Title: Internal Control Framework of a Compliant ERP System




Title: Internal Control Framework of a Compliant ERP System
Authors: Jing Fan, Pengzhu Zhang, David C. Yen
PII: S0378-7206(13)00115-8
DOI: http://dx.doi.org/10.1016/j.im.2013.11.002
Reference: INFMAN 2675
To appear in: INFMAN
Received date: 1-2-2012; Revised date: 17-10-2013; Accepted date: 4-11-2013

Please cite this article as: J. Fan, P. Zhang, D.C. Yen, Internal Control Framework of a Compliant ERP System, Information & Management (2013), http://dx.doi.org/10.1016/j.im.2013.11.002

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

Internal Control Framework of a Compliant ERP System

Abstract

After the occurrence of numerous worldwide financial scandals, the importance of related issues such as internal control and information security has greatly increased. An internal control framework that can be applied within an enterprise resource planning (ERP) system is developed in this study. A literature review is first conducted to examine the necessary forms of internal control in information technology (IT) systems. The control criteria for the establishment of the internal control framework are then constructed. A case study is conducted to verify the feasibility of the established framework. This study proposes a 12-dimensional framework with 37 control items aimed at helping auditors perform effective audits by inspecting essential internal control points in ERP systems. The proposed framework allows companies to enhance IT audit efficiency and mitigate control risk. Moreover, companies that refer to this framework and consider the limitations of their own IT management can establish a more robust IT management mechanism.

Keywords: internal control framework, enterprise resource planning, IT control

1. Introduction

The popularity of information technology (IT) applications has increased reliance on computers in processing business transactions. Companies adopt IT systems to improve their operations. Surveys on the collaborative operations of IT systems conducted by the Market Intelligence and Consulting Institute [42] indicate that the enterprise resource planning (ERP) system is the most widely adopted IT system among large companies. Given that ERP is a popular and all-encompassing information system utilized by many organizations, and owing to the increased consideration of the risks associated with IT, attention to information system security and to internal control related to information systems has greatly increased [17, 45, 63, 75].

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as a process, effected by an entity's board, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives such as effectiveness and efficiency of operations, reliability of financial reporting, and compliance with regulation [15]. The internal control related to information systems is commonly referred to as IT control, which is composed of controls (i.e., policies and procedures) over organizational IT infrastructure and systems [47, 63]. IT control consists of general and application controls. General controls are the controls designed to ensure that an entity's control environment is well managed; they apply to systems of all sizes, from large mainframe systems to client/server systems and desktop and/or laptop computer systems. Application controls comprise input, processing, and output controls based on the flow of data processing. In other words, application controls focus on the accuracy, completeness, validity, and authorization of the data captured, entered in the system, processed, stored, transmitted to other systems, and reported [54]. Further, general controls support the application controls and hence allow the information system to operate smoothly [22].

Given that financial reporting in many entities is based on information systems such as ERP systems, IT controls help entities achieve the objectives of internal control. Similar to information security, IT controls can also manage and protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction [68]. An attack on information generally leads to theft of confidential data, financial fraud, incapacitated web servers, and corrupted operational data [27], all of which influence the accuracy and reliability of financial data derived from the information system [75]. If entities fail to establish proper information security, they cannot guarantee the accuracy and reliability of financial data [51]. ERP built-in control features may have a positive impact on the effectiveness of internal controls over financial reporting. However, ERP does not necessarily safeguard against deliberate system manipulation; for example, some of the control features might not be activated in a timely manner during the implementation stage [45]. Further, in order to manipulate data for earnings management, top managers may attempt to override some control features [6].

Following a number of reported business scandals, investors are beginning to question the accuracy of financial reports, including those generated by major companies in the world. In fact, the confidence of investors in the accuracy of financial reports and in the shareholding positions of large companies has collapsed in recent years [56]. Durfee [18] emphasizes that the announcement of a material weakness in the internal control system may result in a drop in stock prices, an increase in share volume, and the loss of chief financial positions. Goel and Shawky [26] also indicate that announcements of security breaches decrease the market share of firms. Conversely, effective internal control can help firms achieve their expected financial goals, maintain precise records of daily transactions, and produce accurate financial statements [20]. The accuracy and reliability of data within the ERP system are critical to ensure the transparency of the company's situation at all times, help rebuild investor confidence, and ensure a low cost of capital [3].

