Accepted Manuscript
Title: Internal Control Framework of a Compliant ERP System
Authors: Jing Fan, Pengzhu Zhang, David C. Yen
PII: S0378-7206(13)00115-8
DOI: http://dx.doi.org/doi:10.1016/j.im.2013.11.002
Reference: INFMAN 2675
To appear in: INFMAN
Received date: 1-2-2012
Revised date: 17-10-2013
Accepted date: 4-11-2013
Please cite this article as: J. Fan, P. Zhang, D.C. Yen, Internal Control Framework of a Compliant ERP System, Information & Management (2013), http://dx.doi.org/10.1016/j.im.2013.11.002
This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.
B154, B162, C40, C61, C87, C114, C158, C170, and C219 describe anomalies in the
information system, how the information department is contacted and informed, how the
information department rules out anomalies, and how information security incidents are
addressed. Thus, these codes (concepts) were grouped in the domain of “whether procedures
exist to report disasters.” The other concepts were translated into domains according to the
same rule; 66 domains were established as internal control key issues based on the 670
concepts determined in the open coding process.
4.2 Axial coding
Axial coding is usually conducted after open coding. This stage reassembles the data that open coding broke apart, relating the classifications and sub-classifications to one another in new ways.
The 66 domains of the coded entries were further classified into dimensions. For example,
the domains “whether relevant control procedures exist regarding system outsourcing” and
“whether contracts are signed for system outsourcing” are related to the outsourcing operation
control and are imperative in managing system outsourcing for an organization. Therefore,
these domains were classified into the dimension of “control of outsourced operations.” The
results of axial coding are summarized in Table 2.
-----------------------------------------------
Insert Table 2 here
-----------------------------------------------
4.3 Selective coding
Axial coding consolidates complex data and is the foundation of selective coding.
Selective coding is conducted to explain a selected core category systematically, verify the
relationship of the main and other classifications, and fill the gap for supplements or
developments required for individual classifications [64].
Based on the internal controls and the analysis of relevant literature, 66 key domains that
influence the internal control of information systems were identified. The domains integrated
through axial coding were re-classified as single key domains in selective coding. For
example, the domains “whether anti-virus measures are used” and “whether firewalls are
used,” were merged into “whether information equipment is protected with security
measures” given that both are related to the security measures of the information equipment.
Subsequently, 51 key domains were established. These domains function as internal control
items.
4.4 Expert Questionnaires
Once the preliminary internal control items had been constructed from the literature, the methodology and validation process developed by Lawshe [37] was adopted. This process enabled the collection of opinions from experts with extensive experience in the establishment, maintenance, and auditing of ERP systems. Questionnaires were distributed to experts who are responsible for corporate functions (including internal audit and information), who handle external audits (accounting firms), or who work in partner companies involved in the introduction of an ERP system. The backgrounds of the participating experts are shown in Table 3. The control dimensions and items were screened to determine those suitable for the ERP system. Combining theory with actual application is expected to increase the validity, scope, and practicality of this study, thereby achieving the research purpose of constructing internal control in an ERP system.
-----------------------------------------------
Insert Table 3 here
-----------------------------------------------
The questionnaires used in this study measure the opinions of the respondents on a five-point ordinal scale: “very important (5),” “important (4),” “ordinary (3),” “unimportant (2),” and “very unimportant (1).” Each dimension is semi-open so that respondents can provide relevant feedback on the key items related to internal control in the ERP system.
A total of 18 experts responded to the questionnaires. Following the methodology and validation process proposed by Lawshe [37], the content validity ratio (CVR) of each item is calculated as

CVR = (n − N/2) / (N/2),

where n is the number of experts who rated the item as either “very important” or “important” and N is the total number of experts. The CVR should be greater than 0.43 to meet the targeted requirement. However, this study requires a CVR greater than 0.60 before a control item is adopted, to ensure that the control items constructed in this study remain important and feasible for most companies. Table 4 summarizes the questionnaire results, including the statistics from the questionnaires and the calculated CVR values.
As described previously, a literature review was conducted and 51 key items were identified for the internal control of ERP systems. Fourteen items were judged unimportant and deleted after the CVR values derived from the questionnaires were calculated and compared against the threshold. The remaining 37 control items were generalized and consolidated, and the preliminary internal control items were further modified by referring to the suggestions of the expert respondents. Table 5 shows the modified internal control framework.
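As an added worked example (not code from the paper), the following Python applies the CVR screening described above to a constructed panel of 18 expert ratings for four of the paper's candidate domains; the ratings, the helper names and the choice of four items are assumptions, and the script also derives the minimum number of “important”/“very important” votes an item needs under both the 0.43 and the 0.60 thresholds.

```python
"""Lawshe content validity ratio (CVR) screening of candidate control items.

Added example, not code from the paper. It applies the CVR formula the paper
uses, CVR = (n - N/2) / (N/2), to a constructed panel of expert ratings on the
paper's five-point scale (5 = very important ... 1 = very unimportant), where
n counts the experts who rated an item 4 or 5 and N is the panel size.
"""

LAWSHE_MIN_CVR = 0.43   # minimum CVR the paper cites for Lawshe's method
STUDY_MIN_CVR = 0.60    # stricter threshold the paper adopts before keeping an item
ESSENTIAL = (4, 5)      # "important" and "very important"

# Constructed ratings from 18 hypothetical experts. The four item names are
# domains that appear in the paper; the votes are invented for illustration.
PANEL = {
    "whether information equipment is protected with security measures":
        [5] * 10 + [4] * 6 + [3] * 2,           # 16 of 18 rate it essential
    "whether procedures exist to report disasters":
        [5] * 9 + [4] * 6 + [3] * 3,            # 15 of 18
    "whether contracts are signed for system outsourcing":
        [5] * 6 + [4] * 8 + [3] * 3 + [2] * 1,  # 14 of 18
    "whether anti-virus measures are used":
        [4] * 10 + [3] * 5 + [2] * 3,           # 10 of 18
}


def cvr_from_counts(n_essential: int, n_experts: int) -> float:
    """CVR = (n - N/2) / (N/2), rewritten as (2n - N) / N to avoid half-votes."""
    if n_experts <= 0:
        raise ValueError("CVR needs at least one expert")
    if not 0 <= n_essential <= n_experts:
        raise ValueError("essential votes must lie between 0 and N")
    return (2 * n_essential - n_experts) / n_experts


def cvr(ratings) -> float:
    """CVR of one item from its list of per-expert ratings on the 1..5 scale."""
    bad = [r for r in ratings if r not in (1, 2, 3, 4, 5)]
    if bad:
        raise ValueError(f"ratings outside the 1..5 scale: {bad}")
    n_essential = sum(1 for r in ratings if r in ESSENTIAL)
    return cvr_from_counts(n_essential, len(ratings))


def min_essential_votes(n_experts: int, threshold: float) -> int:
    """Smallest n for which CVR(n, N) exceeds the threshold (strict, as the paper states)."""
    for n in range(n_experts + 1):
        if cvr_from_counts(n, n_experts) > threshold:
            return n
    raise ValueError("threshold cannot be exceeded with this panel size")


def screen_items(panel, threshold=STUDY_MIN_CVR):
    """Split a panel into (kept, dropped) dicts of item -> CVR rounded to 3 places.

    The comparison uses the unrounded CVR so that rounding never flips a
    borderline item; only the reported value is rounded.
    """
    kept, dropped = {}, {}
    for item, ratings in panel.items():
        raw = cvr(ratings)
        target = kept if raw > threshold else dropped
        target[item] = round(raw, 3)
    return kept, dropped


if __name__ == "__main__":
    n_experts = 18
    for label, threshold in (("Lawshe", LAWSHE_MIN_CVR), ("this study", STUDY_MIN_CVR)):
        votes = min_essential_votes(n_experts, threshold)
        print(f"{label}: CVR > {threshold} needs at least {votes} of {n_experts} essential votes")
    kept, dropped = screen_items(PANEL)
    print("kept under 0.60:", kept)
    print("dropped under 0.60:", dropped)
```

With 18 experts the 0.60 threshold requires 15 essential votes whereas 0.43 requires only 13, so the outsourcing-contract item (14 votes) survives Lawshe's cut-off but not the paper's.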
-----------------------------------------------
Insert Table 4 here
-----------------------------------------------
-----------------------------------------------
Insert Table 5 here
-----------------------------------------------
5. Empirical findings on internal control for the ERP system
This section provides a brief description of the practices employed by the case company.
The selected company was established in 1996 and is dedicated to the development and manufacturing of wireless telecommunication products. The company aspires to become the world leader in wireless telecommunications through research and development (R&D) aimed at improving its technology. Its products fall into three lines: satellite telecommunications, mobile telecommunications, and wireless network equipment.
Through their extensive experience and technical background, the company’s managers keep abreast of the key technologies associated with their product lines as the marketplace changes. The company is thus able to develop niche products that meet market demand by quickly integrating telecommunication technologies into its product lines.
The company provides comprehensive wireless and telecommunication products and timely after-sales service to its customers. With its focus on the R&D of new technologies and extensive in-house development of the accompanying software and hardware, the company designs and develops its own products effectively. In fact, the company has achieved its best economies of scale by establishing an increasingly comprehensive product line. As a result, it has maintained its competitive advantage in the wireless telecommunications industry.
The computer auditors working for the accountant were invited to participate in this study. Interviews were also conducted to study the company’s actual operations and to collect its current internal control information as primary data. The company was asked to provide secondary data (i.e., relevant operation documents and files) for the analysis and synthesis of the research findings. Table 6 summarizes the background of all the interviewees.
-----------------------------------------------
Insert Table 6 here
-----------------------------------------------
A select group of public companies that had introduced ERP systems was screened for the case study. The company chosen for interview is engaged in the R&D and manufacturing of wireless telecommunication products; it replaced its Baan computer system with the Oracle ERP system in 2006. The interviewees comprised an internal auditing supervisor who oversees two different ERP systems, an assistant manager in the MIS department who maintains and deploys these two systems, and a computer auditing manager who works for the accounting firm that audits the company’s information system. In other words, these three individuals are responsible for the ERP audit. All three interviewees have relevant experience and background in the auditing and maintenance of ERP systems.
A case study was conducted on a public company whose audited financial reports were obtained. A manufacturing firm such as this telecommunications company can be regarded as a representative case for companies in other industries, which justifies the use of a single case [79]. Specifically, the case study protocol was developed in the preparation step. Primary data about the actual operations of the company were gathered on-site in the collection step, while secondary data were used to address the main objectives of this research. Further, data were gathered, analyzed, and collated prior to the interviews with personnel who are experts in IT control and have worked with the independent accounting firm that maintains a relationship with the company selected for the case study. The feasibility of the internal control items applied in the planning of the ERP system was evaluated in the analysis and sharing steps. Finally, the results and findings were presented.
The control items and information auditing of the ERP system in the case company were reviewed, and the feasibility of the control items constructed for the company was also evaluated.
(1) Practices within the case company
Two auditors are employed in the audit department of the case company. Their tasks
include inspecting domestic and overseas affiliates in the same group. In addition to adjusting
the internal control framework originally based on the “eight major cycles,” the two auditors
also perform internal audits and execute special projects assigned by their supervisors because
these tasks are part of their job description. In auditing ERP systems, the focus is on soft
control. The company’s MIS department has established a division called “ERP System
Services.” All seven employees in this division are responsible for the maintenance of the
ERP system. Their major responsibilities include maintaining the normal operations of the
system, solving all problems raised by users, and meeting the operational demands of users.
These employees perform ordinary control tests and passive checks on requests from the
auditing department as ERP system audits.
(2) Control items within the case company
The current audit checklist for ERP systems was originally based on the control items
listed by the company headquarters. The checklist was later modified in accordance with the
actual situations experienced by the company. The key control items comply with the criteria
set by the authority. However, these control items are not fixed and are regularly reviewed for
appropriateness.
Director Chen said, “After the introduction of the new Oracle ERP system in 2006, the company conducted timely adjustments to ascertain control items.”
(3) Information auditing of the ERP system
The internal auditors of the case company focus their audit on soft control items in the
ERP system such as accounts, passwords, authorization, and remote access. The auditors are
equipped to perform only soft audits. Other forms of audits are delegated to the MIS
department as the internal auditors perform these tasks through collaborative procedures. The
definition of the items pertaining to overall control is modified by referring to previous audit
records. For example, each audit is performed on a regular basis (i.e., once a year) to
minimize risk. However, the items with poor records have a high-risk profile and are therefore
analyzed under strict standards (i.e., conducted quarterly or every semester).
Given that financial reports are generated by the company’s ERP system, the reporting
accounts must be spot-checked as a form of internal control to reduce confirmatory audit
risks. The computer audit personnel of the accounting firm check the system setups and the
ordinary control measures of the company.
Manager Li said, “Basically, auditing for the ERP system within the company is mainly
focused on general and basic checking of the Oracle ERP architecture in the UNIX operating
system, Oracle database, and network. These are the critical points of our audit.”
If audit results indicate that the internal control of a company is proper, then the
accountants may reduce the required number of spot-checking procedures. Auditing
procedures should be modified on a timely basis in accordance with the actual demands of
companies. The company under study was able to amend system faults and failures pointed
out by its external auditors. This review process should be performed continuously to
establish a robust internal control structure.
The difficulties encountered by the company’s ERP system auditors are caused by a lack of IT training. Consequently, the company can focus only on software controls. For the other forms of audit, the auditors remain dependent on the MIS department for effectiveness. However, despite the sufficient IT knowledge of the personnel in the MIS department, these personnel cannot perform audits effectively owing to control issues posed by individuals, control measure requirements, and related auditing concepts. External auditors continue to believe that most companies do not have any personnel dedicated to computer audits.
Manager Li said, “Currently, the competent authority or relevant institutions are not
certified with regard to computer audits. In addition, most auditors claim they lack sufficient
IT training. Given the limited computer audit talents, very few companies have established a
stable computer audit department.”
In sum, the challenges involving ERP systems include whether auditors can clearly
understand the operational flows of the company and its overall information system
environment to effectively manage both the behavioral risks caused by human factors and the
technical risks integrated in a system. For auditors who do not have expertise in both audit
(accounting) and IT, the auditing processes in an ERP environment pose imminent obstacles
and challenges.
(4) Understanding the feasibility of the control items
Both interviewees concurred that the control items constructed in this study meet most of
the requirements. However, a suitable list of control items should consider the infrastructure
of the company, including the company scale and number of MIS employees. These
considerations are important because individual control points have important roles in legacy
information architecture. Accordingly, a number of control items cannot completely meet the
specifications of the company under study owing to limitations in identifying infrastructure
concepts such as whether the responsibilities of MIS personnel are clearly defined.
Assistant Manager Lin said, “This proposed framework seems suitable for my company,
but the premise must consider the company's structure. For example, the company did not do
well in distinguishing the responsibilities of IT personnel. The main reason is due to the lack
of manpower and information unit personnel. Therefore, some control items within this
proposed framework may be excluded. Nevertheless, the framework is still useful for my
company.”
The case company suggested that several control items be transformed into attainable targets in the future.
The interviewees were requested to state their opinions regarding the appropriateness and
importance of the control items to understand the feasibility of the proposed framework. Table
7 provides a summary of the company’s evaluation of the control items constructed in this
study. The list shows that the MIS department is particularly focused on “system development
and control over program modifications” and “access control of programs and data,” further
proving that the list is applicable and can thus serve as future reference. With respect to the
dimension “system development and control over program modifications,” Assistant Manager
Lin said, “If the MIS department could manage developed or modified system programs
effectively, it could help improve the credibility of information and preciseness of data.”
Two interviewees presented their views on the dimension “access control of programs
and data.”
Director Chen said, “Because of the critical nature of the data and program within the
company, appropriate control strategies and controls should be set for IT systems through
access control policies. Only authorized users should be provided access to information
system assets.”
Assistant Manager Lin said, “The current system login in the company is appropriately
controlled by access control procedures such as passwords. This form of logical access
control over information is primarily required within the company to protect information
against acts such as unauthorized creation and modification as well as inadvertent errors.”
With respect to the audit of control items, auditors believe that in principle, general audits should be conducted annually. However, several dimensions such as “access control of programs and data” require timely system auditing procedures. Jointly auditing these dimensions and those for the eight-cycle operations is sometimes necessary. Auditing in such situations is conducted not only annually but also rather promptly in conjunction with other procedures. External auditors believe that the current self-control mechanisms of the company’s internal IT department involve two dimensions (i.e., “system development and control over program modifications” and “access control of programs and data”), which should be audited internally at least on a quarterly basis. As for the other dimensions, auditing may be conducted every semester depending on the impact on the company processes.
The interviewees in the case study agreed that the constructed control items could
effectively assist the company in the audit and control of its ERP system.
Director Chen said, “This proposed framework is great and comprehensive. A few
control items are not available in the company at the moment, and this framework can be
utilized to adjust the present version of the company.”
-----------------------------------------------
Insert Table 7 here
-----------------------------------------------
(5) Discussion of Findings
As discussed earlier, several findings are rather interesting. In general, the internal control framework for the ERP system that exists in the case company helps the related personnel manage effectively and track the outcomes of IT control. The proposed framework is relatively rigorous and complete, and its logic is easy to accept. Although some control items are not suitable for the case company, the proposed framework can be used repeatedly to adjust and improve the company’s present version.
According to the results of the case study, IT general control has reasonably been emphasized because it supports the resulting application processing. However, different industries and company sizes may yield different perspectives on the priority of control items. For instance, small companies often use office software packages to handle business processing, and in that case some of the control items in the proposed framework may need to be amended. Nonetheless, the proposed framework can still greatly assist the entity in executing IT control and performing IT governance in the case company.
6. Conclusions
Given that the ERP system is widely utilized in many organizations, relevant information on security and internal controls must be continuously prioritized. Stakeholders wish to feel confident that internal control within the organization is executed effectively to reduce the possibility of business failure or fraudulent financial reporting [38]. However, improper management of control procedures in the computer environment of a company may result in significant financial reporting errors and financial losses for the same company. Thus, this study developed an ERP internal control framework to assist stakeholders in verifying the effectiveness of their respective companies’ internal control mechanisms.
Literature related to IT controls for the internal use of companies, various information
security organization bylaws, and academic literature were reviewed. Open, axial, and
selective coding were performed to finalize the 51 key items associated with ERP internal
control. Questionnaires were administered to confirm whether the abovementioned items are
suitable for and essential to the ERP system. Out of the 51 control items, only 37 were
utilized in the preliminary model. A case study was then conducted to verify the feasibility of
the proposed framework.
Our findings have several implications for future research. The internal control matrix can be regarded as a common method of representing internal controls for specific business processes within the SOX audit environment, including the internal control objectives [24]. Only a few studies have developed a structured, systematic approach that stakeholders can utilize. The proposed framework was derived from several rigorous methods and contains the necessary control dimensions and items, which can be utilized for ERP control and the improvement of IT governance. Compared with previous studies on internal control frameworks, including Jo et al. [34] and Lin et al. [40], the case study approach has been recommended for this stream of research because of the need for detailed and contextual information from the entity’s stakeholders. Further, whereas most existing studies used experts from CPA firms as research subjects, this study also recruited several participants from the case company to share their views. Because this study embraces application controls to broaden the IT control domain, its outcome may complement Huang’s [29] work, which focuses only on IT general controls.
A previous study indicated that existing internal control frameworks do not consider important control aspects such as the environment outside the organization [66]. The dimension “control of outsourced operations” in the proposed framework strengthens the ERP internal control points. A few empirical studies examined IT control weakness and IT operation risk [5, 36, 39]. The study of Li et al. [39] provided empirical evidence regarding IT-related material weakness based on internal and external governance. Further, Klamm and Watson [36] examined IT material weakness based on the internal control-integrated framework proposed by COSO. In summary, this proposed framework may be utilized to assess ERP control.
The proposed framework can also be applied to the external auditing profession. External auditors can communicate logically with their clients through this framework. The responsibility of certified public accountants in attesting to the effectiveness of their clients’ internal control system has been clearly regulated. An auditor in an IT environment must have a good understanding of internal control. If an auditor does not have a proper understanding of this concept, auditing work may incur many uncertainties and risks.
From the perspective of a business entity, acquiring effective internal control is a
complex task. However, internal control can be facilitated and maintained if a proper
framework is adopted. The proposed framework is a supplement to the COSO framework [15]
and provides a comprehensive framework to facilitate the construction of detailed controls for
ERP systems. Among the 12 dimensions constructed in this study, only the dimension “access
control of program and data” was unanimously recognized by all interviewees as an important
criterion in information risk management. This finding is similar to that of Wallace et al. [73],
thereby proving that access control is the most common and prioritized control in practice.
When an entity establishes proper access control, the probability of an attacker obtaining
unauthorized system access decreases [59]. However, most of the items in the proposed
framework were regarded as moderately important. The listed company under study should
therefore exercise compliance, and its stakeholders should assume more responsibility to
protect the information system. This result confirms the results of Wallace et al. [73].
With the proposed framework, which includes comprehensive control dimensions and items, internal auditors and MIS department chiefs can verify the effectiveness of internal control through a complete mechanism to comply with government regulations. In other words, internal auditors and MIS department chiefs can develop their relationship and communicate the effectiveness of internal control by referring to the proposed framework. According to Wallace et al. [73], a good relationship between an organization’s internal auditors and MIS department chiefs helps the organization comply with IT-related internal control requirements.
Several control items are considered high-priority items. Stakeholders should perhaps prioritize high-risk control points. Doing so not only enhances audit efficiency but also makes weaknesses in internal control easier to identify. Companies must consider the limitations inherent in their infrastructures in terms of internal control management to determine the most important control points [58]. These recommended improvements can enable companies to build robust auditing structures.
Small and medium-sized enterprises (SMEs) need to implement information systems in
their operations to cooperate with large firms. Most large firms request to review and audit
downstream SMEs to ensure system security. SMEs may therefore consider the proposed
framework and adjust several control items following their own characteristics to determine
their IT control weaknesses in advance.
The present study has limitations. Thirty relevant studies were selected and reviewed to construct the ERP system internal control framework. This study did not prove that the coding process reached saturation; other control items might have been missed. Furthermore, despite recruiting 18 qualified experts to confirm the control items derived from the literature review, other experts might have concluded otherwise. Another limitation of this study is external validity. The explanatory power of this study may be limited because a single-case method is adopted herein. The framework and control items developed in this study are generic in nature; in other words, they could be applied to the majority of entities regardless of size or industry. Industries with higher security demands on their IT environment (e.g., the banking sector) would be able to extend this framework by adding new control dimensions and items, providing additional insights into this subject area.
Several avenues for future research follow. First, given the increasing number of published studies on ERP internal control, follow-up research may analyze this stream of studies to add control items and refine the proposed framework. Second, several control items in the proposed framework may be extended to other systems, organizations (e.g., government agencies), and industries. Future studies could examine the usefulness and feasibility of the proposed framework.
References [1] American Institute of Certified Public Accountants (AICPA), Audit Risk and Materiality
in Considering an Audit, SAS No.94, AICPA, New York, 1983. [2] American Institute of Certified Public Accountants (AICPA), the Effect of Information
Technology on the Auditors’ Consideration of Internal Control in a Financial Statement Audit. SAS No. 94. AICPA, New York, 2001.
[3] H. Ashbaugh-Skaife, The effect of SOX internal control deficiencies on firm risk and cost of equity, Journal of Accounting Research 47(1), 2009, pp. 1–43.
[4] J. C. Bedard, L. E. Graham, The effects of decision aid orientation on risk factor identification and audit test planning, Auditing 21 (2), 2002, pp. 39-65.
[5] M. Benaroch, A. Chernobai, J. Goldstein, An internal control perspective on the market value consequences of IT operational risk events. International Journal of Accounting Information Systems 13 (4), 2012, pp. 357–381.
[6] J. Brazel, L. Dang, The effect of ERP system implementations on the management of earnings and earnings release dates, Journal of Information Systems 22 (2), 2008, pp. 1–21.
[7] British Standards Institution (BSI), Information Security Management- Part 2: Specification for Information Security Management Systems, British Standards Institution, London, 2002.
[8] W. Brown, F. Nasuti, Sarbanes-Oxley and enterprise security: IT governance—What it takes to get the job done, Security Management Practices 14(5), 2002, pp. 15–28.
[9] L. Calabro, Looking under the hood, CFO 20 (6), 2004, pp. 97-98.
[10] V. Cerullo, M. J. Cerullo, Business continuity planning: A comprehensive approach, Information Systems Management 21 (3), 2004, pp. 70-78.
[11] S. I. Chang, G. G. Gable, A comparative analysis of major ERP lifecycle implementation, management and support issues in Queensland government, Journal of Global Information Management 10 (3), 2002, pp. 36-54.
[12] J. Chau, Application security – it all starts from here, Computer Fraud & Security 2006 (6), 2006, pp. 7-9.
[13] M. Coe, Trust services: A better way to evaluate IT controls, Journal of Accountancy 199 (3), 2005, pp. 69-75.
[14] J. L. Colbert, P. L. Bowen. A comparison of internal controls: COBIT, SAC, COSO, and SAS 55/78, IS Audit and Control Journal 4, 1996, pp. 26-35.
[15] Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control - Integrated Framework. AICPA, New York, 1992.
[16] A. Daveiga, J. H. P. Eloff, An information security governance framework, Information Systems Management 24 (4), 2007, pp. 361-372.
[17] G. Dhillon, Principles of Information System Security: Text and cases, John Wiley and Sons, New Jersey, 2007.
[18] D. Durfee, The 411 on 404: Reporting a material weakness in controls can cost shareholders millions and some CFOs their jobs. CFO Magazine, 2005.
[19] J. H. P. Eloff, M. M. Eloff, Information security architecture, Computer Fraud & Security 2005 (11), 2005, pp.10-16.
[20] Ernst & Young, Preparing for internal control reporting: A guide for management’s assessment under section 404 of the Sarbanes-Oxley Act, Ernst, Young LLP, 2002.
[21] S. Flowerday, R. Von Solms, Continuous auditing: Verifying information integrity and providing assurances for financial reports, Computer Fraud & Security 2005 (7), 2005, pp. 12-16.
[22] S. Flowerday, R. Von Solms, Real-time information integrity= system integrity+ data integrity+ continuous assurance, Computers and Security 24 (8), 2005, pp. 604-613.
[23] C. Fox, P. C. Zonneveld, IT Control Objectives for Sarbanes-Oxley: The Importance of IT in the Design, Implementation and Sustainability of Internal Control over Disclosure and Financial Reporting, IT Governance Institute, Illinois, 2003.
[24] U. J. Gelinas Jr., R. B. Dull, Accounting Information Systems, 7th edition, Thomson South-Western, Mason, OH, 2008.
[25] S. Glover, D. Prawitt, M. Rommy. Implementing ERP, Internal Auditor 56 (1), 1999, pp. 40-47.
[26] S. Goel, H.A. Shawky, Estimating the market impact of security breach announcements on firm values, Information & Management 46 (7), 2009, pp. 404-410.
[27] L. A. Gordon, M. P. Loeb, W. Lucyshyn, R. Richardson, CSI/FBI Computer Crime and Security Survey, Computer Security Institute, Available at: www.gocsi.com, 2005.
[28] M. Gorge, USB and other portable storage device usage: Be aware of the risks to your corporate data in order to take pre-emptive and/or corrective action, Computer Fraud & Security 2005 (8), 2005, pp.15-17.
[29] S. M. Huang, W. H. Hung, D. C. Yen, I. C. Chang, D. Chiang, Building the evaluation model of the IT general control for CPAs under enterprise risk management, Decision Support Systems 50 (4), 2011, pp. 692-701.
[30] P. Hunter, Card systems: Four million Hack – under the spotlight, Computer Fraud & Security 2005 (11), 2005, pp. 8-9.
[31] J. E. Hunton, A. M. Wright, S. Wright, Are financial auditors overconfident in their ability to assess risks associated with enterprise resource planning systems?, Journal of Information Systems 18 (2), 2004, pp.7-28.
[32] IT Governance Institute (ITGI), Board briefing on IT governance, Available at: http://www.itgi.org, 2003.
[33] IT Governance Institute (ITGI), Control Objectives, Management Guidelines, Maturity Models in CobiT 4.0., IT Governance Institute, Illinois, 2005.
[34] Y. Jo, J. Lee, J. Kim, Influential factors for COBIT adoption intention: An empirical analysis. International Journal of Contents 6(4), 2010, pp.79-89.
[35] A. Jones, The convergence of physical and electronic security, Computer Fraud & Security 2006 (3), 2006, pp.12-14.
[36] B.K. Klamm, M.W. Watson, SOX 404 reported internal control weakness: A test of COSO framework components and information technology, Journal of Information Systems 23(2), 2009, pp.1-23.
[37] C. H. Lawshe, A quantitative approach to content validity, Personnel Psychology 28 (4), 1975, pp. 563-575.
[38] C. M. Lehmann, Internal controls: A compendium of short cases, Issues in Accounting Education 25 (4), 2010, pp. 741-754.
[39] C. Li, J. H. Lim, Q. Wang, Internal and external influences on IT control governance, International Journal of Accounting Information Systems 8 (4), 2007, pp.225-239.
[40] F. Lin, L. Guan, W. Fang, Critical factors affecting the evaluation of information control systems with the COBIT framework: A study of CPA firms in Taiwan. Emerging Markets Finance & Trade 46(1), 2010, pp.42-55.
[41] A. Mancuso, Auditing standard board issues SAS No. 80, The CPA Journal 66, 1997, pp. 74-74.
[42] Market Intelligence and Consulting Institute (MIC), Analysis of IT Applications for Large Companies in Taiwan, Institute for Information Industry, Taipei, 2009.
[43] N. Marks, The more things change, Internal Auditor 61 (4), 2004, pp. 60-64.
[44] T. J. Mock, L. Sun, R. P. Srivastava, M. Vasarhelyi, An evidential reasoning approach to Sarbanes-Oxley mandated internal control risk assessment, International Journal of Accounting Information Systems 10 (2), 2009, pp. 65-78.
[45] J. J. Morris, The impact of enterprise resource planning (ERP) systems on the effectiveness of internal controls over financial reporting, Journal of Information Systems 25 (1), 2011, pp.129-157.
[46] E. Myler, G. Broadbent, ISO 17799: Standard for security. Information Management Journal 40 (6), 2006, pp. 43-52.
[47] C. S. Norman, M. D. Payne, V. P. Vendrzyk, Assessing information technology general control risk: An instructional case, Issues in Accounting Education 24 (1), 2009, pp. 63-76.
[48] J. D. Novak, D. B. Gowin, Learning how to learn. Cambridge University Press, NY, 1989.
[49] J. B. O’Donnell, Y. Rechtman, Navigating the standards for information technology controls, The CPA Journal 75 (7), 2005, pp. 64-69.
[50] D. O’Leary, Enterprise Resource Planning Systems: Systems, Life Cycle, Electronic Commerce, and Risk, Cambridge University Press, Cambridge, 2000.
[51] P. Proctor, J. Viganly, The security implications of Sarbanes-Oxley, Symantec Enterprise Solutions Webcast, Available at: www.symantec.com/press/2004/n040218c.html, 2004.
[52] Public Company Accounting Oversight Board (PCAOB), An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statement, Auditing Standard No. 2, PCAOB, Washington, 2004.
[53] M. Ramos, Evaluate the control environment, Journal of Accountancy 197 (5), 2004, pp. 75-78.
[54] M. B. Romney, P. J. Steinbart, Accounting Information Systems, Pearson, Upper Saddle River, New Jersey, 2009.
[55] R. Saint-Germain, Information security management best practice based on ISO/IEC 17799, Information Management Journal 39 (4), 2005, pp. 60-66.
[56] W. Sally, M. W. Arnold, Information system assurance for enterprise resource planning system: Unique risk considerations, Journal of Information Systems 16 (1), 2002, pp. 99-113.
[57] W. She, B. Thuraisingham, Security for enterprise resource planning systems, Information Systems Security 16 (3), 2007, pp. 152-163.
[58] M. Siponen, R.Willison, Information security management standards: Problems and solutions, Information & Management 46 (5), 2009, pp. 267-270.
[59] P. J. Steinbart, R. L. Raschke, G. Gal, W. N. Dilla, The relationship between internal audit and information security: An exploratory investigation, International Journal of Accounting Information Systems 13(3), 2012, pp. 228-243.
[60] P. Stephenson, Incident analysis and recovery, Computer Fraud & Security 2005 (3), 2005, pp. 17-19.
[61] P. Stephenson, Ensuring consistent security implementation within a distributed and federated environment, Computer Fraud & Security 2006 (11), 2006, pp. 12-14.
[62] A. Stewart, On Risk: Perception and direction, Computers and Security 23 (5), 2004, pp. 362-370.
[63] M. D. Stoel, W. A. Muhanna, IT internal control weaknesses and firm performance: An organizational liability lens, International Journal of Accounting Information Systems 12 (4), 2011, pp.208-304.
[64] A. Strauss, Qualitative Analysis for Social Scientists, Cambridge University Press, Cambridge, 1987.
[65] K. L. Thomson, R. Von Solms, Towards an information security competence maturity model, Computer Fraud & Security 2006 (5), 2006, pp. 11-15.
[66] B. Tuttle, S. D. Vandervelde, An empirical examination of CobiT as an internal control framework for information technology, International Journal of Accounting Information Systems 8 (4), 2007, pp. 240-263.
[67] S. Tyson, L. Bean, System access hotspots: Are auditors ignoring danger, Journal of Corporation Accounting and Finance 16 (4), 2005, pp. 3-9.
[68] United States Code, Public Printing and Documents: Definitions. Title 44, Section 3552, United States Code, Washington, D.C., 2008.
[69] R. Van De Riet, W. Janssen, P. De Gruijter, Security moving from database systems, Database and Expert System Applications Proceedings, 1998.
[70] A. Vance, M. Siponen, S. Pahnila, Motivating IS security compliance: Insights from habit and protection motivation theory, Information & Management 49 (3-4), 2012, pp. 190-198.
[71] L. Volonino, G. H. Gessner, Holistic compliance with Sarbanes- Oxley, Communication of AIS 14 (1), 2004, pp. 219-233.
[72] S. H. Von Solms, Information security governance – compliance management vs. operational management, Computers and Security 24 (6), 2005, pp. 443-447.
[73] L. Wallace, H. Lin, M. A. Cefaratti, Information security and Sarbanes-Oxley compliance: An exploratory study, Journal of Information Systems 25 (1), 2011, pp. 185-211.
[74] L. Wallace, M. Keil, A. Rai, Understanding software project risk: A cluster analysis, Information & Management 42 (1), 2004, pp. 115-125.
[75] L. M. Walters, A draft of an information systems security and control course, Journal of Information Systems 21 (1), 2007, pp. 123-148.
[76] C. L. Wilkin, R. H. Chenhall, A review of IT governance: A taxonomy to inform accounting information systems, Journal of Information Systems 24 (2), 2010, pp. 107-146.
[77] R. Williams, Performing a successful UNIX audit, Computer Fraud & Security 2003 (8), 2003, pp. 11-12.
[78] P. Wilson, Risk control: A technical view, Computer Fraud & Security 2005 (5), 2005, pp. 8-11.
[79] R. K. Yin, Case study research- Design and methods, Sage, California, 2009.
Table 1. Related literature on IT internal control
No. | Author | Literature Title | Literature Source
1 | A company | Computerized Process: Internal Control | A company
2 | B company | Computerized Process: Operation | B company
3 | C company | Computerized Process: Internal Control | C company
4 | British Standards Institution [7] | Information Security Management Part 2: Specification for Information Security Management Systems | British Standards Institution (BSI)
5 | IT Governance Institute [33] | Control Objectives for Information and Related Technology (COBIT 4.0) | Information Systems Audit and Control Association
6 | Cerullo and Cerullo [10] | Business Continuity Planning: A Comprehensive Approach | Information Systems Management
7 | Chau [12] | Application Security: It All Starts from Here | Computer Fraud and Security
8 | Coe [13] | Trust Services: A Better Way to Evaluate IT Controls | Journal of Accountancy
9 | Daveiga and Eloff [16] | An Information Security Governance Framework | Information Systems Management
10 | Eloff and Eloff [19] | Information Security Architecture | Computer Fraud and Security
11 | Flowerday and Von Solms [21] | Continuous Auditing: Verifying Information Integrity and Providing Assurances for Financial Reports | Computer Fraud and Security
12 | Gorge [28] | USB and Other Portable Storage Device Usage: Be Aware of the Risks to Your Corporate Data Take Pre-emptive and/or Corrective Action | Computer Fraud and Security
13 | Hunter [30] | Card Systems: Four Million Hacked – Under the Spotlight | Computer Fraud and Security
14 | Jones [35] | The Convergence of Physical and Electronic Security | Computer Fraud and Security
15 | Marks [43] | The More Things Change… | Internal Auditor
16 | Myler and Broadbent [46] | ISO 17799: Standard for Security | Information Management Journal
17 | Saint-Germain [55] | Information Security Management Best Practice Based on ISO/IEC 17799 | Information Management Journal
18 | Stephenson [60] | Incident Analysis and Recovery | Computer Fraud and Security
19 | Stephenson [61] | Ensuring Consistent Security Implementation within a Distributed and Federated Environment | Computer Fraud and Security
20 | Stewart [62] | On risk: perception and direction | Computers and Security
21 | Thomson and Von Solms [65] | Toward an Information Security Competence Maturity Model | Computer Fraud and Security
22 | Tyson and Bean [67] | System Access Hotspots: Are Auditors Ignoring Danger? | Journal of Corporation Accounting & Finance
23 | Volonino and Gessner [71] | Holistic Compliance with Sarbanes: Oxley | Communication of AIS
24 | Von Solms [72] | Information Security Governance: Compliance Management vs. Operational Management | Computers and Security
25 | Wallace et al. [74] | Understanding software project risk: a cluster analysis | Information and Management
26 | Williams [77] | Performing a Successful Unix Audit | Computer Fraud & Security
27 | Flowerday and Von Solms [22] | Real Time Information Integrity = System Integrity + Data Integrity + Continuous Assurances | Computers and Security
28 | Walters [75] | A Draft of an Information System Security and Control Course | Journal of Information Systems
29 | She and Thuraisingham [57] | Security for Enterprise Resource Planning Systems | Information System Security
30 | Wilson [78] | Risk Control: A Technical View | Computer Fraud and Security
Nos. 1 to 3 are classified as A (IT control for the internal use of companies); Nos. 4 to 5 are classified as B (information security organization bylaws); Nos. 6 to 30 are classified as C (academic literature).
Table 2. Results of axial coding
Category | Domain | Codes (From open coding) | References
(Category labels stand on their own lines; every other line is one row: Domain | Codes | References.)
Whether clear definitions of the responsibilities of maintenance personnel in the MIS department exist | | A company, B company, British Standards Institution [7], Cerullo and Cerullo [10], Eloff and Eloff [19], IT Governance Institute [33], Jones [35], She and Thuraisingham [57], Stephenson [61], Volonino and Gessner [71], Von Solms [72], Walters [75]
Whether application procedures exist for the system accounts (authorization) | | A company, B company, C company, British Standards Institution [7], Cerullo and Cerullo [10], Gorge [28], Stephenson [60], Volonino and Gessner [71], Walters [75]
Whether system accounts (authorization) should be approved by related unit heads | A47, A210, A223, A237, C18, C48, C147 | A company, C company, Cerullo and Cerullo [10], Jones [35], Von Solms [72]
Whether accounts are cancelled after employees leave | A46, A63, A153, A195, A225, B66, B117, C150, C197 | A company, B company, C company, British Standards Institution [7], IT Governance Institute [33], Jones [35], Walters [75]
Whether accounts are modified simultaneously when employees change job responsibilities | A64, A196, A226, A228, B118, C47 | A company, B company, C company, Cerullo and Cerullo [10], IT Governance Institute [33]
Whether user authorization is constantly reviewed | A62, A102, A126, A156, B69, B113, C34, C149, C199 | A company, B company, British Standards Institution [7], Cerullo and Cerullo [10], IT Governance Institute [33], Jones [35], Walters [75]
Category: Definition of functions and responsibilities of data processing department
Whether a dedicated team is responsible for the maintenance of the hardware and software of the system | A51, A73, A97, A107, A125, A200 | A company, B company, C company
Whether application procedures exist for requests to modify system programs | A4, A23, A71, A127, A142, A212, B98 | A company, B company, C company, British Standards Institution [7]
Whether modification specifications are confirmed by the MIS department and the department that submits such requests | A5, A8, A22, A24, A140, A143, B120, B127, B132, B142, C13 | A company, B company, IT Governance Institute [33], Von Solms [72]
Whether system program modification documents are approved by related unit heads | A7, A21, A213, C50, C176 | A company, C company, Marks [43], Walters [75]
Whether SA and SD program documents relevant to the modifications are available | | A company, B company, C company, British Standards Institution [7], Chau [12], Flowerday and Von Solms [22], IT Governance Institute [33], Stewart [62], Walters [75]
Whether updated (newly added) programs are assessed by users | | A company, B company, C company, British Standards Institution [7], Flowerday and Von Solms [22], IT Governance Institute [33], She and Thuraisingham [57], Stewart [62], Walters [75]
Whether review documents are improved after the programs have been developed | A17, B83, B88, B125, C105, C124, C183 | A company, British Standards Institution [7], Chau [12], IT Governance Institute [33], Stephenson [61], Walters [75]
Whether dedicated personnel safeguard the documents in relation to the systems | | A company, B company, British Standards Institution [7], Cerullo and Cerullo [10], Chau [12], Coe [13], Daveiga and Eloff [16], Eloff and Eloff [19], IT Governance Institute [33], Jones [35], She and Thuraisingham [57], Stephenson [60], Stephenson [61], Volonino and Gessner [71], Walters [75]
 | | British Standards Institution [7], Daveiga and Eloff [16], Flowerday and Von Solms [21], Myler and Broadbent [46], Stephenson [61], Walters [75], Williams [77]
Whether different access authorizations exist pursuant to the nature of users | | A company, C company, British Standards Institution [7], Cerullo and Cerullo [10], Flowerday and Von Solms [21], Gorge [28], IT Governance Institute [33], Myler and Broadbent [46], Saint-Germain [55], Von Solms [72], Walters [75]
Whether the transfer of external data into the system has undergone verification by relevant programs | A56, B55, C193 | A company, British Standards Institution [7], Walters [75]
Whether control over remote access to the system mainframes exists | | C company, British Standards Institution [7], Cerullo and Cerullo [10], IT Governance Institute [33], Stewart [62], Stephenson [61], Walters [75], Williams [77]
Category: Access control of programs and data
Whether dedicated personnel are responsible for the maintenance of the system databases | | A company, B company, C company, British Standards Institution [7], Chau [12], IT Governance Institute [33], Myler and Broadbent [46], Stephenson [61], Walters [75]
Whether appropriate control measures are present for output confidential data | | A company, B company, British Standards Institution [7], Cerullo and Cerullo [10], Coe [13], Gorge [28], IT Governance Institute [33], Myler and Broadbent [46], Stephenson [61]
Category: Control of data inputs and outputs
Whether records exist for any changes in data additions (modifications) | A48, A161, B77, B157, C80, C208 | A company, B company, British Standards Institution [7], Eloff and Eloff [19], IT Governance Institute [33], Walters [75]
Whether relevant flows exist to manage the changes in data modification | | A company, B company, C company, British Standards Institution [7], IT Governance Institute [33], Myler and Broadbent [46], Stephenson [60], Von Solms [72], Tyson and Bean [67], Walters [75]
Category: Control of data processing
Whether backup data are supported by another location | A88, A168, A245, B152, B170, C93, C159 | A company, B company, C company, IT Governance Institute [33], Stephenson [60], Tyson and Bean [67]
Whether information equipment is listed and managed | | A company, B company, C company, Cerullo and Cerullo [10], Coe [13], Flowerday and Von Solms [22], Saint-Germain [55], Stephenson [61], Stewart [62], Walters [75]
Whether anti-virus measures are present | B102, C7, C112, C116, C212 | British Standards Institution [7], Hunter [30], Saint-Germain [55], Von Solms
 | | British Standards Institution [7], Daveiga and Eloff [16], Eloff and Eloff [19], Hunter [30], IT Governance Institute [33], Myler and Broadbent [46], Saint-Germain [55], Stephenson [60], Stephenson [61], Thomson and Von Solms [65], Von Solms [72]
Whether the system mainframe is placed in facility rooms | B18, B20, C85, C132, C171, C221 | British Standards Institution [7], Eloff and Eloff [19], Saint-Germain [55], Williams [77], Walters [75]
Category: Security control of files and equipment
Whether access control over facility rooms is present | | A company, B company, C company, British Standards Institution [7], Eloff and Eloff [19], IT Governance Institute [33], Saint-Germain [55], Tyson and Bean [67], Walters [75], Williams [77]
Whether fire, water, and temperature control facilities are present in facility rooms | A87, A91, A92, A93, A174, A175, A239, A246, C153, C155, C222 | A company, B company, C company, Saint-Germain [55], Tyson and Bean [67]
Whether UPS facilities are present | B22, B23, B172, C10, C152, C173 | British Standards Institution [7], IT Governance Institute [33], Tyson and Bean [67], Von Solms [72], Walters [75]
Whether control procedures exist to destroy the backup data | A169, A229, B26, B50, C175, C191 | B company, C company, British Standards Institution [7], Walters [75]
Whether the "prevent abnormal invasion" measure exists | | A company, B company, British Standards Institution [7], Cerullo and Cerullo [10], IT Governance Institute [33], Myler and Broadbent [46], Saint-Germain [55], Stephenson [60], Wilson [78]
Whether dedicated personnel responsible for the maintenance of software updates are present | A74, A80, A188, A238, B96, B139 | A company, B company, C company, British Standards Institution [7], IT Governance Institute [33], Wallace et al. [74]
Whether regular inspections of hardware daily logs are conducted | | A company, British Standards Institution [7], IT Governance Institute [33], Myler and Broadbent [46], Stephenson [61], Von Solms [72], Wilson [78], Walters [75]
Whether the software and hardware are regularly maintained | | A company, B company, C company, British Standards Institution [7], Coe [13], Flowerday and Von Solms [22], IT Governance Institute [33], Hunter [30], Volonino and Gessner [71], Von Solms [72], Walters [75]
Whether records exist to note the maintenance of and changes in hardware | | A company, B company, C company, British Standards Institution [7], Cerullo and Cerullo [10], Coe [13], Hunter [30], IT Governance Institute [33], Saint-Germain [55], She and Thuraisingham [57], Stephenson [60], Tyson and Bean [67], Walters [75]
Category: System recovery plans/systems and control of testing programs
Whether relevant maintenance records and documents exist in case of abnormal situations | | B company, C company, British Standards Institution [7], Coe [13], Eloff and Eloff [19], Hunter [30], IT Governance Institute [33], Saint-Germain [55], Stephenson [61], Thomson and Von Solms [65], Von Solms [72], Wilson [78], Walters [75]
Whether dedicated personnel responsible for the regular audits on information security exist | | British Standards Institution [7], Cerullo and Cerullo [10], Hunter [30], IT Governance Institute [33], Saint-Germain [55], Stephenson [60], Von Solms [72], Walters [75], Wilson [78]
Category: Independent information audit units
Whether promotions and training programs targeted at internal staff on information security exist | | A company, B company, C company, British Standards Institution [7], Daveiga and Eloff [16], Eloff and Eloff [19], Hunter [30], IT Governance Institute [33], Stephenson [60], Thomson and Von Solms [65], Von Solms [72], Walters [75], Saint-Germain [55]
Whether control procedures on hardware outsourcing exist | A96, A103, A105, A110, A170, A240, B10, B25, B37, C63 | A company, B company, C company, British Standards Institution [7], Coe [13]
Whether evaluations of system outsourcing are conducted | B8, B119, B121, B150, C128, C165, C184 | British Standards Institution [7], Chau [12], IT Governance Institute [33], Walters [75]
Whether the contracts are signed for system outsourcing | B9, B36, B149, C129, C166, C177, C185 | British Standards Institution [7], Chau [12], IT Governance Institute [33], Walters [75]
Category: Control of outsourced operations
Whether relevant control procedures regarding system outsourcing exist | |

Definition of functions and responsibilities of data processing department
1 | Whether clear definitions of the responsibilities of maintenance personnel in the MIS department exist | 1.00 0.60 1.00 1.00 0.89 Yes 1.00 0.82 No
2 | Whether application procedures for the system accounts (authorization) exist | 1.00 1.00 1.00 1.00 1.00 Yes 1.00 1.00 No
3 | Whether accounts are cancelled after employees leave | 0.60 0.60 1.00 1.00 0.78 Yes 0.71 0.82 No
4 | Whether user authorization is constantly reviewed | 1.00 0.20 1.00 0.00 0.67 Yes 0.71 0.64 No
5 | Whether a dedicated team responsible for the maintenance of the hardware and software of the system exists | -0.20 1.00 0.67 1.00 0.56 No 0.14 0.82 Yes
System development and control over program modifications
1 | Whether application procedures are present for requests to modify system programs | 1.00 1.00 1.00 1.00 1.00 Yes 1.00 1.00 No
2 | Whether modification specifications are confirmed by the MIS department and the department that submits such requests | 1.00 1.00 0.67 1.00 0.89 Yes 1.00 0.82 No
3 | Whether SA and SD program documents relevant to the modifications exist | 0.60 1.00 1.00 0.00 0.78 Yes 0.43 1.00 Yes
4 | Whether independent environments for development and tests exist | 1.00 1.00 1.00 1.00 1.00 Yes 1.00 1.00 No
5 | Whether relevant test documents and records on program developments are present | 0.20 0.60 0.67 0.00 0.44 No 0.14 0.64 Yes
6 | Whether updated (newly added) programs are assessed by users | 1.00 1.00 1.00 1.00 1.00 Yes 1.00 1.00 No
7 | Whether relevant control measures for changes in system flows are present | 0.60 1.00 1.00 1.00 0.89 Yes 0.71 1.00 No
Control over the compilation of system documents
1 | Whether coding management is executed on the documents in relation to program modifications (updates) | 0.60 0.60 0.00 0.00 0.33 No 0.43 0.27 No
2 | Whether documents are updated and modified by version after the modifications (additions) of programs | 1.00 1.00 1.00 0.00 0.89 Yes 0.71 1.00 No
3 | Whether dedicated personnel safeguarding the documents in relation to the systems are present | -0.20 1.00 0.67 -1.00 0.33 No -0.43 0.82 Yes
4 | Whether only certain personnel can access (modify) the documents in relation to the system programs or the original library | 0.20 0.60 1.00 0.00 0.56 No 0.14 0.82 Yes
Control over the processes of information disclosure on the assigned websites
2 | Whether reports are pursuant to the regulations | 0.60 1.00 1.00 1.00 0.89 Yes 0.71 1.00 No
3 | Whether backups of the reporting data exist | 0.20 1.00 0.67 1.00 0.67 Yes 0.43 0.82 Yes
Independent information audit units
1 | Whether system security planning exists | 0.20 1.00 0.67 0.00 0.56 No 0.14 0.82 Yes
2 | Whether dedicated personnel responsible for regular audits on information security are present | 0.60 0.60 1.00 1.00 0.78 Yes 0.71 0.82 No
3 | Whether promotions and training programs targeted at internal staff on information security exist | -0.20 0.60 0.67 0.00 0.33 No -0.14 0.64 Yes
Control of outsourced operations
1 | Whether relevant control procedures regarding system outsourcing exist | 0.60 0.60 0.67 1.00 0.67 Yes 0.71 0.64 No
2 | Whether evaluations of system outsourcing are present | 0.20 0.60 0.67 1.00 0.56 No 0.43 0.64 Yes
3 | Whether contracts are signed for system outsourcing | 0.60 0.60 1.00 1.00 0.78 Yes 0.71 0.82 No
Table 5. Modified internal control framework
Dimension | Control Items
Whether clear definitions of the responsibilities of maintenance personnel in the MIS department exist
Whether application procedures exist for system accounts (authorization)
Whether accounts are cancelled after employees leave
Dimension: Definition of functions and responsibilities of data processing department
Whether user authorization is constantly reviewed
Whether application procedures exist for requests to modify system programs
Whether modification specifications are confirmed by the MIS department and the department that submits such requests
Whether SA and SD program documents relevant to the modifications exist
Whether independent environments for development and tests exist
Whether updated (newly added) programs are assessed by users
Dimension: System development and control over program modifications
Whether relevant control measures for changes in system flows exist
Dimension: Control over the compilation of system documents
Whether the documents are updated and modified by version after the modifications (additions) of programs
Whether password controls exist
Whether different access authorizations pursuant to the nature of users exist
Whether the transfer of external data into the system has undergone verification by relevant programs
Whether control over the remote access to the system mainframes exists
Dimension: Access control of programs and data
Whether dedicated personnel responsible for the maintenance of the system databases exist
Whether original documents for input data are present
Whether numbering of the documents generated by the system is present
Whether verification procedures for the data input/output interface exist
Whether appropriate control measures for confidential output data exist
Dimension: Control of data inputs and outputs
Whether records for any changes in data additions (modifications) exist
Whether relevant flows exist to manage the changes in data modification
Whether data are regularly backed up
Dimension: Control of data processing
Whether backup data are supported by another location
Whether information equipment is protected with security measures
Whether access control over facility rooms is present
Whether facility rooms are protected with security measures
Dimension: Security control of files and equipment
Whether control procedures to destroy backup data exist
Dimension: Control over the procurement, use, and maintenance of hardware and system software
Whether the system software is legal
Whether regular tests on system recovery procedures in the face of disaster are conducted
Dimension: System recovery plans/systems and control of testing programs
Whether relevant maintenance records and documents exist in case of abnormal situations
Whether dedicated personnel responsible for reporting procedures are present
Whether reports are pursuant to the regulations
Dimension: Control over the processes of information disclosure on the assigned websites
Whether backups of the reporting data exist
Dimension: Independent information audit units
Whether dedicated personnel responsible for regular audits on information security exist
Whether relevant control procedures regarding system outsourcing exist
Dimension: Control of outsourced operations
Whether contracts are signed for system outsourcing
Table 6. Background of the interviewees
Case Study | Function | Title | Interviewee | Experience
Company | Audit room | Audit supervisor | Director Chen | Six years in the audit department of the company; eight years of audit experience
Company | MIS | Assistant manager | Assistant Manager Lin | More than four years of experience in the maintenance and introduction of the ERP system utilized by the company
Reporting accounting firm | Information risk management and services | Manager | Manager Li | More than six years of experience in computer audit; served more than 200 companies
Table 7. Appropriateness and importance of control items
Columns: Audit dimension; Control item; Appropriateness (Yes / No); Importance (High / Medium / Low). Each control item is followed by its Appropriateness marks and, after a slash, its Importance marks in column order.
☆ Director Chen; ◎ Assistant Manager Lin

Definition of functions and responsibilities of data processing department
  Whether clear definitions of the responsibilities of maintenance personnel in the MIS department exist: ☆◎ / ☆◎
  Whether application procedures for system accounts (authorization) exist: ☆◎ / ☆◎
  Whether accounts are cancelled after employees leave: ☆◎ / ☆◎
  Whether user authorization is constantly reviewed: ☆◎ / ☆◎

System development and control over program modifications
  Whether application procedures for requests to modify system programs exist: ☆◎ / ☆◎
  Whether modification specifications are confirmed by the MIS department and the department that submits such requests: ☆◎ / ☆◎
  Whether SA and SD program documents relevant to the modifications exist: ☆◎ / ◎ ☆
  Whether independent environments for development and tests exist: ☆◎ / ◎ ☆
  Whether updated (newly added) programs are assessed by users: ☆◎ / ☆◎
  Whether independent environments for development and tests exist: ☆◎ / ☆ ◎

Control over the compilation of system documents
  Whether the documents are updated and modified by version after the modifications (additions) of programs: ☆◎ / ☆◎

Access control of programs and data
  Whether password controls exist: ☆◎ / ☆◎
  Whether different access authorizations pursuant to the nature of users are present: ☆◎ / ☆◎
  Whether the transfer of external data into the system has undergone verification by relevant programs: ☆◎ / ☆◎
  Whether control over the remote access to the system mainframes exists: ☆◎ / ☆ ◎
  Whether dedicated personnel responsible for the maintenance of the system databases exist: ☆◎ / ◎ ☆

Control of data inputs and outputs
  Whether original documents for input data are available: ☆◎ / ☆ ◎
  Whether numbering of the documents generated by the system is available: ☆◎ / ☆◎
  Whether records for changes in data additions (modifications) are available: ☆◎ / ☆◎
  Whether relevant flows to manage the changes in data modification exist: ☆◎ / ☆◎

Control of data processing
  Whether data are regularly backed up: ☆◎ / ☆◎
  Whether backup data are supported by another location: ☆◎ / ☆ ◎

Security control of files and equipment
  Whether information equipment is protected with security measures: ☆◎ / ☆◎
  Whether access control over facility rooms exists: ☆◎ / ☆◎
  Whether the facility rooms are protected with security measures: ☆◎ / ☆ ◎
  Whether control procedures are available to destroy backup data: ☆◎ / ☆ ◎

Control over the procurement, use, and maintenance of hardware and software systems
  Whether the system software is legal: ☆◎ / ☆◎

System recovery plans/systems and control of testing programs
  Whether regular tests are conducted for system recovery procedures in the face of disaster: ☆◎ / ◎ ☆
  Whether relevant maintenance records and documents are available in case of abnormal situations: ☆◎ / ☆◎

Control over the processes of information disclosure on the assigned websites
  Whether dedicated personnel responsible for reporting procedures exist: ☆◎ / ☆◎
  Whether reports are pursuant to the regulations: ☆◎ / ☆◎
  Whether backups of the reporting data exist: ☆◎ / ☆◎

Independent information audit units
  Whether dedicated personnel responsible for regular audits on information security exist: ☆◎ / ☆◎

Control of outsourced operations
  Whether relevant control procedures regarding system outsourcing are available: ☆◎ / ☆◎
  Whether contracts are signed for system outsourcing: ☆◎ / ◎ ☆

☆ Director Chen; ◎ Assistant Manager Lin
Figure 1. Research flow (elements shown: Research Question and Purpose; Theoretical: Philosophies, Theories, Principles, Concepts; Methodological: Knowledge Claims, Interpretations, Transformations; Data Gathering: Case Study, Literature Review, Expert Questionnaire; Prototype Construction; Comparison and Revision)
Authors
Jing Fan
Management School, Shanghai Jiaotong University, China International Business School, Beijing Foreign Studies University, China [email protected]
Pengzhu Zhang
Management School, Shanghai Jiaotong University, China [email protected]
David C. Yen
School of Economics and Business, SUNY College at Oneonta, USA [email protected]