www.emeraldinsight.com/1832-5912.htm
JAOC
5,4
514
Haider H. Madani
Abstract
Purpose: The purpose of this paper is to develop a theoretical framework that will help to examine the role of internal auditors (IAs) in enterprise resource planning (ERP) based organizations. An ERP integrates all organizational functions in one powerful system that drives the organization strategically and also presents new challenges to the internal audit function.
Design/methodology/approach: A literature review is undertaken to highlight the role of IAs in an ERP environment.
Findings: The framework depicts the new relationships which the ERP system requires between the IAs and five associated groups: software vendors, information systems, information technology managers, ERP users, and consultants. ERP also gives internal auditors an enabling technology to advise management on the implications of ERP for risk-intelligence.
Research limitations/implications: This is a conceptual paper that has implications for internal auditing practice. Academic researchers will find this framework useful for testing in the field. Practitioners will also benefit from this model when assessing the role of IAs in an ERP environment.
Originality/value: Prior research in the auditing field has overlooked this issue. This paper will attempt to fill such an apparent gap in prior research and will help motivate further research in this field.
Keywords: Manufacturing resource planning, Internal auditing, Internal control
Paper type: Conceptual paper
1. Introduction
An enterprise resource planning (ERP) system is a set of business application software
modules that integrates all organizational functions, including human resources,
finance, manufacturing, sales, and distribution. Examples of major ERP software
vendors are Oracle and SAP. The adoption of an ERP system brings about new
changes to the organization and its information systems (ISs). The ERP system with its
integrated built-in controls becomes an enabling technology for internal auditors (IAs)
to maintain effective controls over operations and provides assurance of reliable
transaction information consistent with the organization's goals and objectives. While
the objectives of the internal control function remain the same, the mechanism of
controls and the control procedures change. Traditional controls, such as separation of
responsibilities, will not be cost-effective in the ERP system and may not be able to
deliver the required level of control (Chapman, 1998a).
Previous studies of ERP focussed on implementation and post-implementation, with particular emphasis on its impact on internal auditing, but offered only a few insights into the auditor's role. This paper seeks to fill such an apparent gap in prior research by focusing on the role of IAs in ERP-based organizations. The remainder of the paper is organized as follows. Section 2 provides a literature review. Section 3 discusses ERP threats and internal control procedures. Section 4 presents a framework for the role of IAs in ERP-based organizations. Section 5 concludes the paper and outlines some directions for future research.
The author gratefully acknowledges the logistical support provided by King Fahd University of Petroleum and Minerals.
2. Literature review
Previous studies in the area of ERP have focused on the implementation phase and the post-implementation phase (Esteves and Pastor, 2001; Verville, 2000). The key ideas of those studies consist of problems and challenges during the implementation, organizational change, political and management influence, and employees' behavior. For example, Gibson et al. (1999) state that ERP implementation needs a different approach which focuses on business process design, software configuration, and project management by de-emphasizing the technical side of implementation. Boudreau and Robey (1999), meanwhile, propose a framework to guide research on ERP linked to organizational change as a process. Also, Koh et al. (2000) employ the framework, based on a process theory approach, to understand and describe the ERP implementation experiences of organizations. Davenport (1998) mentions that ERP implementation process roles, responsibilities, and skill-sets are substantially different from those related to a traditional implementation.
A series of studies has also been carried out to identify the critical success factors in implementing ERP: namely Al-Mashari et al. (2003), Akkermans and van Helden (2002), Hong and Kim (2002), Nah et al. (2001), Soliman et al. (2001) and Scott and Vessey (2000). In more specific studies, Verville et al. (2005) and Verville and Halingten (2003, 2002) discuss the critical factors for successful acquisitions of ERP software and technologies. In addition, Al-Mashari and Zairi (2000) attempt to recommend a model of best ERP practices in organizations.
Several other studies have investigated the impact of ERP on internal auditing activities, internal control mechanisms and the quality of information generated from this initiative. For example, Xu et al. (2002), in a case study of two large Australian organizations, highlight the data quality issues in implementing ERP; their study resulted in the development of a framework for understanding those issues and applying this framework. Lightle and Vallario (2003) discuss the potential segregation of duties in ERP-based organizations. Little and Best (2003) furthermore built a framework to address the potential threat in the separation of duties in an ERP environment. Zhao et al. (2004) elaborate the auditing activities in electronic commerce, but their study does not specifically discuss the role of IAs in ERP-based organizations.
The above discussion suggests that previous studies have overlooked the role and function of IAs in an ERP environment. In this paper, I attempt to address why it is important to reassess the role of IAs in the ERP environment.
3. ERP threats and internal control procedures
Highly integrated and fully computerized ISs, such as ERP, whilst offering many advantages to a business organization, are easily exposed to many potential threats. According to Little and Best (2003), such threats can come from internal or external intruders attempting to access sensitive information, modify data, enter fraudulent changes to programs, enter fraudulent transactions, and commit other undesirable acts within the system. Various methods have been employed to attempt those unauthorized functions (Lunt, 1993; Seeley, 1989; Spafford, 1989; Smaha, 1988; Stoll, 1988; Reid, 1987). These can be categorized into five main methods, namely:
(1) passive techniques, such as wiretapping, electromagnetic pickup, concealed transmitters, and electronic eavesdropping;
(2) attempted break-ins or password guessing;
(3) masquerading, such as logging in with the target user's password and username, or tapping into the connection of an authorized user's workstation that has been left logged on to the network;
(4) browsing, whereby authorized users attempt to access unauthorized functions or sensitive data; and
(5) viruses and worms, which are programs that invade systems and are used to gain access to the data, to destroy or manipulate data and applications, or simply to use resources such as storage, memory, and processor time.
In order to counter those threats, Best et al. (1997) classified the following four major strategies:
(1) Authentication. This strategy aims to restrict entry into the system by authenticating users properly, using usernames with passwords, challenge-response systems, biometrics, and smart cards (Pfleeger, 1989; Carroll, 1987).
(2) Access control. This strategy is designed to prevent unauthorized user activities through browsing. Its purpose is to restrict users' access to data and functions within the system in order to prevent unauthorized use (Ferraiolo et al., 1992).
(3) Cryptography. This strategy involves encoding data so that it will not be understandable if it is revealed through unauthorized access. This technique can be applied to data files, passwords, online transactions, and other sensitive data (Davies and Price, 1989).
(4) Audit trail analysis. This countermeasure strategy is a post hoc analysis of the records of user activities in the detailed system logs to detect failed attempts to perform unauthorized functions and to highlight unusual patterns of user behavior, such as logins after hours.
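As an added illustration of the fourth strategy (this is example code written for this edit, not code from the paper or from Best et al.), the following Python script runs a post hoc audit trail analysis over a handful of constructed ERP-style log lines. It flags the three signals the paragraph names: repeated failed logins (password guessing), denied attempts to run a function (browsing), and activity outside business hours. The log format, user names, transaction codes, failure threshold and business-hours window are all assumptions made for the example.

```python
"""Audit trail analysis over constructed ERP-style system log lines.

Added example, not from the paper: a post hoc scan that flags repeated
failed logins, denied function calls and after-hours activity.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log. The "timestamp|user|event|detail" layout is an
# assumption for this example, not any ERP product's real log format.
SAMPLE_LOG = """\
2009-03-02 08:55:12|alice|LOGIN_OK|terminal=WS17
2009-03-02 09:02:41|bob|LOGIN_FAIL|terminal=WS04
2009-03-02 09:02:55|bob|LOGIN_FAIL|terminal=WS04
2009-03-02 09:03:10|bob|LOGIN_FAIL|terminal=WS04
2009-03-02 09:03:30|bob|LOGIN_OK|terminal=WS04
2009-03-02 10:15:00|carol|TCODE_DENIED|tcode=VENDOR_MASTER_CHANGE
2009-03-02 10:15:20|carol|TCODE_DENIED|tcode=PAYMENT_RELEASE
2009-03-02 11:00:00|alice|TCODE_OK|tcode=GL_POST
2009-03-02 23:41:05|dave|LOGIN_OK|terminal=WS22
2009-03-03 02:10:44|dave|TCODE_OK|tcode=PAYMENT_RELEASE
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed policy window
FAILED_LOGIN_THRESHOLD = 3                   # assumed tolerance before flagging


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 4:
            continue
        ts, user, event, detail = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        records.append({"when": when, "user": user, "event": event, "detail": detail})
    return records


def analyse(records):
    """Return findings keyed by rule name; each value is a list of (user, note)."""
    findings = defaultdict(list)
    consecutive_fails = defaultdict(int)
    for r in records:
        user, event = r["user"], r["event"]
        # Rule 1: N consecutive failed logins for one account (break-in / guessing).
        if event == "LOGIN_FAIL":
            consecutive_fails[user] += 1
            if consecutive_fails[user] == FAILED_LOGIN_THRESHOLD:
                findings["repeated_failed_logins"].append(
                    (user, f"{consecutive_fails[user]} failures"))
        elif event == "LOGIN_OK":
            consecutive_fails[user] = 0
        # Rule 2: a denied attempt to run a function the user is not authorised for.
        if event == "TCODE_DENIED":
            findings["unauthorized_function_attempt"].append((user, r["detail"]))
        # Rule 3: any activity outside the assumed business-hours window.
        t = r["when"].time()
        if not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]):
            findings["after_hours_activity"].append(
                (user, f"{r['when']:%Y-%m-%d %H:%M} {event}"))
    return dict(findings)


if __name__ == "__main__":
    for rule, hits in analyse(parse_log(SAMPLE_LOG)).items():
        print(rule)
        for user, note in hits:
            print(f"  {user}: {note}")
```

The three rules are deliberately simple and stateless beyond a per-user failure counter; in practice the thresholds and the business-hours window would come from the organisation's control policy, and the same scan would be scheduled rather than run by hand, in keeping with the paper's point that audit activity in an ERP moves toward real time.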
The preceding arguments describe potential threats and countermeasure strategies in computerized organizations generally, which also apply to ERP. Those countermeasures involve technical solutions, which on their own are sometimes not sufficient to ensure information quality and integrity for an ERP-based organization. Thus, effective internal control procedures are necessary to support the technical countermeasures for ERP. Their importance has been recognized by many scholars; for instance, see Maurizio et al. (2007), Brown and Nasuti (2005), Dittenhofer (2001), Srinidhi (1994), Ferraiolo et al. (1992) and Clark and Wilson (1987).
Hence, the strategic and tactical business requirements of an organization must be the driving force for implementing ERP. An ERP system replaces the huge number of databases in a company with one powerful system capable of integrating, analyzing, and reporting on information from all of the company's business functions. Programs and data files are fully integrated into one virtual system. There are no subsystems, partitions, or non-interfacing legacy systems that need to be reconciled. ERP also includes advanced control and audit features, such as security profile administration tools, logging capabilities, business workflow, and fully traceable transaction capabilities. Financial closing entries can be accomplished quickly, in a matter of hours (not weeks, as in the traditional environment). Since the sub-modules are fully integrated, there is no need for reconciliation activities or journal voucher adjusting entries.
However, the reengineering associated with ERP implementation may lead to
inadequate business controls, with the result that management objectives are not
met. Many organizational units and departments may have inadequate new controls
instead of the controls from the traditional system. Furthermore, due to the real-time
nature of an ERP system, many IAs may not be well prepared to accomplish their
mission in auditing the business. The traditional audit function would not be
sufficient under these circumstances. A detailed design of the business processes,
management, and operations must therefore come before the implementation of an
ERP system.
It is essential to consider the integrated control procedures while the ERP system is being implemented. IAs have expertise in the area of risk management, they have the big-picture perspective of the organization's business operations, and they are capable of suggesting alternatives to reengineer the organization's processes to increase efficiency and effectiveness. A detailed analysis of internal controls should come after a broad-based business and system analysis (Glover et al., 1999). Consequently, this ensures that the control processes serve the broader business objectives and mitigate the key business risks.
Internal audit functions are redefined in terms of focus, scope, and range of services, in the light of strategic management, alliance with other appraisal functions, and the need to audit technical applications. The IA is now open to a broad range of activities that were not considered previously (Chapman, 1998b). I discuss these issues in turn.
4. Role of IAs in ERP-based organizations
IAs' contributions are widely recognized in the literature in promoting good
corporate governance and implementing a system of internal controls within the
organization. They help to reduce the cost of raising capital if the organization is
looking for external financial assistance, and also to enhance the share price if it is
seeking equity funds. IAs also carry out assurance activities at specific scheduled
times to check the adequacy and effectiveness of internal control procedures in the
organization.
IAs also report to audit committees at the board level on their findings and
opportunities for improvement as required. However, the use of ERP changes the role
and function of IAs. Figure 1 shows the framework of the relationship between the IA
and the various associated groups in ERP implementation. These groups include
software vendors (V), IS and information technology (IT) managers, users (U), and
consultants (C).
During ERP implementation, the IA's roles include the following, in order of
execution:
Figure 1. The relationship between the IA and various associated groups in ERP implementation. [Diagram: nodes IA, V (vendors), IT/IS, U (users) and C (consultants); the IA's role labels are Strategists, ERP experts, Communicators and IT experts.]
• Strategists. Strategists are involved with the strategic planning and decision making of the organization. They develop an understanding of business process reengineering with users, including management, and facilitate the consultants' work.
• ERP experts. ERP experts evaluate the control features of an ERP system and assess current and future risk exposure. They also highlight the importance of soft controls and delegate the accountability of control.
• Communicators. Communicators maintain the relationships among all parties across the organization and facilitate the adoption of audit controls with users, as well as with consultants from outside the company.
• IT experts. IT experts update and unify terminology to take advantage of the integrated nature of the ERP system. They share expertise, knowledge, and ideas with IS/IT management.
As a strategist, the IA provides top management with advice that helps management to set the corporate objectives. According to the new Committee of Sponsoring Organizations (COSO) Enterprise Risk Management framework, the organization's mission and risk appetite drive its objective-setting process, which defines high-level strategic objectives and the specific objectives required to accomplish them, namely the operating, financial reporting, and compliance objectives (Ramamoorthi and Weidenmier, 2006). Strategic objectives affect the organization's choice of ERP infrastructure and risk level.
In addition, Pierce (2007) proposes five duties of the IA as a strategist in ensuring the success of ERP implementation. These five duties are:
(1) Secure executive sponsorship and create awareness for program risk management. This helps to enlist the support and resources necessary for a successful risk management program.
(2) Take a holistic approach to identifying programs at risk. A broad strategic perspective helps the IA to better understand and prioritize the program-risk landscape, with its wide-ranging and often disparate risk elements.
(3) Create an active and ongoing program risk management process. Such an ongoing process entails regular audits, the ability to track the trends relating
Figure 2. The role of the IA in post-ERP implementation. [Diagram: nodes IA, U, IT/IS and C; the IA's role labels are Service provider (shown twice), Maintainer and Developer.]
system drives the organization strategically and replaces the huge number of databases in a company with one powerful system capable of integrating, analyzing, and reporting on information from all of the company's business functions. ERP changes the business processes and the hardware/software configuration, which all affect the internal audit function. This paper presents a framework for the new role of IAs in ERP-based organizations.
The internal audit function needs to be redefined in terms of focus, scope, and range of services in light of strategic management, alliance with other appraisal functions, and the need to audit technical applications. In order to cope with new tasks in ERP, IAs must enhance their technical knowledge and practical experience in the area of information technology and ISs. This new expertise can be obtained through courses, on-the-job training, and attachment to the data-processing department. Up-to-date technical knowledge and practical experience are essential, since the audit activities for ERP will no longer be at the end of each financial cycle, but in real time. Conversely, technical staff should also be encouraged to acquire a knowledge of auditing and accounting.
Furthermore, in an ERP environment, IAs must be able to share their expertise in internal control areas with other users and consultants. For instance, in developing software to support ERP implementation, the developers or engineers should be made aware of the importance of effective internal control, so that they can produce software that provides not only high capability but also high integrity.
Moreover, IAs need to share with and teach users from various departments within the organization the methods of effective internal control for ERP. In this way, potential problems such as fraud, data manipulation, unauthorized approval, and hardware failure can be avoided from the beginning of the process rather than being identified and addressed at the end of the audit trail, which may be disastrous to the organization. In short, with the implementation of ERP, effective internal control is no longer the function of IAs exclusively, but becomes the responsibility of all parties involved.
In an ERP environment, the IA's role is proactive and on-going. To overcome potential problems due to segregation of duties in ERP-based organizations, IAs must repeat the testing procedures periodically (Lightle and Vallario, 2003). These procedures include checks on the software integrity, the hardware capability, and the comprehensiveness of the manual or operating procedure guidelines. As businesses are becoming more dynamic today, employees and managers come and go, and suppliers and vendors change constantly; therefore, transaction codes, database profiles, and identification numbers may need to be added or deleted. Such changes may cause risks to an ERP-based organization, and they oblige the IAs to carry out continuous checking.
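The periodic segregation-of-duties re-test described above, as an added Python example written for this edit (it is not code from the paper, from Lightle and Vallario, or from any ERP vendor): it derives each user's effective transaction codes from the profiles assigned to them, checks every pair against a conflict matrix, and also flags accounts that still hold profiles after the person has dropped off the HR active list, which is the "employees come and go" risk the paragraph raises. The profile names, transaction codes, user names, HR extract and conflict pairs are all constructed for illustration.

```python
"""Periodic segregation-of-duties (SoD) review over constructed ERP authorizations.

Added example, not from the paper or any vendor: re-runs the kind of test
the paper says IAs must repeat, against a snapshot of user-to-profile
assignments and an HR list of active employees.
"""
from itertools import combinations

# Constructed snapshot: profile -> transaction codes it grants.
# Profile and transaction names are invented for this example.
PROFILES = {
    "AP_CLERK": {"VENDOR_CREATE", "INVOICE_ENTER"},
    "AP_MANAGER": {"INVOICE_APPROVE", "PAYMENT_RELEASE"},
    "GL_ACCOUNTANT": {"GL_POST", "GL_REPORT"},
    "BASIS_ADMIN": {"USER_ADMIN", "PROFILE_CHANGE"},
}

# Constructed user -> assigned profiles (the identification numbers and
# database profiles the paper says are added and deleted over time).
USER_PROFILES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},       # enters and approves the same invoices
    "carol": {"GL_ACCOUNTANT"},
    "dave": {"BASIS_ADMIN", "AP_MANAGER"},   # system administrator who can release payments
    "erin": {"GL_ACCOUNTANT"},               # has left the company, profile never removed
}

ACTIVE_EMPLOYEES = {"alice", "bob", "carol", "dave"}   # constructed HR extract

# Pairs of transaction codes that one person must not hold together.
CONFLICTING_PAIRS = {
    frozenset({"VENDOR_CREATE", "PAYMENT_RELEASE"}),
    frozenset({"INVOICE_ENTER", "INVOICE_APPROVE"}),
    frozenset({"USER_ADMIN", "PAYMENT_RELEASE"}),
    frozenset({"PROFILE_CHANGE", "GL_POST"}),
}


def effective_tcodes(user):
    """Union of transaction codes across every profile assigned to the user."""
    codes = set()
    for profile in USER_PROFILES.get(user, ()):
        codes |= PROFILES.get(profile, set())
    return codes


def sod_conflicts(user):
    """Sorted list of conflicting transaction-code pairs the user currently holds."""
    hits = []
    for a, b in combinations(sorted(effective_tcodes(user)), 2):
        if frozenset({a, b}) in CONFLICTING_PAIRS:
            hits.append((a, b))
    return hits


def stale_accounts():
    """Users still holding profiles but absent from the HR active-employee list."""
    return sorted(set(USER_PROFILES) - ACTIVE_EMPLOYEES)


def run_review():
    """One periodic review: conflicts for users that have any, plus stale accounts."""
    conflicts = {}
    for user in sorted(USER_PROFILES):
        hits = sod_conflicts(user)
        if hits:
            conflicts[user] = hits
    return {"conflicts": conflicts, "stale_accounts": stale_accounts()}


if __name__ == "__main__":
    report = run_review()
    for user, pairs in report["conflicts"].items():
        print(f"SoD conflict for {user}: {pairs}")
    for user in report["stale_accounts"]:
        print(f"Stale account still holding profiles: {user}")
```

Because conflicts are computed from the union of all profiles rather than per profile, the check catches the case the paper warns about, where each profile is acceptable on its own but their combination on one account is not; re-running `run_review()` on each new authorization snapshot is the periodic test, and the stale-account check is what turns personnel churn into an auditable finding rather than a latent risk.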
Looking ahead in a highly integrated ERP organization, IAs are engaged in risk-intelligence activities. These allow the organization to protect itself from any potential interruption or loss, from either internal or external factors. In addition, involvement in risk-intelligence will supplement the organization's internal control, compliance, and good governance practices. While a business organization invests heavily in information communication technology to reduce costs and to enhance effectiveness and efficiency, such an initiative also attracts risks which are seldom foreseen in the planning or implementation stages of ERP. The IA's role in risk-intelligence for an ERP-based organization includes:
• recognizing the full spectrum of risks;
• connecting the identified risks with potential implications;
• advising the management on optimal resource allocation;
• anticipating and suggesting integrated responses to risks; and
• providing risk-management advice to maximize the upside as well as minimize the downside (Hespenheide et al., 2007).
There can be a number of directions for future research in the ERP field. For example, the frameworks shown in this paper can be used in future research to empirically examine the validity and usefulness of this proposed model in ERP-based organizations using survey questionnaire and case-method approaches. This research would help in gaining insights into the new roles and functions of IAs, in particular assessing the relationship between IAs and the various associated groups (software vendors, ISs, IT managers, ERP users, and consultants) in the pre- and post-ERP implementation stages.
Second, while ERP systems provide powerful technologies capable of integrating, analyzing and reporting information from all of the company's functions (technical, operational, and financial), they expose user organizations to various kinds of risks and potential threats, as illustrated in the paper. Future research can also be directed to identifying these new risks and threats and how countering them has impacted strategically on the role and functions of IAs in ERP-based organizations. Importantly, this research can also investigate what countermeasure strategies, risk control mechanisms and solutions ERP-based organizations have developed and implemented, the role of IAs in their design, implementation and monitoring stages, and the adequacy of these mechanisms and solutions.
Third, ERP systems have strategically changed or impacted not only the roles and functions of IAs, but also the internal audit environment. Future research can be directed to studying the skills, knowledge, capabilities and experiences IAs must have in order to carry out their roles and functions in ERP organizations, and to what extent these organizations have been successful in this respect.
References
Akkermans, H. and van Helden, K. (2002), Vicious and virtuous cycles in ERP implementation:
a case study of interrelations between critical success factors, European Journal of
Information System, Vol. 11 No. 1, pp. 35-46.
Al-Mashari, M. and Zairi, M. (2000), The effective application of SAP R/3: a proposed model of
best practice, Logistics Information Management, Vol. 13 No. 3, pp. 156-66.
Al-Mashari, M., Al-Mudimigh, A. and Zairi, M. (2003), Enterprise resource planning:
a taxonomy of critical factors, European Journal of Operational Research, Vol. 146 No. 2,
pp. 352-64.
Arens, A.A. and Loebbecke, J.K. (2000), Auditing: An Integrated Approach, 8th ed., Prentice-Hall,
Upper Saddle River, NJ.
Bancroft, N., Seip, H. and Sprengel, A. (1998), Implementing SAP R/3: How to Introduce a Large
System into a Large Organization, Manning, Greenwich, CT.
Best, P., Mohay, G. and Anderson, A. (1997), MIATA: a machine independent audit trail
analyser, Australian Computer Journal, Vol. 29 No. 2, pp. 57-63.
Boudreau, M.C. and Robey, D. (1999), Critical issues affecting an ERP implementation,
Information Systems Management, Vol. 16 No. 3, pp. 7-14.
Brown, W. and Nasuti, F. (2005), What ERP systems can tell us about Sarbanes-Oxley,
Information Management & Computer Security, Vol. 13 No. 4, pp. 311-23.
Carroll, J.M. (1987), Computer Security, 2nd ed., Butterworths, Stoneham, MA.
Chapman, C. (1998a), Just do it: an interview with Michael Hammer, Internal Auditor, Vol. 55
No. 3, pp. 38-41.
Chapman, C. (1998b), Update, Internal Auditor, Vol. 55 No. 1, pp. 11-12.
Clark, D. and Wilson, D. (1987), A comparison of commercial and military computer security
policies, paper presented at the IEEE Symposium on Security and Privacy, IEEE
Computer Society Press, Oakland, CA.
Davenport, T. (1998), Putting the enterprise into the enterprise system, Harvard Business
Review, Vol. 76 No. 4, pp. 121-31.
Davies, D.W. and Price, W.L. (1989), Security for Computer Network, 2nd ed., Wiley,
New York, NY.
Dittenhofer, M. (2001), Reengineering the internal auditing organization, Managerial Auditing
Journal, Vol. 16 No. 8, pp. 458-68.
Esteves, J. and Pastor, J. (2001), Enterprise resource planning systems research: an annotated
bibliography, Communications of the AIS, Vol. 7 No. 8, pp. 1-52.
Ferraiolo, D.F., Gilbert, M.D. and Lynch, N. (1992), Assessing Federal and Commercial
Information Security Needs (USA), National Institute of Standards and Technology,
Gaithersburg, MD.
Gibbs, J. (1998), Going live with SAP, Internal Auditor, Vol. 55 No. 3, pp. 70-5.
Gibson, J., Holland, C. and Light, B. (1999), Enterprise resource planning: a business approach to
systems development, Proceedings of the 32nd Hawaii International Conference on
System Sciences, Vol. 7, pp. 163-8.
Glover, S.M., Prawitt, D.F. and Romney, M.B. (1999), Implementing ERP, Internal Auditor,
Vol. 56 No. 4, pp. 47-53.
Hespenheide, E., Pundmann, S. and Corcoran, M. (2007), Risk intelligence: internal auditing in a
world of risk, Internal Auditing, Vol. 22 No. 4, pp. 3-10.
Hong, K.-K. and Kim, Y.-G. (2002), The critical success factors for ERP implementation:
an organizational fit perspective, Information & Management, Vol. 40 No. 1, pp. 25-40.
Koh, C., Soh, C. and Markus, L. (2000), A process theory approach to analyzing ERP
implementation and impacts: the case of Revel Asia, Journal of Information Technology
Cases and Applications, Vol. 2 No. 1, pp. 4-23.
Lightle, S. and Vallario, C. (2003), Segregation of duties in ERP, Internal Auditor, Vol. 60 No. 5,
pp. 27-31.
Little, A. and Best, P.J. (2003), A framework for separation of duties in an SAP R/3
environment, Managerial Auditing Journal, Vol. 18 No. 5, pp. 419-30.
Lunt, T.F. (1993), A survey of intrusion detection techniques, Computers & Security, Vol. 12
No. 4, pp. 405-18.
Maurizio, A., Girolami, L. and Jones, P. (2007), EAI and SOA: factors and methods influencing
the integration of multiple ERP systems (in an SAP environment) to comply with
Zhao, N., Yen, D.C. and Chang, I.-C. (2004), Auditing in the e-commerce era, Information
Management & Computer Security, Vol. 12 No. 5, pp. 389-400.
Further reading
Gupta, A. (2000), Enterprise resource planning: the emerging organizational value systems,
Industrial Management & Data Systems, Vol. 100 No. 3, pp. 114-8.
Corresponding author
Haider H. Madani can be contacted at: madani@kfupm.edu.sa