Software vendors establish built-in controls in ERP systems [45]. Companies also have an internal control framework in their ERP systems. Management is required to establish the framework, especially when a company is publicly listed. Companies constantly audit the effectiveness of the ERP system's internal control. Thus, an increasing number of companies have started to focus on the implementation of effective controls in their ERP systems while simultaneously providing management and the external auditor a suitable framework to assess the ERP system's internal control. COSO released a report entitled Internal Control-Integrated Framework [15] in 1992 in an attempt to illustrate a systematic framework for internal control. However, the report failed to list supplemental criteria for the implementation and assessment of IT controls [49]. Referring to specific control items would allow management and the auditor to execute IT control procedures [29]. However, IT control procedures consider not only the environment within the entity but also the controls related to the external environment [66]. In addition, given the minimal compliance guidance on the use of IT set by the government, the interpretation of the scope and nature of the IT environment is inconsistent [8]. These limitations increase the difficulty of compliance. Despite the importance of deploying proper internal control frameworks to fully develop the effectiveness of the ERP system, only a few academic studies have assessed this issue. Accordingly, this study derives its main research question: what types of internal control must be considered when auditing an ERP system? The primary objective of this study is to develop a preliminary internal control framework for application in an ERP system.

2. Research Background

The growing awareness of IT's role in managing knowledge derived from information systems has caused the production of accurate and relevant information to become the focus of studies on information systems such as accounting information systems (AIS) and management information systems (MIS) [76].
IT governance has recently been discussed and has gained attention; the term describes how those entrusted with the governance of an entity consider IT in their supervision, monitoring, control, and direction of the entity [32]. Well-defined controls are considered an imperative and necessary part of IT governance. This study attempts to establish good internal control standards for ERP systems by proposing an internal control framework for such systems. Three subtopics are discussed in this section. The first subsection describes system security and internal controls in the ERP system. The second subsection introduces the audit and inspection challenges associated with the ERP system. The third subsection presents and discusses the internal control framework.

2.1 System security and internal controls in the ERP system

An increasing number of firms depend on ERP to process operational transactions. Therefore, information system security must be emphasized, especially in financial transactions [70, 73]. Walters [75] states that many information system threats, such as unauthorized access and attacks on system vulnerabilities, influence the accuracy and reliability of financial data derived from information systems. Information security protects and controls IT resources and ensures the accuracy and reliability of information [1]. Van de Riet et al. [69] noted a number of security aspects associated with an ERP system; these aspects include security policy, user authentication, authorization, time restriction, log and trace, and database security. Information security control maintains the reliability of the information system resource and the availability and integrity of financial data. Thus, information security control is closely linked with information security and internal controls.

After the occurrence of numerous worldwide financial scandals, company management teams and auditors are now required to take responsibility for their respective financial reports. The effectiveness of internal control has been emphasized in this decade [52]. If firms lack the proper level and type of information security, they cannot ensure the effectiveness of their internal controls and the integrity of their financial data [51]. Thus, identifying the necessary control-related considerations in an ERP system is an important initial task for management and auditors.
2.2 Audit and inspection challenges in the ERP system

The introduction of a new information system in a company may generate risks different from those initially associated with the legacy framework. The risks that accompany operations under the new framework may not be similar to those of the original system [50]. Reengineering of the business process and organizational changes brought about by the introduction of a new system may also lead to changes in the control requirements of a company in terms of ERP [11]. Problems frequently associated with the ERP system are generally contained. Such issues include business interruption, process interdependency, network security, database security, application security, and overall internal controls [31]. Therefore, many key aspects of the risk control environment must be considered [56]. Glover et al. [25] suggest that internal auditors consider the relevant risks and controls required for system planning, based on knowledge of risk management and of the internal risks present in the company, during the introduction of the ERP system. Auditors and inspectors should first understand the basic architecture of the ERP system to effectively exert internal control over it [2, 9]. In a comprehensive IT application environment, having a control framework can help auditors evaluate the effectiveness of IT control and decide on an auditing strategy and program. The control framework can also enhance the efficiency of IT control evaluation and mitigate the audit risk for auditors [29].

