International Journal of Accounting Information Systems xxx (2014) xxx–xxx

Contents lists available at ScienceDirect

Centralized end-to-end identity and access management and ERP systems: A multi-case analysis using the Technology Organization Environment framework

Marianne Bradford (a, *), Julia B. Earp (b, 1), Severin Grabski (c, 2)

a Poole College of Management, North Carolina State University, Nelson Hall 3114, Raleigh, NC 27695-8113, United States
b Poole College of Management, North Carolina State University, Nelson Hall 1344, Raleigh, NC 27695-7229, United States
c Michigan State University, Department of Accounting and Information Systems, N270 Business College Complex, 632 Bogue Street, East Lansing, MI 48824, United States

Article history:
Received 14 April 2013
Received in revised form 22 January 2014
Accepted 27 January 2014
Available online xxxx

Keywords:
Technology Organization Environment (TOE) framework
Identity and access management (IAM)
Enterprise Resource Planning System
Case Study
Centralized end-to-end identity and access management

Abstract
System security is a top issue facing global organizations. This study investigates the constraints and benefits of a successful centralized end-to-end identity and access management (CIAM) implementation and the moderating role that ERP systems have in the implementation. We apply the Technology Organization Environment (TOE) framework to a case study approach. We find that organizational and technological factors result in lapses in IT governance and act as barriers to CIAM. Environmental factors also hinder CIAM implementation. Additionally, ERP systems facilitate the development of a CIAM due to integration and standardization of identities and automated provisioning. When the ERP system supports CIAM, the organization and its employees experience significant benefits including single sign-on capabilities, increased security and privacy, efficiencies in user provisioning and password management, and audit process improvement. Our results will be of value to any organization implementing CIAM and ERP. Researchers can also use our findings to further study IAM, ERP or extensions to the TOE framework.

© 2014 Elsevier Inc. All rights reserved.

* Corresponding author. Tel.: +1 919 513 1436 (office); fax: +1 919 515 4446.
E-mail addresses: marianne_bradford@ncsu.edu (M. Bradford), jbearp@ncsu.edu (J.B. Earp), grabski@msu.edu (S. Grabski).
1 Tel.: +1 919 513 1707; fax: +1 919 515 6943.
2 Tel.: +1 517 432 2922 (office); fax: +1 517 432 1101.

1467-0895/$ – see front matter © 2014 Elsevier Inc. All rights reserved.
http://dx.doi.org/10.1016/j.accinf.2014.01.003

Please cite this article as: Bradford M, et al, Centralized end-to-end identity and access management and
ERP systems: A multi-c..., Int J Account Inf Syst (2014), http://dx.doi.org/10.1016/j.accinf.2014.01.003

1. Introduction

Identity and access management (IAM) is a key component of an organization's information technology (IT)
infrastructure (McQuaide, 2003). It is a cross-functional process composed of traditional security measures
that protect information systems against unauthorized access and that can be automated for
increased efficiency and effectiveness. Without a properly functioning IAM, it is very difficult to prove, control,
and monitor which users access what information and to determine whether that access is in compliance with
internal and external regulations. Privacy concerns, various categories of system users and multiple business
systems compound these issues (Sullivan, 2009).
Currently, many organizations have distributed IAM infrastructures, which arise when each newly
implemented business system brings its own identity infrastructure with it. A distributed IAM contributes
to system complexity, errors, and susceptibility to data breaches (Internet2 Middleware Initiative, 2007).
Each added layer makes the overall management of these systems more complex.
Consequently, the goal for many organizations is to move towards a centralized, end-to-end IAM infrastructure
(CIAM). In this context, centralized refers to “a single software solution with consistent processes clearly
documented and managed through a single implementation tool” (Institute of Internal Auditors, 2007). This
type of infrastructure strengthens IT governance in the organization as consistent principles and policies are
applied across all business systems. If a centralized IAM architecture is implemented, multiple security
technologies can be managed from a single console (or a minimal number of consoles) (Boyle and Panko, 2012).
End-to-end refers to a highly automated and compliant infrastructure containing the key activities of
identification, authentication, and authorization. End-to-end also refers to an infrastructure including
automated password resets, controls for segregation of duties (SoD) violations, and triggers from human
resources (e.g., hiring and employee actions) to protect the organization's information systems (IS) including
enterprise resource planning (ERP) systems (Sullivan, 2009). This research seeks to use unbiased academic
methods to explore both constraints and benefits to a CIAM in organizations using a validated framework,
Technology, Organization and Environment (TOE) (Tornatzky and Fleischer, 1990).
Internal controls, whether physical or digital, are a critical part of the accounting and auditing
environment. For example, external auditors verify their clients' internal controls, many of which are
IT-related, such as logical access. ISACA has provided guidance to auditors on how IAM should be
incorporated relative to the Sarbanes–Oxley Act of 2002 (SOX) and COBIT (Kaur, 2011). According to
ISACA, the IT auditor must assess the effectiveness of the IAM and understand the IAM workflow rather
than the access of each individual user (Rai and Chukwuma, 2011). Internal auditors receive guidance
from The Institute of Internal Auditors (IIA) which suggests breaking out IAM into topical areas:
administration, provisioning and enforcement (Institute of Internal Auditors, 2007). Thus, CIAM is a
critical area of study both for practitioners and IS researchers.
There has been limited research on IAM in the IS literature unless one considers its individual components.
This study seeks to fill this gap in research with an exploration of all components of IAM that together create a
state-of-the-art CIAM system. As well, ERP and CIAM have not been examined together. Most ERP-related
studies focus on critical success factors for implementation, while few examine ERP security. In practitioner
articles, CIAM has been discussed, and several benefits to CIAM have been suggested; fewer constraints to
CIAM are known.
Based on these motivations, the objectives of this study are 1) to explore constraints to a successful
CIAM implementation; 2) to understand the key benefits of a CIAM to organizations; and 3) to understand
the role that ERP systems play in the successful implementation of CIAM. We use two case studies to
answer our research questions. The organizations in our study have nearly implemented CIAM and have
successfully implemented ERP systems. We base our study on the TOE framework from the technology,
innovation, and information systems literature (Tornatzky and Fleischer, 1990). By applying this
framework, we find that organizational and technological factors result in lapses in IT governance which
serves as a barrier to CIAM. Environmental factors also hinder CIAM implementation. Additionally, ERP
systems facilitate the development of a CIAM by integrating and standardizing identities, providing triggers
for automated provisioning/de-provisioning and more factors.
The remainder of this paper consists of seven sections. Section 2 provides an overview of the fundamental
terms used in the study. Section 3 outlines the TOE framework and relevant IAM and ERP research.
Section 4 presents our research questions, followed by the research method in Section 5. In Section 6 we
present our research model based on the TOE framework and findings from our case studies. In Section 7,
we discuss the research findings before we conclude in Section 8.

2. Centralized end-to-end identity and access management

Baldwin et al. (2010) discuss the operations required in an IAM process. These operations, ranging
from the creation of the identity, to the ultimate destruction of the identity must be controlled at every
step in the process and risks identified. However, if the IAM process is primarily manual, controlled by
disparate units, or requires separated identity management systems for individual applications, errors can
occur resulting in users gaining rights that they should not possess.
A CIAM begins with an integrated process that performs the three main activities of IAM (see Fig. 1). The first,
identification, is the process of describing an individual to a system. The second activity, authentication, involves
verifying that a user's claim to a particular identity is, in fact, true. This is commonly done through the use of user
IDs and passwords. Authenticated identities then become the foundation for the third activity, authorization, or
the level of access that a particular authenticated user should have to resources controlled by the system
(Sullivan, 2009). In ERP systems, this is accomplished through role based access control (RBAC), which uses
organizational roles to assign access to individuals.
A centralized tool for IAM would also incorporate automated tools for virtually every area of IAM (i.e.
end-to-end) such as tools that approve and provision users, assist with password resets and multi-factor
authentication, facilitate enterprise single sign on, provide for user activity compliance management and
monitor SoD violations (Torres and Thomas, 2009). Policies and procedures are an important piece of a CIAM,
and automating key tasks based on business policies improves security and lowers the cost of meeting the
compliance requirements.
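The three activities and the SoD control described above, as an added illustration that is not code from the paper or from either HEI's systems: a single identity store authenticates a user against a salted password hash, derives permissions from ERP-style organizational roles (RBAC), and checks the user's combined permissions against a list of conflicting transaction pairs, both preventively (when a role is requested) and detectively (over assignments that already exist, as an uncontrolled feed might leave them). The role names, transaction codes and conflict pairs are assumptions chosen for the example.

```python
# Added illustration of identification, authentication, authorization and an SoD
# check.  Not code from the paper; role names, transaction codes and the conflict
# pairs below are assumptions chosen for the example.
import hashlib
import hmac
import os
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Authorization model: ERP-style organizational roles, each granting transactions.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "ap_clerk": frozenset({"vendor.create", "invoice.enter"}),
    "ap_manager": frozenset({"invoice.approve", "payment.release"}),
    "hr_specialist": frozenset({"employee.create", "payroll.view"}),
    "auditor": frozenset({"invoice.view", "payment.view"}),
}

# SoD policy: pairs of transactions one person must never hold together
# (assumed examples, e.g. creating vendors and releasing payments to them).
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"vendor.create", "payment.release"}),
    frozenset({"invoice.enter", "invoice.approve"}),
    frozenset({"employee.create", "payroll.view"}),
}

_DUMMY_SALT = b"\x00" * 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


class IdentityStore:
    """The single identity store a CIAM is built on: one record per person,
    holding credential material and the organizational roles assigned."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}

    # identification: describe the individual to the system
    def register(self, user_id: str, password: str, roles: List[str]) -> None:
        for role in roles:
            if role not in ROLE_PERMISSIONS:
                raise ValueError(f"unknown role {role!r}")
        salt, digest = hash_password(password)
        self._users[user_id] = {"salt": salt, "digest": digest,
                                "roles": set(roles), "active": True}

    def deactivate(self, user_id: str) -> None:
        self._users[user_id]["active"] = False

    # authentication: verify the claim to an identity
    def authenticate(self, user_id: str, password: str) -> bool:
        rec = self._users.get(user_id)
        if rec is None or not rec["active"]:
            hash_password(password, _DUMMY_SALT)  # equalize timing for unknown IDs
            return False
        _, digest = hash_password(password, rec["salt"])
        return hmac.compare_digest(digest, rec["digest"])

    # authorization: permissions follow from roles (RBAC), never from the user directly
    def permissions(self, user_id: str) -> Set[str]:
        perms: Set[str] = set()
        for role in self._users[user_id]["roles"]:
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def authorize(self, user_id: str, transaction: str) -> bool:
        rec = self._users.get(user_id)
        return bool(rec and rec["active"] and transaction in self.permissions(user_id))

    # SoD, detective form: conflicts already present in a user's combined roles
    def sod_violations(self, user_id: str) -> List[Tuple[str, ...]]:
        perms = self.permissions(user_id)
        return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= perms)

    # SoD, preventive form: refuse a role that would introduce a conflict
    def assign_role(self, user_id: str, role: str, enforce: bool = True) -> List[Tuple[str, ...]]:
        """Returns the conflicts the new role would create.  With enforce=True the
        role is only granted when that list is empty; enforce=False models an
        uncontrolled feed whose result sod_violations() has to catch afterwards."""
        combined = self.permissions(user_id) | ROLE_PERMISSIONS[role]
        conflicts = sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= combined)
        if conflicts and enforce:
            return conflicts
        self._users[user_id]["roles"].add(role)
        return conflicts
```

The preventive check is what a provisioning workflow should call before an approval is even routed; the detective check is what an audit or a periodic access review runs over the store as it actually is. Deactivation is deliberately separate from deletion so that a departed user's record (and therefore the history of what they held) survives while every authentication and authorization for that ID fails.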
A CIAM enforces security policies by monitoring employee and third-party access and use of organizational
data in real time across multiple databases in numerous locations (Aldhizer, 2008). Costs skyrocket when
activities in the system user life cycle, such as granting or revoking access rights for system users and password
resets, are done manually. Manual processes consume personnel hours, create human error, decrease
productivity, and distract from more strategic tasks (Romer, 2008; Oracle Identity Management, 2009).
CIAM systems also facilitate privacy goals for the organization. Numerous security-related events have
been publicized over the past few years, causing individuals to be more concerned about how organizations
secure their personal information (Antón et al., 2010). As a result, over 45 states passed data-breach
notification laws requiring organizations to alert individuals when breaches involve their personal
information. These laws further emphasize the significance of how a lapse in organizational IT security can
negatively impact various stakeholders as well as the organization (Goel and Shawky, 2009). In addition, the
Payment Card Industry Security Standards Council (PCI SSC) was formed in 2006 to develop standards for systems that
support credit card payment. Compliance obligations such as these will only increase as more IT-related
regulations and requirements are introduced. Combined together, these regulations highlight the need for
organizations to have effective security and IAM.

3. Framework and related research

A substantial amount of prior research has examined the use of technological innovations in firms. Several
theories have been proposed to study technological use in a variety of contexts. DePietro et al. (1990) in
Tornatzky and Fleischer's The Processes of Technological Innovation developed the TOE framework that presents
“three elements of a firm's context that influence the process by which it adopts and implements technological
innovations: organizational context, technological context, and environmental context”.3 The technology context
includes the internal and external technologies that are applicable to the firm. Technologies may include both
equipment as well as processes. The organizational context refers to the characteristics and resources of the firm,
such as degree of formalization, managerial structure, human resources, and linkages among employees. The
external task environment includes factors such as the size and structure of the industry, the firm's competitors,
the macroeconomic context, and the regulatory environment. TOE theory states that in addition to the qualities
of an innovation, there exist these broader contexts that influence innovation adoption, implementation, and
use. The influences can represent both constraints and benefits for technological innovation and can influence
each other (Fig. 2) (Tornatzky and Fleischer, 1990).

3 Individual level theories such as technology acceptance (e.g., Davis, 1989; Davis et al., 1989) and unified theory of acceptance and use of
technology (e.g., Venkatesh et al. 2003) are not appropriate as the decision to implement a CIAM is made at the organizational level.

Fig. 1. A CIAM infrastructure.
A number of studies have employed the TOE framework to understand IS and technology including ERP
(Bradford and Florin, 2003), RFID (Lee and Shim, 2007), E-Business (Zhu and Kraemer, 2005; Mishra et al.,
2007) and single sign-on and multifactor authentication (D'Costa-Alphonso and Lane, 2010). TOE has a
solid theoretical basis, consistent empirical support, and promise of application to other IS innovation
domains. Thus, we adopt and apply the TOE framework into the CIAM domain.
A review of the academic literature reveals a dearth of studies on the specific topic of CIAM. However,
IAM individual components have been studied. For instance, there is an area of security research on
role-based access control models (Sandhu et al., 1996), design (Hitchens and Varadharajan, 2000) and
implementation (Wang et al., 2005). Identity management has also received a significant amount of
attention with regard to implementation (Wayman, 2008) and usability (Jones et al., 2007). CIAM as a
topic has appeared in practitioner articles (Gregory, 2013), white papers (e.g., Griffeth, 2010; Oracle
Identity Management, 2009), and minimally in IAM auditing guidelines where the IIA simply asks “Is the
IAM environment centralized or distributed …” (Institute of Internal Auditors, 2007).
Regarding ERP research, the majority of studies have focused on critical success factors for an implementation
(Bradford and Florin, 2003), the financial impact of ERP systems (Brazel and Dang, 2008), the business case
justification for ERP (Babey, 2006) and ERP benefits (O'Leary, 2004). Concerning ERP and security, there are
several studies worth noting. One study identifies the need for ERP control structures (Scapens and Jazayeri,
2003) and the ability for ERP access authorization to be based on profiles for role-based and transaction-based
access definitions (Van de Riet et al., 1998). Another study examines the testing for appropriate SoD in ERP
systems (Lightle and Vallario, 2003), while another states that ERP systems should lead to stricter forms of
authentication and increased automation of access controls (Chandra and Calderon, 2003). Finally, one study
compares risks across ERP modules and vendors and provides exploratory insight into factors to consider when
auditing ERP systems (Wright and Wright, 2002). However, the relationship between ERP and CIAM has not
been examined. A recent literature review of ERP has called for research to evaluate the adequacy of ERP control
mechanisms (Grabski et al., 2011).

4. Research questions

Based upon the TOE framework and prior research, we develop a series of three research questions. Our first
research question seeks to fill a current void in IS research by identifying the technology, organization and
environmental constraints that affect the successful implementation of CIAM in organizations. What we know
about implementing CIAM is that it is very costly and time-consuming to create and maintain, and many
companies have failed in their efforts (She and Thuraisingham, 2007). Torres and Thomas (2009) state that
organizations wanting to enable CIAM face long, complex implementations, especially in large organizations,
and must create new policies and procedures to use and maintain these secure systems. Additionally, since the
establishment of a CIAM will most likely occur in phases, this requires that both old and new systems that
support a CIAM be run simultaneously until the CIAM is fully implemented.

Fig. 2. The context of technological innovation (Tornatzky and Fleischer, 1990, p. 153). The figure shows three
contexts feeding Technological Innovation Decision Making: External Task Environment (industry characteristics
and market structure; technology support infrastructure; government regulation); Organization (formal and
informal linking structures; communication processes; size; slack); and Technology (availability; characteristics).

ERP systems include integration points with CIAM tools, such as provisioning tools (e.g., Oracle Waveset)
or SoD monitoring tools (e.g., SAP BusinessObjects Access Control). But even in organizations that use an ERP system, there
often remain legacy business systems, and most legacy systems do not easily integrate with IAM tools
and require custom development for integration (D'Costa-Alphonso and Lane, 2010). Another possible
challenge is balancing the need to mitigate security risks with users' legitimate need to access data to
complete their job responsibilities (Aldhizer, 2008). Much of the evidence addressing these issues is
anecdotal and noted in white papers and practitioner presentations. Therefore, we attempt to validate and
extend what is known in practice. Due to CIAM complexity, there are potentially additional, unidentified
barriers to implementation. Thus, our first research question is:

RQ1. What are the technological, organizational and environmental constraints to implementing a centralized,
end-to-end IAM infrastructure?

In the second research question we seek to gain insights into technological innovation decision-making
(see Fig. 2). We evaluate the benefits actually attained (rather than perceived benefits) by the two higher education
institutions (HEIs) in our study through their ongoing CIAM implementations. According to practice, if an organization can reach the state
where they have a CIAM, this will have the overarching benefit of decreasing an organization's IT risk along with
reducing the costs to maintain user access rights. Specifically, risks associated with unauthorized access will be
reduced due to a consistent enforcement of access rights policies across all applications. This risk is reduced
across the access lifecycle for an individual, from the initial granting of rights and privileges, to the maintenance
of those rights as the individual moves into new jobs, to the eventual elimination of all rights when that
individual leaves the organization. Using tools that automatically approve and provision users improves
efficiency and helps reduce the error rates of these activities (Torres and Thomas, 2009). CIAM enforces security
policies by monitoring employee and third-party access and use of organizational data in real time across
multiple databases in numerous locations (Aldhizer, 2008). Other tools can assist users with activities such as
automatic password resets, thereby eliminating manual helpdesk intervention. The aforementioned are benefits
that have been proffered in practitioner research. We examine this issue in more detail using a scientific
methodology (case study approach using the TOE framework). Thus, our second research question is as follows:

RQ2. What are the organizational benefits to implementing a centralized, end-to-end IAM?
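The access lifecycle just described (initial grant, maintenance as the individual moves into new jobs, elimination of all rights at departure) and the HR triggers mentioned in the Introduction, as an added example that is not the paper's or either HEI's code: HR joiner, mover and leaver events drive provisioning actions in every connected system, and a reconciliation step compares the accounts each system reports against the central store to surface the orphaned accounts a distributed IAM leaves behind. The HR event format, the job-code-to-role mapping and the system names are assumptions.

```python
# Added illustration of HR-triggered joiner/mover/leaver provisioning and account
# reconciliation.  Not code from the paper or either HEI; the HR event format,
# the job-code-to-role mapping and the system names are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed mapping from HR job code to ERP role(s); this table is what lets
# provisioning be automated instead of requested ad hoc.
JOB_ROLES: Dict[str, Set[str]] = {
    "AP-CLERK": {"ap_clerk"},
    "AP-MGR": {"ap_manager"},
    "HR-SPEC": {"hr_specialist"},
}


@dataclass
class Identity:
    person_id: str
    job_code: str
    roles: Set[str] = field(default_factory=set)
    active: bool = True


@dataclass
class Action:
    """One provisioning step to carry out in a connected system."""
    system: str
    op: str          # "create", "grant", "revoke" or "disable"
    person_id: str
    role: str = ""


class Provisioner:
    """Central identity store that pushes changes to every connected system."""

    def __init__(self, systems: List[str]) -> None:
        self.systems = list(systems)
        self.identities: Dict[str, Identity] = {}

    def handle(self, event: dict) -> List[Action]:
        kind, pid = event["type"], event["person_id"]
        if kind == "hire":
            return self._join(pid, event["job_code"])
        if kind == "transfer":
            return self._move(pid, event["job_code"])
        if kind == "terminate":
            return self._leave(pid)
        raise ValueError(f"unknown HR event type {kind!r}")

    def _join(self, pid: str, job_code: str) -> List[Action]:
        ident = Identity(pid, job_code, set(JOB_ROLES[job_code]))
        self.identities[pid] = ident
        actions = [Action(s, "create", pid) for s in self.systems]
        actions += [Action(s, "grant", pid, r) for s in self.systems for r in sorted(ident.roles)]
        return actions

    def _move(self, pid: str, new_job: str) -> List[Action]:
        # Movers are where access accumulates: revoke what the old job granted
        # rather than only adding what the new job needs.
        ident = self.identities[pid]
        wanted = set(JOB_ROLES[new_job])
        revoke, grant = sorted(ident.roles - wanted), sorted(wanted - ident.roles)
        ident.roles, ident.job_code = wanted, new_job
        actions = [Action(s, "revoke", pid, r) for s in self.systems for r in revoke]
        actions += [Action(s, "grant", pid, r) for s in self.systems for r in grant]
        return actions

    def _leave(self, pid: str) -> List[Action]:
        ident = self.identities[pid]
        actions = [Action(s, "revoke", pid, r) for s in self.systems for r in sorted(ident.roles)]
        actions += [Action(s, "disable", pid) for s in self.systems]
        ident.roles, ident.active = set(), False
        return actions


def reconcile(central: Provisioner, observed: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Detective control: compare the accounts each system reports with the
    central store.  Any account without an active central identity is an orphan,
    whether it belongs to a departed person whose disable never happened or to a
    system that was never connected to the CIAM at all."""
    active = {pid for pid, ident in central.identities.items() if ident.active}
    return {system: sorted(accounts - active) for system, accounts in observed.items()}


if __name__ == "__main__":
    p = Provisioner(["erp", "legacy_lms"])
    for ev in [{"type": "hire", "person_id": "u100", "job_code": "AP-CLERK"},
               {"type": "transfer", "person_id": "u100", "job_code": "AP-MGR"},
               {"type": "terminate", "person_id": "u100"}]:
        for a in p.handle(ev):
            print(ev["type"], a)
    # Constructed snapshot of what two systems report after the events above.
    print(reconcile(p, {"erp": {"u100", "u200"}, "dept_rogue": {"u100", "svc_old"}}))
```

The reconciliation deliberately takes the systems' own account lists as input rather than the actions the provisioner believes it sent: a system that is not fed by the central store at all (the "dept_rogue" snapshot above) still shows up, which is exactly the case of departmental systems keeping their own identities.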

The third research question focuses on the effect that the current technology (i.e. ERP system) has on
the implementation of a CIAM. In reference to the TOE framework (see Fig. 2), there are two points of
interaction: 1) the interaction between the technology context and technological innovation decision-making;
and 2) the interaction between the technology and the external task environment (such as when legislation
requires changes to the ERP system in order to comply with new reporting requirements, although this
relationship is not the focal point of the question).


Little is known about how ERP systems affect the implementation of a CIAM. What is known is that
security problems exist in every layer of an ERP system: network, presentation, and application, which
include business processes, internal interfaces, and databases. The ERP database especially is a primary
target (Raywood, 2010). So while ERP systems enhance data availability, the “dark side” is that they also
increase the threat that trusted parties, especially employees, can steal intellectual property, personally
identifiable consumer and employee data, and financial information (Aldhizer, 2008).
ERP systems ensure process integrity by developing a secure infrastructure that includes transaction
logging and audit control (Wagner and Antonucci, 2009). However, as bolt-ons (e.g., CRM, SCM) and
legacy systems are integrated with an ERP system, customers and suppliers are provided identities and
authorizations that are outside the ERP system, yet linked to the ERP system (She and Thuraisingham,
2007). This may result in multiple passwords at a variety of login points, and without appropriate
controls, expose more data, rights or privileges than appropriate. Hence while the ERP system might have
excellent controls, the overall IAM might be weak (Pereira, 2007). However, the more that an ERP system
is integrated across the company (i.e. more modules implemented) theoretically the better the CIAM
becomes. Thus, our third research question is:

RQ3. How do ERP systems affect the effectiveness of a centralized end-to-end IAM infrastructure?

In the next section we present the research method employed.

5. Research method and model

We examine our research questions using a case study methodology, which is the ideal method when a
holistic, in-depth investigation is needed (Feagin et al., 1991). Case studies are also useful when trying to
understand when and why something works in complex environments, where variables may not be quantifiable
and actual practices or phenomena in which the context is crucial (Cooper and Morgan, 2008). Case studies focus
on bounded and particular organizations, events, or observable facts, and scrutinize the activities and
experiences of those involved, as well as the context in which these activities and experiences occur (Stake,
2000). In particular, we employ a theory-oriented case study, which proposes a theory as the basis of the study
and contributes to theory development (Cooper and Morgan, 2008). However, Cooper and Morgan (2008) also
note the value of case studies not only for theoretical work, but also for developing, and reflecting on professional
knowledge. The situational and specific focus of case studies has the advantage of insight into a type of
knowledge called “phronesis”, which Aristotle considered “practical wisdom”. This is the tacit knowledge or
wisdom that comes from applying scientific or technical knowledge in a particular context, with specific
purposes in mind. Thus, case studies should be used for informing practical knowledge, which is another goal of
this paper.
Due to the in-depth nature of case studies, a small number of sites are generally selected. In fact, IS case
studies frequently use between one and three cases (e.g., Dilnutt, 2002; Bowen et al., 2007; Jans et al., 2010).
We employed a criterion based, purposeful case selection process (Patton, 1990). This type of sampling is
used to pick cases that meet some predetermined criterion. First, the case setting was limited to two large
higher educational institutions (HEI). Second, each HEI needed to be quite far along in a CIAM
implementation so respondents could answer questions related to RQ1 and RQ2. Third, each institution
needed to have an ERP system implemented so respondents could answer the questions related to RQ3.
We use the case studies of these two similar HEIs in the U.S. as our research environment since: 1) HEIs
are experienced users of IT that must comply with a plethora of legislation such as the Health Information
Technology for Economic and Clinical Health Act (HITECH) and the Family Educational Rights and Privacy
Act (FERPA); 2) The ERP market for HEIs is stable and represents a significant vertical market for ERP
vendors; 3) HEIs have formal approaches to action and, consequently, their activities are habitually
documented (Oliver and Romm, 2000); 4) The two HEIs participating in this research are public
institutions and are subject to yearly external audits as well as continuous review by internal audit. Table 1
presents an overview of the two HEIs. While the total enrollment is approximately 34 k and 48 k, these
numbers only represent student enrollment. Total user enrollment for the ERP system is much larger
(including faculty, staff etc.).


Table 1
Overview of participating HEIs.

University   Control model   Total enrollment   Enrollment profile   Size and setting   Carnegie Foundation classification
HEI-A        Public          34,340             HU                   L4/R               RU/VH
HEI-B        Public          47,800             HU                   L4/R               RU/VH

Legend of Carnegie Foundation codes: Enrollment profile: HU: high undergraduate; Size and setting: L4/R: large four-year, primarily
residential; Carnegie Foundation classification: RU/VH: research university, very high activity.

Data collection took place in late 2011 through mid-2012, primarily via face-to-face focused interviews,
in which respondents are interviewed for a short period (usually an hour) using a set of prepared questions, while
the interview itself remains open-ended and conversational in manner (Yin, 2003). Where face-to-face interviews
were not possible, phone interviews were conducted. A common interview protocol was followed. To begin
each interview, the researchers explained the purpose of the study and why the participant was chosen for
the study. Each interview included either one or two participants (see Table 2 for a list of key personnel
interviewed). The same script was used for all interviews and consisted of three questions corresponding
to the research questions presented in the paper:

1. What are constraints to the implementation of the CIAM system at this institution?
2. What benefits have been realized so far from implementation of the CIAM system at this institution?
3. How has the ERP system affected the effectiveness of the CIAM implementation at this institution?

Information gathered during these meetings was transcribed during the interview or recorded and transcribed
afterwards. In cases of ambiguity, the interviewer followed up via telephone or email to obtain clarification.
To better understand the implementation of the CIAM systems, the interviewers also performed a comprehensive
review of documentation available through the HEI online portals (i.e. archival records) (Yin, 2003). At the
start of this project, neither HEI had completely finished its CIAM implementation, but both had made
significant progress.
Based on interviews of key personnel at both HEIs, we propose a model of CIAM implementation (Fig. 3).4
We adapt and extend the model in Fig. 2 consistent with the approach used by Zhu et al. (2003). Various
technological, organizational, and environmental barriers to a CIAM implementation emerged. From the
results, we classified each of the technology and organization variables under the heading of “Lapses in IT
Governance”. Using the definition of Enterprise Governance of IT, IT governance is seen as an “integral part of
corporate governance” through defining and implementing “processes, structures and relational mechanisms
in the organization that enable both business and IT people to execute their responsibilities in support of
business/IT alignment and creation of business value from IT-enabled business investments” (Van Grembergen
and De Haes, 2009, p. 3). IT governance is also used for “specifying the decision rights and accountability
framework to encourage desirable behavior in using IT” (Weill and Ross, 2004, p. 2). The Lapses in IT
Governance served as constraints (noted in Fig. 3 as “−”) which had to be overcome in order for both
organizations to make serious headway towards a CIAM. The interviews also revealed how the ERP system in
each organization enabled the initial implementation of CIAM (noted in Fig. 3 as “+”), as well as the benefits of
the CIAM to the HEIs. The following key findings from the interviews are placed within the context of the
adapted TOE framework below and are discussed in the subsequent sub-sections.

6. Case findings

6.1. Lapses in IT Governance

6.1.1. Technology
At both HEIs, the issue of non-integrated business systems was an impediment to a CIAM. At HEI-A various
departments oftentimes create their own ad-hoc “rogue” systems. According to the Systems Architect of IAM,
“Many of the colleges will bring up different systems without our knowledge or any interaction with OIT (Office of
Information Technology). Only if a system interacts with the ERP system do we know about it because that group
needs to work with OIT to create a feed or file share to or from ERP. Otherwise, the system is out there and
university-wide IAM policies and procedures are not enforced. We try to make it easy for them to ‘plug into’ our
IAM infrastructure, but they aren't required to.” Similarly, at HEI-B, the Director of Infrastructure commented
“[a] federated system exists across units, with many colleges having their own servers, e-mail systems and identity
management approaches.”

4 Although the model was developed as a result of the interviews, we show it prior to discussing the results to better inform the
reader and give structure to the discussion.

Table 2
Key personnel interviewed.

Panel A — HEI-A
Office of Information Technology (OIT)
  Director of Enterprise Application Services
  Enterprise Application Services Assistant Director, Financial Systems
  Enterprise Application Services, Development Manager
  Assistant Director, Enterprise Application Services
  Manager, Applications Development & Emerging Technologies
  Enterprise Portal Administrator
  Assistant Director for Research and Development
  Assistant Director Security Standards and Compliance
  Security & Compliance Manager, IAM
  Student Financial Applications Development Manager
  Systems Architect — Identity and Access Management
University Internal Audit Staff
  Director of Internal Audit
  IT Audit Manager
Office of General Counsel
  University Records Officer

Panel B — HEI-B
Computing and Technology
  Vice-Provost and Chief Information Officer
  Director, Enterprise Systems
  Director, Infrastructure
  Associate Director, Academic Computing
University Internal Audit Staff
  IT Audit Manager
Another barrier to CIAM is the lack of a centralized place for all identities where the data is consistent.
According to the Director of IT Audit at HEI-A, the rogue systems discussed above led to a situation in which
“… all the other systems not in ERP have people data in them as well. These systems they develop keep separate
identities.” The more fragmented business systems become, the easier it is for identities to become inconsistent.
Participants at both institutions also mentioned issues with data governance, which refers to the
possession of, and responsibility for, information. The control of information includes not just the ability to
access, create, modify, package, derive benefit from, sell or remove data, but also the right to assign these
access privileges to others (Loshin, 2002). For instance, at HEI-A, there was little control over setting up
person attributes in ERP and other systems, thus “leading to confusion for all involved,” states a member of
OIT.
Another issue is the organic growth of information systems resulting in non-standard processes across
organizations. This occurs whenever there is a significant devolution of rights and responsibilities in
organizations. At HEI-A, administrative systems were originally under the purview of the CFO, while
academic systems were under the control of the Provost. This organizational separation of systems meant
that each area could pursue its own identity management goals. States the Systems Architect of Identity
and Access Management (HEI-A), “Administrative people set up generic email accounts etc. and academic
people set up guest accounts for all sorts of workshops, seminars and life-long learning programs. All this has
been done in disparate ways; we need to rationalize these to a single set of processes and use a single system to
do this.” At HEI-B, the administrative and academic systems were operated by two different units. For
example, the student information system and ERP were controlled by the Registrar's Office and maintained
by the Administrative Information Systems group, while the course management system was maintained
by the Academic Technology Services group. Faculty/staff members used a University ID to access either
system, and students used a Student ID that allowed them access to all relevant student/course
information. If a student became an employee (or vice versa), he or she would be granted access to the
administrative system using the same Student ID. When trying to access college level resources, e-mail,
etc., the faculty/staff would also need a College ID. This problem increased in scope as more colleges and
administrative units set up their own calendaring, e-mail and file systems.


Fig. 3. The context of CIAM implementation. [Figure rendered as text; “−” marks constraints, “+” marks enablers.]

Lapses in Information Technology Governance (−)
  Technology: ad-hoc/rogue systems; no centralized repository of IDs; weak data governance; non-standard
  processes across organization; lack of agreement on security rules across organization.
  Organizational: lack of agreement on classification of users; lack of strong executive leadership to critical
  projects; lack of committed resources to critical projects; security viewed as IT problem not business problem.

External Task Environment (−): vendor changes; government regulation; cloud computing.

ERP System Enablement (+): integration and standardization of identities; triggers for automatic
provisioning/de-provisioning; more granular definition of responsibilities; improved password management.

Centralized End-to-End Identity and Access Management → Organizational Benefits: increased privacy and
security of data, resources; decreased cycle times for IAM processes; single sign-on; inter-organizational trust;
improvements in the audit process; increased compliance; lower administrative costs; less chance for manual
errors.

The lack of internal agreement about basic security rules on trust and authentication was another
technological barrier. According to the Assistant Director of Security Standards and Compliance (HEI-A), “We
still are lacking a set of rules that the University can agree on. For example, what would be the basis upon which we
would allow a person's User ID to be used by other organizations? We could agree that it should not leave our
intranet, but we could also agree that it could, but that certain rules for encryption both in transit and storage by
the other organization should apply.” The Internal Auditor at HEI-B also viewed this silo mentality within the
university where credentials in one area do not apply to another and vice versa “as a problem”. HEI-B is
exploring a single directory system. This system would allow all users to use a single user ID to access both
college and university level resources. Unfortunately, because of the strong federated environment, there is
not an official mandate for any unit to move and adopt this single sign-on process. Rather, different units must
“volunteer” to join this effort. Both HEI-A and HEI-B belong to the InCommon federation, which allows users
to gain access to other InCommon organizations' resources through the use of the local HEI user ID. The
InCommon federation provides a framework for trusted shared access management for on-line resources
(InCommon, 2003). Thus, while there is a silo mentality within the HEIs, they have determined that user
benefits of the single sign-on are significant, and have overcome the “silo mentality” on an institutional level.

6.1.2. Organizational
There are various organizational factors that our participants mentioned as barriers to CIAM. HEI-A
interviewees considered the lack of internal agreement on classification of users as a barrier. “There is a
notion on campus that there are three distinct sets of users: faculty, staff and students. But this is not the case.”


According to OIT members, “An application development manager could be a student in the library system, an
administrator in the ERP Student modules, and teach a course on campus.” Inconsistencies such as these often
lead to unnecessary redundancies, inaccuracies and vulnerabilities. At HEI-B the Director of Enterprise
Systems noted that this was a cultural issue: “this is the way we've always done this.”
Other barriers to CIAM cited by participants at HEI-A were the lack of executive leadership by the CFO
and Provost and lack of necessary resources. “[IAM] is nice but not viewed as essential [by leadership],” stated
the IT Audit Director. “Management viewpoints have a trickle-down effect and without executive buy-in,
system users will not fully embrace any new system. Without campus-wide buy-in, individual departments will
not realize the full advantages of an enterprise system and its potential security.” The lack of resources to fully
implement a CIAM was also noted at HEI-B. Funds were allocated for the ERP system implementation, but
“no additional resources” were allocated for CIAM development. A final organizational barrier mentioned
by participants from HEI-A referred to CIAM being viewed as an “IT issue” not a “business issue”. This
perception, separating IT from the rest of the business, is common in a variety of organizations and frequently
causes management and security challenges.

6.2. External task environment

The environment also plays a role in the implementation of CIAM. Participants from HEI-A stated that
the constantly changing ERP and IAM vendors' product support and fee structures slowed down progress
towards a CIAM. Adds the IT Audit Manager, “The ERP and CIAM system vendors are unpredictable about
when and how they make changes to their product, and we are left holding the bag when they make a change
that we hadn't planned on. As well, if they drastically change the pricing structure and we can't afford
something anymore, we have to go through another package selection and implementation process.”
Cloud computing presents another challenge with regard to the environment. The Internal Auditor
from HEI-B commented “[IAM] issues could result from cloud-based applications such as Google Apps and
others. Integration with these services from the university would result in significant challenges, and the risks
associated with these service offerings would vary based upon who was using the service” (e.g., students,
faculty, administrators) “and for what tasks” (e.g., writing a homework paper, writing a patent application).
Finally, keeping up with changes in government regulations is a “constant challenge to CIAM implementation”.
For example, systems in HEI environments must comply with security requirements found in both FERPA and
HITECH. These regulations require data confidentiality, appropriate data access, firewall protection, email
protection and more. HEIs must also comply with industry standards, such as the PCI, as they accept credit card
transactions. CIAMs help organizations meet these regulations. Other industries are required to comply with
regulations that specify similar, if not the same, security requirements. The requirements from external sources
prompted the Director of Infrastructure from HEI-B to state that the institution “will eventually need two-factor
identity authentication.”

6.3. Benefits of centralized end-to-end identity and access management

In our study, we found numerous organizational benefits of a CIAM infrastructure. A primary benefit of
a CIAM, participants state, is the increased privacy and security of data and resources. According to the
Assistant Director of Security Standards and Compliance at HEI-A, “We are protecting individuals'
information so that other people cannot act as though they are that person. We need to be able to control access
to data, resources, people — everything about the University via the computer. We need to keep the integrity
tight and as clean as we can.” Security is heightened through the end-to-end characteristic. “An end to end
system would be more difficult for people to break into because there are multiple tools being used at multiple points
of the process.” The Director of Enterprise Systems at HEI-B had a similar perspective. He stated “[a CIAM]
provides the organization with the ability to define a single point of support for declaring the identities of all
users.” Reducing the number of entry points is key when trying to prevent an intruder from compromising
the system.
Another benefit of a CIAM is decreased cycle times in managing the various aspects of IAM. For
instance, the time required to provision and de-provision users in the systems is greatly reduced. “We are
already seeing this with the ERP system, but if all systems were connected through a CIAM, then the process
would speed up even more,” stated a member of OIT from HEI-A. Another example of reduced cycle time is


with password resets. Previously at HEI-A, if a user forgot a password, he/she had to make an in-person
appearance at the helpdesk to get it reset. According to members of the OIT security team, “That causes a
huge problem with distance students and people traveling.” Users now have the option to do automated
password resets but only if they have established a set of security questions beforehand (an automatic
password reset process already existed at HEI-B). With the CIAM infrastructure, this process will become
fully automated leading to reduced cycle time.
A 2008 survey of customers of a company that provides IAM cloud architectures found that 37% of the
organizations counted 7–12 passwords per employee while 12% counted more than 12 passwords per
employee (Kho, 2009). The CIO at HEI-B stated “single sign-on and associated capabilities of provisioning
appropriate access/rights is a significant benefit. This provides assurance that the appropriate users are accessing
the content, and also improves users' experiences, as they are not required to re-authenticate multiple times when
completing various business tasks.” HEI-A is still not experiencing this benefit fully. State members of the OIT
from HEI-A, “Right now we have a primary User ID for people for all 8 business systems (including ERP) on
campus, but anytime there is a change (user is added, deleted or changes password) all 8 systems have to be
updated. In a real single sign-on environment, a user signs on once and his/her authentication is passed to an
authentication system. This one system authenticates their identity and authorizes what they are allowed to see
and do. Right now we have to keep up with 8 different authentication systems.”
Other major benefits to a CIAM are improvements in the IT audit process and increased compliance.
Automating IAM controls makes the audit process more efficient because an application (IT-enabled)
control only has to be tested once in an audit — the control either works or it does not. Manual controls, on
the other hand, are subject to human error, thus sampling techniques must be utilized to test a population
of provisions and de-provisions and confirm appropriate access. A CIAM also provides a standard way of
administering access and allows for better traceability and accountability (who did what in the system
using what user ID). An area of IT audit focus is employees within the company who have privileged rights,
such as system administrators. According to members of OIT from HEI-A, “One of the items the State
auditors want to know is which users have access to “ALL” — meaning all students, all employees, etc. With all
this information being kept centralized, we can generate a list of these people, why these people need access
and who approved it. In the system, auditors can see who requested and approved the access instead of having
the security team merely explain it. The auditors also want to see people who have access across colleges, such
as an employee in one department or area having access to information in another department or area.” Adds the
Assistant Director of Security Standards and Compliance, “Traceability is important, we [the security team]
must be able to account for why people have a role, and who approved it.” Similarly, the Internal Auditor from
HEI-B concurs that a CIAM would provide a more consistent review and monitoring process. “[A CIAM]
would make it easier to look for and identify anomalies that would need further investigation. Currently, with
different systems in place across units at the university, it is not possible to have a consistent approach that can
be used everywhere.”
Much of what has been discussed concerns the elimination of manual intervention. This results in
reduction of human error and lower administrative costs to the organization, two additional organizational
benefits included in the model (see Fig. 3).

6.4. ERP systems and CIAM

In practice, one of the key ways that ERP systems facilitate the implementation of a CIAM is
through integration and standardization of identities, since the ERP system serves as the authoritative data
source for all other systems. A CIAM will manage identities separately, but must be synced to the ERP system
since this is where the initial data resides. According to HEI-A's OIT, “IT processes can only be improved if
identities are centralized. From an audit standpoint we need one place to go. It is very easy to run the reports
that we need for auditors in the ERP system.” The CIO at HEI-B states that “having an ERP system forces you
to be better at identity management.” The Associate Director of Academic Technology Services notes “the ERP
system was used to populate the data warehouse which is used to populate the directory needed for Shibboleth
authorizations. Combined with rights and access management, Shibboleth authorization supports the single
sign-on process.” An ERP system should not be the owner of the identities, but identity information is
pulled from ERP.


To illustrate, at HEI-A, during the Student modules implementation (the most recently implemented
modules), members of the ERP project team reviewed the people data in both the legacy student systems
and the ERP HR module (that was already live), decided what was relevant from the source systems and
consolidated and updated the information into one identity entry for each person. Before the Student
modules implementation, a person could have multiple identity records in the legacy HR and student
systems. For instance, of 7000 graduate students, nearly 50% were employed by the University and
therefore had HR records in addition to student records. Without the integration of Student and HR
modules in the ERP system, OIT had written software to synchronize the multiple identity records with
common ID numbers, but it was imperfect. Users were simultaneously creating “person records” in the
legacy HR system without first checking the legacy student system; therefore, the two systems would
inevitably get out of sync. Several members of the ERP project team explained the data redundancy issue:
“The old legacy systems had processes in place that would check to see if a new student had an existing ID in the
HR system before creating a new ID in the student system. If an ID existed, the student system would use the
same ID as the HR system, and thus that person would be “in sync” between the two systems. However, the HR
system had no such processes, so students who later became employees received new IDs in the HR system that
were not associated with the corresponding student IDs. When people encountered problems as a result of the
data asymmetry, employees in Registration and Records and/or HR had to review the associated records in both
systems and manually adjust one of the two systems. This was a very time consuming and error prone process.
During the ERP student module implementation, we scrubbed 400,000+ people records. When it was done, it
was a thing of beauty. Everyone realized that we are in one world now.”
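The reconciliation the HEI-A project team describes (one identity per person, built from HR and student records that may carry different IDs) can be illustrated with a small script. This is an added example, not code from the paper or from either HEI; it assumes each legacy record carries a stable cross-system person key for matching, treats the HR record as authoritative for contact data, and uses constructed sample records.

```python
"""Identity reconciliation across two legacy systems (added example).
Assumptions: each legacy record carries a stable person_key shared by both
systems, and HR is the authoritative source for name and e-mail."""
from dataclasses import dataclass, field


@dataclass
class LegacyRecord:
    system: str      # "HR" or "STUDENT"
    system_id: str   # the ID that system assigned to the person
    person_key: str  # assumed stable cross-system key used for matching
    name: str
    email: str = ""


@dataclass
class Identity:
    person_key: str
    name: str
    email: str
    source_ids: dict = field(default_factory=dict)  # system -> system_id


def reconcile(records):
    """Build one Identity per person_key from all legacy records.

    Returns (identities, conflicts): identities maps person_key -> Identity;
    conflicts lists keys whose records disagree on the person's name and so
    need a human decision before the merge is final."""
    by_key = {}
    for rec in records:
        by_key.setdefault(rec.person_key, []).append(rec)

    identities, conflicts = {}, []
    for key, recs in by_key.items():
        if len({r.name.strip().lower() for r in recs}) > 1:
            conflicts.append(key)
        # HR record wins for contact data (assumption); otherwise first seen.
        primary = next((r for r in recs if r.system == "HR"), recs[0])
        email = primary.email or next((r.email for r in recs if r.email), "")
        ident = Identity(key, primary.name, email)
        for r in recs:
            ident.source_ids[r.system] = r.system_id
        identities[key] = ident
    return identities, sorted(conflicts)


def out_of_sync(identities):
    """People present in both systems under different IDs: the
    student-turned-employee case where HR issued a fresh ID instead of
    reusing the student one."""
    return sorted(
        key for key, ident in identities.items()
        if set(ident.source_ids) >= {"HR", "STUDENT"}
        and ident.source_ids["HR"] != ident.source_ids["STUDENT"]
    )


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    LegacyRecord("STUDENT", "200100", "P-A", "Ana Ruiz", "aruiz@example.edu"),
    LegacyRecord("HR",      "200100", "P-A", "Ana Ruiz"),            # in sync
    LegacyRecord("STUDENT", "200200", "P-B", "Pat Lee", "plee@example.edu"),
    LegacyRecord("HR",      "300200", "P-B", "P. Lee"),              # new HR ID, name variant
    LegacyRecord("STUDENT", "200300", "P-C", "Kim Osei"),            # student only
    LegacyRecord("HR",      "300400", "P-D", "Lee Chan", "lchan@example.edu"),  # employee only
]

if __name__ == "__main__":
    ids, conflicts = reconcile(SAMPLE_RECORDS)
    print(len(ids), "identities; out of sync:", out_of_sync(ids),
          "; name conflicts:", conflicts)
```

The `conflicts` list is the part a scrub like the one described cannot automate: a name variant may be a typo or a different person, and the record should be reviewed rather than silently merged.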
The Director of Enterprise Systems at HEI-B believes that they have a good understanding of the
difficulties associated with identity management. The university has multiple domains and has “long life
histories for many users, for student to donor to employee to patient” as the university has a medical college
and clinic. The ERP system required the university to “fill in certain gaps in the IAM and access provisioning
systems”. The university is still working to get better, as the business domain is believed to be relatively
well defined and controlled and the academic usage is relatively well defined. Unfortunately, these two
domains are not well integrated. The key limitation preventing a more complete integration is with
“casual users,” that is, individuals who are not enrolled in a degree program but enrolled in non-credit
courses, and distance courses, and are members of the general public, and so on. A casual user (student)
could have multiple identities, one for each course in which they enroll, and this cannot be easily
controlled at this point. This is based upon these casual users creating a “community ID” that allows
limited access to resources, but does not require a formal authentication of the user (all that is needed is a
valid e-mail account provided by a service provider). Also, there is the need for assurance that the identity
matches the legal identity of these casual users. This is not a problem for employees and students taking
courses for credit as they must present a form of identification.
Once an organization consolidates the identities of its employees, business partners, customers and
suppliers, access management activities become more straightforward and less time consuming. Legacy
systems are not necessarily designed to facilitate the separation of duties (i.e. disseminating the tasks and
associated privileges for a specific business process among multiple users), and thus a user's screen can
contain multiple processes. If a user does any process on a screen in the legacy systems, by default he or she
gets access to that screen. “Obviously, this gives away more access than appropriate,” states the ERP Project
Manager from HEI-A. In the ERP system, roles are based on functional responsibilities and grant access to
groupings of pages called “permission lists”, with each process being on a separate webpage. The ERP system
will also establish “row level” access in a user's profile, which further restricts the types of records that can be
accessed by the user. Because of these enhanced security measures, access management is more defined. This,
in turn, facilitates the implementation of a CIAM. States the Enterprise Portal Administrator at HEI-A, “The ERP
system gave us a more granular definition of job responsibilities and security access. Users now get only what they
need to do their jobs and are able to request access based on a logical name that makes sense to them versus having
to know the screen names on the legacy mainframe system. Roles and profiles are used to group individual
transaction access together, making it easier for security personnel to grant and monitor user access and facilitate
approvals by data owners.”
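The role, permission-list and row-level model just described, together with the two reports the OIT members said state auditors ask for (who has access to “ALL”, and who has access across departments, with requester and approver), can be shown in one small model. This is an added example, not the paper's or either HEI's code; the page names, roles, departments and grants are constructed.

```python
"""Role-based access with permission lists and row-level scope, plus two
auditor reports (added example; names are constructed)."""
from dataclasses import dataclass

# Each process sits on its own page; pages are grouped into permission lists.
PAGE_TO_PERMISSION_LIST = {
    "MY_PROFILE":     "PL_SELF_SERVICE",
    "STU_VIEW":       "PL_STUDENT_VIEW",
    "STU_GRADE_EDIT": "PL_STUDENT_ADMIN",
    "HR_PAY_EDIT":    "PL_HR_ADMIN",
}


@dataclass(frozen=True)
class Role:
    name: str
    permission_lists: frozenset  # which page groups the role may open
    row_scope: str               # "SELF", "DEPT:<code>" or "ALL"


@dataclass(frozen=True)
class Grant:
    user: str
    home_dept: str
    role: Role
    requested_by: str
    approved_by: str


def can_open(grants, user, page):
    """True if any of the user's roles includes the page's permission list."""
    pl = PAGE_TO_PERMISSION_LIST[page]
    return any(g.user == user and pl in g.role.permission_lists for g in grants)


def row_scopes(grants, user):
    """Row-level scopes attached to the user's profile (union over roles)."""
    return sorted({g.role.row_scope for g in grants if g.user == user})


def users_with_all_access(grants):
    """Auditor report: everyone whose scope is ALL, with requester and
    approver, so the evidence comes from the system rather than from the
    security team's explanation."""
    return sorted((g.user, g.role.name, g.requested_by, g.approved_by)
                  for g in grants if g.role.row_scope == "ALL")


def cross_department_access(grants):
    """Auditor report: department-scoped grants outside the user's home
    department."""
    return sorted((g.user, g.role.row_scope, g.home_dept) for g in grants
                  if g.role.row_scope.startswith("DEPT:")
                  and g.role.row_scope != "DEPT:" + g.home_dept)


# Constructed roles and grants.
SELF_SERVICE = Role("SELF_SERVICE", frozenset({"PL_SELF_SERVICE"}), "SELF")
CS_ADVISOR = Role("CS_ADVISOR", frozenset({"PL_STUDENT_VIEW"}), "DEPT:CS")
SYS_ADMIN = Role("SYS_ADMIN",
                 frozenset({"PL_STUDENT_VIEW", "PL_STUDENT_ADMIN", "PL_HR_ADMIN"}),
                 "ALL")

SAMPLE_GRANTS = [
    Grant("alice", "CS",   SELF_SERVICE, "alice",        "cs.chair"),
    Grant("alice", "CS",   CS_ADVISOR,   "cs.chair",     "registrar"),
    Grant("bob",   "OIT",  SYS_ADMIN,    "oit.director", "cio"),
    Grant("carol", "MATH", CS_ADVISOR,   "cs.chair",     "registrar"),
]

if __name__ == "__main__":
    print("ALL access:", users_with_all_access(SAMPLE_GRANTS))
    print("cross-department:", cross_department_access(SAMPLE_GRANTS))
```

Because every grant records who requested and who approved it, both reports are produced from the access data itself, which is the traceability point the security team makes.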
Many organizations are moving towards automation of the user provisioning and de-provisioning
process that involves creating, updating, and deleting user accounts across multiple systems. A delay in
provisioning and de-provisioning is risky as fellow employees may share their passwords so coworkers


can access the necessary data quickly in violation of security policies (Aldhizer, 2008). It is also inefficient
and costly to manually provision and de-provision users. Additionally, with multiple identity management
systems in place at HEIs, a user is unlikely to be de-provisioned in a timely manner. Thus, another key way
that ERP systems facilitate IAM for HEI-A is that transactions in the HR and Student modules such as a hire
or admit action will cause a message to be sent to the IAM provisioning tool, which is part of the IAM
infrastructure. This HEI uses Oracle Waveset for provisioning and de-provisioning users, but others are
available. The organization's Enterprise Portal Administrator emphasized the significant role of the ERP HR
module with regard to the IAM infrastructure “HR actions now drive what happens in the system. A batch job
runs nightly and checks ERP HR module for actions that will affect access of all staff and faculty on campus. We
also can now do provisioning at different points in the student life-cycle. Whereas provisioning of students was
done as soon as the university was aware of their presence, which usually meant they had applied. Therefore,
many accounts were set up for students before really knowing whether they would attend. Now, provisioning
rules dictate that although the student has applied, they do not get set up in the system until they are actually
admitted and have confirmed their intent to enroll. This granularity is possible because of the new ERP Student
functionality.”
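The nightly batch the Enterprise Portal Administrator describes (HR actions driving access, and students provisioned only once admitted and confirmed rather than on application) amounts to a small state machine over ERP actions. The following is an added example, not code from the paper, from either HEI or from the Oracle Waveset product; the action names, the handling of a person who is both employee and student, and the sample data are constructed.

```python
"""Nightly provisioning decisions driven by ERP HR and Student actions
(added example; action names and sample data are constructed)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ErpAction:
    person_id: str
    action: str       # HIRE, TERMINATE, APPLIED, ADMITTED, CONFIRMED, WITHDRAWN
    effective: date


def entitled(actions, today):
    """Replay one person's actions effective on or before today and decide
    whether they should hold an account: an active employee OR a student who
    has been admitted and confirmed intent to enrol."""
    employee = False
    student = "NONE"
    for a in sorted(actions, key=lambda a: a.effective):
        if a.effective > today:
            continue                                   # future-dated: not yet in force
        if a.action == "HIRE":
            employee = True
        elif a.action == "TERMINATE":
            employee = False
        elif a.action == "APPLIED" and student == "NONE":
            student = "APPLIED"                        # applied only: no account yet
        elif a.action == "ADMITTED":
            student = "ADMITTED"
        elif a.action == "CONFIRMED" and student == "ADMITTED":
            student = "CONFIRMED"
        elif a.action == "WITHDRAWN":
            student = "NONE"
    return employee or student == "CONFIRMED"


def nightly_batch(actions, existing_accounts, today):
    """Return {person_id: 'provision' | 'deprovision'} for people whose
    account state no longer matches the ERP; unchanged people are omitted."""
    by_person = {}
    for a in actions:
        by_person.setdefault(a.person_id, []).append(a)
    decisions = {}
    for pid, acts in by_person.items():
        should, has = entitled(acts, today), pid in existing_accounts
        if should and not has:
            decisions[pid] = "provision"
        elif has and not should:
            decisions[pid] = "deprovision"
    return decisions


# Constructed sample data.
SAMPLE_ACTIONS = [
    ErpAction("e1", "HIRE", date(2014, 1, 10)),
    ErpAction("e2", "HIRE", date(2013, 6, 1)),
    ErpAction("e2", "TERMINATE", date(2014, 1, 20)),
    ErpAction("s1", "APPLIED", date(2014, 1, 5)),           # applied only
    ErpAction("s2", "APPLIED", date(2013, 12, 1)),
    ErpAction("s2", "ADMITTED", date(2014, 1, 8)),
    ErpAction("s2", "CONFIRMED", date(2014, 1, 22)),
    ErpAction("x3", "HIRE", date(2012, 9, 1)),              # student-employee: HR ends ...
    ErpAction("x3", "TERMINATE", date(2014, 1, 15)),
    ErpAction("x3", "ADMITTED", date(2013, 3, 1)),
    ErpAction("x3", "CONFIRMED", date(2013, 4, 1)),         # ... but still a confirmed student
    ErpAction("e4", "HIRE", date(2014, 2, 1)),              # future-dated hire
]
EXISTING_ACCOUNTS = {"e2", "x3"}
TODAY = date(2014, 1, 25)

if __name__ == "__main__":
    print(nightly_batch(SAMPLE_ACTIONS, EXISTING_ACCOUNTS, TODAY))
```

Note the person `x3`: the HR termination alone does not remove the account because the same identity is still a confirmed student, which is exactly why a single consolidated identity record is needed before de-provisioning can be automated safely.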
The ERP system at HEI-A was also leveraged to improve the authentication policies, specifically in the
area of password management. Realizing that a User ID and password were not ideal, but that superior
alternatives were too expensive and intrusive for widespread use, ERP was used as a reengineering tool by
tying the functional ERP user roles to how often each user must change his or her password. The
University's IT security team went through each of the ERP roles and assigned priorities based on the
sensitivity and volume of data that the role could access. All roles were put into five categories, each tied to
a password change frequency. A security team member described these categories: “Category one is for
people who just need self service to their own data, so they only have to change passwords every 365 days;
Category five is for administrative level access to all data and they are required to reset their passwords every
30 days. We have a process that runs each night and evaluates every person's role category and prompts a
password change if need be.”
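The role-category password ageing described above can be expressed directly: the most sensitive role a user holds decides the category, and a nightly job compares each user's last password change against the category's maximum age. This is an added example, not HEI-A's code; categories 1 (365 days) and 5 (30 days) come from the interview, while the role-to-category mapping, the intermediate ages for categories 2 to 4 and the sample users are assumptions.

```python
"""Role-category password ageing (added example; mapping and ages for
categories 2-4 are assumptions, only 365/30 days are from the paper)."""
from datetime import date, timedelta

ROLE_CATEGORY = {                     # constructed mapping
    "SELF_SERVICE": 1,
    "DEPT_VIEWER": 2,
    "DEPT_ADMIN": 3,
    "HR_ADMIN": 4,
    "ALL_DATA_ADMIN": 5,
}
MAX_PASSWORD_AGE_DAYS = {1: 365, 2: 180, 3: 120, 4: 60, 5: 30}   # 2-4 assumed


def user_category(roles):
    """The most sensitive role decides; an unknown role raises KeyError rather
    than silently falling into the least restrictive category."""
    return max((ROLE_CATEGORY[r] for r in roles), default=1)


def password_status(roles, last_changed, today):
    """Return (category, due_date, must_change)."""
    cat = user_category(roles)
    due = last_changed + timedelta(days=MAX_PASSWORD_AGE_DAYS[cat])
    return cat, due, today >= due


def nightly_password_check(users, today):
    """users: {user_id: (roles, last_changed)}.  Returns the sorted user ids
    that must be prompted to change their password."""
    return sorted(uid for uid, (roles, last) in users.items()
                  if password_status(roles, last, today)[2])


# Constructed sample users.
SAMPLE_USERS = {
    "student1": (["SELF_SERVICE"], date(2013, 3, 1)),              # 330 days, limit 365
    "hr.admin": (["SELF_SERVICE", "HR_ADMIN"], date(2013, 11, 1)), # 85 days, limit 60
    "dba":      (["ALL_DATA_ADMIN"], date(2014, 1, 1)),            # 24 days, limit 30
}
TODAY = date(2014, 1, 25)

if __name__ == "__main__":
    print("prompt tonight:", nightly_password_check(SAMPLE_USERS, TODAY))
```

Taking the maximum category across roles matters for users such as `hr.admin`, who also hold a self-service role: the shortest rotation period wins, not the first role found.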

7. Discussion

Fig. 3 summarizes our findings. First, CIAM has many barriers that might hinder implementation unless
managed properly. These barriers can be categorized as technological, organizational and environmental,
with more technology and organizational barriers cited by interviewees. Technology and organizational
barriers can be seen as lapses in IT governance, an issue that must be addressed and managed at the top
levels in an organization. One institution in the study assuaged some of its challenges by initiating proper
IT leadership with the hiring of its first CIO. The finding that CIAM is dependent upon the overarching IT
governance of the organization is consistent with Etges (2011, p. 2), who places Identity Management
Governance at the Executive Committee level. An effective IT governance structure addresses three issues:
the decisions that must be made to ensure effective use and management of IT; the determination of who
should make those decisions; and a consideration of how decisions are made and monitored (Weill and
Ross, 2004).
Second, CIAM results in significant benefits, including increased security and privacy, efficiencies in user
provisioning and password management, and audit process improvement. Third, we found that the ERP
infrastructure inherently supports the goal of IAM — providing the right access to the right people in order to
protect information. While ERP systems themselves do not establish a CIAM, they can be used to leverage
CIAM through standardization and integration of identities and triggers for automated provisioning. Our
results also suggest that TOE factors might influence each other. These relationships appear as dashed lines in
Fig. 3. For example, vendor changes could lead to the development of rogue systems, and nonstandard
processes could lead to lack of agreement on classification of users. Furthermore, increased government
regulation will most likely change the mentality of security from an IT problem to a business problem.
The external environment must be considered when implementing CIAM. In particular, our findings
shed new light on the significance of legislation and vendor selection. HEIs must adhere to governmental
regulations such as FERPA and HITECH; however, these organizations are involved in numerous other
transactions ranging from tuition payments to bookstore receipts, to sporting, cultural and other fund
raising events that require compliance with PCI regulations.


Third, ERP systems can help overcome lapses in IT governance that existed in the HEIs. One of the main
barriers to the CIAM was that there was no centralized repository of identities because they had been
duplicated across multiple business systems. ERP systems help to standardize and integrate organizational
identities. Currently, organizations are working towards using the same IAM system for all of their
business systems, including ERP, and applying the same policies and procedures throughout, thereby
consolidating the IAM infrastructure and reducing security headaches from overwhelming to manageable.
However, many organizations that have invested in ERP are still using multiple IAM systems to manage
their other systems and are incorporating manual procedures and controls. While our HEIs used different
ERP systems (PeopleSoft and SAP), one finding was that this did not affect the nature of the results of
interviews. Both HEIs mentioned similar ways that ERP systems facilitate CIAM.
IAM represents the convergence of technical and business procedures designed to enable workers to have
access to all the information that they need to do their jobs at any point in time. Done properly, an enterprise's
IAM system should automate, accelerate and simplify account access and management while keeping data
protected (Kho, 2009). With this study, we have provided a first step in providing guidance as an increasing
number of organizations are working to implement CIAM to address the legal and organizational requirements.
This study has paved the way for a more effective CIAM implementation as well as further research pertaining to
ERP security.

8. Conclusions and future research

This research uses TOE as a framework to analyze the implementation of a CIAM at two HEIs. Consistent
with D'Costa-Alphonso and Lane (2010), this research has shown TOE to be a robust framework that can be
applied to the area of CIAM. Furthermore, the results obtained in this study allow for the refinement of TOE so
that it explicitly addresses CIAM. This is the first study to address CIAM and how ERP and CIAM intersect. The
current study looks at how ERP systems are being used to improve an organization's IAM infrastructure, a
topic lacking in the literature. Therein lies the significance and novelty of this work in that we examine the
challenges of a CIAM infrastructure and how an ERP system can address these issues.
The results of this study have practical implications for organizations that are considering embarking upon
a CIAM implementation for protecting data and information, complying with laws and regulations and
improving associated IT processes. Furthermore, the results advance the fields of IT security management and
enterprise systems by supplementing the current knowledge about security strategies in an ERP environment
with real-world, detailed experiences.
Our findings have practical implications for IT professionals and managers involved in the implementation
of ERP systems as well as those involved with ERP security. Establishing policies and processes to support the
implementation and security of ERP can be challenging, yet our findings suggest such governance is necessary
and greatly influences CIAM. For example, when involved in an ERP implementation or upgrade, IT managers
should ensure that adequate funds are included for CIAM implementation or upgrade and not leave security
as an “afterthought” (Dhillon, 2004).
Although we gained much insight from this study, there are limitations. The primary limitation is the small
sample size of n = 2. While not uncommon for case study research (e.g., Dilnutt, 2002; Bowen et al., 2007), a
small sample size prohibits the use of statistical methods for analysis and limits the generalizability of the
results to other organizations and environments. Additionally, both case studies took place in HEI settings;
a follow-up study that applies our extended model to other environments would be valuable in
understanding the relationships between CIAM, users, IT governance and external stimuli. A survey
administered to a cross-section of companies and industries could also help researchers determine the
relative significance of the model components.
While CIAMs have not been fully implemented at the HEIs studied in this research, the organizations
are well on their way to completing this goal. Future research is needed to determine whether refinements
can be made to our model (e.g., what other barriers might be present in organizations). Furthermore, the
linkages could be tested as hypotheses using a cross-section of industries. The dashed lines representing
the impact of the TOE factors on one another could also be examined.
This research only examined CIAMs from the perspective of the organization. Future research should
examine the impact of a CIAM from the perspective of outside parties, such as customers. Questions to
consider could include: Are they willing to pay a premium? Are they more willing to do business with an
organization that has a CIAM? Research can also focus on auditors by exploring questions such as the
following: Are the audits completed in a more timely fashion? Are there fewer audit issues that need to be
discussed with the audit committee? Yet other research can examine the impact on business performance
and the value of the organization (Is the business more agile and better able to address change? Do
shareholders value companies with a CIAM more highly than other firms, all other things being equal?).

Please cite this article as: Bradford M, et al, Centralized end-to-end identity and access management and
ERP systems: A multi-c..., Int J Account Inf Syst (2014), http://dx.doi.org/10.1016/j.accinf.2014.01.003
M. Bradford et al. / International Journal of Accounting Information Systems xxx (2014) xxx–xxx 15

More research is needed to discover best practices for IT audit when a CIAM exists. For example, with a
CIAM, less manual testing of controls is needed, which requires fewer staff and audit hours; however, some
manual review is still required to determine whether the automated controls are working properly. We found
that at HEI-A, an access management report is sent to the department heads and deans of each college to
certify employee access. This periodic certification is a manual, detective check that the automated
provisioning controls are functioning as intended, and it is the point at which access that the automation
did not remove (or that was granted outside it) becomes visible. Further investigation is needed to evaluate
this aspect of the relationship between CIAM and IT governance.
Our study reveals that ERP systems facilitate the implementation of a CIAM; however, there could be
factors that actually mitigate the constraints noted in the model. For example, how could we develop an
atmosphere to facilitate standard processes for IAM and strong data governance? Mitigation strategies
should be identified and validated.
Future research could use the knowledge gained from this study to build more IAM frameworks and
models that could be validated among a variety of disparate organizations. As an example, from a practical
standpoint, models are lacking for changing access when there is an HR status change. As our interviewees
noted, if someone is an accountant in one department and then becomes an accountant in another
department, there are often no organization-wide rules requiring the exact same access for that role, and
many organizations still allow permutations of access. This reflects the issues noted earlier regarding
standardizing authorization across an organization. One of the main truisms of ERP implementation is that
the implementing company should standardize business processes; this should apply equally to the security
processes surrounding the ERP system.
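The two points above (the department-head access certification at HEI-A, and the lack of organization-wide rules for what an accountant keeps, gains and loses when transferred between departments) can both be made concrete with a small role-based provisioning model. The following Python is an added example written for this edit; it is not code from the paper or from either HEI's ERP or IAM product. The role catalogue, entitlement names, department codes and people are constructed for illustration. It shows a rule set keyed only on the HR role, with department scope parameterised so that a transfer revokes the old department's access and grants the same role-shaped access in the new one, and a reconciliation step that produces the exception rows a certification report would put in front of a dean.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HrRecord:
    """One row from the HR system of record (constructed for this example)."""
    user: str
    status: str   # "active" or "terminated"
    role: str     # job role from HR, e.g. "accountant"
    dept: str     # department code, e.g. "FIN"

# Hypothetical role catalogue: one rule per role, applied identically in every
# department.  Department-scoped entitlements are templated on {dept}, so two
# accountants in different departments receive the same shape of access and a
# department cannot hand out its own variant of the role.
ROLE_RULES = {
    "accountant": ("erp:gl:post", "erp:ap:view", "ledger:{dept}:write"),
    "dept_admin": ("erp:hr:view", "ledger:{dept}:read"),
}

def expected_entitlements(rec: HrRecord) -> set:
    """Policy-derived access for a user.  A terminated user is entitled to nothing."""
    if rec.status != "active":
        return set()
    return {e.format(dept=rec.dept) for e in ROLE_RULES.get(rec.role, ())}

def reconcile(rec: HrRecord, current: set):
    """Return (grant, revoke): the changes that move `current` to the policy set."""
    want = expected_entitlements(rec)
    return want - current, current - want

def transfer(rec: HrRecord, new_dept: str, current: set):
    """Apply an HR department change; returns the updated record and entitlements.
    The old department's scoped access is revoked rather than accumulated."""
    moved = HrRecord(rec.user, rec.status, rec.role, new_dept)
    grant, revoke = reconcile(moved, current)
    return moved, (current | grant) - revoke

def certification_report(records, entitlements):
    """Rows for the department-head certification: any entitlement a user holds
    that the current HR role does not explain is an exception to be reviewed."""
    rows = []
    for rec in sorted(records, key=lambda r: (r.dept, r.user)):
        have = entitlements.get(rec.user, set())
        for e in sorted(have - expected_entitlements(rec)):
            rows.append((rec.dept, rec.user, e, "EXCEPTION"))
    return rows

if __name__ == "__main__":
    alice = HrRecord("alice", "active", "accountant", "FIN")
    access = expected_entitlements(alice)
    alice, access = transfer(alice, "ENG", access)
    print(sorted(access))          # FIN ledger access gone, ENG ledger access added
    bob = HrRecord("bob", "active", "dept_admin", "ENG")
    store = {"alice": access,
             "bob": {"erp:hr:view", "ledger:ENG:read", "erp:payroll:run"}}
    for row in certification_report([alice, bob], store):
        print(row)                 # erp:payroll:run is not explained by bob's role
```

The design choice worth noting is that the only inputs to `expected_entitlements` are HR attributes; nothing a local administrator types in can change what the role means, which is the standardization the interviewees found missing. The certification report then has a precise meaning: it lists exactly the access that the automated rules did not produce, so a department head is asked to attest only to the exceptions rather than to every entitlement.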
This work contributes to the body of research on ERP by extending the knowledge into the increasingly
significant area of system security. By investigating the relationship between ERP and CIAM, we are able to
provide insight for researchers who are studying ERP security infrastructure or considering embarking upon
research in this promising area. We have also developed a conceptual framework, using TOE theory as a
basis, for examining the factors that affect the implementation of a CIAM; many of these factors are lapses
in IT governance. Additionally, our results offer practical advice to IT professionals and managers, whether
they are considering a CIAM implementation or have already completed one. Given the common challenges
of system security, mounting compliance mandates and the need to decrease costs, we expect interest in
CIAM to continue.

References

Aldhizer G. The insider threat. Intern Audit 2008;65(2):71–3.
Antón A, Earp JB, Young J. How internet users' privacy concerns have evolved since 2002. IEEE Secur Priv 2010;8:21–7.
Babey E. Costs of enterprise resource planning system implementation — and then some. New Dir High Educ 2006;136:21–33.
Baldwin A, Mont MC, Beres Y, Shiu S. Assurance for federated identity management. J Computer Sec 2010;18(4):519–50.
Bowen PL, Cheung MD, Rohde FH. Enhancing IT governance practices: a model and case study of an organization's efforts. Int J
Account Inf Syst 2007;8:191–221.
Boyle RJ, Panko RR. Corporate computer security. 3rd ed. Pearson; 2012.
Bradford M, Florin J. Examining the role of innovation diffusion factors on the implementation success of enterprise resource
planning systems. Int J Account Inf Syst 2003;4(3):205–25.
Brazel J, Dang L. The effect of ERP system implementations on the management of earnings and earnings release dates. J Inf Syst
2008;22(2):1–21.
Chandra A, Calderon TG. Toward a biometric security layer in accounting systems. J Inf Syst 2003;17(2):51–70.
Cooper DJ, Morgan W. Case study research in accounting. Account Horizons 2008;22(2):159–78.
D'Costa-Alphonso M, Lane M. The adoption of single sign-on and multifactor authentication in organisations — a critical evaluation
using TOE framework. Issues Informing Sci Inf Technol 2010;7:161–89.
Davis FD. Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Q 1989;13(3):319–39.
Davis FD, Bagozzi RP, Warshaw PR. User acceptance of computer technology: a comparison of two theoretical models. Manag Sci
1989;35(8):982–1003.
DePietro R, Wiarda E, Fleischer M. The context for change: organization, technology, and environment. In: Tornatzky LG,
Fleischer M, editors. The processes of technological innovation. New York (NY): Lexington Books; 1990. p. 151–75.
Dhillon G. Guest editorial: the challenge of managing information security. Int J Inf Manag 2004;24:3–4.
Dilnutt R. Knowledge management in practice: three contemporary case studies. Int J Account Inf Syst 2002;3:75–81.


Etges R. The impact of governance on identity management programs. ISACA J 2011;5:1–4. [Available: http://www.isaca.org/Journal/
Past-Issues/2011/Volume-5/Pages/The-Impact-of-Governance-on-Identity-Management-Programs.aspx. Accessed: 29.09.2013].
Feagin J, Orum A, Sjoberg G, editors. A case for case study. Chapel Hill (NC): University of North Carolina Press; 1991.
Goel S, Shawky HA. Estimating the market impact of security breach announcements on firm values. Inf Manag 2009;46:404–10.
Grabski SV, Leech SA, Schmidt PJ. A review of ERP research: a future agenda for accounting information systems. J Inf Syst 2011;25:
37–78.
Gregory PH. Managing identities in hybrid worlds. Info Sec. 2013;15(3):14–9. [http://media.techtarget.com/deu/april_ism_109109.html].
Griffeth D. Making the case for enterprise IAM centralized access control. Technical guide on managing identities and access control;
2010. p. 3–4. [http://viewer.media.bitpipe.com/1276198763_637/1293124694_93/1217_ISM_eB_ManagingIdentityAccess.pdf].
Hitchens M, Varadharajan V. Design and specification of role based access control policies. Software IEEE Proc 2000;147(4):117–29.
InCommon. InCommon Federation. 2003. [Available: http://www.incommonfederation.org/federation/. Accessed:20.08.13].
Institute of Internal Auditors. Global technology audit guide. [Available: http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/
Privacy/DownloadableDocuments/GTAG9IdentAccessMgmt.pdf. Accessed: 22.08.2013].
Internet2 Middleware Initiative. Identity and access management. 2007. [Available: http://www.internet2.edu/pubs/200703-IS-
MW.pdf. Accessed:21.08.13].
Jans M, Lybaert N, Vanhoof K. Internal fraud risk reduction: results of a data mining case study. Int J Account Inf Syst
2010;11(1):17–41.
Jones L, Antón AI, Earp JB. Towards understanding user perceptions of digital identity technologies, sixth workshop on privacy in the
electronic society (WPES'07); 2007. p. 91–8. [Arlington, (VA)].
Kaur H. Identity and access management: its role in Sarbanes–Oxley compliance. ISACA J 2011;6:1–6.
Kho N. The changing face of identity management. Econtent 2009;32(3):20–5.
Lee CP, Shim JP. An exploratory study of radio frequency identification (RFID) adoption in the healthcare industry. Euro J Inf Syst
2007;16(6):712–24.
Lightle SS, Vallario CW. Segregation of duties in ERP. Intern Audit 2003;60(5):27.
Loshin D. Knowledge integrity: data ownership. 2002. [Available: http://www.datawarehouse.com/article/?articleid=3052. Accessed:
21.08.13].
McQuaide B. Identity and access management: transforming e-security into a catalyst for competitive advantage. Inf Syst Control J
2003:4.
Mishra AN, Konana P, Barua A. Antecedents and consequences of internet use in procurement: an empirical investigation of U.S.
manufacturing firms. Inf Syst Res 2007;18:103–20.
O'Leary D. Enterprise resource planning (ERP) systems: an empirical analysis of benefits. J Emerg Technol Account 2004;1:63–72.
Oliver D, Romm E. Issues in university administrative systems: a regional Australian case. Proceedings of the 15th annual conference
of the International Academy for Information Management; 2000. [Brisbane, Australia].
Oracle Identity Management. Information secured: manage the end to end user identity lifecycle. Oracle identity management. 2009.
[Available: http://www.oracle.com/ru/products/middleware/identity-management/026095.pdf. Accessed: 20.08.13].
Patton MQ. Qualitative evaluation and research methods. Newbury Park (CA): Sage Publications; 1990.
Pereira J. Breaking the code: how credit-card data went out the wireless door. Wall Str J 2007. p. A1 [Available: http://online.wsj.
com/article/SB117824446226991797.html. Accessed:21.08.13].
Rai S, Chukwuma P. Top 10 security and privacy topics for IT auditors. ISACA J 2011;6:1–5. [Available: http://www.isaca.org/Journal/
Past-Issues/2010/Volume-2?pages?Top-10Security-and-Privacy-Topics-for-IT-Auditors1.aspx. Accessed: 20.08.13].
Raywood D. As the insider threat has increased over 2010, warnings made that more efficient technology is needed. 2010. [Available:
http://www.scmagazineuk.com/as-the-insider-threat-has-increased-over-2010-warnings-made-that-more-efficient-technology-
is-needed/printarticle/192889/. Accessed: 21.08.13].
Romer H. Security inside out. 2008. [Available:http://www.oracle.com/us/products/059502.pdf. Accessed: 20.08.13].
Sandhu RS, Coyne EJ, Feinstein HL, Youman CE. Role-based access control models. Computer 1996;29(2):38–47.
Scapens RW, Jazayeri M. ERP systems and management accounting change: opportunities or impact. Eur Account Rev 2003;12(1):
201–33.
She W, Thuraisingham B. Security for enterprise resource planning systems. Inf Syst Security 2007;16:152–63.
Stake RE. In: Denzin N, Lincoln Y, editors. Handbook of qualitative research. 2nd ed. Thousand Oaks (CA): Sage Publications; 2000.
Sullivan D. The definitive guide to security management. Channel partner real time publications. 2009. [Available: http://www2.tech.
purdue.edu/cit/courses/cpt443/resources/assignments/ca_security_mgmt.pdf 2007. Accessed: 23.08.13].
Tornatzky LG, Fleischer M. The processes of technological innovation. Lexington (MA): Lexington Books; 1990.
Torres J, Thomas B. Best practices for technology enablement of internal controls. Presentation at the American Accounting
Association Information Systems Section Midyear Conference; January 2009.
Van de Riet R, Janssen W, de Gruijter P. Security moving from database systems to ERP systems. Proceedings of the Ninth
International Workshop on Database and Expert Systems Applications; 1998. p. 273–80.
Van Grembergen W, De Haes S. Enterprise governance of information technology: achieving strategic alignment and value. Springer;
2009.
Venkatesh V, Morris MG, Davis GB, Davis FD. User acceptance of information technology: toward a unified view. MIS Q 2003;27(3):
425–78.
Wagner W, Antonucci YL. The imaginePA project: the first large-scale public sector ERP implementation. Inf Syst Manage 2009:
275–84.
Wang H, Cao J, Zhang Y. A flexible payment scheme and its role-based access control. IEEE Trans Knowl Data Eng 2005;17(3):425–36.
Wayman JL. Biometrics in identity management systems. IEEE Secur Priv 2008;6(2):30–7.
Weill P, Ross J. IT governance: how top performers manage IT decision rights for superior results. Boston (MA): Harvard Business
Review Press; 2004.
Wright A, Wright S. Information systems assurance for enterprise resource planning systems: unique risk considerations. J Inf Syst
2002;16:99–113.
Yin RK. Case study research: design and methods. Thousand Oaks (CA): Sage Publications; 2003.


Zhu K, Kraemer K. Post-adoption variation in usage and value of e-business by organizations: cross-country evidence from the retail
industry. Inf Syst Res 2005;16(1):61–84.
Zhu K, Kraemer K, Sean Xu K. Electronic business adoption by European firms: a cross-country assessment of the facilitators and
inhibitors. Euro J Inf Syst 2003;12(4):251–68.
