Information & Management 51 (2014) 187–205
Internal control framework for a compliant ERP system
She-I Chang a, David C. Yen b,*, I-Cheng Chang c, Derek Jan d
a Department of Accounting and Information Technology, National Chung Cheng University, Taiwan, ROC
b School of Economics and Business, SUNY College at Oneonta, USA
c Department of Accounting, National Dong Hwa University, ROC
d KPMG, Taiwan, ROC
Article info
Article history: Received 1 February 2012; received in revised form 17 October 2013; accepted 4 November 2013; available online 20 November 2013.
Abstract
After the occurrence of numerous worldwide financial scandals, the importance of related issues such as
internal control and information security has greatly increased. This study develops an internal control
framework that can be applied within an enterprise resource planning (ERP) system. A literature review
is first conducted to examine the necessary forms of internal control in information technology (IT)
systems. The control criteria for the establishment of the internal control framework are then
constructed. A case study is conducted to verify the feasibility of the established framework. This study
proposes a 12-dimensional framework with 37 control items aimed at helping auditors perform effective
audits by inspecting essential internal control points in ERP systems. The proposed framework allows
companies to enhance IT audit efficiency and mitigates control risk. Moreover, companies that refer to
this framework and consider the limitations of their own IT management can establish a more robust IT
management mechanism.
© 2013 Elsevier B.V. All rights reserved.
Keywords: Internal control framework; Enterprise resource planning; IT control
1. Introduction
The popularity of information technology (IT) applications has
increased reliance on computers for processing business transactions. Companies adopt IT systems to improve their operations.
Surveys on the collaborative operations of IT systems conducted by
the Market Intelligence and Consulting Institute [42] indicate that
the enterprise resource planning (ERP) system is the most widely
adopted IT system among large companies.
Given that ERP is a popular and all-encompassing information
system utilized by many organizations and because of the increased
consideration of the risks associated with IT, information system
security and internal control related to information systems have
greatly increased [17,45,63,75]. The Committee of Sponsoring
Organizations of the Treadway Commission (COSO) defines internal
control as "a process, effected by an entity’s board, management, and
other personnel, designed to provide reasonable assurance regarding the achievement of objectives such as effectiveness and
efficiency of operation, reliability of financial reporting, and
compliance with regulation" [15]. The internal control related to
information systems is commonly referred to as IT control and is
composed of controls (i.e., policies and procedures) over the
organizational IT infrastructure and systems [47,63]. IT control
consists of general and application controls. General controls refer to
the relevant controls designed to ensure that an entity’s control
environment is well managed and applied to all sizes of systems
ranging from large mainframe systems to client/server systems and
to desktop and/or laptop computer systems. Application controls
include input, processing, and output control based on the flow of
data processing. In other words, application controls focus on the
accuracy, completeness, validity, and authorization of the data
captured, entered in the system, processed, stored, transmitted to
other systems, and reported [54]. Further, general controls can be
used to support the application controls and, hence, allow the
smooth operation of the information system [22]. Given that
financial reporting in many entities is based on information systems
such as ERP systems, IT controls help entities achieve the objective of
internal control. Similar to information security, IT controls can also
manage and protect information and information systems from
unauthorized access, use, disclosure, disruption, modification, or
destruction [68].
* Corresponding author at: School of Economics and Business, SUNY College at Oneonta, USA. Tel.: +1 607 436 3458; fax: +1 607 436 2543.
E-mail addresses: actsic@ccu.edu.tw (S.-I. Chang), David.Yen@oneonta.edu (D.C. Yen), icc@mail.ndhu.edu.tw (I.-C. Chang), Derek.Jan@seed.net.tw (D. Jan).
0378-7206/$ – see front matter © 2013 Elsevier B.V. All rights reserved.
http://dx.doi.org/10.1016/j.im.2013.11.002
An attack on information generally leads to the theft of
confidential data, financial fraud, incapacitated web servers, and
corrupted operational data [27], which all influence the accuracy
and reliability of the financial data derived from the information
system [75]. If entities fail to establish proper information security,
they cannot guarantee the accuracy and reliability of their financial
data [51]. ERP built-in control features may positively impact the
effectiveness of internal controls over financial reporting. However, ERP does not necessarily safeguard against some deliberate
system manipulations, for example, a few control features might
not be activated in a timely manner in the implementation stage
[45]. Further, to manipulate the data to perform earnings
management, top managers may attempt to override some control
features [6]. Following a number of reported business scandals,
investors are beginning to question the accuracy of financial
reports, including those generated by major companies around the
world. In fact, investor confidence in the accuracy of financial
reports and the shared holding positions of large companies has
collapsed over recent years [56]. Durfee [18] emphasizes that an
announcement of material weakness in the internal control system
may result in a drop in stock prices, an increase in share volume,
and the loss of chief financial positions. Goel and Shawky [26] also
indicate that announcements of security breaches would decrease
the market share of firms. Conversely, effective internal control can
help firms to achieve their expected financial goals, maintain
precise records of daily transactions, and produce accurate
financial statements [20]. The accuracy and reliability of data
within the ERP system are critical to ensure the transparency of the
company’s situation at all times, to help rebuild investor
confidence, and to ensure low cost of capital [3].
Software vendors establish "built-in" control within ERP
systems [45]. Companies also have an internal control framework
in their ERP systems. Management is required to establish the
framework, especially when a company is publicly listed.
Companies constantly audit the effectiveness of their ERP system’s
internal control. Thus, an increasing number of companies have
started to focus on the implementation of effective controls in their
ERP systems while simultaneously providing management and
external auditors a suitable framework within which to assess the
ERP system’s internal control. COSO released a report entitled
"Internal Control-Integrated Framework" [15] in 1992 in an
attempt to illustrate a systematic framework for internal control.
However, the report failed to list supplemental criteria in the
implementation and assessment of IT controls [49]. Referring to
specific control items would allow management and auditors to
execute IT control procedures [29]. However, IT control procedures
not only consider the environment within the entity but also
control as it relates to the external environment [66]. In addition,
given the minimal compliance guidance in the use of IT established
by the government, the interpretation of the scope and nature of
the IT environment is inconsistent [8]. These limitations increase
the difficulty of compliance. Despite the importance of deploying
proper internal control frameworks to fully develop the effectiveness of the ERP system, only a few academic studies have assessed
this issue. Accordingly, this study derives its primary research
question: what are the types of internal control that must be
considered when auditing an ERP system? The primary objective of
this study is to develop a preliminary internal control framework
for application in an ERP system.
2. Research background
The growing awareness of IT’s role in managing knowledge
derived from information systems has caused the production of
accurate and relevant information to become the focus of studies
on information systems such as accounting information systems
(AIS) and management information systems (MIS) [76]. IT
governance has been recently discussed and has gained attention;
IT governance is "used to describe how those persons entrusted
with governance of an entity will consider IT in this supervision,
monitoring, control, and direction of the entity" [32]. Well-defined
controls are considered to be an imperative and necessary part of IT
governance. This study attempts to establish good internal control
standards for ERP systems by proposing an internal control
framework for such systems. Three subtopics are discussed in this
section. The first subsection describes system security and internal
controls in the ERP system. The second subsection introduces the
audit and inspection challenges associated with the ERP system.
The third subsection presents and discusses the internal control
framework.
2.1. System security and internal controls in the ERP system
An increasing number of firms depend on ERP to address
operational transactions. Therefore, information system security
must be emphasized, especially in financial transactions [70,73].
Walters [75] states that many information system threats, such as
unauthorized access and system vulnerability attacks, influence
the accuracy and reliability of the financial data derived from
information systems. Information security protects and controls IT
resources and ensures the accuracy and reliability of information
[1]. Van de Riet et al. [69] note a number of security aspects
associated with an ERP system; these aspects include security
policy, user authentication, authorization, time restrictions, log
and trace, and database security.
Information security control maintains the reliability of the
information system resource and the availability and integrity of
financial data. Thus, information security control is closely linked
with information security and internal controls. After the
occurrence of numerous worldwide financial scandals, company
management teams and auditors are now required to take
responsibility for their respective financial reports. The effectiveness of internal control has been emphasized during this decade
[52]. If firms lack the proper level and types of information
security, they cannot ensure the effectiveness of their internal
controls and the integrity of their financial data [51]. Thus,
identifying the necessary control-related considerations in an ERP
system is an important initial task for management and auditors.
2.2. Audit and inspection challenges in the ERP system
The introduction of a new information system in a company
may generate a new risk that is different from the risks initially
associated with the legacy framework: the risks that accompany
new framework operations may not be similar to those of the
original system [50]. Reengineering business processes and the
organizational changes brought about by the introduction of a new
system may also lead to changes in the control requirements of a
company in terms of ERP [11]. Problems frequently associated with
ERP systems are generally contained. Such issues include business
interruption, process interdependency, network security, database
security, application security, and overall internal controls [31].
Therefore, many key aspects of the risk control environment must
be considered [56]. Glover et al. [25] suggest that internal auditors
consider the relevant risks and controls required for system
planning based on their knowledge of risk management and of the
internal risks present in the company during the introduction of
the ERP system. Auditors and inspectors should first understand
the basic architecture of the ERP system to effectively exert
internal control over it [2,9]. In the comprehensive application of
the IT environment, "owning" the control framework can help
auditors to evaluate the effectiveness of IT control and decide on an
auditing strategy and program. The control framework can also
enhance the efficiency of IT control evaluation and mitigate the
audit risk for auditors [29].
2.3. Internal control framework
[Fig. 1. Research flow. Theoretical side: research question and purpose; knowledge claims; philosophies; interpretations; theories; principles; concepts; literature review; expert questionnaire. Methodological side: comparison and revision; transformations; data gathering; prototype construction; case study.]
Management and the auditors must follow a suitable and holistic
internal control framework to ensure the effectiveness of
internal control in a firm. COSO released a report entitled "Internal
Control-Integrated Framework" and recommended that this report
be utilized by companies, auditors, regulating agencies, and
educational institutions [15]. The conceptual model of the report
indicates that internal control objectives require five components of
control, namely, the control environment, risk assessment, control
activities, information and communication, and monitoring.
However, the framework provided by COSO focuses on high-level guidance for internal controls and does not provide the
detailed control objectives that auditors require in the design of
audit tests [49]. Moreover, the framework does not address the
specific risks and complexities of IT [14]. An organization and its
auditor require a comprehensive framework to properly adapt to
the current IT auditing environment and to comply with
regulations [23,66].
Transactions involving information systems require particular
control standards and criteria because the computerization of
business transactions leads to the digitization of audit evidence,
resulting in difficulties in following audit trails [41]. Thus, IT
internal control usually includes the following procedures: (1)
general controls, which refer to the relevant control measures
associated with EDP; and (2) application controls or the division of
input, processing, and output controls based on the flow of data
processing.
In this digital age, the absence of information security in a
particular company implies that the entire company is built on a
fragile foundation such that it cannot survive any related internal
control tests [4]. Information systems in enterprises require many
internal controls due to the pervasive implementation of IT and the
need to minimize problems. The complexity of modern systems
can overwhelm auditors and management if no appropriate
guidance is provided [66]. Hence, auditors and management
should increase their understanding of the IT environment and
related IT processes and controls because they must periodically
perform control procedures [44,47]. Given that the two control
types utilized at present cannot effectively or completely regulate
the robustness of an internal control framework, especially when
incorporated in the current information systems, numerous
institutions have established their own sets of criteria for
information security. A series of standards and criteria such as
the British Standard (BS7799) and the Control Objectives for
Information and Related Technology (COBIT) are employed by
organizations. COBIT complements the COSO enterprise framework by assessing internal control and balanced risks in IT-intensive environments [33,53]. Huang et al. [29] established an IT
control evaluation model that includes control objectives. Referring to specific control items allows management and auditors to
execute control procedures. However, despite the importance of
deploying proper internal control frameworks, only a few
academic studies have been conducted to fully develop the
effectiveness of the ERP system. The present study aims to develop
a preliminary internal control framework for application in ERP
systems to bridge this gap.
3. Research methodology and design
The research flow presented in this study utilized a theoretical
strategy based on the V structure developed by Gowin [48] (Fig. 1).
The interactions between the two sides of the structure (i.e.,
theoretical and methodological) merge relevant concepts and
methods to achieve the proposed research goals [48]. Following
the procedures listed on the "theoretical" side, the items related to
IT control were summarized by studying the previous research. A
literature review is thus conducted prior to the development of an
internal control framework for ERP systems. To this end, two steps
were performed in the literature review: collecting literature from
the related sources and conducting coding procedures. Specifically,
the relevant literature was gathered from the following sources:
(1) IT controls for the internal use of companies. The data gathered
are expected to be within the scope of the internal use of
companies and can be compiled with the current internal
control bylaws of corporate information systems;
(2) Information security organization bylaws. This study refers to
the regulations and criteria of COBIT, and BS7799 in particular,
and includes all information systems. Both references are
important, as they have been adopted by many companies
worldwide [66]; and
(3) Academic literature.
Upon the completion of the initially constructed theoretical
model and prior to conducting the case study, control items were
established that met the requirements for the application of the
model to the ERP system. Expert questionnaires were administered
in this process. The main purpose for utilizing the expert
questionnaires is to ensure and enhance the content validity of
each measurement construct and to bridge the gap between the
presented literature for application and the control items in actual
practice. The measurement constructs and item indicators were
screened separately to determine the internal control issues
prevalent in the ERP system and to enhance the quality of the
examination process and gain deeper insights.
Table 1
Related literature on IT internal control.
No. | Author | Literature title | Literature source
1 | A company | Computerized Process: Internal Control |
2 | B company | Computerized Process: Operation |
3 | C company | Computerized Process: Internal Control |
4 | British Standards Institution [7] | Information Security Management Part 2: Specification for Information Security Management Systems; British Standards Institution | British Standards Institution (BSI)
5 | IT Governance Institute [33] | Control Objectives for Information and Related Technology (COBIT 4.0) | Information Systems Audit and Control Association
6 | Cerullo and Cerullo [10] | Business Continuity Planning: A Comprehensive Approach | Information Systems Management
7 | Chau [12] | Application Security: It All Starts from Here | Computer Fraud & Security
8 | Coe [13] | Trust Services: A Better Way to Evaluate IT Controls | Journal of Accountancy
9 | Daveiga and Eloff [16] | An Information Security Governance Framework | Information Systems Management
10 | Eloff and Eloff [19] | Information Security Architecture | Computer Fraud & Security
11 | Flowerday and Von Solms [21] | Continuous Auditing: Verifying Information Integrity and Providing Assurances for Financial Reports | Computer Fraud & Security
12 | Gorge [28] | USB and Other Portable Storage Device Usage: Be Aware of the Risks to Your Corporate Data Take Pre-emptive and/or Corrective Action | Computer Fraud & Security
13 | Hunter [30] | Card Systems: Four Million Hacked – Under the Spotlight | Computer Fraud & Security
14 | Jones [35] | The Convergence of Physical and Electronic Security | Computer Fraud & Security
15 | Marks [43] | The More Things Change... | Internal Auditor
16 | Myler and Broadbent [46] | ISO 17799: Standard for Security | Information Management Journal
17 | Saint-Germain [55] | Information Security Management Best Practice Based on ISO/IEC 17799 | Information Management Journal
18 | Stephenson [60] | Incident Analysis and Recovery | Computer Fraud & Security
19 | Stephenson [61] | Ensuring Consistent Security Implementation within a Distributed and Federated Environment | Computer Fraud & Security
20 | Stewart [62] | On Risk: Perception and Direction | Computers and Security
21 | Thomson and Von Solms [65] | Toward an Information Security Competence Maturity Model | Computer Fraud & Security
22 | Tyson and Bean [67] | System Access Hotspots: Are Auditors Ignoring Danger? | Journal of Corporation Accounting & Finance
23 | Volonino and Gessner [71] | Holistic Compliance with Sarbanes-Oxley | Communication of AIS
24 | Von Solms [72] | Information Security Governance: Compliance Management vs. Operational Management | Computers and Security
25 | Wallace et al. [74] | Understanding Software Project Risk: a Cluster Analysis | Information and Management
26 | Williams [77] | Performing a Successful Unix Audit | Computer Fraud & Security
27 | Flowerday and Von Solms [22] | Real Time Information Integrity = System Integrity + Data Integrity + Continuous Assurances | Computers and Security
28 | Walters [75] | A Draft of an Information System Security and Control Course | Journal of Information Systems
29 | She and Thuraisingham [57] | Security for Enterprise Resource Planning Systems | Information System Security
30 | Wilson [78] | Risk Control: A Technical View | Computer Fraud & Security
Nos. 1–3 are classified as A (IT control for the internal use of companies).
Nos. 4–5 are classified as B (information security organization bylaws).
Nos. 6–30 are classified as C (academic literature).
Next, following the procedures outlined on the "practical" side,
an empirical case study was then conducted to investigate the
feasibility of the proposed framework derived from the literature
review and the questionnaires. The case study included "how" and
"why" questions [79] and a pre-identified company was selected
for the case study. In addition, the case study included steps related
to design, preparation, collection, analysis, and sharing [79]. Not
only was the case design identified in the design step, but the unit
of case study was also described in detail in this step.
4. Construction of the preliminary framework for the internal
controls of the ERP system
The Science Direct database was utilized to search for the
relevant academic literature. The main criteria for this search
include the following items:
Table 2
Results of axial coding.
Category
Domain
Codes (from open coding)
References
Definition of functions and
responsibilities in the data
processing department
Whether clear definitions exist for the
responsibilities of maintenance
personnel in the MIS department
A1, A30, A121, A193, B12, B32, B112, C17,
C33, C49, C81, C94, C151, C179
Whether application procedures exist
for the system accounts (authorization)
A43, A45, A124, A152, A155, A209, A224,
A232, A236, B65, C42, C72, C106, C109,
C194, C196
A47, A210, A223, A237, C18, C48, C147
A company, B company, British Standards Institution [7], Cerullo and Cerullo
[10], Eloff and Eloff [19], IT Governance Institute [33], Jones [35], She and
Thuraisingham [57], Stephenson [61], Volonino and Gessner [71], Von Solms
[72], Walters [75]
A company, B company, C company, British Standards Institution [7], Cerullo
and Cerullo [10], Gorge [28], Stephenson [60], Volonino and Gessner [71],
Walters [75]
A company, C company, Cerullo and Cerullo [10], Jones [35], Von Solms [72]
System development and control over
program modifications
Whether application procedures exist
for requests to modify system programs
Whether modification specifications
are confirmed by the MIS department
and the department that submit the
request
Whether system program modification
documents are approved by related
unit heads
Whether SA and SD program
documents relevant to the
modifications are available
Whether independent environments
exist for development
Whether independent environments
exist for tests
Whether relevant test documents and
records on program developments exist
Whether updated (newly added)
programs are assessed by users
Whether relevant control measures
exist for changes in system flows
A46, A63, A153, A195, A225, B66, B117,
C150, C197
A64, A196, A226, A228, B118, C47
A company, B company, C company, British Standards Institution [7], IT
Governance Institute [33], Jones [35], Walters [75]
A company, B company, C company, Cerullo and Cerullo [10], IT Governance
Institute [33]
A62, A102, A126, A156, B69, B113, C34,
C149, C199
A51, A73, A97, A107, A125, A200
A company, B company, British Standards Institution [7], Cerullo and Cerullo
[10], IT Governance Institute [33], Jones [35], Walters [75]
A company, B company, C company
A4, A23, A71, A127, A142, A212, B98
A company, B company, C company, British Standards Institution [7]
A5, A8, A22, A24, A140, A143, B120, B127,
B132, B142, C13
A company, B company, IT Governance Institute [33], Von Solms [72]
A7, A21, A213, C50, C176
A company, C company, Marks [43], Walters [75]
A16, A42, A129, A137, B60, B64, B99, B123,
B133, B143
A company, B company, British Standards Institution [7], IT Governance
Institute [33]
A15, A141, A217, C121, C180
A company, B company, C company, Chau [12], Walters [75]
B35, B40, B58, B93, B147, C181
British Standards Institution [7], IT Governance Institute [33], Walters [75]
A10, A18, A26, A38, A128, A135, A138,
A216, A221, B41, B61, B92, B124, B134,
B144, C22, C122, C182, C209
A13, A14, A25, A134, A139, A218, B59, B97,
B100, B122, B130, B136, B146, C21, C123,
C130, C186
A29, A122, C58
A company, B company, C company, British Standards Institution [7], Chau [12],
Flowerday and Von Solms [22], IT Governance Institute [33], Stewart [62],
Walters [75]
A company, B company, C company, British Standards Institution [7], Chau [12],
IT Governance Institute [33], Stewart [62], Walters [75]
Whether system accounts
(authorization) should be approved by
related unit heads
Whether accounts are canceled after
employees leave
Whether accounts are modified
simultaneously with an employee
change in job responsibilities
Whether user authorization is
continuously reviewed
Whether a dedicated team is
responsible for the maintenance of the
hardware and software of the system
A company, B company, British Standards Institution [7]
Table 2 (Continued)
Domain
Codes (from open coding)
References
Whether coding management is
executed on the documents in relation
to program modifications (updates)
Whether documents are updated and
modified by version after the
modifications (additions) of programs
Whether review documents are
improved after the programs have been
developed
Whether dedicated personnel
safeguard the documents in relation to
the systems
Whether only certain personnel can
access (modify) the documents in
relation to the system programs or the
original library
A6, A32, A144, A214
A company, B company, C company
A11, A20, A27, A31, A36, A41, A53, A54,
A132, A145, A190, A219, A222, B84, B101,
B126, B137, B145, C23, C187
A17, B83, B88, B125, C105, C124, C183
A company, B company, C company. British Standards Institution [7], Flowerday
and Von Solms [22], IT Governance Institute [33], She and Thuraisingham [57],
Stewart [62], Walters [75]
A company, British Standards Institution [7], Chau [12], IT Governance Institute
[33], Stephenson [61], Walters [75]
A28, A33, A34, A35, A39, A149, A215, A220,
B24, B173, C54
A company, B company, C company, British Standards Institution [7], Coe [13],
IT Governance Institute [33]
A37, A40, A194, B94, B164, C55, C192, C210
A company, B company, British Standards Institution [7], Coe [13], IT
Governance Institute [33], Walters [75]
Whether authority controls exist
A61, A83, A159, A165, B33, B74, B76, B91,
B155, B174, C26, C31, C39, C43, C56, C69,
C77, C95, C108, C125, C131, C148, C195
Whether password controls exist
B68, B70, B78, B89, C64, C100, C136, C138,
C144, C145, C198, C202, C225
Whether different access
authorizations pursuant to the nature
of the users exist
Whether the transfer of external data
into the system has undergone
verification by the relevant programs
Whether control exists over remote
access to the system mainframes
A49, A55, A207, A227, A231, B52, B54, B63,
B67, B70, B75, B79, B156, B169, C2, C5, C27,
C46, C71, C146, C203, C224, C226
A56, B55, C193
A company, B company, British Standards Institution [7], Cerullo and Cerullo
S.-I. Chang et al. / Information & Management 51 (2014) 187–205

Table 2 (Continued)
Columns in the original: Category; Domain; Codes (from open coding); References. The open-coding codes and the references supporting each domain are listed row by row in the original table. Below, the domains of this part of the table are grouped by category; the references cited across these rows are pooled at the end.

Category: Control over the compilation of system documents (continued from the preceding rows)

Category: Access control of programs and data
- Whether dedicated personnel are responsible for the maintenance of the system databases

Category: Control of data inputs and outputs
- Whether application files exist for system data filing
- Whether original documents exist for input data
- Whether numbering of the documents is generated by the system
- Whether verification procedures exist for the data input/output interface
- Whether appropriate control measures are present for the output of confidential data
- Whether records exist for any changes in data additions (modifications)

Category: Control of data processing
- Whether relevant flows exist to manage the changes in data modification
- Whether data are regularly backed up
- Whether backup data are supported by another location

Category: Security control of files and equipment
- Whether information equipment is listed and managed
- Whether information equipment is protected with security measures
- Whether anti-virus measures are present
- Whether firewalls are present
- Whether the system mainframe is placed in facility rooms
- Whether access control over facility rooms is present
- Whether fire, water, and temperature control facilities are present in facility rooms
- Whether UPS facilities are present
- Whether control procedures exist to destroy the backup data
- Whether the "prevent abnormal invasion" measure exists

Category: Control over the procurement, use, and maintenance of hardware and system software
- Whether dedicated personnel responsible for the maintenance of software updates are present
- Whether regular inspections of hardware daily logs are conducted
- Whether the software and hardware are regularly maintained
- Whether records exist for maintenance of and changes to hardware
- Whether the system software/program update is approved by the MIS department chief
- Whether records exist to note the maintenance of and changes to software
- Whether the system software is legal

Category: System recovery plans/systems and control of testing programs
- Whether regular tests are conducted for system recovery procedures in the face of disaster
- Whether procedures exist to report disasters (codes A78, A108, A114, A115, A177, A192, A252, B15, B16, B17, B31, B46, B104, B154, B162, C40, C61, C87, C114, C158, C170, C219)
- Whether relevant maintenance records and documents exist in case of abnormal situations

Category: Control over the processes of information disclosure on the websites assigned
- Whether dedicated personnel responsible for reporting procedures are present
- Whether the reports are pursuant to the regulations
- Whether backups of the reporting data exist

Category: Independent information audit units
- Whether system security planning is present
- Whether dedicated personnel responsible for regular audits of information security exist
- Whether promotions and training programs targeted at internal staff on information security exist

Category: Control of outsourced operations
- Whether control procedures on hardware outsourcing exist
- Whether evaluations of system outsourcing are conducted
- Whether contracts are signed for system outsourcing
- Whether relevant control procedures regarding system outsourcing exist

References cited across these rows: A company, B company, C company, British Standards Institution [7], Cerullo and Cerullo [10], Chau [12], Coe [13], Daveiga and Eloff [16], Eloff and Eloff [19], Flowerday and Von Solms [21], Flowerday and Von Solms [22], Gorge [28], Hunter [30], IT Governance Institute [33], Jones [35], Marks [43], Myler and Broadbent [46], Saint-Germain [55], She and Thuraisingham [57], Stephenson [60], Stephenson [61], Stewart [62], Thomson and Von Solms [65], Tyson and Bean [67], Volonino and Gessner [71], Von Solms [72], Wallace et al. [74], Walters [75], Williams [77], Wilson [78].
(1) The keywords or the abstracts must have the words
‘‘information security’’ or ‘‘internal control’’;
(2) Literature must be related to the information field; and
(3) Studies should be published between 2003 and 2007 because
numerous financial scandals emerged worldwide primarily
after 2002, bringing the issue of internal control to the forefront
during this aforementioned period. Consequently, several
regulations that required management to assess their enterprise internal controls were proposed, and auditors were also
asked to determine whether their client’s internal control
assessment reporting was adequate. Therefore, the studies
collected in this research are limited to this aforementioned
period to investigate what was discussed or explored during
this specific time window.
Conceptualized results from 30 relevant publications were
collected based on the abovementioned criteria. The collected
results are shown in Table 1. A detailed analysis was also
performed to present a complete and consistent list of internal
control items for ERP. The preliminary model was constructed
based on the literature review. The entire process was roughly
divided into three steps as follows: (1) open coding, (2) axial
coding, and (3) selective coding.
4.1. Open coding
Open coding was performed on the literature content that satisfied the
criteria above. Sections were extracted and coded when they were
identified as relevant to the internal controls of information
operations or when they clearly indicated a component of IT control over
information operations. The coded sources were classified from A to C:
codes derived from the IT control documents used internally by
companies, from information security organization bylaws, and from the
academic literature were labeled A, B, and C, respectively. For example,
"C Company – Computerized Information System ICE" includes a section
that addresses internal regulations; it states that "going online
requires test reports or passing of tests." This statement was
conceptualized and coded into three factors (A216, whether test
documents exist; A217, whether independent test environments exist; and
A218, whether they have been verified by users). A total of 670 concepts
were derived through this process.
Concepts with a related meaning were then grouped into a single
phenomenon. For instance, codes A78, A108, A114, A115, A177, A192, A252,
B15, B16, B17, B31, B46, B104, B154, B162, C40, C61, C87, C114, C158,
C170, and C219 describe anomalies in the information system, how the
information department is contacted and informed, how it rules out
anomalies, and how information security incidents are addressed. These
codes (concepts) were therefore grouped into the domain "whether
procedures exist to report disasters." The remaining concepts were
assigned to domains by the same rule; 66 domains were established as
the key internal control issues covered by the 670 concepts from the
open coding process.
4.2. Axial coding
Axial coding normally follows open coding. Its aim is to reassemble the
data fractured during open coding in new ways, so that the categories
and sub-categories become related to one another.
The 66 domains of the coded entries were further classified into
dimensions. For example, the domains ‘‘whether relevant control
procedures exist regarding system outsourcing’’ and ‘‘whether
contracts are signed for system outsourcing’’ are related to
outsourcing operation control and are imperative for managing
system outsourcing for an organization. Therefore, these domains
were classified into the dimension of ‘‘control of outsourced
operations.’’ The results of axial coding are summarized in Table 2.
4.3. Selective coding
Axial coding consolidates complex data and is the foundation of
selective coding. Selective coding is conducted to systematically
explain a selected core category, verify the relationship of the
primary and other classifications, and fill the gap for supplements
or developments required for individual classifications [64].
Based on the internal controls and the analysis of relevant
literature, 66 key domains that influence the internal control of
information systems were identified. The domains integrated
through axial coding were re-classified as single key domains in
selective coding. For example, the domains ‘‘whether anti-virus
measures are used’’ and ‘‘whether firewalls are used,’’ were merged
into ‘‘whether information equipment is protected with security
measures,’’ given that both are related to security measures for the
information equipment. Subsequently, 51 key domains were
established. These domains function as internal control items.
4.4. Expert questionnaires
After the preliminary internal control items had been constructed from
the literature, the methodology and validation process developed by
Lawshe [37] was adopted to collect the opinions of experts with
extensive experience in establishing, maintaining, and auditing ERP
systems. Questionnaires were distributed to experts responsible for
corporate functions (including internal audit and information), experts
who handle external audits (accounting firms), and experts in partner
companies involved in the introduction of ERP systems. The backgrounds
of the participating
Table 3
Backgrounds of participating experts.

Group | Type | No. of people | Positions | Average years of service
Experts within companies | Audit | 6 | Senior Auditors (4); Audit Specialists (2) | 14
Experts within companies | IT | 5 | Manager, MIS (1); Assistant Manager, MIS (3); Deputy Project Manager, MIS (1) | 11
Experts outside of companies | Professional firms | 5 | Computer Audit, Manager (1); Computer Audit, Assistant Manager (1); Computer Audit, Assistant VP (1); Audit, Manager (1); Audit, Director (1) | 6
Experts outside of companies | ERP consultants | 2 | Consultants (2) | 7
experts are shown in Table 3. The control dimensions and items
were screened to determine those suitable for the ERP system. Both
theoretical and actual application are expected to increase the
validity, extent, and practicality of this study, thereby achieving
the research purpose of constructing internal control in an ERP
system.
The questionnaires used in this study measure the opinions of the
respondents on a five-point ordinal scale: "very important (5),"
"important (4)," "neutral (3)," "unimportant (2)," and "very
unimportant (1)." Each dimension is semi-open, so that respondents can
also provide feedback on the key items related to internal control in
the ERP system.
A total of 18 experts responded to the questionnaires. Following the
methodology and validation process proposed by Lawshe [37], the content
validity ratio (CVR) of each item is calculated as

CVR = (n − N/2) / (N/2),

where n is the number of experts who rated the item "very important" or
"important," and N is the total number of experts. With N = 18 the CVR
equals (n − 9)/9: it is 1.00 when all 18 experts rate the item as
important and 0.00 when exactly half do. Lawshe's critical value for a
panel of this size is 0.43. However, this study requires a CVR greater
than 0.60 (that is, at least 15 of the 18 experts rating the item
"important" or "very important") before a control item is adopted, to
ensure that the control items constructed in this study remain
important and feasible for most companies. Table 4 summarizes the
questionnaire results, including the statistics from the questionnaires
and the calculated CVR values.
As described previously, a literature review was conducted and
51 key items were identified for the internal control of ERP
systems. Fourteen items were considered to be unimportant and
were deleted after calculating and comparing the CVR values
derived from the questionnaires. The remaining 37 control items
were generalized and consolidated. The preliminary internal
control items were further modified by referring to the suggestions
provided by the expert respondents. Table 5 shows the modified
internal control framework.
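The CVR screening described above, written out as an added example (this is not code from the article or its authors): it computes Lawshe's CVR for each item over the whole panel and over each expert group of Table 3, and applies the study's 0.60 cut-off. The expert identifiers and all ratings are constructed sample data, not the study's responses; only the group sizes follow Table 3. The "perception difference between groups" flag of Table 4, whose rule the article does not state, is not computed.

```python
"""Lawshe content validity ratio (CVR) screening of questionnaire items.

Added example for this article; it is not the authors' code. It applies
CVR = (n - N/2) / (N/2) to a ratings table, per expert group and for the
whole panel, and keeps an item only when the whole-panel CVR exceeds the
0.60 cut-off the study uses. The ratings below are constructed sample
data (not the study's responses); only the group sizes follow Table 3.
"""
import math

ESSENTIAL = {4, 5}        # "important" (4) and "very important" (5)
ADOPT_THRESHOLD = 0.60    # the study's cut-off; Lawshe's critical value for N = 18 is about 0.43

# Panel of 18 experts in the four groups of Table 3 (identifiers are constructed).
GROUPS = {
    "CPA firm": [f"cpa{i}" for i in range(1, 6)],
    "MIS": [f"mis{i}" for i in range(1, 6)],
    "Audit": [f"aud{i}" for i in range(1, 7)],
    "ERP consultant": [f"erp{i}" for i in range(1, 3)],
}
GROUPS["external experts"] = GROUPS["CPA firm"] + GROUPS["ERP consultant"]
GROUPS["internal experts"] = GROUPS["MIS"] + GROUPS["Audit"]
EXPERTS = GROUPS["CPA firm"] + GROUPS["MIS"] + GROUPS["Audit"] + GROUPS["ERP consultant"]


def cvr(ratings):
    """Lawshe's CVR for one item: n = ratings counted as essential, N = all ratings."""
    N = len(ratings)
    if N == 0:
        raise ValueError("an item needs at least one rating")
    n = sum(1 for r in ratings if r in ESSENTIAL)
    return (n - N / 2) / (N / 2)


def min_essential(N, threshold=ADOPT_THRESHOLD):
    """Smallest n for which CVR > threshold, i.e. n > (N/2) * (1 + threshold)."""
    return math.floor(N / 2 * (1 + threshold)) + 1


def screen(item_ratings, groups=GROUPS, threshold=ADOPT_THRESHOLD):
    """item_ratings: {item: {expert: rating}}. Returns, per item, the whole-panel
    CVR, the CVR of each group, and whether the item passes the cut-off."""
    result = {}
    for item, by_expert in item_ratings.items():
        overall = cvr(list(by_expert.values()))
        per_group = {
            g: round(cvr([by_expert[e] for e in members if e in by_expert]), 2)
            for g, members in groups.items()
        }
        result[item] = {"all": round(overall, 2), "groups": per_group,
                        "adopted": overall > threshold}
    return result


def constructed_ratings(n_essential):
    """Sample response vector: the first n experts in panel order answer 4, the rest 3."""
    return {e: (4 if i < n_essential else 3) for i, e in enumerate(EXPERTS)}


# Constructed sample items (wording from the study's item list, responses invented).
SAMPLE_RATINGS = {
    "Whether password controls exist": constructed_ratings(18),
    "Whether accounts are canceled after employees leave": constructed_ratings(16),
    "Whether a dedicated team responsible for the maintenance of the hardware "
    "and software of the system exists": constructed_ratings(14),
}


def run_example():
    """Screen the constructed sample with the study's panel layout and cut-off."""
    return screen(SAMPLE_RATINGS)


if __name__ == "__main__":
    print("with N = 18 an item needs", min_essential(18), "essential ratings to pass")
    for item, r in run_example().items():
        print(f"{r['all']:5.2f} {'adopted' if r['adopted'] else 'deleted'}  {item}")
        print("       by group:", r["groups"])
```

Running the script shows that with N = 18 an item needs 15 essential ratings to clear the 0.60 cut-off, and that the third sample item, rated important by 9 of the 11 internal experts (CVR 0.64) but by only 5 of the 7 external ones (0.43), is deleted at 0.56 overall; comparing the group CVRs is what reveals where such a disagreement lies.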
5. Empirical findings on internal control for the ERP system
This section provides a brief description of the practices
employed by the case company. The selected company was
established in 1996 and is dedicated to the development and
manufacture of wireless telecommunication products. The company aspires to become the world leader in the area of wireless
telecommunications by exerting efforts in research and development (R&D) that are aimed at improving technology. Its products
are divided into three lines: satellite telecommunications, mobile
telecommunications, and wireless network equipment.
The managers in the company can keep abreast of the key
technologies associated with their product lines in accordance
with the changes occurring in the marketplace through their
extensive experience and background in technology. The company
is thus capable of developing relevant niche products to meet
market demand by quickly integrating telecommunication technologies into their product lines.
This company provides comprehensive wireless and telecommunication products and timely after-sale service to its customers. With its focus on R&D for new technologies and the
extensive in-house development of the accompanying software
and hardware, the company designs and develops its own
products effectively. In fact, the company has achieved its best
economies of scale by establishing an increasingly comprehensive
product line. As a result, the company is capable of maintaining its
competitive advantage in the wireless telecommunications
industry.
The computer auditors working for the company's external accounting
firm were invited to participate in this study. Interviews were also
conducted to study the company's actual operations, collecting the
current internal control information as primary data. The company was
asked to provide secondary data (i.e., relevant operation documents and
files) for the analysis and synthesis of the research findings. Table 6
summarizes the background of all of the interviewees.
A select group of public companies that introduced ERP systems
was filtered for the case study. The company targeted for interview
is engaged in the R&D and manufacture of wireless telecommunication products. The company actually replaced its Baan computer
system with an Oracle ERP system in 2006. The interviewees
comprised an internal auditing supervisor who facilitates two
different ERP systems, an assistant manager in the MIS Department
who maintains and deploys these two different systems, and a
computer auditing manager who works for the accounting firm to
audit the information system of this company. These three
individuals are responsible for the ERP audit. All three interviewees
have relevant experience and background in the auditing and
maintenance of ERP systems.
A case study on a public company using the obtained audited
financial reports was conducted. A manufacturing firm similar to
this telecommunications company can be regarded to be a
representative case for companies in other industries. For this
reason, this case result can be employed and justified as a rationale
for the use of a single case [79]. Specifically, the case study protocol
was developed in the preparation step. Primary data about the
actual operations of the company were gathered on-site in the
collection step, while secondary data were utilized to address the
main objectives of this research. Further, data were gathered,
analyzed, and collated prior to conducting the interviews with
personnel who are experts in IT control and have worked with the
independent accounting firm that maintains a relationship with
the company selected in the case study. The feasibility of the
internal control items that were applied in the planning of the ERP
system was evaluated in the analysis and sharing steps. Finally, the
results and findings were presented.
The control items and information auditing of the ERP system in
the case company were reviewed. The feasibility of using the
control items constructed for the company was also evaluated.
5.1. Practices within the case company
Two auditors are employed in the audit department of the case
company. Their tasks include inspecting domestic and overseas
affiliates in the same group. In addition to adjusting the internal
control framework originally based on the ‘‘eight major cycles,’’ the
two auditors also perform internal audits and execute special
projects assigned by their supervisors because these tasks are part
of their job description. In auditing ERP systems, the focus is on soft
control. The company’s MIS department has established a division
called ‘‘ERP System Services.’’ All seven employees in this division
are responsible for the maintenance of the ERP system. Their major
responsibilities include maintaining the normal operations of the
system, solving all problems raised by users, and meeting the
operational demands of users. These employees perform ordinary
control tests and passive checks on requests from the auditing
department as ERP system audits.
5.2. Control items within the case company
The current audit checklist for ERP systems was originally based
on the control items listed by the company headquarters. The
checklist was later modified in accordance with the actual
situations experienced by the company. The key control items
comply with the criteria set by the authority. However, these
control items are not fixed and are regularly reviewed for
appropriateness.
Table 4
Questionnaire analysis.
Columns in the original: Dimension; No.; Control items; CVR for each expert group (CPA firm, MIS, Audit, ERP consultant); CVR for all experts; Screen results; CVR for external experts; CVR for internal experts; Perception difference between groups. The per-group CVR values and the perception-difference flag are given item by item in the original table and are not reproduced here; the screen result (Yes = adopted into Table 5, No = deleted) is shown after each item.

Definition of functions and responsibilities in the data processing department
1. Whether clear definitions exist for the responsibilities of maintenance personnel in the MIS department: Yes
2. Whether application procedures for the system accounts (authorization) exist: Yes
3. Whether accounts are canceled after employees leave: Yes
4. Whether user authorization is continuously reviewed: Yes
5. Whether a dedicated team responsible for the maintenance of the hardware and software of the system exists: No

System development and control over program modifications
1. Whether application procedures are present for requests to modify system programs: Yes
2. Whether modification specifications are confirmed by the MIS department and the department that submits the request: Yes
3. Whether SA and SD program documents relevant to the modifications exist: Yes
4. Whether independent environments for development and tests exist: Yes
5. Whether relevant test documents and records on program developments are present: No
6. Whether updated (newly added) programs are assessed by users: Yes
7. Whether relevant control measures for changes in system flows are present: Yes

Control over the compilation of system documents
1. Whether coding management is executed on the documents in relation to program modifications (updates): No
2. Whether documents are updated and modified by version after the modifications (additions) of programs: Yes
3. Whether dedicated personnel safeguarding the documents in relation to the systems are present: No
4. Whether only certain personnel can access (modify) the documents in relation to the system programs or the original library: No

Access control of programs and data
1. Whether password controls exist: Yes
2. Whether different access authorizations pursuant to the nature of the users exist: Yes
3. Whether the transfer of external data into the system has undergone verification by the relevant programs: Yes
4. Whether control exists over remote access to the system mainframes: Yes
5. Whether dedicated personnel responsible for the maintenance of the system databases are present: Yes

Control of data inputs and outputs
1. Whether original documents for input data exist: Yes
2. Whether numbering of the documents generated by the system is present: Yes
3. Whether verification procedures for the data input/output interface exist: Yes
4. Whether appropriate control measures are present for the output of confidential data: Yes
5. Whether records on any changes in data additions (modifications) exist: Yes

Control of data processing
1. Whether relevant flows exist to manage the changes in data modification: Yes
2. Whether data are regularly backed up: Yes
3. Whether backup data are supported by another location: Yes

Security control of files and equipment
1. Whether information equipment is listed and managed: No
2. Whether information equipment is protected with security measures: Yes
3. Whether access control over facility rooms exists: Yes
4. Whether facility rooms are protected with security measures: Yes
5. Whether control procedures exist to destroy backup data: Yes

Control over the procurement, use, and maintenance of hardware and system software
1. Whether dedicated personnel responsible for the maintenance of software updates are present: No
2. Whether regular inspections of hardware daily logs are conducted: No
3. Whether the software and hardware are regularly maintained: No
4. Whether records to note the maintenance of and changes to hardware and software are present: No
5. Whether the system software is legal: Yes

System recovery plans/systems and control of testing programs
1. Whether regular tests on system recovery procedures in the face of disaster are conducted: Yes
2. Whether procedures to report disasters exist: No
3. Whether relevant maintenance records and documents exist in case of abnormal situations: Yes

Control over the processes of information disclosure on the assigned websites
1. Whether dedicated personnel responsible for reporting procedures exist: Yes
2. Whether reports are pursuant to the regulations: Yes
3. Whether backups of the reporting data exist: Yes

Independent information audit units
1. Whether system security planning exists: No
2. Whether dedicated personnel responsible for regular audits on information security are present: Yes
3. Whether promotions and training programs targeted at internal staff on information security exist: No

Control of outsourced operations
1. Whether relevant control procedures regarding system outsourcing exist: Yes
2. Whether evaluations of system outsourcing are present: No
3. Whether contracts are signed for system outsourcing: Yes
Table 5
Modified internal control framework.

Dimension / Control items

Definition of functions and responsibilities in the data processing department
  Whether clear definitions exist for the responsibilities of maintenance personnel in the MIS department
  Whether application procedures exist for system accounts (authorization)
  Whether accounts are canceled after employees leave
  Whether user authorization is continuously reviewed

System development and control over program modifications
  Whether application procedures exist for requests to modify system programs
  Whether modification specifications are confirmed by the MIS department and the department that submitted the request
  Whether SA and SD program documents relevant to the modifications exist
  Whether independent environments for development and tests exist
  Whether updated (newly added) programs are assessed by users
  Whether relevant control measures for changes in system flows exist

Control over the compilation of system documents
  Whether the documents are updated and modified by version after the modifications (additions) of programs

Access control of programs and data
  Whether password controls exist
  Whether different access authorizations pursuant to the nature of the users exist
  Whether the transfer of external data into the system has undergone verification by the relevant programs
  Whether control exists over remote access to the system mainframes
  Whether dedicated personnel responsible for the maintenance of the system databases exist

Control of data inputs and outputs
  Whether original documents for input data are present
  Whether numbering of the documents generated by the system is present
  Whether verification procedures for the data input/output interface exist
  Whether appropriate control measures are present for the output of confidential data
  Whether records for any changes in data additions (modifications) exist

Control of data processing
  Whether relevant flows exist to manage the changes in data modification
  Whether data are regularly backed up
  Whether backup data are supported by another location

Security control of files and equipment
  Whether information equipment is protected with security measures
  Whether access control over facility rooms is present
  Whether facility rooms are protected with security measures
  Whether control procedures to destroy backup data exist

Control over the procurement, use, and maintenance of hardware and system software
  Whether the system software is legal

System recovery plans/systems and control of testing programs
  Whether regular tests on system recovery procedures in the face of disaster are conducted
  Whether relevant maintenance records and documents exist in case of abnormal situations

Control over the processes of information disclosure on the assigned websites
  Whether dedicated personnel responsible for reporting procedures are present
  Whether reports are pursuant to the regulations
  Whether backups of reporting data exist

Independent information audit units
  Whether dedicated personnel responsible for regular audits on information security exist

Control of outsourced operations
  Whether relevant control procedures regarding system outsourcing exist
  Whether contracts are signed for system outsourcing
Director Chen said, ‘‘After the introduction of the new Oracle ERP
system in 2006, the company conducted timely adjustments to
ascertain control items.’’
5.3. Information auditing of the ERP system
The internal auditors of the case company focus their audit on
soft control items in the ERP system, such as accounts, passwords,
authorization, and remote access, because they are equipped to
perform only these soft audits. Other forms of audit are delegated
to the MIS department, with the internal auditors participating
through collaborative procedures. The scope of the overall control
items is adjusted by referring to previous audit records: each item
is audited on a regular basis (once a year) to minimize risk, but
items with a poor audit history carry a high-risk profile and are
therefore examined under a stricter schedule (quarterly or every
semester).
Given that the financial reports are generated by the company’s ERP
system, the reporting accounts must be spot-checked as a form of
internal control to reduce the confirmatory audit risk. The computer
audit personnel of the accounting firm check the system setups
and the ordinary control measures of the company.
Manager Li said, ‘‘Basically, auditing for the ERP system within the
company is mainly focused on general and basic checking of the Oracle
ERP architecture in the UNIX operating system, Oracle database, and
network. These are the critical points of our audit.’’
If the audit results indicate that the internal control of a
company is appropriate, then the accountants may reduce the
required number of spot-checking procedures. Auditing procedures
should be modified on a timely basis in accordance with the
actual demands of companies. The company under study was able
to amend the system faults and failures pointed out by its external
auditors. This review process should be performed continuously to
establish a robust internal control structure.

Table 6
Background of the interviewees.

Case study | Function | Title | Interviewee | Experience
Company | Audit room | Audit supervisor | Director Chen | Six years in the audit department of the company; eight years of audit experience
Company | MIS | Assistant manager | Assistant Manager Lin | More than four years of experience in the introduction and maintenance of the ERP system utilized by the company
Reporting accounting firm | Information risk management and services | Manager | Manager Li | More than six years of experience in computer audit; served more than 200 companies
The difficulties encountered by the company’s ERP system
auditors stem from a lack of IT training. Consequently, the
company’s own auditors can cover only soft controls such as
accounts, passwords, authorization, and remote access; for other
forms of audit, they remain dependent on the MIS department.
However, despite their IT knowledge, the MIS personnel cannot
perform audits effectively, owing to control issues posed by
individuals and to unfamiliarity with control measure
requirements and related auditing concepts. External auditors
continue to believe that most companies have no personnel
dedicated to computer audits.
Manager Li said, ‘‘Currently, the competent authority or relevant
institutions are not certified with regard to computer audits. In
addition, most auditors claim they lack sufficient IT training. Given the
limited computer audit talents, very few companies have established a
stable computer audit department.’’
In sum, the challenges involving ERP systems include whether
auditors can clearly understand the operational flows of the
company and its overall information system environment to
effectively manage both the behavioral risks caused by human
factors and the technical risks integrated in a system. For auditors
who do not have expertise in both audit (accounting) and IT, the
auditing processes in an ERP environment pose imminent
obstacles and challenges.
5.4. Understanding the feasibility of the control items
Both interviewees concurred that the control items constructed
in this study meet most of their requirements. However, a suitable
list of control items should take the company’s infrastructure into
account, including company scale and the number of MIS
employees, because individual control points depend on the legacy
information architecture in which they operate. Accordingly, a
number of control items cannot be fully met by the company under
study owing to infrastructure limitations, such as whether the
responsibilities of MIS personnel are clearly defined.
Assistant Manager Lin said, ‘‘This proposed framework seems
suitable for my company, but the premise must consider the
company’s structure. For example, the company did not do well in
distinguishing the responsibilities of IT personnel. The main reason is
due to the lack of manpower and information unit personnel.
Therefore, some control items within this proposed framework may be
excluded. Nevertheless, the framework is still useful for my company.’’
The case company suggested that several control items be
transformed to attainable targets in the future.
The interviewees were requested to state their opinions
regarding the appropriateness and importance of the control
items to understand the feasibility of the proposed framework.
Table 7 provides a summary of the company’s evaluation of the
control items constructed in this study. The list shows that the MIS
department is particularly focused on ‘‘system development and
control over program modifications’’ and ‘‘access control of
programs and data,’’ which further indicates that the list is
applicable and can serve as a future reference. With respect to the
dimension ‘‘system development and control over program
modifications,’’ Assistant Manager Lin said, ‘‘If the MIS department
could manage developed or modified system programs effectively, it
could help improve the credibility of information and preciseness of
data.’’
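The following is a worked example added here, not code from the paper or from the case company, of how the items under ‘‘system development and control over program modifications’’ (request and approval by the MIS department and the requesting department, user assessment of new programs) can be tested mechanically: a register of approved changes, each carrying the SHA-256 of the approved program version, is reconciled against what is actually deployed. Program names, change request identifiers and file contents are all constructed for illustration.

```python
"""Added example, not code from the paper or the case company: a change-control
reconciliation for the dimension "system development and control over program
modifications". It compares what is actually deployed against a register of
approved changes. All program names, change request IDs and contents are
constructed for illustration."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ApprovedChange:
    program: str                  # file name of the ERP program/package
    sha256: str                   # hash of the version that was approved
    change_request: str           # hypothetical CR identifier
    approved_by_mis: bool         # Table 5: confirmed by the MIS department ...
    approved_by_requester: bool   # ... and by the department that submitted the request
    user_acceptance_tested: bool  # Table 5: assessed by users before release


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known good" contents at the time each change was approved.
APPROVED_CONTENT = {
    "ap_invoice_post.sql": b"-- AP invoice posting v3\nINSERT INTO ap_ledger ...;\n",
    "gl_journal_import.pls": b"-- GL import v7\nPROCEDURE import_journal IS ...\n",
    "po_approval.pls": b"-- PO approval v12: limit 50000\n",
    "inv_cycle_count.pls": b"-- cycle count v2\n",
}

# Constructed change register (latest approved change per program).
CHANGE_REGISTER = [
    ApprovedChange("ap_invoice_post.sql", sha256_hex(APPROVED_CONTENT["ap_invoice_post.sql"]),
                   "CR-2013-041", True, True, True),
    ApprovedChange("gl_journal_import.pls", sha256_hex(APPROVED_CONTENT["gl_journal_import.pls"]),
                   "CR-2013-052", True, False, True),   # requesting department never signed off
    ApprovedChange("po_approval.pls", sha256_hex(APPROVED_CONTENT["po_approval.pls"]),
                   "CR-2014-003", True, True, True),
    ApprovedChange("inv_cycle_count.pls", sha256_hex(APPROVED_CONTENT["inv_cycle_count.pls"]),
                   "CR-2014-007", True, True, True),
]

# Constructed snapshot of what is actually in production.
PRODUCTION_CONTENT = {
    "ap_invoice_post.sql": APPROVED_CONTENT["ap_invoice_post.sql"],      # matches approval
    "gl_journal_import.pls": APPROVED_CONTENT["gl_journal_import.pls"],  # matches, approval incomplete
    "po_approval.pls": b"-- PO approval v12: limit 5000000\n",           # edited after approval
    "hr_payroll_calc.pls": b"-- payroll calc\n",                         # no change record at all
    # inv_cycle_count.pls was approved but never deployed
}


def reconcile_changes(production: Dict[str, bytes],
                      register: List[ApprovedChange]) -> Dict[str, List[str]]:
    """Return {program: [finding codes]} for every program that fails a check."""
    findings: Dict[str, List[str]] = {}

    def add(program: str, code: str) -> None:
        findings.setdefault(program, []).append(code)

    latest = {c.program: c for c in register}
    for program, content in production.items():
        change = latest.get(program)
        if change is None:
            add(program, "NO_CHANGE_RECORD")          # deployed without any request/approval
            continue
        if sha256_hex(content) != change.sha256:
            add(program, "HASH_MISMATCH")             # production differs from the approved version
        if not (change.approved_by_mis and change.approved_by_requester):
            add(program, "INCOMPLETE_APPROVAL")
        if not change.user_acceptance_tested:
            add(program, "NO_USER_ACCEPTANCE")
    for program in latest:
        if program not in production:
            add(program, "APPROVED_NOT_DEPLOYED")     # approved, but the release never happened
    for codes in findings.values():
        codes.sort()
    return findings


def run_reconciliation() -> Dict[str, List[str]]:
    return reconcile_changes(PRODUCTION_CONTENT, CHANGE_REGISTER)


if __name__ == "__main__":
    for program, codes in sorted(run_reconciliation().items()):
        print(f"{program}: {', '.join(codes)}")
```

The hash comparison is what gives the check its teeth: an approval record alone proves that a change was requested, whereas matching the deployed bytes against the approved hash proves that what runs in production is the version that was approved and user-tested, and nothing else.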
Two interviewees presented their views on the dimension
‘‘access control of programs and data.’’
Director Chen said, ‘‘Because of the critical nature of the data and
program within the company, appropriate control strategies and
controls should be set for IT systems through access control policies.
Only authorized users should be provided access to information system
assets.’’
Assistant Manager Lin said, ‘‘The current system login in the
company is appropriately controlled by access control procedures such
as passwords. This form of logical access control over information is
primarily required within the company to protect information against
acts such as unauthorized creation and modification as well as
inadvertent errors.’’
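A worked user access review, added here as an example and not part of the paper or of the case company’s procedures, shows how the account items of Table 5 (accounts canceled after employees leave; user authorization continuously reviewed; access authorizations pursuant to the nature of the users) can be tested against an ERP user export. It reconciles a constructed ERP user list with a constructed HR roster and flags accounts of leavers, accounts never or not recently re-confirmed, roles that do not fit the holder’s department, and segregation-of-duties conflicts. The role matrix, department names, usernames and the 90-day review period are assumptions for illustration.

```python
"""Added example, not code from the paper or the case company: a periodic user
access review for the dimension "access control of programs and data". The
employees, accounts, roles and role matrix below are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Employee:
    employee_id: str
    department: str
    left_on: Optional[date]        # None while still employed


@dataclass(frozen=True)
class ErpAccount:
    username: str
    employee_id: Optional[str]     # None for a shared or service account
    roles: FrozenSet[str]
    last_review: Optional[date]    # when a manager last re-confirmed the roles


# Hypothetical role matrix: which departments may hold which ERP responsibility.
ROLE_MATRIX: Dict[str, FrozenSet[str]] = {
    "AP_CLERK": frozenset({"Finance"}),
    "AP_APPROVER": frozenset({"Finance"}),
    "AP_INQUIRY": frozenset({"Finance", "Purchasing"}),
    "GL_SUPERUSER": frozenset({"Finance"}),
    "SYSADMIN": frozenset({"MIS"}),
}
# Segregation-of-duties conflicts: nobody may hold every role in one set.
TOXIC_COMBINATIONS = [frozenset({"AP_CLERK", "AP_APPROVER"})]

# Constructed HR roster and ERP user export.
HR_ROSTER = {e.employee_id: e for e in [
    Employee("E100", "Finance", None),
    Employee("E101", "Finance", date(2014, 1, 15)),   # has left the company
    Employee("E102", "MIS", None),
    Employee("E103", "Purchasing", None),
]}
ERP_ACCOUNTS = [
    ErpAccount("jwang", "E100", frozenset({"AP_CLERK", "AP_APPROVER"}), date(2014, 2, 1)),
    ErpAccount("mchen", "E101", frozenset({"AP_CLERK"}), date(2013, 10, 1)),
    ErpAccount("dba_ops", None, frozenset({"SYSADMIN"}), date(2014, 1, 20)),
    ErpAccount("pliu", "E103", frozenset({"GL_SUPERUSER"}), None),
    ErpAccount("klin", "E102", frozenset({"SYSADMIN"}), date(2014, 2, 15)),
    ErpAccount("ghost", "E999", frozenset({"AP_INQUIRY"}), date(2014, 2, 20)),
]


def review_accounts(accounts: List[ErpAccount], roster: Dict[str, Employee],
                    as_of: date, review_period_days: int = 90) -> Dict[str, List[str]]:
    """Return {username: [finding codes]} for accounts that fail a control item."""
    findings: Dict[str, List[str]] = {}

    def add(user: str, code: str) -> None:
        findings.setdefault(user, []).append(code)

    for acct in accounts:
        emp = roster.get(acct.employee_id) if acct.employee_id else None
        if acct.employee_id is None:
            add(acct.username, "NO_OWNER")              # nobody accountable for the account
        elif emp is None:
            add(acct.username, "UNKNOWN_EMPLOYEE")      # not on the HR roster at all
        elif emp.left_on is not None and emp.left_on <= as_of:
            add(acct.username, "LEAVER_ACTIVE")         # should have been canceled on departure
        # "user authorization is continuously reviewed": missing or stale re-confirmation
        if acct.last_review is None or (as_of - acct.last_review).days > review_period_days:
            add(acct.username, "REVIEW_OVERDUE")
        # authorization "pursuant to the nature of the users": role must fit the department
        if emp is not None and emp.left_on is None:
            for role in sorted(acct.roles):
                if emp.department not in ROLE_MATRIX.get(role, frozenset()):
                    add(acct.username, f"ROLE_NOT_PERMITTED:{role}")
        for combo in TOXIC_COMBINATIONS:
            if combo <= acct.roles:
                add(acct.username, "SOD_CONFLICT:" + "+".join(sorted(combo)))
    for codes in findings.values():
        codes.sort()
    return findings


def run_review() -> Dict[str, List[str]]:
    return review_accounts(ERP_ACCOUNTS, HR_ROSTER, as_of=date(2014, 3, 1))


if __name__ == "__main__":
    for user, codes in sorted(run_review().items()):
        print(f"{user}: {', '.join(codes)}")
```

The review deliberately treats an account with no named owner and an account whose owner is unknown to HR as distinct findings: the first needs an owner assigned, the second is a candidate for immediate disablement, since nothing in the organisation vouches for it.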
With respect to the audit of control items, the auditors believe
that, in principle, general audits should be conducted annually.
However, several dimensions, such as ‘‘access control of programs
and data,’’ require more timely auditing procedures, and it is
sometimes necessary to audit them jointly with the eight-cycle
operations; in such cases auditing is conducted not only annually
but also promptly in conjunction with other procedures. The
external auditors believe that the self-control mechanisms of the
company’s internal IT department for two dimensions (i.e., ‘‘system
development and control over program modifications’’ and ‘‘access
control of programs and data’’) should be audited internally at
least quarterly. The other dimensions may be audited every
semester, depending on their impact on the company’s processes.
The interviewees in the case study agreed that the constructed
control items could effectively assist the company in the audit and
control of its ERP system.
Director Chen said, ‘‘This proposed framework is great and
comprehensive. A few control items are not available in the company
at the moment, and this framework can be utilized to adjust the
present version of the company.’’
5.5. Discussion of findings
As per the earlier discussion, several findings are rather
interesting. In general, the case company already had internal
control arrangements for its ERP that help the related personnel to
effectively manage and track the outcomes of IT control. The
proposed framework is relatively rigorous and complete, and its
logic is easily accepted. Although some control items are not
suitable for the case company, the proposed framework can be used
repeatedly to adjust and improve the company’s present version.

Table 7
Appropriateness and importance of control items.
Columns: Appropriateness (Yes/No); Importance (High/Medium/Low). Marks: § Director Chen; } Assistant Manager Lin.
[The per-item § and } marks were scattered by extraction and cannot be re-assigned to rows or columns; only the audit dimensions and control items are retained.]

Audit dimension / Control items

Definition of functions and responsibilities in the data processing department
  Whether clear definitions exist for the responsibilities of maintenance personnel in the MIS department
  Whether application procedures for system accounts (authorization) exist
  Whether accounts are canceled after employees leave
  Whether user authorization is continuously reviewed

System development and control over program modifications
  Whether application procedures for requests to modify system programs exist
  Whether modification specifications are confirmed by the MIS department and the department that submitted the request
  Whether SA and SD program documents relevant to the modifications exist
  Whether independent environments for development and tests exist
  Whether updated (newly added) programs are assessed by users

Control over the compilation of system documents
  Whether the documents are updated and modified by version after the modifications (additions) of programs

Access control of programs and data
  Whether password controls exist
  Whether different access authorizations pursuant to the nature of the users exist
  Whether the transfer of external data into the system has undergone verification by the relevant programs
  Whether control exists over remote access to the system mainframes
  Whether dedicated personnel responsible for the maintenance of the system databases exist

Control of data inputs and outputs
  Whether original documents for input data are available
  Whether numbering of the documents generated by the system is available
  Whether records for changes in data additions (modifications) are available

Control of data processing
  Whether relevant flows to manage the changes in data modification exist
  Whether data are regularly backed up
  Whether backup data are supported by another location

Security control of files and equipment
  Whether information equipment is protected with security measures
  Whether access control over facility rooms exists
  Whether the facility rooms are protected with security measures
  Whether control procedures are available to destroy backup data

Control over the procurement, use, and maintenance of hardware and software systems
  Whether the system software is legal

System recovery plans/systems and control of testing programs
  Whether regular tests are conducted for system recovery procedures in the face of disaster
  Whether relevant maintenance records and documents are available in case of abnormal situations

Control over the processes of information disclosure on the assigned websites
  Whether dedicated personnel responsible for reporting procedures exist
  Whether reports are pursuant to the regulations
  Whether backups of the reporting data exist

Independent information audit units
  Whether dedicated personnel responsible for regular audits on information security exist

Control of outsourced operations
  Whether relevant control procedures regarding system outsourcing are available
  Whether contracts are signed for system outsourcing
According to the results of our case study, IT general control has
been reasonably emphasized because it supports the resulting
application processing. However, different industries and company sizes may provide different perspectives about determining the
priority of control items. For instance, small-sized companies often
use the Microsoft Office software package to handle business
processing, and in this case, some of control items within this
proposed framework may need to be amended. Nonetheless, this
proposed framework can still be employed to greatly assist the
case company to execute IT control and perform IT governance.
6. Conclusions
Given that the ERP system is widely utilized in many
organizations, the relevant information on security and internal
controls must be continuously prioritized. Stakeholders wish to
feel confident that internal control within the organization is
executed effectively to reduce the possibility of business failure or
fraudulent financial reporting [38]. However, improper management of control procedures in the computer environment of a
company may result in significant financial reporting errors and
financial losses. Thus, this study developed an ERP internal control
framework to assist stakeholders in verifying the effectiveness of
their respective companies’ internal control mechanisms.
Literature related to IT controls for the internal use of
companies, various information security organization bylaws,
and academic literature were reviewed. Open, axial, and selective
coding were performed to finalize the 51 key items associated with
ERP internal control. Questionnaires were administered to confirm
whether the abovementioned items are suitable for and essential
to the ERP system. Out of the 51 control items, only 37 were
utilized in the preliminary model. A case study was then conducted
to verify the feasibility of the proposed framework.
Our findings have provided some implications for future
research. The internal control matrix could be regarded as a
common method to represent internal controls for specific
business processes within the SOX audit environment, which
includes internal control objectives [24]. Only a few studies have
developed a structured, systematic approach that stakeholders can
utilize. The proposed framework was derived from several rigorous
methods and contained necessary control dimensions and items
that can be utilized for ERP control and improvement of IT
governance. Compared with previous studies on internal control
frameworks, including Jo et al. [34] and Lin et al. [40], the case
study approach has been recommended for this stream of studies
simply because of the need for detailed and contextual information
from the entity stakeholders. Further, the extant research utilized
experts from CPA firms as a research subject; this study recruited
several participants from the case company to disseminate their
thoughts. Because this study embraced the application controls to
broaden the IT control domain, the obtained outcome may
complete Huang’s [29] work because its only focus is placed on
the general IT controls.
A previous study indicated that existing internal control
frameworks do not consider important control aspects such as
the environment outside of the organization [66]. The dimension
‘‘control of outsourced operations’’ in the proposed framework
strengthens the ERP internal control points. A few empirical
studies examined IT control weakness and IT operation risk
[5,36,39]. The study of Li et al. [39] provided empirical evidence
regarding IT-related material weakness based on internal and
external governance. Further, Klamm and Watson [36] examined
IT material weakness based on the internal control-integrated
framework proposed by COSO. In summary, this proposed
framework may be utilized to assess ERP control.
The proposed framework can also be applied to the external
auditing profession. External auditors can use this framework to
communicate logically with their clients. The responsibility of the
certified public accountants to attest to the effectiveness of their
clients’ internal control system is clearly regulated. An auditor in
an IT environment must have a good understanding of internal
control. If an auditor does not have a proper understanding of this
concept, auditing work may incur many uncertainties and risks.
From the perspective of a business entity, acquiring effective
internal control is a complex task. However, internal control can be
facilitated and maintained if a proper framework is adopted. The
proposed framework is a supplement to the COSO framework [15].
This comprehensive framework facilitates the construction of
detailed controls for ERP systems. Among the 12 dimensions
constructed in this study, only the dimension ‘‘access control of
programs and data’’ was unanimously recognized by all interviewees
as an important criterion in information risk management.
This finding is similar to that of Wallace et al. [73] and indicates
that access control is the most common and highest-priority
control in practice. When an entity establishes proper access
control, the probability of an attacker obtaining unauthorized
system access decreases [59]. However, most of the items in the
proposed framework were regarded as moderately important. The
listed company under study should therefore exercise compliance,
and its stakeholders should assume more responsibility for
protecting the information system. This result confirms the
findings of Wallace et al. [73].
With the proposed framework, which includes comprehensive
control dimensions or items, internal auditors and MIS department
chiefs can verify the effectiveness of internal control through a
complete mechanism to comply with government regulations. In
other words, internal auditors and MIS department chiefs can
develop their relationship and communicate the effectiveness of
internal control by referring to the proposed framework. According
to Wallace et al. [73], a good relationship between an organization’s internal auditors and MIS department chiefs helps the
organization comply with IT-related internal control requirements.
Several control items are considered to be high-priority items.
Perhaps stakeholders should prioritize high-risk control points.
This process not only enhances audit efficiency but also easily
identifies the weakness of internal control. Companies must
consider the limitations inherent in their infrastructures in terms
of internal control management to determine the most important
control points [58]. These recommended improvements can enable
companies to build robust auditing structures.
Small and medium-sized enterprises (SMEs) need to implement
information systems in their operations to cooperate with large
firms. Most large firms ask to review and audit downstream SMEs
to ensure system security. SMEs may therefore consider the
proposed framework and adjust several control items according to
their own characteristics to determine their IT control weaknesses
in advance.
The present study has limitations. Thirty relevant studies were
selected and reviewed to construct the ERP system internal control
framework. This study did not prove that the coding process
reached saturation; other control items might have been missed.
Furthermore, despite recruiting 18 qualified experts to confirm the
control items derived from the literature review, other experts
might have concluded otherwise. Another limitation of this study
is external validity. The explanatory power of this study may be
limited because it adopts the single case method. This proposed
framework with control items is generic in nature. In other words,
it could be applied to the majority of entities regardless of their size
or industry. A few industries with higher security requirements
for their IT environment (e.g., the banking sector) will be able to
expand this framework by adding new control dimensions and
items, providing additional insights into this subject area.
Several future research avenues are discussed as follows. First,
given the increasing number of published studies on ERP internal
control, follow-up research could analyze these streamed studies
to add control items and refine the proposed framework. Second,
several control items in the proposed framework may be extended
to other systems, organizations (e.g., government agencies), and
industries. Future studies could examine the usefulness and
feasibility of the proposed framework.
References
[1] American Institute of Certified Public Accountants (AICPA), Audit Risk and Materiality in Conducting an Audit, SAS No. 47, AICPA, New York, 1983.
[2] American Institute of Certified Public Accountants (AICPA), The Effect of Information Technology on the Auditors’ Consideration of Internal Control in a
Financial Statement Audit, SAS No. 94, AICPA, New York, 2001.
[3] H. Ashbaugh-Skaife, The effect of SOX internal control deficiencies on firm risk
and cost of equity, Journal of Accounting Research 47 (1), 2009, pp. 1–43.
[4] J.C. Bedard, L.E. Graham, The effects of decision aid orientation on risk factor
identification and audit test planning, Auditing 21 (2), 2002, pp. 39–65.
[5] M. Benaroch, A. Chernobai, J. Goldstein, An internal control perspective on the
market value consequences of IT operational risk events, International Journal of
Accounting Information Systems 13 (4), 2012, pp. 357–381.
[6] J. Brazel, L. Dang, The effect of ERP system implementations on the management of
earnings and earnings release dates, Journal of Information Systems 22 (2), 2008,
pp. 1–21.
[7] British Standards Institution (BSI), Information Security Management – Part 2:
Specification for Information Security Management Systems, British Standards
Institution, London, 2002.
[8] W. Brown, F. Nasuti, Sarbanes–Oxley and enterprise security: IT governance –
what it takes to get the job done, Security Management Practices 14 (5), 2002, pp.
15–28.
[9] L. Calabro, Looking under the hood, CFO 20 (6), 2004, pp. 97–98.
[10] V. Cerullo, M.J. Cerullo, Business continuity planning: a comprehensive approach,
Information Systems Management 21 (3), 2004, pp. 70–78.
[11] S.I. Chang, G.G. Gable, A comparative analysis of major ERP lifecycle implementation, management and support issues in Queensland government, Journal of
Global Information Management 10 (3), 2002, pp. 36–54.
[12] J. Chau, Application security – it all starts from here, Computer Fraud & Security
2006 (6), 2006, pp. 7–9.
[13] M. Coe, Trust services: a better way to evaluate IT controls, Journal of Accountancy
199 (3), 2005, pp. 69–75.
[14] J.L. Colbert, P.L. Bowen, A comparison of internal controls: COBIT, SAC, COSO, and
SAS 55/78, IS Audit and Control Journal 4, 1996, pp. 26–35.
[15] Committee of Sponsoring Organizations of the Treadway Commission (COSO),
Internal Control – Integrated Framework, AICPA, New York, 1992.
[16] A. Daveiga, J.H.P. Eloff, An information security governance framework, Information Systems Management 24 (4), 2007, pp. 361–372.
[17] G. Dhillon, Principles of Information System Security: Text and Cases, John Wiley
and Sons, New Jersey, 2007.
[18] D. Durfee, The 411 on 404: Reporting a material weakness in controls can cost
shareholders millions and some CFOs their jobs, CFO Magazine, 2005.
[19] J.H.P. Eloff, M.M. Eloff, Information security architecture, Computer Fraud &
Security 2005 (11), 2005, pp. 10–16.
[20] Ernst & Young, Preparing for Internal Control Reporting: A Guide for Management’s Assessment Under Section 404 of the Sarbanes–Oxley Act, Ernst & Young
LLP, 2002.
[21] S. Flowerday, R. Von Solms, Continuous auditing: verifying information integrity
and providing assurances for financial reports, Computer Fraud & Security 2005
(7), 2005, pp. 12–16.
[22] S. Flowerday, R. Von Solms, Real-time information integrity = system integrity + data integrity + continuous assurance, Computers and Security 24 (8), 2005,
pp. 604–613.
[23] C. Fox, P.C. Zonneveld, IT Control Objectives for Sarbanes–Oxley: The Importance
of IT in the Design, Implementation and Sustainability of Internal Control over
Disclosure and Financial Reporting, IT Governance Institute, Illinois, 2003.
[24] U.J. Gelinas Jr., R.B. Dull, Accounting Information Systems, 7th ed., Thomson
South-Western, Mason, OH, 2008.
[25] S. Glover, D. Prawitt, M. Rommy, Implementing ERP, Internal Auditor 56 (1), 1999,
pp. 40–47.
[26] S. Goel, H.A. Shawky, Estimating the market impact of security breach announcements on firm values, Information & Management 46 (7), 2009, pp. 404–410.
[27] L.A. Gordon, M.P. Loeb, W. Lucyshyn, R. Richardson, CSI/FBI Computer Crime and
Security Survey, Computer Security Institute, 2005 Available at: www.gocsi.com.
[28] M. Gorge, USB and other portable storage device usage: be aware of the risks to
your corporate data in order to take pre-emptive and/or corrective action,
Computer Fraud & Security 2005 (8), 2005, pp. 15–17.
[29] S.M. Huang, W.H. Hung, D.C. Yen, I.C. Chang, D. Chiang, Building the evaluation
model of the IT general control for CPAs under enterprise risk management,
Decision Support Systems 50 (4), 2011, pp. 692–701.
[30] P. Hunter, Card systems: four million Hack – under the spotlight, Computer Fraud
& Security 2005 (11), 2005, pp. 8–9.
[31] J.E. Hunton, A.M. Wright, S. Wright, Are financial auditors overconfident in their
ability to assess risks associated with enterprise resource planning systems?
Journal of Information Systems 18 (2), 2004, pp. 7–28.
[32] IT Governance Institute (ITGI), Board briefing on IT governance, 2003 Available
at: http://www.itgi.org.
[33] IT Governance Institute (ITGI), Control Objectives, Management Guidelines,
Maturity Models in CobiT 4.0, IT Governance Institute, Illinois, 2005.
[34] Y. Jo, J. Lee, J. Kim, Influential factors for COBIT adoption intention: an empirical
analysis, International Journal of Contents 6 (4), 2010, pp. 79–89.
[35] A. Jones, The convergence of physical and electronic security, Computer Fraud &
Security 2006 (3), 2006, pp. 12–14.
[36] B.K. Klamm, M.W. Watson, SOX 404 reported internal control weakness: a test of
COSO framework components and information technology, Journal of Information Systems 23 (2), 2009, pp. 1–23.
[37] C.H. Lawshe, A quantitative approach to content validity, Personnel Psychology 28
(4), 1975, pp. 563–575.
[38] C.M. Lehmann, Internal controls: a compendium of short cases, Issues in Accounting Education 25 (4), 2010, pp. 741–754.
[39] C. Li, J.H. Lim, Q. Wang, Internal and external influences on IT control governance,
International Journal of Accounting Information Systems 8 (4), 2007, pp. 225–
239.
[40] F. Lin, L. Guan, W. Fang, Critical factors affecting the evaluation of information
control systems with the COBIT framework: a study of CPA firms in Taiwan,
Emerging Markets Finance & Trade 46 (1), 2010, pp. 42–55.
[41] A. Mancuso, Auditing standard board issues SAS No. 80, The CPA Journal 66, 1997,
p. 74.
[42] Market Intelligence and Consulting Institute (MIC), Analysis of IT Applications for
Large Companies in Taiwan, Institute for Information Industry, Taipei, 2009.
[43] N. Marks, The more things change, Internal Auditor 61 (4), 2004, pp. 60–64.
[44] T.J. Mock, L. Sun, R.P. Srivastava, M. Vasarhelyi, An evidential reasoning approach
to Sarbanes–Oxley mandated internal control risk assessment, International
Journal of Accounting Information Systems 10 (2), 2009, pp. 65–78.
[45] J.J. Morris, The impact of enterprise resource planning (ERP) systems on the
effectiveness of internal controls over financial reporting, Journal of Information
Systems 25 (1), 2011, pp. 129–157.
[46] E. Myler, G. Broadbent, ISO 17799: standard for security, Information Management Journal 40 (6), 2006, pp. 43–52.
[47] C.S. Norman, M.D. Payne, V.P. Vendrzyk, Assessing information technology general control risk: an instructional case, Issues in Accounting Education 24 (1),
2009, pp. 63–76.
[48] J.D. Novak, D.B. Gowin, Learning How to Learn, Cambridge University Press, NY,
1989.
[49] J.B. O’Donnell, Y. Rechtman, Navigating the standards for information technology
controls, The CPA Journal 75 (7), 2005, pp. 64–69.
[50] D. O’Leary, Enterprise Resource Planning Systems: Systems, Life Cycle, Electronic
Commerce, and Risk, Cambridge University Press, Cambridge, 2000.
[51] P. Proctor, J. Viganly, The security implications of Sarbanes–Oxley, Symantec
Enterprise Solutions Webcast, 2004 Available at: www.symantec.com/press/
2004/n040218c.html.
[52] Public Company Accounting Oversight Board (PCAOB), An Audit of Internal
Control over Financial Reporting Performed in Conjunction with an Audit of
Financial Statement, Auditing Standard No. 2, PCAOB, Washington, 2004.
[53] M. Ramos, Evaluate the control environment, Journal of Accountancy 197 (5),
2004, pp. 75–78.
[54] M.B. Romney, P.J. Steinbart, Accounting Information Systems, Pearson, Upper
Saddle River, NJ, 2009.
[55] R. Saint-Germain, Information security management best practice based on ISO/
IEC 17799, Information Management Journal 39 (4), 2005, pp. 60–66.
[56] S. Wright, A.M. Wright, Information system assurance for enterprise resource
planning systems: unique risk considerations, Journal of Information Systems 16
(1), 2002, pp. 99–113.
[57] W. She, B. Thuraisingham, Security for enterprise resource planning systems,
Information Systems Security 16 (3), 2007, pp. 152–163.
[58] M. Siponen, R. Willison, Information security management standards: problems
and solutions, Information & Management 46 (5), 2009, pp. 267–270.
[59] P.J. Steinbart, R.L. Raschke, G. Gal, W.N. Dilla, The relationship between internal
audit and information security: an exploratory investigation, International Journal of Accounting Information Systems 13 (3), 2012, pp. 228–243.
[60] P. Stephenson, Incident analysis and recovery, Computer Fraud & Security 2005
(3), 2005, pp. 17–19.
[61] P. Stephenson, Ensuring consistent security implementation within a distributed
and federated environment, Computer Fraud & Security 2006 (11), 2006, pp. 12–14.
[62] A. Stewart, On risk: perception and direction, Computers and Security 23 (5),
2004, pp. 362–370.
[63] M.D. Stoel, W.A. Muhanna, IT internal control weaknesses and firm performance:
an organizational liability lens, International Journal of Accounting Information
Systems 12 (4), 2011, pp. 208–304.
[64] A. Strauss, Qualitative Analysis for Social Scientists, Cambridge University Press,
Cambridge, 1987.
[65] K.L. Thomson, R. Von Solms, Towards an information security competence
maturity model, Computer Fraud & Security 2006 (5), 2006, pp. 11–15.
[66] B. Tuttle, S.D. Vandervelde, An empirical examination of CobiT as an internal
control framework for information technology, International Journal of Accounting Information Systems 8 (4), 2007, pp. 240–263.
[67] S. Tyson, L. Bean, System access hotspots: are auditors ignoring danger, Journal of
Corporation Accounting and Finance 16 (4), 2005, pp. 3–9.
[68] United States Code, Public Printing and Documents: Definitions. Title 44, Section
3552, United States Code, Washington, DC, 2008.
[69] R. Van De Riet, W. Janssen, P. De Gruijter, Security moving from database systems,
Database and Expert System Applications Proceedings 1998.
[70] A. Vance, M. Siponen, S. Pahnila, Motivating IS security compliance: insights from
habit and protection motivation theory, Information & Management 49 (3–4),
2012, pp. 190–198.
[71] L. Volonino, G.H. Gessner, Holistic compliance with Sarbanes–Oxley, Communication of AIS 14 (1), 2004, pp. 219–233.
[72] S.H. Von Solms, Information security governance – compliance management vs.
operational management, Computers and Security 24 (6), 2005, pp. 443–447.
[73] L. Wallace, H. Lin, M.A. Cefaratti, Information security and Sarbanes–Oxley
compliance: an exploratory study, Journal of Information Systems 25 (1),
2011, pp. 185–211.
[74] L. Wallace, M. Keil, A. Rai, Understanding software project risk: a cluster analysis,
Information & Management 42 (1), 2004, pp. 115–125.
[75] L.M. Walters, A draft of an information systems security and control course,
Journal of Information Systems 21 (1), 2007, pp. 123–148.
[76] C.L. Wilkin, R.H. Chenhall, A review of IT governance: a taxonomy to inform
accounting information systems, Journal of Information Systems 24 (2), 2010, pp.
107–146.
[77] R. Williams, Performing a successful UNIX audit, Computer Fraud & Security 2003
(8), 2003, pp. 11–12.
[78] P. Wilson, Risk control: a technical view, Computer Fraud & Security 2005 (5),
2005, pp. 8–11.
[79] R.K. Yin, Case Study Research – Design and Methods, Sage, California, 2009.