2.3 Internal control framework

Management and auditors must follow a suitable and holistic internal control framework to ensure the effectiveness of internal control in a firm. COSO released a report entitled Internal Control-Integrated Framework and recommended that this report be utilized by companies, auditors, regulating agencies, and educational institutions [15]. The conceptual model of the report indicates that the internal control objectives require five components of control, namely, the control environment, risk assessment, control activities, information and communication, and monitoring. However, the framework provided by COSO focuses on high-level guidance for internal controls and does not provide the detailed control objectives that auditors require in the design of audit tests [49]. Moreover, the framework does not address the specific risks and complexities of IT [14].
An organization and its auditor require a comprehensive framework to adapt properly to the current IT auditing environment and to comply with regulations [66]. Transactions involving information systems require particular control standards and criteria because IT utilization makes it difficult to inspect the audit trails of business operations. The computerization of business transactions leads to the digitization of audit evidence, resulting in difficulties in following audit trails [41]. Thus, IT internal control usually includes the following procedures: (1) general controls, which refer to the relevant control measures associated with electronic data processing (EDP); and (2) application controls, that is, the division into input, processing, and output controls based on the flow of data processing. In this digital age, the absence of information security in a company implies that the entire company is built on a fragile foundation such that it cannot survive any related internal control tests [4]. Information systems in enterprises require many internal controls owing to the pervasive implementation of IT and the need to minimize problems. The complexity of modern systems can overwhelm auditors and management if no appropriate guidance is provided [66]. Hence, auditors and management should increase their understanding of the IT environment and related IT processes and controls because they must perform control procedures periodically [44, 47].

Given that the two control types utilized at present cannot effectively or completely regulate the robustness of an internal control framework, especially when incorporated in present information systems, numerous institutions have established their own sets of criteria for information security. A series of standards and criteria such as the British Standard (BS7799) and the Control Objectives for Information and Related Technology (COBIT) is employed by organizations. COBIT complements the COSO enterprise framework in terms of assessing internal control and balancing risks in IT-intensive environments [33, 53]. Huang et al. [29] established an IT control evaluation model that includes control objectives. Referring to specific control items would allow management and the auditor to execute control procedures.
However, despite the importance of deploying proper internal control frameworks, only a few academic studies have been conducted to fully develop the effectiveness of the ERP system. The present study aims to develop a preliminary internal control framework for application in ERP systems to bridge this gap.

3. Research methodology and design

The research flow presented in this study follows a theoretical strategy based on the V structure developed by Gowin [48] (Figure 1). The interactions between the two sides of the structure (i.e., theoretical and methodological) merge relevant concepts and methods to achieve the proposed research goals [48]. Following the procedures listed on the theoretical side, the items related to IT control were summarized by studying previous research. A literature review was thus conducted prior to the development of an internal control framework for ERP systems. To this end, two steps were performed in the literature review: collecting literature from the related sources and conducting coding procedures. Specifically, relevant literature was gathered from the following sources:

(1) IT controls for the internal use of companies. The data gathered are expected to be those within the scope of the internal use of companies and can be compiled with the current internal control bylaws of corporate information systems;
(2) Information security organization bylaws. This study refers to the regulations and criteria of COBIT and BS7799 in particular and includes all information systems. Both references are important as they have been adopted by many companies worldwide [66]; and
(3) Academic literature.

----------------------------------------------- Insert Figure 1 here -----------------------------------------------

Upon completion of the initially constructed theoretical model and prior to conducting the case study, the control items were established to meet the requirements for applying the model to the ERP system. Expert questionnaires were administered in this process. The main purpose of utilizing the expert questionnaires is to ensure and enhance the content validity of each of the measurement constructs and to bridge the gap between the presented literature and actual practice. The measurement constructs and item indicators were screened separately to determine the internal control issues prevalent in the ERP system as well as to enhance the quality of the examination process and gain deeper insights. Following the procedures outlined on the practical side, an empirical case study was then conducted to investigate the feasibility of the proposed framework derived from the literature review and the questionnaires. The case study included how and why questions [79], and a pre-identified company was selected for the case study. In addition, the case study included the steps related to design, preparation, collection, analysis, and sharing [79]. Not only was the case design identified in the design step, but the unit of the case study was also described in detail in this step.

4. Construction of the preliminary framework for the internal controls of the ERP system

The Science Direct database was utilized to search for academic literature. The main criteria for this search were as follows:

(1) The keywords or abstract sections must contain the words "information security" or "internal control";
(2) The literature must be related to the information field; and
(3) Studies should have been published between 2003 and 2007, since the numerous financial scandals that emerged worldwide mainly occurred after 2002, and the issue of internal control arose during this period. Consequently, several regulations that required management to assess their own enterprise internal control were proposed, and auditors were also asked to determine whether their client's internal control assessment report was adequate. From the above discussion, the studies collected in this research are limited to the aforementioned period in order to investigate what was discussed or explored during this specific time window.

Conceptualized results from 30 relevant publications were collected based on the abovementioned criteria. The collected results are shown in Table 1. A detailed analysis was also performed to present a complete and consistent list of internal control items for ERP. The preliminary model was constructed based on the literature review.
The entire process was roughly divided into three steps as follows: (1) open coding, (2) axial coding, and (3) selective coding.

