose the distributed data in new ways such that the classifications and sub-classifications become related to one another. The 66 domains of the coded entries were further classified into dimensions. For example, the domains "whether relevant control procedures exist regarding system outsourcing" and "whether contracts are signed for system outsourcing" are related to the control of outsourcing operations and are imperative for managing system outsourcing in an organization.
Therefore, these domains were classified into the dimension of "control of outsourced operations." The results of axial coding are summarized in Table 2.

4.3. Selective coding

Axial coding consolidates complex data and is the foundation of selective coding. Selective coding is conducted to systematically explain a selected core category, verify the relationship of the primary and other classifications, and fill the gaps in the supplements or developments required for individual classifications [64]. Based on the internal controls and the analysis of the relevant literature, 66 key domains that influence the internal control of information systems were identified. The domains integrated through axial coding were re-classified as single key domains in selective coding. For example, the domains "whether anti-virus measures are used" and "whether firewalls are used" were merged into "whether information equipment is protected with security measures," given that both are related to security measures for the information equipment. Subsequently, 51 key domains were established. These domains function as the internal control items.

4.4. Expert questionnaires

Upon the construction of the preliminary internal control items based on the literature, the methodology and validation process developed by Lawshe [37] was adopted. This methodology enabled the collection of opinions from experts with extensive experience in the establishment, maintenance, and auditing of ERP systems. Questionnaires were distributed to gather opinions from experts who are responsible for corporate functions (including internal audit and information), who handle external audits (accounting firms), and who work in partner companies on the introduction of ERP systems. The backgrounds of the participating experts are shown in Table 3.

Table 3 Backgrounds of participating experts.

Group | Type | No. of people | Positions | Average years of service
Experts within companies | Audit | 6 | Senior Auditors (4); Audit Specialists (2) | 14
Experts within companies | IT | 5 | Manager, MIS (1); Assistant Manager, MIS (3); Deputy Project Manager, MIS (1) | 11
Experts outside of companies | Professional firms | 5 | Computer Audit, Manager (1); Computer Audit, Assistant Manager (1); Computer Audit, Assistant VP (1); Audit, Manager (1); Audit, Director (1) | 6
Experts outside of companies | ERP consultants | 2 | Consultants (2) | 7

The control dimensions and items were screened to determine those suitable for the ERP system. Combining theory with actual application is expected to increase the validity, extent, and practicality of this study, thereby achieving the research purpose of constructing internal control for an ERP system. The questionnaires used in this study measure the opinions of the respondents on a five-point ordinal scale: "very important (5)," "important (4)," "neutral (3)," "unimportant (2)," and "very unimportant (1)." Each dimension is semi-open, so that the respondents can provide relevant feedback on the key items related to internal control in the ERP system. A total of 18 experts responded to the questionnaires. Following the methodology and validation process proposed by Lawshe [37], the content validity ratio (CVR) is calculated as CVR = (n − N/2)/(N/2), where n represents the number of experts who rated the item as either "very important" or "important," and N represents the total number of experts. The value of CVR should be greater than 0.43 to meet the targeted requirement. However, this study requires that the CVR be greater than 0.60 before a control item is adopted, to ensure that the control items constructed in this study remain important and feasible for most companies.
Table 4 provides a summary of the questionnaire results, including the statistics from the questionnaires and the calculation of CVR. As described previously, a literature review was conducted and 51 key items were identified for the internal control of ERP systems. Fourteen items were considered unimportant and were deleted after calculating and comparing the CVR values derived from the questionnaires. The remaining 37 control items were generalized and consolidated. The preliminary internal control items were further modified by referring to the suggestions provided by the expert respondents. Table 5 shows the modified internal control framework.

5. Empirical findings on internal control for the ERP system

This section provides a brief description of the practices employed by the case company. The selected company was established in 1996 and is dedicated to the development and manufacture of wireless telecommunication products. The company aspires to become the world leader in wireless telecommunications through research and development (R&D) aimed at improving its technology. Its products are divided into three lines: satellite telecommunications, mobile telecommunications, and wireless network equipment. Through their extensive experience and background in technology, the company's managers keep abreast of the key technologies associated with their product lines as the marketplace changes. The company is thus capable of developing relevant niche products to meet market demand by quickly integrating telecommunication technologies into its product lines. It provides comprehensive wireless and telecommunication products and timely after-sale service to its customers. With its focus on R&D for new technologies and the extensive in-house development of the accompanying software and hardware, the company designs and develops its own products effectively. In fact, the company has achieved its best economies of scale by establishing an increasingly comprehensive product line. As a result, it is capable of maintaining its competitive advantage in the wireless telecommunications industry.

The computer auditors working for the company's accountant were invited to participate in this study. Interviews were also conducted to study the company's actual operations, collecting the current internal control information as primary data. The company was asked to provide secondary data (i.e., relevant operation documents and files) for the analysis and synthesis of the research findings. Table 6 summarizes the background of all of the interviewees.

A select group of public companies that had introduced ERP systems was filtered for the case study. The company targeted for interview is engaged in the R&D and manufacture of wireless telecommunication products. The company replaced its Baan computer system with an Oracle ERP system in 2006. The interviewees comprised an internal auditing supervisor who facilitates the two different ERP systems, an assistant manager in the MIS Department who maintains and deploys these two systems, and a computer auditing manager who works for the accounting firm that audits the company's information system. These three individuals are responsible for the ERP audit, and all three have relevant experience and background in the auditing and maintenance of ERP systems. A case study on a public company using the obtained audited financial reports was conducted. A manufacturing firm similar to this telecommunications company can be regarded as a representative case for companies in other industries. For this reason, this case result can be employed and justified as a rationale for the use of a single case [79].

Specifically, the case study protocol was developed in the preparation step. Primary data about the actual operations of the company were gathered on-site in the collection step, while secondary data were utilized to address the main objectives of this research. Further, data were gathered, analyzed, and collated prior to conducting the interviews with personnel who are experts in IT control and have worked with the independent accounting firm that maintains a relationship with the company selected for the case study. The feasibility of the internal control items applied in the planning of the ERP system was evaluated in the analysis and sharing steps. Finally, the results and findings were presented. The control items and information auditing of the ERP system in the case company were reviewed, and the feasibility of using the control items constructed for the company was evaluated.

5.1. Practices within the case company

Two auditors are employed in the audit department of the case company. Their tasks include inspecting domestic and overseas affiliates in the same group. In addition to adjusting the internal control framework originally based on the "eight major cycles," the two auditors also perform internal audits and execute special projects assigned by their supervisors, because these tasks are part of their job description. In auditing ERP systems, the focus is on soft control. The company's MIS department has established a division called "ERP System Services." All seven employees in this division are responsible for the maintenance of the ERP system. Their major responsibilities include maintaining the normal operation of the system, solving all problems raised by users, and meeting the operational demands of users. As ERP system audits, these employees perform ordinary control tests and passive checks on requests from the auditing department.

5.2. Control items within the case company

The current audit checklist for ERP systems was originally based on the control items listed by the company headquarters.
The checklist was later modified in accordance with the actual situations experienced by the company. The key control items comply with the criteria set by the authority. However, these control items are not fixed and are regularly reviewed for appropriateness.

Table 4 Questionnaire analysis.

Columns: CVR by expert type (CPA firm; MIS; Audit; ERP consultant); CVR, all experts; screen result; CVR by group (external experts; internal experts); perception difference between groups. Negative CVR values are shown with a minus sign.

No. | Control item | CVR, CPA firm | CVR, MIS | CVR, Audit | CVR, ERP consultant | CVR, all experts | Screen result | CVR, external experts | CVR, internal experts | Perception difference between groups

Dimension: Definition of functions and responsibilities in the data processing department
1 | Whether clear definitions exist for the responsibilities of maintenance personnel in the MIS department | 1.00 | 1.00 | 1.00 | 1.00 | 1.00 | Yes | 1.00 | 1.00 | No
2 | Whether application procedures for the system accounts (authorization) exist | 1.00 | 0.60 | 1.00 | 1.00 | 0.89 | Yes | 1.00 | 0.82 | No
3 | Whether accounts are canceled after employees leave | 0.60 | 0.60 | 1.00 | 1.00 | 0.78 | Yes | 0.71 | 0.82 | No
4 | Whether user authorization is continuously reviewed | 1.00 | 0.20 | 1.00 | 0.00 | 0.67 | Yes | 0.71 | 0.64 | No
5 | Whether a dedicated team responsible for the maintenance of the hardware and software of the system exists | −0.20 | 1.00 | 0.67 | 1.00 | 0.56 | No | 0.14 | 0.82 | Yes

Dimension: System development and control over program modifications
1 | Whether application procedures are present for requests to modify system programs | 1.00 | 1.00 | 1.00 | 1.00 | 1.00 | Yes | 1.00 | 1.00 | No
2 | Whether modification specifications are confirmed by the MIS department and the department that submits the request | 1.00 | 1.00 | 0.67 | 1.00 | 0.89 | Yes | 1.00 | 0.82 | No
3 | Whether SA and SD program documents relevant to the modifications exist | 0.60 | 1.00 | 1.00 | 0.00 | 0.78 | Yes | 0.43 | 1.00 | Yes
4 | Whether independent environments for development and tests exist | 1.00 | 1.00 | 1.00 | 1.00 | 1.00 | Yes | 1.00 | 1.00 | No
5 | Whether relevant test documents and records on program developments are present | 0.20 | 0.60 | 0.67 | 0.00 | 0.44 | No | 0.14 | 0.64 | Yes
6 | Whether updated (newly added) programs are assessed by users | 1.00 | 1.00 | 1.00 | 1.00 | 1.00 | Yes | 1.00 | 1.00 | No
7 | Whether relevant control measures for changes in system flows are present | 0.60 | 1.00 | 1.00 | 1.00 | 0.89 | Yes | 0.71 | 1.00 | No

Dimension: Control over the compilation of system documents
1 | Whether coding management is executed on the documents in relation to program modifications (updates) | 0.60 | 0.60 | 0.00 | 0.00 | 0.33 | No | 0.43 | 0.27 | No
2 | Whether documents are updated and modified by version after the modifications (additions) of programs | 1.00 | 1.00 | 1.00 | 0.00 | 0.89 | Yes | 0.71 | 1.00 | No
3 | Whether dedicated personnel safeguarding the documents in relation to the systems are present | −0.20 | 1.00 | 0.67 | −1.00 | 0.33 | No | −0.43 | 0.82 | Yes
4 | Whether only certain personnel can access (modify) the documents in relation to the system programs or the original library | 0.20 | 0.60 | 1.00 | 0.00 | 0.56 | No | 0.14 | 0.82 | Yes

Dimension: Access control of programs and data
1 | Whether password controls exist | 1.00 | 1.00 | 1.00 | 1.00 | 1.00 | Yes | 1.00 | 1.00 | No
2 | Whether different access authorizations pursuant to the nature of the users exist | 1.00 | 1.00 | 1.00 | 1.00 | 1.00 | Yes | 1.00 | 1.00 | No
3 | Whether the transfer of external data into the system has undergone verification by the relevant programs | 1.00 | 1.00 | 1.00 | 0.00 | 0.89 | Yes | 0.71 | 1.00 | No
4 | Whether control exists over remote access to the system mainframes | 0.60 | 1.00 | 1.00 | 1.00 | 0.89 | Yes | 0.71 | 1.00 | No
5 | Whether dedicated personnel responsible for the maintenance of the system databases are present | 1.00 | 1.00 | 0.67 | 1.00 | 0.89 | Yes | 1.00 | 0.82 | No

Dimension: Control of data inputs and outputs
1 | Whether original documents for input data exist | 1.00 | 0.60 | 1.00 | 0.00 | 0.78 | Yes | 0.71 | 0.82 | No
2 | Whether numbering of the documents generated by the system is present | 0.60 | 1.00 | 1.00 | 1.00 | 0.89 | Yes | 0.71 | 1.00 | No
3 | Whether verification procedures for the data input/output interface exist | 0.60 | 0.60 | 1.00 | 0.00 | 0.67 | Yes | 0.43 | 0.82 | Yes
4 | Whether appropriate control measures are present for the output of confidential data | −0.20 | 1.00 | 1.00 | 1.00 | 0.67 | Yes | 0.14 | 1.00 | Yes
5 | Whether records on any changes in data additions (modifications) exist | 0.60 | 1.00 | 1.00 | 1.00 | 0.89 | Yes | 0.71 | 1.00 | No

Dimension: Control of data processing
1 | Whether relevant flows exist to manage the changes in data modification | 0.60 | 1.00 | 1.00 | 1.00 | 0.89 | Yes | 0.71 | 1.00 | No
2 | Whether data are regularly backed up | 0.20 | 1.00 | 1.00 | 1.00 | 0.78 | Yes | 0.43 | 1.00 | Yes
3 | Whether backup data are supported by another location | 0.20 | 0.60 | 1.00 | 1.00 | 0.67 | Yes | 0.43 | 0.82 | Yes

Dimension: Security control of files and equipment
1 | Whether information equipment is listed and managed | −0.60 | 0.60 | 0.67 | 0.00 | 0.22 | No | −0.43 | 0.64 | Yes
2 | Whether information equipment is protected with security measures | 0.60 | 1.00 | 1.00 | 1.00 | 0.89 | Yes | 0.71 | 1.00 | No
3 | Whether access control over facility rooms exists | 0.20 | 1.00 | 1.00 | 1.00 | 0.78 | Yes | 0.43 | 1.00 | Yes
4 | Whether facility rooms are protected with security measures | −0.20 | 1.00 | 1.00 | 1.00 | 0.67 | Yes | 0.14 | 1.00 | Yes
5 | Whether control procedures exist to destroy backup data | −0.20 | 0.60 | 1.00 | 1.00 | 0.56 | Yes | 0.14 | 0.82 | Yes

Dimension: Control over the procurement, use, and maintenance of hardware and system software
1 | Whether dedicated personnel responsible for the maintenance of software updates are present | 0.20 | 1.00 | 0.33 | 0.00 | 0.44 | No | 0.14 | 0.64 | Yes
2 | Whether regular inspections of hardware daily logs are conducted | −0.20 | 1.00 | 0.67 | 1.00 | 0.56 | No | 0.14 | 0.82 | Yes
3 | Whether the software and hardware are regularly maintained | −0.20 | 1.00 | 0.33 | 1.00 | 0.44 | No | 0.14 | 0.64 | Yes
4 | Whether records to note the maintenance of and changes to hardware and software are present | −0.60 | 1.00 | 0.67 | 1.00 | 0.44 | No | −0.14 | 0.82 | Yes
5 | Whether the system software is legal | 0.20 | 1.00 | 1.00 | 1.00 | 0.78 | Yes | 0.43 | 1.00 | Yes

Dimension: System recovery plans/systems and control of testing programs
1 | Whether regular tests on system recovery procedures in the face of disaster are conducted | 0.20 | 1.00 | 0.67 | 1.00 | 0.67 | Yes | 0.43 | 0.82 | Yes
2 | Whether procedures to report disasters exist | −0.60 | 1.00 | 0.67 | 1.00 | 0.44 | No | −0.14 | 0.82 | Yes
3 | Whether relevant maintenance records and documents exist in case of abnormal situations | 0.20 | 1.00 | 1.00 | 0.00 | 0.67 | Yes | 0.14 | 1.00 | Yes

Dimension: Control over the processes of information disclosure on the assigned websites
1 | Whether dedicated personnel responsible for reporting procedures exist | 0.20 | 1.00 | 1.00 | 1.00 | 0.78 | Yes | 0.43 | 1.00 | Yes
2 | Whether reports are pursuant to the regulations | 0.60 | 1.00 | 1.00 | 1.00 | 0.89 | Yes | 0.71 | 1.00 | No
3 | Whether backups of the reporting data exist | 0.20 | 1.00 | 0.67 | 1.00 | 0.67 | Yes | 0.43 | 0.82 | Yes

Dimension: Independent information audit units
1 | Whether system security planning exists | 0.20 | 1.00 | 0.67 | 0.00 | 0.56 | No | 0.14 | 0.82 | Yes
2 | Whether dedicated personnel responsible for regular audits on information security are present | 0.60 | 0.60 | 1.00 | 1.00 | 0.78 | Yes | 0.71 | 0.82 | No
3 | Whether promotions and training programs targeted at internal staff on information security exist | −0.20 | 0.60 | 0.67 | 0.00 | 0.33 | No | −0.14 | 0.64 | Yes

Dimension: Control of outsourced operations
1 | Whether relevant control procedures regarding system outsourcing exist | 0.60 | 0.60 | 0.67 | 1.00 | 0.67 | Yes | 0.71 | 0.64 | No
2 | Whether evaluations of system outsourcing are present | 0.20 | 0.60 | 0.67 | 1.00 | 0.56 | No | 0.43 | 0.64 | Yes
3 | Whether contracts are signed for system outsourcing | 0.60 | 0.60 | 1.00 | 1.00 | 0.78 | Yes | 0.71 | 0.82 | No

Table 5 Modified internal control framework.
Dimension: Definition of functions and responsibilities in the data processing department
  Whether clear definitions exist for the responsibilities of maintenance personnel in the MIS department
  Whether application procedures exist for system accounts (authorization)
  Whether accounts are canceled after employees leave
  Whether user authorization is continuously reviewed

Dimension: System development and control over program modifications
  Whether application procedures exist for requests to modify system programs
  Whether modification specifications are confirmed by the MIS department and the department that submits the request
  Whether SA and SD program documents relevant to the modifications exist
  Whether independent environments for development and tests exist
  Whether updated (newly added) programs are assessed by users
  Whether relevant control measures for changes in system flows exist

Dimension: Control over the compilation of system documents
  Whether the documents are updated and modified by version after the modifications (additions) of programs

Dimension: Access control of programs and data
  Whether password controls exist
  Whether different access authorizations pursuant to the nature of the users exist
  Whether the transfer of external data into the system has undergone verification by the relevant programs
  Whether control exists over remote access to the system mainframes
  Whether dedicated personnel responsible for the maintenance of the system databases exist

Dimension: Control of data inputs and outputs
  Whether original documents for input data are present
  Whether numbering of the documents generated by the system is present
  Whether verification procedures for the data input/output interface exist
  Whether appropriate control measures are present for the output of confidential data
  Whether records for any changes in data additions (modifications) exist

Dimension: Control of data processing
  Whether relevant flows exist to manage the changes in data modification
  Whether data are regularly backed up
  Whether backup data are supported by another location

Dimension: Security control of files and equipment
  Whether information equipment is protected with security measures
  Whether access control over facility rooms is present
  Whether facility rooms are protected with security measures
  Whether control procedures to destroy backup data exist

Dimension: Control over the procurement, use, and maintenance of hardware and system software
  Whether the system software is legal

Dimension: System recovery plans/systems and control of testing programs
  Whether regular tests on system recovery procedures in the face of disaster are conducted
  Whether relevant maintenance records and documents exist in case of abnormal situations

Dimension: Control over the processes of information disclosure on the assigned websites
  Whether dedicated personnel responsible for reporting procedures are present
  Whether reports are pursuant to the regulations
  Whether backups of reporting data exist

Dimension: Independent information audit units
  Whether dedicated personnel responsible for regular audits on information security exist

Dimension: Control of outsourced operations
  Whether relevant control procedures regarding system outsourcing exist
  Whether contracts are signed for system outsourcing

Director Chen said, "After the introduction of the new Oracle ERP system in 2006, the company conducted timely adjustments to ascertain control items."

5.3. Information auditing of the ERP system

The internal auditors of the case company focus their audit on soft control items in the ERP system such as accounts, passwords, authorization, and remote access. The auditors are only equipped to perform soft audits. Other forms of audit are delegated to the MIS department, and the internal auditors perform these tasks through collaborative procedures. The definition of the items pertaining to overall control is modified by referring to previous audit records. For example, each audit is performed on a regular basis (i.e., once a year) to minimize risk. However, the items with poor records have a high-risk profile and are therefore analyzed under strict standards (i.e., audited quarterly or every semester). Given that financial reports are generated by the company's ERP system, the reporting accounts must be spot-checked as a form of internal control to reduce confirmatory audit risks.

The computer audit personnel of the accounting firm check the system setups and the ordinary control measures of the company. Manager Li said, "Basically, auditing for the ERP system within the company is mainly focused on general and basic checking of the Oracle ERP architecture in the UNIX operating system, Oracle database, and network. These are the critical points of our audit." If the audit results indicate that the internal control of a company is appropriate, then the accountants may reduce the required number of spot-checking procedures. Auditing procedures should be modified on a timely basis in accordance with the actual demands of companies. The company under study was able to amend the system faults and failures pointed out by its external auditors. This review process should be performed continuously to establish a robust internal control structure.

Table 6 Background of the interviewees.

Case study | Function | Title | Interviewee | Experience
Company | Audit room | Audit supervisor | Director Chen | Six years in the audit department of the company; eight years of audit experience
Company | MIS | Assistant manager | Assistant Manager Lin | More than four years of experience in the introduction and maintenance of the ERP system utilized by the company
Reporting accounting firm | Information risk management and services | Manager | Manager Li |
The difficulties encountered by the company’s ERP system auditors are caused by lack of IT training. Consequently, the company can focus only on software controls. With regard to other forms of audit, the auditors remain dependent on the MIS department for effectiveness. However, despite the IT knowledge of the personnel in the MIS department, these MIS personnel cannot perform audits effectively owing to control issues posed by individuals, control measure requirements, and related auditing concepts. External auditors continue to believe that most companies do not have any personnel dedicated to computer audits. Manager Li said, ‘‘Currently, the competent authority or relevant institutions are not certified with regard to computer audits. In addition, most auditors claim they lack sufficient IT training. Given the limited computer audit talents, very few companies have established a stable computer audit department.’’ In sum, the challenges involving ERP systems include whether auditors can clearly understand the operational flows of the company and its overall information system environment to effectively manage both the behavioral risks caused by human factors and the technical risks integrated in a system. For auditors who do not have expertise in both audit (accounting) and IT, the auditing processes in an ERP environment pose imminent obstacles and challenges. 5.4. Understanding the feasibility of the control items Both interviewees concurred that the control items constructed in this study meet most of the requirements. However, a suitable list of control items should consider the infrastructure of the company, including the company scale and number of MIS employees. These considerations are important because individual control points have important roles in legacy information architecture. 
Accordingly, a number of control items cannot completely meet the specifications of the company under study owing to limitations in identifying infrastructure concepts such as whether the responsibilities of MIS personnel are clearly defined. Assistant Manager Lin said, ‘‘This proposed framework seems suitable for my company, but the premise must consider the company’s structure. For example, the company did not do well in distinguishing the responsibilities of IT personnel. The main reason is due to the lack of manpower and information unit personnel. Therefore, some control items within this proposed framework may be excluded. Nevertheless, the framework is still useful for my company.’’ The case company suggested that several control items be transformed to attainable targets in the future. The interviewees were requested to state their opinions regarding the appropriateness and importance of the control More than six years of experience in computer audit; served more than 200 companies items to understand the feasibility of the proposed framework. Table 7 provides a summary of the company’s evaluation of the control items constructed in this study. The list shows that the MIS department is particularly focused on ‘‘system development and control over program modifications’’ and ‘‘access control of programs and data,’’ further proving that the list is applicable and can thus serve as future reference. 
With respect to the dimension “system development and control over program modifications,” Assistant Manager Lin said, “If the MIS department could manage developed or modified system programs effectively, it could help improve the credibility of information and the preciseness of data.” Both interviewees presented their views on the dimension “access control of programs and data.” Director Chen said, “Because of the critical nature of the data and programs within the company, appropriate control strategies and controls should be set for IT systems through access control policies. Only authorized users should be provided access to information system assets.” Assistant Manager Lin said, “The current system login in the company is appropriately controlled by access control procedures such as passwords. This form of logical access control over information is primarily required within the company to protect information against acts such as unauthorized creation and modification as well as inadvertent errors.” With respect to the audit of the control items, the auditors believe that, in principle, general audits should be conducted annually. However, several dimensions such as “access control of programs and data” require timely system auditing procedures. Jointly auditing these dimensions and those for the eight-cycle operations is sometimes necessary. Auditing in such situations is conducted not only annually but also promptly in conjunction with other procedures. The external auditors believe that the current self-control mechanisms of the company’s internal IT department involve two dimensions (“system development and control over program modifications” and “access control of programs and data”) which should be audited internally at least quarterly. The other dimensions may be audited every six months, depending on the impact of the audit on company processes.
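The access-control items discussed above (accounts canceled after employees leave, user authorization continuously reviewed, different access authorizations by user type, password controls) are the ones an internal auditor can check mechanically by reconciling an ERP account export against the HR roster and an approved role matrix. The following is an added example and is not code from the paper or from the case company’s Oracle ERP; the roster, the account list, the role names, the separation-of-duties pairs and the 90-day password threshold are all constructed for illustration.

```python
"""Periodic user-access review for an ERP system.

Added example, not code from the paper or from the case company's
Oracle ERP. It implements the checks behind four control items in the
"definition of functions and responsibilities" and "access control of
programs and data" dimensions: accounts canceled after employees leave,
user authorization continuously reviewed, different access
authorizations by user type, and password controls. All input data,
role names and thresholds below are constructed/hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    emp_id: str
    department: str
    terminated: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Account:
    user: str
    emp_id: Optional[str]       # None when HR has no record of an owner
    active: bool
    roles: FrozenSet[str]
    last_password_change: date


# Hypothetical role matrix: roles each department may legitimately hold.
ALLOWED_ROLES = {
    "Finance": frozenset({"AP_CLERK", "AP_APPROVER", "GL_POSTING"}),
    "MIS": frozenset({"SYS_ADMIN", "DBA"}),
    "Sales": frozenset({"ORDER_ENTRY"}),
}
# Hypothetical separation-of-duties rules: pairs that must never coexist.
TOXIC_PAIRS = (
    frozenset({"AP_CLERK", "AP_APPROVER"}),   # enter and approve invoices
    frozenset({"SYS_ADMIN", "GL_POSTING"}),   # administer system and post to GL
)
PASSWORD_MAX_AGE_DAYS = 90

Finding = Tuple[str, str, str]  # (user, finding code, detail)


def review_access(employees: List[Employee], accounts: List[Account],
                  as_of: date) -> List[Finding]:
    """Reconcile active ERP accounts against the HR roster and role matrix."""
    roster = {e.emp_id: e for e in employees}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.active:
            continue  # a disabled account is the desired end state for a leaver
        owner = roster.get(acct.emp_id) if acct.emp_id else None
        if owner is None:
            findings.append((acct.user, "ORPHAN", "active account with no HR owner"))
            continue
        if owner.terminated is not None and owner.terminated <= as_of:
            findings.append((acct.user, "LEAVER",
                             f"owner {owner.emp_id} left on {owner.terminated}"))
        allowed = ALLOWED_ROLES.get(owner.department, frozenset())
        for role in sorted(acct.roles - allowed):
            findings.append((acct.user, "EXCESS_ROLE",
                             f"{role} is not allowed for {owner.department}"))
        for pair in TOXIC_PAIRS:
            if pair <= acct.roles:
                findings.append((acct.user, "SOD", "+".join(sorted(pair))))
        age = (as_of - acct.last_password_change).days
        if age > PASSWORD_MAX_AGE_DAYS:
            findings.append((acct.user, "STALE_PASSWORD",
                             f"password unchanged for {age} days"))
    return findings


# Constructed sample data for a review dated 1 March 2014.
AS_OF = date(2014, 3, 1)
EMPLOYEES = [
    Employee("E001", "Finance", None),
    Employee("E002", "Finance", date(2014, 1, 15)),   # left; account still active
    Employee("E003", "MIS", None),
    Employee("E004", "Sales", None),
    Employee("E005", "Finance", None),
]
ACCOUNTS = [
    Account("alice", "E001", True, frozenset({"AP_CLERK"}), date(2014, 2, 1)),
    Account("bob", "E002", True, frozenset({"GL_POSTING"}), date(2013, 11, 1)),
    Account("carol", "E003", True, frozenset({"SYS_ADMIN", "GL_POSTING"}), date(2014, 1, 5)),
    Account("dave", None, True, frozenset({"ORDER_ENTRY"}), date(2014, 2, 20)),
    Account("erin", "E004", True, frozenset({"ORDER_ENTRY"}), date(2014, 1, 10)),
    Account("frank", "E002", False, frozenset({"AP_CLERK"}), date(2013, 6, 1)),
    Account("gina", "E005", True, frozenset({"AP_CLERK", "AP_APPROVER"}), date(2014, 2, 15)),
]

if __name__ == "__main__":
    for user, code, detail in review_access(EMPLOYEES, ACCOUNTS, AS_OF):
        print(f"{user:8} {code:15} {detail}")
```

Run quarterly, as the external auditors suggest for this dimension, the script turns the checklist questions into a reproducible list of exceptions: a leaver whose account was never disabled, an account nobody in HR owns, a role that the owner’s department should not hold, a toxic role combination, and a stale password. The account export and roster would come from the ERP and HR systems in practice; the reconciliation logic does not depend on which product produces them.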
The interviewees in the case study agreed that the constructed control items could effectively assist the company in the audit and control of its ERP system. Director Chen said, “This proposed framework is great and comprehensive. A few control items are not available in the company at the moment, and this framework can be utilized to adjust the present version of the company.”

Table 7 Appropriateness and importance of control items.
Columns: Audit dimensions; Control items; Appropriateness (Yes / No); Importance (High / Medium / Low). § Director Chen; } Assistant Manager Lin.

Definition of functions and responsibilities in the data processing department
  - Whether clear definitions exist for the responsibilities of maintenance personnel in the MIS department
  - Whether application procedures for system accounts (authorization) exist
  - Whether accounts are canceled after employees leave
  - Whether user authorization is continuously reviewed

System development and control over program modifications
  - Whether application procedures for requests to modify system programs exist
  - Whether modification specifications are confirmed by the MIS department and the department that submitted the request
  - Whether SA and SD program documents relevant to the modifications exist
  - Whether independent environments for development and tests exist
  - Whether updated (newly added) programs are assessed by users

Control over the compilation of system documents
  - Whether the documents are updated and modified by version after the modifications (additions) of programs

Access control of programs and data
  - Whether password controls exist
  - Whether different access authorizations pursuant to the nature of the users exist
  - Whether the transfer of external data into the system has undergone verification by the relevant programs
  - Whether control exists over remote access to the system mainframes
  - Whether dedicated personnel responsible for the maintenance of the system databases exist

Control of data inputs and outputs
  - Whether original documents for input data are available
  - Whether numbering of the documents generated by the system is available
  - Whether records for changes in data additions (modifications) are available

Control of data processing
  - Whether relevant flows to manage the changes in data modification exist
  - Whether data are regularly backed up
  - Whether backup data are supported by another location

Security control of files and equipment
  - Whether information equipment is protected with security measures
  - Whether access control over facility rooms exists
  - Whether the facility rooms are protected with security measures
  - Whether control procedures are available to destroy backup data

Control over the procurement, use, and maintenance of hardware and software systems
  - Whether the system software is legal

System recovery plans/systems and control of testing programs
  - Whether regular tests are conducted for system recovery procedures in the face of disaster
  - Whether relevant maintenance records and documents are available in case of abnormal situations

Control over the processes of information disclosure on the assigned websites
  - Whether dedicated personnel responsible for reporting procedures exist
  - Whether reports are pursuant to the regulations
  - Whether backups of the reporting data exist

Independent information audit units
  - Whether dedicated personnel responsible for regular audits on information security exist

Control of outsourced operations
  - Whether relevant control procedures regarding system outsourcing are available
  - Whether contracts are signed for system outsourcing

5.5. Discussion of findings

As per the earlier discussion, several findings are rather interesting. In general, an internal control framework for ERP already existed in the case company that could help the relevant personnel effectively manage and track the outcomes of IT control. The proposed framework is relatively rigorous and complete, and its logic is readily accepted. Although some control items are not suitable for the case company, the proposed framework can be used repeatedly to adjust and improve the present version. According to the results of our case study, IT general control has been reasonably emphasized because it supports the resulting application processing. However, different industries and company sizes may provide different perspectives when determining the priority of control items. For instance, small companies often use the Microsoft Office software package to handle business processing, in which case some of the control items within the proposed framework may need to be amended. Nonetheless, the proposed framework can still greatly assist the case company in executing IT control and performing IT governance.

6. Conclusions

Given that ERP systems are widely utilized in many organizations, the relevant information on security and internal controls must be continuously prioritized.
Stakeholders wish to feel confident that internal control within the organization is executed effectively to reduce the possibility of business failure or fraudulent financial reporting [38]. However, improper management of control procedures in the computer environment of a company may result in significant financial reporting errors and financial losses. Thus, this study developed an ERP internal control framework to assist stakeholders in verifying the effectiveness of their respective companies’ internal control mechanisms. Literature on IT controls for internal use in companies, the standards and guidelines of various information security organizations, and academic studies were reviewed. Open, axial, and selective coding were performed to finalize the 51 key items associated with ERP internal control. Questionnaires were administered to confirm whether these items are suitable for and essential to the ERP system. Of the 51 control items, only 37 were retained in the preliminary model. A case study was then conducted to verify the feasibility of the proposed framework.

Our findings have several implications for future research. The internal control matrix could be regarded as a common method of representing internal controls for specific business processes within the SOX audit environment, which includes internal control objectives [24]. Only a few studies have developed a structured, systematic approach that stakeholders can utilize. The proposed framework was derived from several rigorous methods and contains the necessary control dimensions and items that can be utilized for ERP control and the improvement of IT governance. Compared with previous studies on internal control frameworks, including Jo et al. [34] and Lin et al. [40], the case study approach has been recommended for this stream of research simply because of the need for detailed and contextual information from the entity’s stakeholders. Further, the extant research used experts from CPA firms as research subjects; this study recruited several participants from the case company to share their views. Because this study included application controls to broaden the IT control domain, the outcome may complement the work of Huang et al. [29], which focuses only on IT general controls. A previous study indicated that existing internal control frameworks do not consider important control aspects such as the environment outside the organization [66]. The dimension “control of outsourced operations” in the proposed framework strengthens the ERP internal control points. A few empirical studies have examined IT control weakness and IT operational risk [5,36,39]. The study of Li et al. [39] provided empirical evidence regarding IT-related material weakness based on internal and external governance. Further, Klamm and Watson [36] examined IT material weakness based on the internal control-integrated framework proposed by COSO. In summary, the proposed framework may be utilized to assess ERP control.

The proposed framework can also be applied in the external auditing profession. External auditors can use this framework to communicate logically with their clients. The responsibility of certified public accountants to attest to the effectiveness of their clients’ internal control systems is clearly regulated. An auditor in an IT environment must have a good understanding of internal control. If an auditor does not have a proper understanding of this concept, the audit work may incur many uncertainties and risks. From the perspective of a business entity, acquiring effective internal control is a complex task. However, internal control can be facilitated and maintained if a proper framework is adopted. The proposed framework is a supplement to the COSO framework [15]. This comprehensive framework facilitates the construction of detailed controls for ERP systems.

Among the 12 dimensions constructed in this study, only the dimension “access control of programs and data” was unanimously recognized by all interviewees as an important criterion in information risk management. This finding is similar to that of Wallace et al. [73], supporting the view that access control is the most common and highest-priority control in practice. When an entity establishes proper access control, the probability of an attacker obtaining unauthorized system access decreases [59]. However, most of the items in the proposed framework were regarded as moderately important. The listed company under study should therefore exercise compliance, and its stakeholders should assume more responsibility for protecting the information system. This result is consistent with the results of Wallace et al. [73]. With the proposed framework, which includes comprehensive control dimensions and items, internal auditors and MIS department chiefs can verify the effectiveness of internal control through a complete mechanism and thereby comply with government regulations. In other words, internal auditors and MIS department chiefs can develop their relationship and communicate the effectiveness of internal control by referring to the proposed framework. According to Wallace et al. [73], a good relationship between an organization’s internal auditors and MIS department chiefs helps the organization comply with IT-related internal control requirements. Several control items are considered high-priority items. Stakeholders should perhaps prioritize high-risk control points. This process not only enhances audit efficiency but also makes weaknesses in internal control easier to identify. Companies must consider the limitations inherent in their infrastructures in terms of internal control management to determine the most important control points [58]. These recommended improvements can enable companies to build robust auditing structures. Small and medium-sized enterprises (SMEs) need to implement information systems in their operations to cooperate with large firms. Most large firms ask to review and audit downstream SMEs to ensure system security. SMEs may therefore consider the proposed framework and adjust several control items according to their own characteristics to determine their IT control weaknesses in advance.

The present study has limitations. Thirty relevant studies were selected and reviewed to construct the ERP system internal control framework. This study did not prove that the coding process reached saturation; other control items might have been missed. Furthermore, despite recruiting 18 qualified experts to confirm the control items derived from the literature review, other experts might have concluded otherwise. Another limitation of this study is external validity. The explanatory power of this study may be limited because it adopts the single-case method. The proposed framework with its control items is generic in nature. In other words, it could be applied to the majority of entities regardless of their size or industry. Industries with higher security requirements for their IT environment (e.g., the banking sector) will be able to expand this framework and add new control dimensions and items to provide additional insights into this subject area.

Several future research avenues are discussed as follows. First, given the increasing number of published studies on ERP internal control, follow-up research could analyze this stream of studies to add control items and refine the proposed framework. Second, several control items in the proposed framework may be extended to other systems, organizations (e.g., government agencies), and industries. Future studies could examine the usefulness and feasibility of the proposed framework in those settings.
References

[1] American Institute of Certified Public Accountants (AICPA), Audit Risk and Materiality in Conducting an Audit, SAS No. 47, AICPA, New York, 1983.
[2] American Institute of Certified Public Accountants (AICPA), The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit, SAS No. 94, AICPA, New York, 2001.
[3] H. Ashbaugh-Skaife, The effect of SOX internal control deficiencies on firm risk and cost of equity, Journal of Accounting Research 47 (1), 2009, pp. 1–43.
[4] J.C. Bedard, L.E. Graham, The effects of decision aid orientation on risk factor identification and audit test planning, Auditing 21 (2), 2002, pp. 39–65.
[5] M. Benaroch, A. Chernobai, J. Goldstein, An internal control perspective on the market value consequences of IT operational risk events, International Journal of Accounting Information Systems 13 (4), 2012, pp. 357–381.
[6] J. Brazel, L. Dang, The effect of ERP system implementations on the management of earnings and earnings release dates, Journal of Information Systems 22 (2), 2008, pp. 1–21.
[7] British Standards Institution (BSI), Information Security Management – Part 2: Specification for Information Security Management Systems, British Standards Institution, London, 2002.
[8] W. Brown, F. Nasuti, Sarbanes–Oxley and enterprise security: IT governance – what it takes to get the job done, Security Management Practices 14 (5), 2002, pp. 15–28.
[9] L. Calabro, Looking under the hood, CFO 20 (6), 2004, pp. 97–98.
[10] V. Cerullo, M.J. Cerullo, Business continuity planning: a comprehensive approach, Information Systems Management 21 (3), 2004, pp. 70–78.
[11] S.I. Chang, G.G. Gable, A comparative analysis of major ERP lifecycle implementation, management and support issues in Queensland government, Journal of Global Information Management 10 (3), 2002, pp. 36–54.
[12] J. Chau, Application security – it all starts from here, Computer Fraud & Security 2006 (6), 2006, pp. 7–9.
[13] M. Coe, Trust services: a better way to evaluate IT controls, Journal of Accountancy 199 (3), 2005, pp. 69–75.
[14] J.L. Colbert, P.L. Bowen, A comparison of internal controls: COBIT, SAC, COSO, and SAS 55/78, IS Audit and Control Journal 4, 1996, pp. 26–35.
[15] Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control – Integrated Framework, AICPA, New York, 1992.
[16] A. Da Veiga, J.H.P. Eloff, An information security governance framework, Information Systems Management 24 (4), 2007, pp. 361–372.
[17] G. Dhillon, Principles of Information System Security: Text and Cases, John Wiley and Sons, New Jersey, 2007.
[18] D. Durfee, The 411 on 404: Reporting a material weakness in controls can cost shareholders millions and some CFOs their jobs, CFO Magazine, 2005.
[19] J.H.P. Eloff, M.M. Eloff, Information security architecture, Computer Fraud & Security 2005 (11), 2005, pp. 10–16.
[20] Ernst & Young, Preparing for Internal Control Reporting: A Guide for Management’s Assessment Under Section 404 of the Sarbanes–Oxley Act, Ernst & Young LLP, 2002.
[21] S. Flowerday, R. Von Solms, Continuous auditing: verifying information integrity and providing assurances for financial reports, Computer Fraud & Security 2005 (7), 2005, pp. 12–16.
[22] S. Flowerday, R. Von Solms, Real-time information integrity = system integrity + data integrity + continuous assurance, Computers and Security 24 (8), 2005, pp. 604–613.
[23] C. Fox, P.C. Zonneveld, IT Control Objectives for Sarbanes–Oxley: The Importance of IT in the Design, Implementation and Sustainability of Internal Control over Disclosure and Financial Reporting, IT Governance Institute, Illinois, 2003.
[24] U.J. Gelinas Jr., R.B. Dull, Accounting Information Systems, 7th ed., Thomson South-Western, Mason, OH, 2008.
[25] S. Glover, D. Prawitt, M. Romney, Implementing ERP, Internal Auditor 56 (1), 1999, pp. 40–47.
[26] S. Goel, H.A. Shawky, Estimating the market impact of security breach announcements on firm values, Information & Management 46 (7), 2009, pp. 404–410.
[27] L.A. Gordon, M.P. Loeb, W. Lucyshyn, R. Richardson, CSI/FBI Computer Crime and Security Survey, Computer Security Institute, 2005. Available at: www.gocsi.com.
[28] M. Gorge, USB and other portable storage device usage: be aware of the risks to your corporate data in order to take pre-emptive and/or corrective action, Computer Fraud & Security 2005 (8), 2005, pp. 15–17.
[29] S.M. Huang, W.H. Hung, D.C. Yen, I.C. Chang, D. Chiang, Building the evaluation model of the IT general control for CPAs under enterprise risk management, Decision Support Systems 50 (4), 2011, pp. 692–701.
[30] P. Hunter, Card systems: four million hack – under the spotlight, Computer Fraud & Security 2005 (11), 2005, pp. 8–9.
[31] J.E. Hunton, A.M. Wright, S. Wright, Are financial auditors overconfident in their ability to assess risks associated with enterprise resource planning systems? Journal of Information Systems 18 (2), 2004, pp. 7–28.
[32] IT Governance Institute (ITGI), Board Briefing on IT Governance, 2003. Available at: http://www.itgi.org.
[33] IT Governance Institute (ITGI), Control Objectives, Management Guidelines, Maturity Models in CobiT 4.0, IT Governance Institute, Illinois, 2005.
[34] Y. Jo, J. Lee, J. Kim, Influential factors for COBIT adoption intention: an empirical analysis, International Journal of Contents 6 (4), 2010, pp. 79–89.
[35] A. Jones, The convergence of physical and electronic security, Computer Fraud & Security 2006 (3), 2006, pp. 12–14.
[36] B.K. Klamm, M.W. Watson, SOX 404 reported internal control weaknesses: a test of COSO framework components and information technology, Journal of Information Systems 23 (2), 2009, pp. 1–23.
[37] C.H. Lawshe, A quantitative approach to content validity, Personnel Psychology 28 (4), 1975, pp. 563–575.
[38] C.M. Lehmann, Internal controls: a compendium of short cases, Issues in Accounting Education 25 (4), 2010, pp. 741–754.
[39] C. Li, J.H. Lim, Q. Wang, Internal and external influences on IT control governance, International Journal of Accounting Information Systems 8 (4), 2007, pp. 225–239.
[40] F. Lin, L. Guan, W. Fang, Critical factors affecting the evaluation of information control systems with the COBIT framework: a study of CPA firms in Taiwan, Emerging Markets Finance & Trade 46 (1), 2010, pp. 42–55.
[41] A. Mancuso, Auditing Standards Board issues SAS No. 80, The CPA Journal 66, 1997, p. 74.
[42] Market Intelligence and Consulting Institute (MIC), Analysis of IT Applications for Large Companies in Taiwan, Institute for Information Industry, Taipei, 2009.
[43] N. Marks, The more things change, Internal Auditor 61 (4), 2004, pp. 60–64.
[44] T.J. Mock, L. Sun, R.P. Srivastava, M. Vasarhelyi, An evidential reasoning approach to Sarbanes–Oxley mandated internal control risk assessment, International Journal of Accounting Information Systems 10 (2), 2009, pp. 65–78.
[45] J.J. Morris, The impact of enterprise resource planning (ERP) systems on the effectiveness of internal controls over financial reporting, Journal of Information Systems 25 (1), 2011, pp. 129–157.
[46] E. Myler, G. Broadbent, ISO 17799: standard for security, Information Management Journal 40 (6), 2006, pp. 43–52.
[47] C.S. Norman, M.D. Payne, V.P. Vendrzyk, Assessing information technology general control risk: an instructional case, Issues in Accounting Education 24 (1), 2009, pp. 63–76.
[48] J.D. Novak, D.B. Gowin, Learning How to Learn, Cambridge University Press, NY, 1989.
[49] J.B. O’Donnell, Y. Rechtman, Navigating the standards for information technology controls, The CPA Journal 75 (7), 2005, pp. 64–69.
[50] D. O’Leary, Enterprise Resource Planning Systems: Systems, Life Cycle, Electronic Commerce, and Risk, Cambridge University Press, Cambridge, 2000.
[51] P. Proctor, J. Viganly, The security implications of Sarbanes–Oxley, Symantec Enterprise Solutions Webcast, 2004. Available at: www.symantec.com/press/2004/n040218c.html.
[52] Public Company Accounting Oversight Board (PCAOB), An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, Auditing Standard No. 2, PCAOB, Washington, 2004.
[53] M. Ramos, Evaluate the control environment, Journal of Accountancy 197 (5), 2004, pp. 75–78.
[54] M.B. Romney, P.J. Steinbart, Accounting Information Systems, Pearson, Upper Saddle River, NJ, 2009.
[55] R. Saint-Germain, Information security management best practice based on ISO/IEC 17799, Information Management Journal 39 (4), 2005, pp. 60–66.
[56] S. Wright, A.M. Wright, Information system assurance for enterprise resource planning systems: unique risk considerations, Journal of Information Systems 16 (1), 2002, pp. 99–113.
[57] W. She, B. Thuraisingham, Security for enterprise resource planning systems, Information Systems Security 16 (3), 2007, pp. 152–163.
[58] M. Siponen, R. Willison, Information security management standards: problems and solutions, Information & Management 46 (5), 2009, pp. 267–270.
[59] P.J. Steinbart, R.L. Raschke, G. Gal, W.N. Dilla, The relationship between internal audit and information security: an exploratory investigation, International Journal of Accounting Information Systems 13 (3), 2012, pp. 228–243.
[60] P. Stephenson, Incident analysis and recovery, Computer Fraud & Security 2005 (3), 2005, pp. 17–19.
[61] P. Stephenson, Ensuring consistent security implementation within a distributed and federated environment, Computer Fraud & Security 2006 (11), 2006, pp. 12–14.
[62] A. Stewart, On risk: perception and direction, Computers and Security 23 (5), 2004, pp. 362–370.
[63] M.D. Stoel, W.A. Muhanna, IT internal control weaknesses and firm performance: an organizational liability lens, International Journal of Accounting Information Systems 12 (4), 2011, pp. 280–304.
[64] A. Strauss, Qualitative Analysis for Social Scientists, Cambridge University Press, Cambridge, 1987.
[65] K.L. Thomson, R. Von Solms, Towards an information security competence maturity model, Computer Fraud & Security 2006 (5), 2006, pp. 11–15.
[66] B. Tuttle, S.D. Vandervelde, An empirical examination of CobiT as an internal control framework for information technology, International Journal of Accounting Information Systems 8 (4), 2007, pp. 240–263.
[67] S. Tyson, L. Bean, System access hotspots: are auditors ignoring danger? Journal of Corporate Accounting and Finance 16 (4), 2005, pp. 3–9.
[68] United States Code, Public Printing and Documents: Definitions, Title 44, Section 3552, United States Code, Washington, DC, 2008.
[69] R. Van De Riet, W. Janssen, P. De Gruijter, Security moving from database systems to ERP systems, in: Database and Expert Systems Applications (DEXA) Workshop Proceedings, 1998.
[70] A. Vance, M. Siponen, S. Pahnila, Motivating IS security compliance: insights from habit and protection motivation theory, Information & Management 49 (3–4), 2012, pp. 190–198.
[71] L. Volonino, G.H. Gessner, Holistic compliance with Sarbanes–Oxley, Communications of the AIS 14 (1), 2004, pp. 219–233.
[72] S.H. Von Solms, Information security governance – compliance management vs. operational management, Computers and Security 24 (6), 2005, pp. 443–447.
[73] L. Wallace, H. Lin, M.A. Cefaratti, Information security and Sarbanes–Oxley compliance: an exploratory study, Journal of Information Systems 25 (1), 2011, pp. 185–211.
[74] L. Wallace, M. Keil, A. Rai, Understanding software project risk: a cluster analysis, Information & Management 42 (1), 2004, pp. 115–125.
[75] L.M. Walters, A draft of an information systems security and control course, Journal of Information Systems 21 (1), 2007, pp. 123–148.
[76] C.L. Wilkin, R.H. Chenhall, A review of IT governance: a taxonomy to inform accounting information systems, Journal of Information Systems 24 (2), 2010, pp. 107–146.
[77] R. Williams, Performing a successful UNIX audit, Computer Fraud & Security 2003 (8), 2003, pp. 11–12.
[78] P. Wilson, Risk control: a technical view, Computer Fraud & Security 2005 (5), 2005, pp. 8–11.
[79] R.K. Yin, Case Study Research – Design and Methods, Sage, California, 2009.