
The current issue and full text archive of this journal is available at

www.emeraldinsight.com/1832-5912.htm

JAOC
5,4

The role of internal auditors in ERP-based organizations

Haider H. Madani
Department of Accounting and MIS, College of Industrial Management,
King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia

Received 9 April 2008
Revised 25 March 2009, 30 June 2009
Accepted 10 July 2009

Abstract
Purpose - The purpose of this paper is to develop a theoretical framework that will help to examine
the role of internal auditors (IAs) in enterprise resource planning (ERP) based organizations. An ERP
integrates all organizational functions in one powerful system that drives the organization
strategically and also presents new challenges to the internal audit function.
Design/methodology/approach - A literature review is undertaken to highlight the role of IAs in
an ERP environment.
Findings - The framework depicts the new relationships which the ERP system requires between
the IAs and five associated groups: software vendors, information systems, information technology
managers, ERP users, and consultants. ERP also gives internal auditors an enabling technology to
advise management on the implications of ERP for risk-intelligence.
Research limitations/implications - This is a conceptual paper that has implications for internal
auditing practice. Academic researchers will find this framework useful for testing in the field.
Practitioners will also benefit from this model when assessing the role of IAs in an ERP environment.
Originality/value - Prior research in the auditing field has overlooked this issue. This paper will
attempt to fill such an apparent gap in prior research and will help motivate further research in this
field.
Keywords - Manufacturing resource planning, Internal auditing, Internal control
Paper type - Conceptual paper

Journal of Accounting & Organizational Change
Vol. 5 No. 4, 2009
pp. 514-526
© Emerald Group Publishing Limited
1832-5912
DOI 10.1108/18325910910994702

1. Introduction
An enterprise resource planning (ERP) system is a set of business application software
modules that integrates all organizational functions, including human resources,
finance, manufacturing, sales, and distribution. Examples of major ERP software
vendors are Oracle and SAP. The adoption of an ERP system brings about new
changes to the organization and its information systems (ISs). The ERP system with its
integrated built-in controls becomes an enabling technology for internal auditors (IAs)
to maintain effective controls over operations and provides assurance of reliable
transaction information consistent with the organization's goals and objectives. While
the objectives of the internal control function remain the same, the mechanism of
controls and the control procedures change. Traditional controls, such as separation of
responsibilities, will not be cost-effective in the ERP system and may not be able to
deliver the required level of control (Chapman, 1998a).
Previous studies of ERP focussed on implementation and post-implementation, with
particular emphasis on its impact on internal auditing, but offered only a few insights
into the auditors' role. This paper seeks to fill such an apparent gap in prior research
by focusing on the role of IAs in ERP-based organizations. The remainder of the paper
is organized as follows. Section 2 provides a literature review. Section 3 discusses ERP
threats and internal control procedures. Section 4 presents a framework for the role of
IAs in ERP-based organizations. Section 5 concludes the paper and outlines some
directions for future research.

The author gratefully acknowledges the logistical support provided by King Fahd University
of Petroleum and Minerals.

2. Literature review
Previous studies in the area of ERP have focused on the implementation phase and
the post-implementation phase (Esteves and Pastor, 2001; Verville, 2000). The key
ideas of those studies consist of problems and challenges during the implementation,
organizational change, political and management influence, and employees'
behavior. For example, Gibson et al. (1999) state that ERP implementation needs a
different approach which focuses on business process design, software configuration,
and project management by de-emphasizing the technical side of implementation.
Boudreau and Robey (1999), meanwhile, propose a framework to guide research
on ERP linked to organizational change as a process. Also, Koh et al. (2000) employ the
framework, based on a process theory approach, to understand and describe the ERP
implementation experiences of organizations. Davenport (1998) mentions that ERP
implementation process roles, responsibilities, and skill-sets are substantially different
from those related with a traditional implementation.
A series of studies has also been carried out to identify the critical success factors in
implementing ERP, namely Al-Mashari et al. (2003), Akkermans and van Helden
(2002), Hong and Kim (2002), Nah et al. (2001), Soliman et al. (2001) and Scott and
Vessey (2000). In more specific studies, Verville et al. (2005) and Verville and Halingten
(2003, 2002) discuss the critical factors for successful acquisitions of ERP software
and technologies. In addition, Al-Mashari and Zairi (2000) attempt to recommend a
model of best ERP practices in organizations.
Several other studies have investigated the impact of ERP on internal auditing
activities, internal control mechanisms and the quality of information generated from
this initiative. For example, Xu et al. (2002), in a case-study in two large Australian
organizations, highlight the data quality issues in implementing ERP, and their study
resulted in the development of a framework for understanding those issues and applying
this framework. Lightle and Vallario (2003) discuss the potential segregation of duties in
ERP-based organizations. Little and Best (2003) furthermore built a framework to
address the potential threat in the separation of duties in an ERP environment. Zhao et al.
(2004) elaborate the auditing activities in electronic commerce, but their study does not
specifically discuss the role of IAs in ERP-based organizations.
The above discussion suggests that previous studies have overlooked the role and
function of IAs in an ERP environment. In this paper, I attempt to address why it is
important to reassess the role of IAs in the ERP environment.
3. ERP threats and internal control procedures
Highly integrated and fully computerized ISs, such as ERP, whilst offering many
advantages to a business organization, are easily exposed to many potential threats.
According to Little and Best (2003), such threats can come from internal or external
intruders attempting to access sensitive information, modify data, enter fraudulent
changes to programs, enter fraudulent transactions, and commit other undesirable acts
within the system. Various methods have been used to attempt those unauthorized
functions (Lunt, 1993; Seeley, 1989; Spafford, 1989; Smaha, 1988; Stoll, 1988; Reid,
1987). These can be categorized into five main methods, namely:
(1) passive techniques, such as wiretapping, electromagnetic pickup, concealed
transmitters, and electronic eavesdropping;
(2) attempted break-ins or password guessing;
(3) masquerading, such as logging in with the target user's password and
username, tapping into the line between the authorized user's workstation that
has been left logged on to the network;
(4) browsing, whereby authorized users attempt to access unauthorized functions
or sensitive data; and
(5) viruses and worms, which are programs that invade systems and are used
to gain access to the data, to destroy or manipulate data and applications, or
simply to use resources such as storage, memory, and processor time.
In order to counter those threats, Best et al. (1997) classified the following four major
strategies:
(1) Authentication. This strategy aims to restrict entry into the system,
authenticating the users properly by including usernames with passwords,
and by challenge-response systems, biometrics, and smart cards (Pfleeger, 1989;
Carroll, 1987).
(2) Access control. This strategy is designed to prevent unauthorized user activities
through browsing. Its purpose is to restrict users' access to data and functions
within the system in order to prevent unauthorized use (Ferraiolo et al., 1992).
(3) Cryptography. This strategy involves encoding data so that it will not be
understandable if it is revealed through unauthorized access. This technique
can be applied to data files, passwords, online transactions, and other sensitive
data (Davies and Price, 1989).
(4) Audit trail analysis. This countermeasure strategy is a post hoc analysis of the
records of user activities in the detailed system logs to detect failed attempts to
perform unauthorized functions and to highlight unusual patterns of user
behavior, such as logins after hours.
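The audit trail analysis strategy in item (4), sketched as an added example that is not part of the original paper. The log line format, user names, function names, business hours and burst threshold are all assumptions made for the illustration, and the sample records are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed sample audit trail; the line format is an assumption of this example.
SAMPLE_LOG = """\
2009-03-02T08:58:11 user=amal event=login result=ok
2009-03-02T09:14:40 user=bilal event=login result=ok
2009-03-02T09:20:03 user=bilal event=exec function=change_vendor_bank result=denied
2009-03-02T09:21:47 user=bilal event=exec function=release_payment result=denied
2009-03-02T09:24:30 user=bilal event=exec function=post_journal_entry result=denied
2009-03-02T11:02:00 user=chen event=login result=fail
2009-03-02T15:40:00 user=chen event=login result=fail
2009-03-02T23:41:09 user=dana event=login result=ok
2009-03-07T10:05:00 user=amal event=login result=ok
### truncated record ###
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>login|exec) "
    r"(?:function=(?P<function>\S+) )?result=(?P<result>ok|fail|denied)$"
)


def parse_audit_trail(lines):
    """Return (records sorted by time, numbers of lines that could not be parsed)."""
    records, rejected = [], []
    for number, line in enumerate(lines, start=1):
        match = LINE_RE.match(line.strip())
        if match is None:
            # Unparseable lines are reported rather than silently dropped:
            # a gap in the trail is itself something the reviewer must see.
            rejected.append(number)
            continue
        record = match.groupdict()
        try:
            record["ts"] = datetime.fromisoformat(record["ts"])
        except ValueError:
            rejected.append(number)
            continue
        records.append(record)
    records.sort(key=lambda r: r["ts"])
    return records, rejected


def failed_attempt_bursts(records, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed logins or denied functions within `window`.

    Returns {user: (time of first failure in the burst, time of latest failure)}.
    """
    recent = defaultdict(deque)  # user -> timestamps of failures still inside the window
    bursts = {}
    for record in records:
        if record["result"] == "ok":
            continue
        stamps = recent[record["user"]]
        stamps.append(record["ts"])
        while stamps[0] < record["ts"] - window:
            stamps.popleft()
        if len(stamps) >= threshold:
            first = bursts.get(record["user"], (stamps[0], None))[0]
            bursts[record["user"]] = (first, record["ts"])
    return bursts


def after_hours_logins(records, start=time(7, 0), end=time(19, 0)):
    """Successful logins at weekends or outside the assumed business hours."""
    flagged = []
    for record in records:
        if record["event"] != "login" or record["result"] != "ok":
            continue
        ts = record["ts"]
        if ts.weekday() >= 5 or not (start <= ts.time() < end):
            flagged.append((record["user"], ts))
    return flagged


def analyse(lines):
    records, rejected = parse_audit_trail(lines)
    return {
        "failed_attempt_bursts": failed_attempt_bursts(records),
        "after_hours_logins": after_hours_logins(records),
        "unparsed_lines": rejected,
    }


if __name__ == "__main__":
    for finding, detail in analyse(SAMPLE_LOG).items():
        print(finding, detail)
```

Two spaced-out login failures (user chen) stay below the burst threshold, while three denied functions in under five minutes (user bilal) are reported.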
The preceding arguments describe potential threats and countermeasure strategies in
computerized organizations in general, which also apply in ERP. Those countermeasures
involve technical solutions, which are sometimes not sufficiently relevant to ensure
information quality and integrity for an ERP-based organization. Thus, effective internal
control procedures are necessary to support the technical countermeasures for ERP.
Their importance has been recognized by many scholars, for instance, see Maurizio et al.
(2007), Brown and Nasuti (2005), Dittenhofer (2001), Srinidhi (1994), Ferraiolo et al. (1992)
and Clark and Wilson (1987).
Hence, the strategic and tactical business requirements of an organization must be
the driving force for implementing ERP. An ERP system replaces the huge number of
databases in a company with one powerful system capable of integrating, analyzing,
and reporting on information from all of the company's business functions. Programs
and data files are fully integrated into one virtual system. There are no subsystems,
partitions, or non-interfacing legacy systems that need to be reconciled. ERP also
includes advanced control and audit features, such as security profile administration
tools, logging capabilities, business workflow, and the fully traceable transaction
capabilities. Financial closing entries can be accomplished quickly, in a matter of hours
(not weeks, as in the traditional environment). Since the sub-modules are fully
integrated, there is no need to do reconciliation activities or journal voucher adjusting
entries.
However, the reengineering associated with ERP implementation may lead to
inadequate business controls, with the result that management objectives are not
met. Many organizational units and departments may have inadequate new controls
instead of the controls from the traditional system. Furthermore, due to the real-time
nature of an ERP system, many IAs may not be well prepared to accomplish their
mission in auditing the business. The traditional audit function would not be
sufficient under these circumstances. A detailed design of the business processes,
management, and operations must therefore come before the implementation of an
ERP system.
It is essential to consider the integrated control procedures while the ERP system is
being implemented. IAs have expertise in the area of risk-management, they
have the big-picture perspective of the organization's business operations, and they are
capable of suggesting alternatives to reengineer the organization's processes to increase
efficiency and effectiveness. A detailed analysis of internal controls should come after
a broad-based business and system analysis (Glover et al., 1999). Consequently, this
ensures that the control processes address the broader business objectives and mitigate the
key business risks.
Internal audit functions are redefined in terms of focus, scope, and range of services,
in the light of strategic management, alliance with other appraisal functions, and the
need to audit technical applications. The IA is now open to a broad range of activities
that were not considered previously (Chapman, 1998b). I discuss this issue in turn.
4. Role of IAs in ERP-based organizations
IAs' contributions are widely recognized in the literature in promoting good
corporate governance and implementing a system of internal controls within the
organization. They help to reduce the cost of raising capital if the organization is
looking for external financial assistance, and also to enhance the share price if it is
seeking equity funds. IAs also carry out assurance activities at specific scheduled
times to check the adequacy and effectiveness of internal control procedures in the
organization.
IAs also report to audit committees at the board level on their findings and
opportunities for improvement as required. However, the use of ERP changes the role
and function of IAs. Figure 1 shows the framework of the relationship between the IA
and the various associated groups in ERP implementation. These groups include
software vendors (V), IS and information technology (IT) managers, users (U), and
consultants (C).
During ERP implementation, the IAs' roles include the following, in order of
execution:
• Strategists. Strategists are involved with the strategic planning and decision
making of the organization. They develop an understanding of the business
process reengineering with users including management, and facilitate the
consultants' work.
• ERP experts. ERP experts evaluate the control features of an ERP system and
assess current and future risk exposure. They also highlight the importance of
soft controls and delegate the accountability of control.
• Communicators. Communicators maintain the relationships among all parties
across the organization and facilitate the adoption of audit controls with users, as
well as with consultants from outside the company.
• IT experts. IT experts update and unify terminology to take advantage of the
integrated nature of the ERP system. They share expertise, knowledge, and ideas
with IS/IT management.

[Figure 1. The relationship between the IA and various associated groups in ERP
implementation. Diagram nodes: IA, U, IT/IS, V and C; role labels: Strategists,
IT experts, ERP experts and Communicators.]

As a strategist, the IA provides top management with advice that helps management to
set the corporate objectives. According to the new Committee on Sponsoring
Organizations' Enterprise Risk Management, the organization's mission and risk
appetite drive its objective-setting process, which defines high-level strategic objectives
and the specific objectives required to accomplish them, namely the operating, financial
reporting, and compliance objectives (Ramamoorthi and Weidenmier, 2006). Strategic
objectives affect the organization's choice of ERP infrastructure and risk level.
In addition, Pierce (2007) proposes five duties of the IA as a strategist in ensuring the
success of ERP implementation.
These five duties are:
(1) Secure executive sponsorship and create awareness for program risk
management. This helps to enlist the support and resources necessary for a
successful risk management program.
(2) Take a holistic approach to identifying programs at risk. A broad strategic
perspective helps the IA to better understand and prioritize the program-risk
landscape, with its wide-ranging and often disparate risk elements.
(3) Create an active and ongoing program risk management process. Such an
ongoing process entails regular audits, the ability to track the trends relating
to a program, and faster follow-up on remediation plans. It allows IAs to
identify the risks more quickly and to alert the stakeholders.
(4) Build a program audit team with the necessary specialized skills and
experience. Having the right people with the right skills to focus on program
risk can make the difference between success and failure in risk management.
(5) Include program issues in a consolidated risk analysis. The prioritization of
programs, based on their inherent risk, assumes that all challenges facing those
programs are risks.
As an ERP expert, the IA is needed to ensure that the ERP system does not compromise the
internal control mechanism. Arens and Loebbecke (2000) further propose four general
guidelines for the separation of duties, which can be applied in an ERP-based
organization:
(1) Separation of the custody of assets from accounting. This prevents a person
with custody of an asset from disposing of the asset and adjusting the records to
conceal the action.
(2) Separation of the authorization of transactions from the custody of related
assets. The authorization of a transaction and the handling of the related asset
by the same person increases the opportunity for fraud.
(3) Separation of operational responsibility from record-keeping responsibility. If a
division is responsible for preparing its own records and reports, there may be a
tendency to bias the results to improve its reported performance.
(4) Separation of information technology duties from duties of key users outside IT.
Program modifications should be performed only by authorized IT personnel.
Users outside IT should be responsible for authorizing transactions, online data
entry, correction of errors in input, and reviews of output from the system.
In ERP environments with thousands of users accessing the system online, the only
way to separate duties within the computer system is to assign authorizations and
profiles to users which prevent them from performing incompatible functions
(Little and Best, 2003). Therefore, being an ERP expert, the IA should be involved at an
early stage in the planning process for the implementation of any ERP system. During
the system-design phase, management should charge cross-functional teams with
creating appropriate job authorization assignments before establishing system access
for employees (Lightle and Vallario, 2003). Moreover, the IAs also help management to
develop the user authorization request and approval process by talking directly with
business process owners to review individual job responsibilities and to investigate the
rationale behind any dual assignments (Lightle and Vallario, 2003).
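One way to express the four separation guidelines above as a check over user authorizations and profiles, given as an added example that is not part of the original paper. The authorization names, profile names, user assignments and the mapping of each authorization to a duty are hypothetical; a real ERP system has its own authorization objects, which would need to be classified the same way.

```python
from typing import NamedTuple

CUSTODY, RECORDING, AUTHORIZATION = "custody", "recording", "authorization"
OPERATIONS, PROGRAM_CHANGE, DATA_ENTRY = "operations", "program_change", "data_entry"

# Incompatible duty pairs -> number of the guideline (1-4) in the list above.
INCOMPATIBLE = {
    frozenset({CUSTODY, RECORDING}): 1,             # custody of assets vs accounting
    frozenset({AUTHORIZATION, CUSTODY}): 2,         # authorization vs custody
    frozenset({OPERATIONS, RECORDING}): 3,          # operations vs record keeping
    frozenset({PROGRAM_CHANGE, AUTHORIZATION}): 4,  # IT duties vs key user duties
    frozenset({PROGRAM_CHANGE, DATA_ENTRY}): 4,
}

# Hypothetical authorizations, each classified by the duty it lets a user perform.
AUTH_DUTY = {
    "post_goods_issue": CUSTODY,
    "post_journal_entry": RECORDING,
    "approve_purchase_order": AUTHORIZATION,
    "enter_vendor_invoice": DATA_ENTRY,
    "run_production_order": OPERATIONS,
    "transport_program_change": PROGRAM_CHANGE,
}

# Hypothetical profiles: named bundles of authorizations assigned to users.
PROFILES = {
    "WAREHOUSE_CLERK": {"post_goods_issue"},
    "GL_ACCOUNTANT": {"post_journal_entry"},
    "PURCHASING_MANAGER": {"approve_purchase_order"},
    "AP_CLERK": {"enter_vendor_invoice"},
    "DEVELOPER": {"transport_program_change"},
    # A single profile can itself bundle incompatible duties.
    "PLANT_SUPERVISOR": {"run_production_order", "post_journal_entry"},
}

# Constructed user-to-profile assignments.
SAMPLE_ASSIGNMENTS = {
    "amal": ["WAREHOUSE_CLERK", "GL_ACCOUNTANT"],
    "bilal": ["AP_CLERK"],
    "chen": ["DEVELOPER", "AP_CLERK"],
    "dana": ["PLANT_SUPERVISOR"],
}


class Conflict(NamedTuple):
    guideline: int     # which of the four guidelines is breached
    duties: tuple      # the two incompatible duties, sorted
    granted_by: tuple  # (profile, authorization) pairs that supply either duty


def find_conflicts(profile_names):
    """Return the incompatible duty pairs reachable through a set of profiles."""
    sources = {}  # duty -> {(profile, authorization)} granting it
    for name in profile_names:
        if name not in PROFILES:
            # Fail closed: an unclassified profile cannot be assessed.
            raise ValueError(f"unknown profile {name!r}: classify it before granting")
        for auth in PROFILES[name]:
            sources.setdefault(AUTH_DUTY[auth], set()).add((name, auth))
    found = []
    for pair, guideline in INCOMPATIBLE.items():
        if pair.issubset(sources):
            a, b = sorted(pair)
            found.append(Conflict(guideline, (a, b), tuple(sorted(sources[a] | sources[b]))))
    return sorted(found)


def audit_users(assignments):
    """Periodic review: every user whose combined profiles breach a guideline."""
    report = {}
    for user, profiles in assignments.items():
        conflicts = find_conflicts(profiles)
        if conflicts:
            report[user] = conflicts
    return report


def review_request(current_profiles, requested_profile):
    """Approval step: conflicts that granting one more profile would newly create."""
    before = {c.duties for c in find_conflicts(current_profiles)}
    after = find_conflicts(list(current_profiles) + [requested_profile])
    return [c for c in after if c.duties not in before]


if __name__ == "__main__":
    for user, conflicts in audit_users(SAMPLE_ASSIGNMENTS).items():
        for c in conflicts:
            print(user, "guideline", c.guideline, c.duties, c.granted_by)
```

The `granted_by` field names the profiles behind each dual assignment, which is what a reviewer needs when asking the business process owner for the rationale.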
As mentioned above, IAs play the role of communicator. Lack of communication
may cause data quality problems, thus affecting the data integrity in ERP. IAs ensure
that adequate documentation of the ERP system is prepared and provided to users to
follow. They must encourage multiple communication channels and ways to encourage
feedback and enable fast corrective measures when necessary. Xu et al. (2002) state that
successful ERP implementation depends on understanding and communications
between different systems and different functional divisions. It depends also
on frequent communication among IT professionals and business professionals
to enhance their mutual understanding. Furthermore, the vital process of addressing
the potential risks or threats of ERP implementation depends on direct communication
between the IAs and the executives, the audit committee and the board of directors.
An IA also plays a role in the organization as an IT expert. There may be difficulty in
obtaining IAs with extensive information technology skills. However, a substantial
understanding of those technical requirements will enhance the IA's role in
implementing ERP. The IA assists IT experts to develop a reliable system, which can
produce highly reliable information quickly. A reliable system is one that operates
without material error, fault or failure during a specified time in a specified
environment (Zhao et al., 2004). Zhao et al. also state that a reliable system must achieve
the following four principles:
(1) Availability. The system is available for operation and use at times set forth in
service agreements.
(2) Security. The system is protected against unauthorized physical and logical
access. Logical access is the ability to read or manipulate data through remote
access.
(3) Integrity. System processing is complete, accurate, timely and in accordance
with the entity's transaction approval and output distribution policy.
(4) Maintainability. The system can be updated in a manner that provides
continuous availability, security and integrity.
These roles will continue to be experienced in the post-implementation phase but to a
lesser degree. In the post-ERP implementation phase, two questions arise:
(1) What will be the function of internal auditing, and what is the role of the IAs?
(2) What capabilities are required of IAs?
An ERP system drives the organization strategically, and it entails many changes to
the audit process. These changes affect the business processes, the information
technology, and the ERP software version. Ultimately, these changes affect the internal
audit function, and they oblige the IAs to develop new expertise. IAs need to identify
internal and external sources of risk and their effects on controls, to evaluate the
adequacy of resources, and to assess the effects on control procedures (Gibbs, 1998).
Figure 2 shows the revised role of the IA with the various associated groups in the
post-implementation phase of ERP.
As shown in Figure 2, the internal audit functions need to be seen in a fuller context,
which includes:
• Developers. Understand control processes and perhaps seek a consultant's advice
in the case of continuous process reengineering. Review business workflow and
continue process monitoring. Ensure historical data warehousing is accurate,
consistent, and complete for future intelligent decisions.
• Service providers. Share knowledge and expertise with and provide services to
both IS/IT managers and users.
• Maintainers. Maintain close contact with the vendor to ensure the adequacy of
configuration change control of the ERP system.

[Figure 2. The role of the IA in post-ERP implementation. Diagram nodes: IA, U,
IT/IS and C; role labels: Service provider (twice), Maintainer and Developer.]

Implementing an ERP system in the organization is perceived as business process
reengineering (Zairi and Sinclair, 1995). IAs together with appointed consultants
develop a systematic and structured methodology that offers the necessary working
plans, techniques and software tools to help redesign business processes, mapping
them and ensuring their alignment with ERP processes (Al-Mashari and Zairi, 2000).
Stevens (1997) studied Kodak's success in implementing business process
reengineering through an ERP system, and highlighted the use of a well-disciplined
"phases and gates" approach that moves projects through a series of steps of
assessment and planning, design and prototyping, and delivery and absorption. This
approach enforces a review of the efforts at certain checkpoints with very specified
deliverable expectations in order to make sure the efforts fulfil the commitments within
the expected time and budget.
The above activities require work by both IAs and consultants. Sharing expertise
between IAs, IT professionals and other employees from different functional divisions
helps to integrate the ERP system fully, thus allowing information to flow quickly
throughout the organization. Such an integration protects the organization from being
bogged down by information fragmentation and bottlenecks. It thus enables
management to keep up with the rate of change in the organization's internal and
external environment (Ramamoorthi and Weidenmier, 2006). Sharing initiative can be
enhanced by the establishment of extensive internal communication channels, including
focus groups, newsletters, e-mail, and web-based archives (Bancroft et al., 1998).
These help to inform employees about new developments, and answer their
questions about ERP implementation (Romei, 1996). In addition, the IAs have a role
in the on-going monitoring process, particularly to maintain segregation of duties,
and any suspicious changes can be logged automatically for further checking or review.
With regard to control activities, IAs may use audit software as a detective control to
identify incomplete, inaccurate and fraudulent data. Corrective control enables
auditors to continuously monitor the control effectiveness and the changes within the
ERP system.
5. Conclusion and future research
Internal controls are established to help achieve management objectives and to
maintain effective control over organizational activities and operations. An ERP
system drives the organization strategically and replaces the huge number of
databases in a company with one powerful system capable of integrating, analyzing,
and reporting on information from all of the company's business functions. ERP
changes the business processes and the hardware/software configuration, which all
affect the internal audit function. This paper presents a framework for the new role of
IAs in ERP-based organizations.
The internal audit function needs to be redefined in terms of focus, scope, and range
of services in light of strategic management, alliance with other appraisal functions,
and the need to audit technical applications. In order to cope with new tasks in ERP,
IAs must enhance their technical knowledge and practical experience in the area of
information technology and ISs. This new expertise can be obtained through courses,
on-the-job training, and attachment in the data-processing department. Up-to-date
technical knowledge and practical experience are essential, since the audit activities for
ERP will no longer be at the end of each financial cycle, but in real time. Conversely,
technical staff should also be encouraged to acquire a knowledge of auditing and
accounting.
Furthermore, in an ERP environment, IAs must be able to share their expertise in
internal control areas with other users and consultants. For instance, in developing
software to support ERP implementation, the developers or engineers should be made
aware of the importance of effective internal control, so that they can produce software
that provides not only high capability but also high integrity.
Moreover, IAs need to share and teach users from various departments within the
organization the methods of effective internal control for ERP. In this way, potential
problems such as fraud, data manipulation, unauthorized approval, and hardware
failure can be avoided from the beginning of the process rather than being identified
and addressed at the end of the audit trail, which may be disastrous to the
organization. In short, with the implementation of ERP, effective internal control is no
longer the function of IAs exclusively, but becomes the responsibility of all parties
involved.
In an ERP environment, the IAs' role is proactive and on-going. To overcome
potential problems due to segregation of duties in ERP-based organizations,
IAs must repeat the testing procedures periodically (Lightle and Vallario, 2003). These
procedures include checks on the software integrity, the hardware capability, and
the manual or operating procedure guideline comprehensiveness. As businesses are
becoming more dynamic today, employees and managers come and go, and suppliers and
vendors change constantly; therefore, transaction codes, database profiles, and
identification numbers may need to be added or deleted. Such changes may cause risks
to an ERP-based organization, and they oblige the IAs to carry out continuous
checking.
Looking ahead to a highly integrated ERP organization, IAs are engaged in
risk-intelligence activities. These allow the organization to protect itself from any
potential interruption or loss, from either internal or external factors. In addition,
involvement in risk-intelligence will supplement the organization's internal control,
compliance, and good governance practices. While a business organization invests
heavily in information communication technology to reduce costs and to enhance
effectiveness and efficiency, such an initiative also attracts risks which are seldom foreseen
in the planning or implementation stages of ERP. The IAs' role in risk-intelligence for
an ERP-based organization includes:
• recognizing the full spectrum of risks;
• connecting the identified risks with potential implications;
• advising the management on optimal resource allocation;
• anticipating and suggesting integrated responses to risks; and
• providing risk-management advice to maximize the upside as well as minimize
the downside (Hespenheide et al., 2007).
There can be a number of directions for future research in the ERP field. For example, the
frameworks shown in this paper can be used for future research to empirically examine
the validity and usefulness of this proposed model in ERP-based organizations using
survey questionnaire and case-method approaches. This research would help in gaining
insights into the new roles and functions of IAs, in particular, assessing the relationship
between IAs and various associated groups: software vendors, ISs, IT managers, ERP
users, and consultants, in the pre- and post-ERP implementation stages.
Second, while ERP systems provide powerful technologies that are capable of
integrating, analyzing and reporting information from all of the company's functions
(technical, operational, and financial), they expose user organizations to various kinds
of risks and potential threats as illustrated in the paper. Future research can also be
directed to identify these new risks and threats and how countering these risks and
threats has impacted strategically on the role and functions of IAs in ERP-based
organizations. Importantly, this research can also investigate what countermeasure
strategies, risk control mechanisms and solutions ERP-based organizations have
developed and implemented and the role of IAs in the design, implementation and
monitoring stages, in addition to the adequacy of these mechanisms and solutions.
Third, ERP systems have strategically changed or impacted not only the roles and
functions of IAs, but also the internal audit environment. Future research can be directed
to study the skills, knowledge, capabilities and experiences IAs must have in order to
carry out their roles and functions in ERP organizations and to what extent these
organizations were successful in this respect.
References
Akkermans, H. and van Helden, K. (2002), "Vicious and virtuous cycles in ERP implementation:
a case study of interrelations between critical success factors", European Journal of
Information System, Vol. 11 No. 1, pp. 35-46.
Al-Mashari, M. and Zairi, M. (2000), "The effective application of SAP R/3: a proposed model of
best practice", Logistics Information Management, Vol. 13 No. 3, pp. 156-66.
Al-Mashari, M., Al-Mudimigh, A. and Zairi, M. (2003), "Enterprise resource planning:
a taxonomy of critical factors", European Journal of Operational Research, Vol. 146 No. 2,
pp. 352-64.
Arens, A.A. and Loebbecke, J.K. (2000), Auditing: An Integrated Approach, 8th ed., Prentice-Hall,
Upper Saddle River, NJ.
Bancroft, N., Seip, H. and Sprengel, A. (1998), Implementing SAP R/3: How to Introduce a Large
System into a Large Organization, Manning, Greenwich, CT.


Best, P., Mohay, G. and Anderson, A. (1997), "MIATA: a machine independent audit trail
analyser", Australian Computer Journal, Vol. 29 No. 2, pp. 57-63.
Boudreau, M.C. and Robey, D. (1999), "Critical issues affecting an ERP implementation",
Information Systems Management, Vol. 16 No. 3, pp. 7-14.
Brown, W. and Nasuti, F. (2005), "What ERP systems can tell us about Sarbanes-Oxley",
Information Management & Computer Security, Vol. 13 No. 4, pp. 311-23.
Carroll, J.M. (1987), Computer Security, 2nd ed., Butterworths, Stoneham, MA.
Chapman, C. (1998a), "Just do it: an interview with Michael Hammer", Internal Auditor, Vol. 55
No. 3, pp. 38-41.
Chapman, C. (1998b), "Update", Internal Auditor, Vol. 55 No. 1, pp. 11-12.
Clark, D. and Wilson, D. (1987), "A comparison of commercial and military computer security
policies", paper presented at the IEEE Symposium on Security and Privacy, IEEE
Computer Society Press, Oakland, CA.
Davenport, T. (1998), "Putting the enterprise into the enterprise system", Harvard Business
Review, Vol. 76 No. 4, pp. 121-31.
Davies, D.W. and Price, W.L. (1989), Security for Computer Network, 2nd ed., Wiley,
New York, NY.
Dittenhofer, M. (2001), "Reengineering the internal auditing organization", Managerial Auditing
Journal, Vol. 16 No. 8, pp. 458-68.
Esteves, J. and Pastor, J. (2001), "Enterprise resource planning systems research: an annotated
bibliography", Communications of the AIS, Vol. 7 No. 8, pp. 1-52.
Ferraiolo, D.F., Gilbert, M.D. and Lynch, N. (1992), Assessing Federal and Commercial
Information Security Needs (USA), National Institute of Standards and Technology,
Gaithersburg, MD.
Gibbs, J. (1998), "Going live with SAP", Internal Auditor, Vol. 55 No. 3, pp. 70-5.
Gibson, J., Holland, C. and Light, B. (1999), "Enterprise resource planning: a business approach to
systems development", Proceedings of the 32nd Hawaii International Conference on
System Sciences, Vol. 7, pp. 163-8.
Glover, S.M., Prawitt, D.F. and Romney, M.B. (1999), "Implementing ERP", Internal Auditor,
Vol. 56 No. 4, pp. 47-53.
Hespenheide, E., Pundmann, S. and Corcoran, M. (2007), "Risk intelligence: internal auditing in a
world of risk", Internal Auditing, Vol. 22 No. 4, pp. 3-10.
Hong, K.-K. and Kim, Y.-G. (2002), "The critical success factors for ERP implementation:
an organizational fit perspective", Information & Management, Vol. 40 No. 1, pp. 25-40.
Koh, C., Soh, C. and Markus, L. (2000), "A process theory approach to analyzing ERP
implementation and impacts: the case of Revel Asia", Journal of Information Technology
Cases and Applications, Vol. 2 No. 1, pp. 4-23.
Lightle, S. and Vallario, C. (2003), "Segregation of duties in ERP", Internal Auditor, Vol. 60 No. 5,
pp. 27-31.
Little, A. and Best, P.J. (2003), A framework for separation of duties in an SAP R/3
environment, Managerial Auditing Journal, Vol. 18 No. 5, pp. 419-30.
Lunt, T.F. (1993), A survey of intrusion detection techniques, Computers & Security, Vol. 12
No. 4, pp. 405-18.
Maurizio, A., Girolami, L. and Jones, P. (2007), EAI and SOA: factors and methods influencing
the integration of multiple ERP systems (in an SAP environment) to comply with

the Sarbanes-Oxley Act, Journal of Enterprise Information Management, Vol. 20 No. 1,


pp. 14-31.
Nah, F.F.-H., Lau, J.L.-S. and Kuang, J. (2001), Critical success factors for successful
implementation of enterprise systems, Business Process Management Journal, Vol. 7 No. 3,
pp. 285-96.
Pfleeger, C.P. (1989), Security in Computing, Prentice-Hall, Englewood Cliffs, NJ.
Pierce, T. (2007), Taming program risk: five critical success factors, Internal Auditing, Vol. 22
No. 5, pp. 3-8.
Ramamoorthi, S. and Weidenmier, M.L. (2006), ERM under construction: is IT next for ERM?,
The Internal Auditor, Vol. 63 No. 2, pp. 45-50.
Reid, B. (1987), Reflections on some recent widespread computer break-ins, Communications of
the ACM, Vol. 30 No. 2, pp. 103-5.
Romei, L. (1996), New technology strengthens new commitment, Managing Office Technology,
Vol. 41 No. 7, pp. 18-20.
Scott, J.E. and Vessey, I. (2000), Implementing enterprise resource planning systems: the role of
learning from failure, Information Systems Frontiers, Vol. 2 No. 2, pp. 213-32.
Seeley, D. (1989), Password cracking a game of wits, Communications of the ACM, Vol. 32 No. 6,
pp. 700-4.
Smaha, S.E. (1988), Haystack: an intrusion detection system, 4th Aerospace Computer Security
Applications Conference, Orlando, FL, December, pp. 37-44.
Soliman, F., Clegg, S. and Tantoush, T. (2001), Critical success factors for integration of
CAD/CAM systems with ERP systems, International Journal of Operations & Production
Management, Vol. 21 Nos 5/6, pp. 609-29.
Spafford, E.H. (1989), The internet worm: crisis and aftermath, Communications of the ACM,
Vol. 32 No. 6, pp. 678-87.
Srinidhi, B. (1994), The influence of segregation of duties on internal control judgements,
Journal of Accounting, Auditing & Finance, Vol. 9 No. 3, pp. 423-44.
Stevens, T. (1997), Kodak focuses on ERP, Industry Week, Vol. 246 No. 15, pp. 130-5.
Stoll, C. (1988), Stalking the Wiley Hacker, Communications of the ACM, Vol. 31 No. 5,
pp. 484-97.
Verville, J. (2000), An empirical study of organizational buying behavior: a critical investigation
of the acquisition of ERP software, dissertation, Universite Lavel, Quebec City.
Verville, J. and Halingten, A. (2002), A qualitative study of influencing factors on the decision
process for acquiring ERP software, Qualitative Market Research: An International
Journal, Vol. 5 No. 3, pp. 188-98.
Verville, J. and Halingten, A. (2003), A six-stage model of the buying process for ERP software,
Industrial Marketing Management, Vol. 32 No. 7, pp. 585-94.
Verville, J., Bernadas, C. and Halingten, A. (2005), So youre thinking of buying an ERP?
Ten critical factors for successful acquisitions, Journal of Enterprise Information
Management, Vol. 18 No. 6, pp. 665-77.
Xu, H.-J., Nord, J.H., Brown, N. and Nord, G.D. (2002), Data quality issues in implementing an
ERP, Industrial Management & Data System, Vol. 102 No. 1, pp. 47-58.
Zairi, M. and Sinclair, D. (1995), Business process re-engineering and process management:
a survey of current practice and future trends in integrated management, Management
Decisions, Vol. 33 No. 3, pp. 3-16.

Role of internal
auditors

525

JAOC
5,4

526

Zhao, N., Yen, D.C. and Chang, I.-C. (2004), Auditing in the e-commerce era, Information
Management & Computer Security, Vol. 12 No. 5, pp. 389-400.
Further reading
Gupta, A. (2000), Enterprise resource planning: the emerging organizational value systems,
Industrial Management & Data Systems, Vol. 100 No. 3, pp. 114-8.
Corresponding author
Haider H. Madani can be contacted at: madani@kfupm.edu.sa