----------------------------------------------- Insert Table 1 here -----------------------------------------------

4.1 Open coding

Open coding was performed on the contents of the literature that satisfied the criteria mentioned above. Section extraction was performed, and the sections identified as relevant to the internal controls of information operations, or those that clearly indicate components of the IT control of information operations, were coded. Coding was conducted to classify the studies from A to C: the codes derived from IT controls for the internal use of companies, information security organization bylaws, and academic literature were classified as A, B, and C, respectively. For example, the C Company Computerized Information System ICE includes a section that addresses internal regulations. More specifically, this section states that going online requires test reports or the passing of tests. This description can thus be conceptualized and coded into three factors (i.e., A216, whether test documents exist; A217, whether independent test environments exist; and A218, whether they have been verified by users). A total of 670 concepts were derived by this process. Accurate and complex interpretations were established as certain phenomena. For instance, codes A78, A108, A114, A115, A177, A192, A252, B15, B16, B17, B31, B46, B104, B154, B162, C40, C61, C87, C114, C158, C170, and C219 describe anomalies in the information system, how the information department is contacted and informed, how the information department rules out anomalies, and how information security incidents are addressed. Thus, these codes (concepts) were grouped in the domain of whether procedures exist to report disasters. The other concepts were translated into domains according to the same rule; 66 domains were established as internal control key issues based on the 670 concepts determined in the open coding process.
4.2 Axial coding

Axial coding is usually conducted after open coding. This stage aims to recompose the distributed data in new ways such that the classifications and sub-classifications become related to one another. The 66 domains of the coded entries were further classified into dimensions. For example, the domains "whether relevant control procedures exist regarding system outsourcing" and "whether contracts are signed for system outsourcing" are related to the control of outsourced operations and are imperative in managing system outsourcing for an organization. Therefore, these domains were classified into the dimension of control of outsourced operations. The results of axial coding are summarized in Table 2.

----------------------------------------------- Insert Table 2 here -----------------------------------------------

4.3 Selective coding

Axial coding consolidates complex data and is the foundation of selective coding. Selective coding is conducted to explain a selected core category systematically, verify the relationship between the main and other classifications, and fill the gaps with the supplements or developments required for individual classifications [64]. Based on the internal controls and the analysis of relevant literature, 66 key domains that influence the internal control of information systems were identified. The domains integrated through axial coding were re-classified into single key domains in selective coding. For example, the domains "whether anti-virus measures are used" and "whether firewalls are used" were merged into "whether information equipment is protected with security measures", given that both are related to the security measures of the information equipment. Subsequently, 51 key domains were established. These domains function as internal control items.

4.4 Expert Questionnaires

Upon the construction of the preliminary internal control items based on the literature, the methodology and validation process developed by Lawshe [37] was adopted.
The adoption of this methodology and validation process enabled the collection of opinions from experts with extensive experience in the establishment, maintenance, and auditing of ERP systems. Questionnaires were distributed to gather the opinions of experts who are responsible for corporate functions (including internal audit and information), handle external audits (accounting firms), or work in partner companies involved in the introduction of an ERP system. The backgrounds of the participating experts are shown in Table 3. The control dimensions and items were screened to determine those suitable for the ERP system. Combining theory and actual application is expected to increase the validity, scope, and practicality of this study, thereby achieving the research purpose of constructing internal control for an ERP system.

[Insert Table 3 here]

The questionnaire used in this study measures the opinions of the respondents on a five-point ordinal scale: very important (5), important (4), ordinary (3), unimportant (2), and very unimportant (1). Each dimension is semi-open so that the respondents can provide relevant feedback on the key items related to internal control in the ERP system. A total of 18 experts responded to the questionnaires. Following the methodology and validation process proposed by Lawshe [37], the content validity ratio (CVR) is calculated as

CVR = (n - N/2) / (N/2),

where n is the number of experts who rated an item as either very important or important and N is the total number of experts. A CVR greater than 0.43 meets the targeted requirement. However, this study requires a CVR greater than 0.60 before a control item is adopted, to ensure that the control items constructed in this study remain important and feasible for most companies.
Table 4 provides a summary of the questionnaire results, including the statistics from the questionnaires and the calculation of CVR. As described previously, a literature review was conducted and 51 key items were identified for the internal control of ERP systems. Fourteen items were considered unimportant and were deleted after calculating and comparing the CVR values derived from the questionnaires. The remaining 37 control items were generalized and consolidated. The preliminary internal control items were further modified by referring to the suggestions provided by the expert respondents. Table 5 shows the modified internal control framework.

[Insert Table 4 here]

[Insert Table 5 here]

5. Empirical findings on internal control for the ERP system

This section provides a brief description of the practices employed by the case company. The selected company was established in 1996 and is dedicated to the development and manufacturing of wireless telecommunication products. The company aspires to become the world leader in wireless telecommunications through research and development (R&D) aimed at improving its technology. Its products are divided into three lines: satellite telecommunications, mobile telecommunications, and wireless network equipment. Through their extensive experience and technology background, the company's managers keep abreast of the key technologies associated with their product lines as the marketplace changes. The company is thus capable of developing niche products to meet market demands by quickly integrating telecommunication technologies into its product lines. The company provides comprehensive wireless and telecommunication products and timely after-sales service to its customers. With its focus on the R&D of new technologies and extensive in-house development of the accompanying software and hardware, the company designs and develops its own products effectively. In fact, the company has achieved its best economies of scale by establishing an increasingly comprehensive product line. As a result, it is capable of maintaining its competitive advantage in the wireless telecommunications industry. The computer auditors working for the accountant were invited to participate in this study. Interviews were also conducted to study the company's actual operations, with the current internal control information collected as primary data. The company was asked to provide secondary data (i.e., relevant operation documents and files) for the analysis and synthesis of the research findings. Table 6 summarizes the background of all the interviewees.

[Insert Table 6 here]

A select group of public companies that had introduced ERP systems was filtered for the case study. The company targeted for interview is engaged in the R&D and manufacturing of wireless telecommunication products. The company replaced its Baan system with the Oracle ERP system in 2006. The interviewees comprised an internal auditing supervisor who oversees two different ERP systems, an assistant manager in the MIS Department who maintains and deploys these two systems, and a computer auditing manager who works for the accounting firm that audits the information system of this company. In other words, these three individuals are responsible for the ERP audit. All three interviewees have relevant experience and background in the auditing and maintenance of ERP systems. A case study of a public company with audited financial reports was conducted. A manufacturing firm such as this telecommunications company can be regarded as a representative case for companies in other industries.
For this reason, this case can be employed and justified as a rationale for the use of a single case [79]. Specifically, the case study protocol was developed in the preparation step. Primary data about the actual operations of the company were gathered on-site in the collection step, while secondary data were utilized to address the main objectives of this research. Further, data were gathered, analyzed, and collated prior to conducting the interviews with personnel who are experts in IT control and who have worked with the independent accounting firm that maintains a relationship with the company selected for the case study. The feasibility of the internal control items applied in the planning of the ERP system was evaluated in the analysis and sharing steps. Finally, the results and findings were presented. The control items and information auditing of the ERP system in the case company were reviewed. The feasibility of the control items constructed for the company was also evaluated.

(1) Practices within the case company

Two auditors are employed in the audit department of the case company. Their tasks include inspecting domestic and overseas affiliates in the same group. In addition to adjusting the internal control framework, which was originally based on the eight major cycles, the two auditors also perform internal audits and execute special projects assigned by their supervisors, as these tasks are part of their job description. In auditing ERP systems, the focus is on soft controls. The company's MIS department has established a division called ERP System Services. All seven employees in this division are responsible for the maintenance of the ERP system. Their major responsibilities include maintaining the normal operation of the system, solving all problems raised by users, and meeting the operational demands of users. As ERP system audits, these employees perform ordinary control tests and passive checks on requests from the auditing department.

(2) Control items within the case company

The current audit checklist for ERP systems was originally based on the control items listed by the company headquarters. The checklist was later modified in accordance with the actual situations experienced by the company.
The key control items comply with the criteria set by the authority. However, these control items are not fixed and are regularly reviewed for appropriateness. Director Chen said, "After the introduction of the new Oracle ERP system in 2006, the company conducted timely adjustments to ascertain control items."

(3) Information auditing of the ERP system

The internal auditors of the case company focus their audit on soft control items in the ERP system such as accounts, passwords, authorization, and remote access. The auditors are equipped to perform only soft audits. Other forms of audit are delegated to the MIS department, and the internal auditors perform these tasks through collaborative procedures. The definition of the items pertaining to overall control is modified by referring to previous audit records. For example, each audit is performed on a regular basis (i.e., once a year) to minimize risk. However, items with poor records have a high-risk profile and are therefore examined under stricter standards (i.e., quarterly or every semester). Given that financial reports are generated by the company's ERP system, the reporting accounts must be spot-checked as a form of internal control to reduce confirmatory audit risks. The computer audit personnel of the accounting firm check the system setup and the ordinary control measures of the company. Manager Li said, "Basically, auditing for the ERP system within the company is mainly focused on general and basic checking of the Oracle ERP architecture in the UNIX operating system, Oracle database, and network. These are the critical points of our audit." If audit results indicate that the internal control of a company is proper, then the accountants may reduce the required number of spot-checking procedures. Auditing procedures should be modified on a timely basis in accordance with the actual demands of companies. The company under study was able to amend system faults and failures pointed out by its external auditors. This review process should be performed continuously to establish a robust internal control structure. The difficulties encountered by the company's ERP system auditors are caused by a lack of IT training.
Consequently, the company can focus only on software controls. With regard to the other forms of audit, the auditors remain dependent on the MIS department for effectiveness. However, despite the sufficient IT knowledge of the personnel in the MIS department, these personnel cannot perform audits effectively owing to control issues posed by individuals, control measure requirements, and related auditing concepts. External auditors continue to believe that most companies do not have any personnel dedicated to computer audits. Manager Li said, "Currently, the competent authority or relevant institutions are not certified with regard to computer audits. In addition, most auditors claim they lack sufficient IT training. Given the limited computer audit talent, very few companies have established a stable computer audit department." In sum, the challenges involving ERP systems include whether auditors can clearly understand the operational flows of the company and its overall information system environment so as to effectively manage both the behavioral risks caused by human factors and the technical risks embedded in a system. For auditors who lack expertise in both audit (accounting) and IT, the auditing processes in an ERP environment pose imminent obstacles and challenges.

(4) Understanding the feasibility of the control items

Both interviewees concurred that the control items constructed in this study meet most of the requirements. However, a suitable list of control items should consider the infrastructure of the company, including the company scale and the number of MIS employees. These considerations are important because individual control points have important roles in legacy information architecture. Accordingly, a number of control items cannot completely meet the specifications of the company under study owing to limitations in identifying infrastructure concepts, such as whether the responsibilities of MIS personnel are clearly defined. Assistant Manager Lin said, "This proposed framework seems suitable for my company, but the premise must consider the company's structure. For example, the company did not do well in distinguishing the responsibilities of IT personnel. The main reason is the lack of manpower and information unit personnel. Therefore, some control items within this proposed framework may be excluded. Nevertheless, the framework is still useful for my company." The case company suggested that several control items be transformed into attainable targets in the future. The interviewees were requested to state their opinions regarding the appropriateness and importance of the control items in order to understand the feasibility of the proposed framework. Table 7 provides a summary of the company's evaluation of the control items constructed in this study. The list shows that the MIS department is particularly focused on "system development and control over program modifications" and "access control of programs and data", further demonstrating that the list is applicable and can thus serve as a future reference. With respect to the dimension "system development and control over program modifications", Assistant Manager Lin said, "If the MIS department could manage developed or modified system programs effectively, it could help improve the credibility of information and the preciseness of data." Two interviewees presented their views on the dimension "access control of programs and data". Director Chen said, "Because of the critical nature of the data and programs within the company, appropriate control strategies and controls should be set for IT systems through access control policies. Only authorized users should be provided access to information system assets." Assistant Manager Lin said, "The current system login in the company is appropriately controlled by access control procedures such as passwords. This form of logical access control over information is primarily required within the company to protect information against acts such as unauthorized creation and modification as well as inadvertent errors." With respect to the audit of control items, auditors believe that in principle, general audits should be conducted annually. However, several dimensions such as "access control of programs and data" require timely system auditing procedures. Jointly auditing these dimensions and those for the eight-cycle operations is sometimes necessary.
Auditing in such situations is conducted not only annually but also promptly in conjunction with other procedures. External auditors believe that the current self-control mechanisms of the company's internal IT department involve two dimensions (i.e., "system development and control over program modifications" and "access control of programs and data"), which should be audited internally at least quarterly. As for the other dimensions, auditing may be conducted every semester depending on the impact on company processes. The interviewees in the case study agreed that the constructed control items could effectively assist the company in the audit and control of its ERP system. Director Chen said, "This proposed framework is great and comprehensive. A few control items are not available in the company at the moment, and this framework can be utilized to adjust the present version of the company."

[Insert Table 7 here]

(5) Discussion of Findings

As discussed above, several findings are rather interesting. In general, the internal control framework for ERP that exists in this case company could help the related personnel to perform effective management and track the outcomes of IT control. The proposed framework is relatively rigorous and complete, and its logic is more easily accepted. Although some control items are not suitable for the case company, the proposed framework can be used repeatedly to adjust and improve the present version. According to the results of the case study, IT general control has reasonably been emphasized, since it supports the resulting application processing. However, different industries and company sizes may provide different perspectives on the priority of control items. For instance, small companies often use an office software package to handle business processing, and in this case some control items within the proposed framework may need to be amended. Nonetheless, the proposed framework can still greatly assist the entity in executing IT control and performing IT governance in the case company.

6. Conclusions

Given that ERP systems are widely utilized in many organizations, relevant information on security and internal controls must be continuously prioritized.
Stakeholders wish to feel confident that internal control within the organization is executed effectively to reduce the possibility of business failure or fraudulent financial reporting [38]. However, improper management of control procedures in the computer environment of a company may result in significant financial reporting errors and financial losses for that company. Thus, this study developed an ERP internal control framework to assist stakeholders in verifying the effectiveness of their respective companies' internal control mechanisms. Literature related to IT controls for the internal use of companies, various information security organization bylaws, and academic literature were reviewed. Open, axial, and selective coding were performed to finalize the 51 key items associated with ERP internal control. Questionnaires were administered to confirm whether the abovementioned items are suitable for and essential to the ERP system. Out of the 51 control items, only 37 were utilized in the preliminary model. A case study was then conducted to verify the feasibility of the proposed framework. Our findings have some implications for future research. The internal control matrix can be regarded as a common method of representing internal controls for specific business processes within the SOX audit environment, including the internal control objectives [24]. Only a few studies have developed a structured, systematic approach that stakeholders can utilize. The proposed framework was derived from several rigorous methods and contains the necessary control dimensions and items that can be utilized for ERP control and the improvement of IT governance. Compared with previous studies on internal control frameworks, including Jo et al. [34] and Lin et al. [40], the case study approach has been recommended for this stream of research simply because of the need for detailed and contextual information from the entity's stakeholders.
Further, while most extant research utilized experts from CPA firms as research subjects, this study also recruited several participants from the case company to share their thoughts. Since this study embraced application controls to broaden the IT control domain, the outcome may complement the work of Huang [29], whose focus is placed only on IT general controls. A previous study indicated that existing internal control frameworks do not consider important control aspects such as the environment outside the organization [66]. The dimension "control of outsourced operations" in the proposed framework strengthens the ERP internal control points. A few empirical studies have examined IT control weakness and IT operational risk [5, 36, 39]. The study of Li et al. [39] provided empirical evidence regarding IT-related material weakness based on internal and external governance. Further, Klamm and Watson [36] examined IT material weakness based on the internal control-integrated framework proposed by COSO. In summary, the proposed framework may be utilized to assess ERP control. The proposed framework can also be applied in the external auditing profession. External auditors can communicate logically with their clients through this framework. The responsibility of certified public accountants in attesting to the effectiveness of their clients' internal control systems has been clearly regulated. An auditor in an IT environment must have a good understanding of internal control. If an auditor does not have a proper understanding of this concept, the auditing work may incur many uncertainties and risks. From the perspective of a business entity, acquiring effective internal control is a complex task. However, internal control can be facilitated and maintained if a proper framework is adopted. The proposed framework supplements the COSO framework [15] and provides a comprehensive basis for constructing detailed controls for ERP systems. Among the 12 dimensions constructed in this study, only the dimension "access control of programs and data" was unanimously recognized by all interviewees as an important criterion in information risk management. This finding is similar to that of Wallace et al. [73], thereby proving that access control is the most common and prioritized control in practice.
When an entity establishes proper access control, the probability of an attacker obtaining unauthorized system access decreases [59]. However, most of the items in the proposed framework were regarded as moderately important. The listed company under study should therefore exercise compliance, and its stakeholders should assume more responsibility for protecting the information system. This result confirms the results of Wallace et al. [73]. With the proposed framework, which includes comprehensive control dimensions and items, internal auditors and MIS department chiefs can verify the effectiveness of internal control through a complete mechanism to comply with government regulations. In other words, internal auditors and MIS department chiefs can develop their relationship and communicate the effectiveness of internal control by referring to the proposed framework. According to Wallace et al. [73], a good relationship between an organization's internal auditors and MIS department chiefs helps the organization comply with IT-related internal control requirements. Several control items are considered high-priority items. Perhaps stakeholders should prioritize high-risk control points. This process not only enhances audit efficiency but also makes it easier to identify weaknesses in internal control. Companies must consider the limitations inherent in their infrastructures in terms of internal control management to determine the most important control points [58]. These recommended improvements can enable companies to build robust auditing structures. Small and medium-sized enterprises (SMEs) need to implement information systems in their operations to cooperate with large firms. Most large firms request to review and audit downstream SMEs to ensure system security. SMEs may therefore consider the proposed framework and adjust several control items according to their own characteristics to determine their IT control weaknesses in advance. The present study has limitations. Thirty relevant studies were selected and reviewed to construct the ERP system internal control framework. This study did not prove that the coding process reached saturation; other control items might have been missed. Furthermore, despite recruiting 18 qualified experts to confirm the control items derived from the literature review, other experts might have concluded otherwise. Another limitation of this study is external validity.
The explanatory power of this study may be limited because a single-case method is adopted. The proposed framework and the control items developed in this study are generic in nature. In other words, the framework could be applied to the majority of entities regardless of size or industry. Industries with higher security requirements for their IT environment (e.g., the banking sector) will be able to expand this framework and add new control dimensions and items to provide additional insights into this subject area. Several future research avenues are discussed as follows. First, given the increasing number of published studies on ERP internal control, follow-up research may analyze these studies to add control items and refine the proposed framework. Second, several control items in the proposed framework may be extended to other systems, organizations (e.g., government agencies), and industries. Future studies could examine the usefulness and feasibility of the proposed framework.

References

[1] American Institute of Certified Public Accountants (AICPA), Audit Risk and Materiality in Considering an Audit, SAS No. 94, AICPA, New York, 1983.
[2] American Institute of Certified Public Accountants (AICPA), The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit, SAS No. 94, AICPA, New York, 2001.
[3] H. Ashbaugh-Skaife, The effect of SOX internal control deficiencies on firm risk and cost of equity, Journal of Accounting Research 47 (1), 2009, pp. 1-43.
[4] J. C. Bedard, L. E. Graham, The effects of decision aid orientation on risk factor identification and audit test planning, Auditing 21 (2), 2002, pp. 39-65.
[5] M. Benaroch, A. Chernobai, J. Goldstein, An internal control perspective on the market value consequences of IT operational risk events, International Journal of Accounting Information Systems 13 (4), 2012, pp. 357-381.
[6] J. Brazel, L. Dang, The effect of ERP system implementations on the management of earnings and earnings release dates, Journal of Information Systems 22 (2), 2008, pp. 1-21.
[7] British Standards Institution (BSI), Information Security Management - Part 2: Specification for Information Security Management Systems, British Standards Institution, London, 2002.
[8] W. Brown, F. Nasuti, Sarbanes-Oxley and enterprise security: IT governance - What it takes to get the job done, Security Management Practices 14 (5), 2002, pp. 15-28.
[9] L. Calabro, Looking under the hood, CFO 20 (6), 2004, pp. 97-98.
[10] V. Cerullo, M. J. Cerullo, Business continuity planning: A comprehensive approach, Information Systems Management 21 (3), 2004, pp. 70-78.
[11] S. I. Chang, G. G. Gable, A comparative analysis of major ERP lifecycle implementation, management and support issues in Queensland government, Journal of Global Information Management 10 (3), 2002, pp. 36-54.
[12] J. Chau, Application security: it all starts from here, Computer Fraud & Security 2006 (6), 2006, pp. 7-9.
[13] M. Coe, Trust services: A better way to evaluate IT controls, Journal of Accountancy 199 (3), 2005, pp. 69-75.
[14] J. L. Colbert, P. L. Bowen, A comparison of internal controls: COBIT, SAC, COSO, and SAS 55/78, IS Audit and Control Journal 4, 1996, pp. 26-35.
[15] Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control - Integrated Framework, AICPA, New York, 1992.
[16] A. Daveiga, J. H. P. Eloff, An information security governance framework, Information Systems Management 24 (4), 2007, pp. 361-372.
[17] G. Dhillon, Principles of Information System Security: Text and Cases, John Wiley and Sons, New Jersey, 2007.
[18] D. Durfee, The 411 on 404: Reporting a material weakness in controls can cost shareholders millions and some CFOs their jobs, CFO Magazine, 2005.
[19] J. H. P. Eloff, M. M. Eloff, Information security architecture, Computer Fraud & Security 2005 (11), 2005, pp. 10-16.
[20] Ernst & Young, Preparing for internal control reporting: A guide for management's assessment under section 404 of the Sarbanes-Oxley Act, Ernst & Young LLP, 2002.
[21] S. Flowerday, R. Von Solms, Continuous auditing: Verifying information integrity and providing assurances for financial reports, Computer Fraud & Security 2005 (7), 2005, pp. 12-16.
[22] S. Flowerday, R. Von Solms, Real-time information integrity = system integrity + data integrity + continuous assurance, Computers and Security 24 (8), 2005, pp. 604-613.
[23] C. Fox, P. C. Zonneveld, IT Control Objectives for Sarbanes-Oxley: The Importance of IT in the Design, Implementation and Sustainability of Internal Control over Disclosure and Financial Reporting, IT Governance Institute, Illinois, 2003.