www.emeraldinsight.com/1832-5912.htm
JAOC 5,4
The role of internal auditors in ERP-based organizations
Haider H. Madani
Department of Accounting and MIS, College of Industrial Management, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia
Received 9 April 2008
Revised 25 March 2009, 30 June 2009
Accepted 10 July 2009

Abstract
Purpose – The purpose of this paper is to develop a theoretical framework that will help to examine
the role of internal auditors (IAs) in enterprise resource planning (ERP) based organizations. An ERP
integrates all organizational functions in one powerful system that drives the organization
strategically and also presents new challenges to the internal audit function.
Design/methodology/approach – A literature review is undertaken to highlight the role of IAs in
an ERP environment.
Findings – The framework depicts the new relationships which the ERP system requires between
the IAs and five associated groups: software vendors, information systems, information technology
managers, ERP users, and consultants. ERP also gives internal auditors an enabling technology to
advise management on the implications of ERP for risk intelligence.
Research limitations/implications – This is a conceptual paper that has implications for internal
auditing practice. Academic researchers will find this framework useful for testing in the field.
Practitioners will also benefit from this model when assessing the role of IAs in an ERP environment.
Originality/value – Prior research in the auditing field has overlooked this issue. This paper will
attempt to fill such an apparent gap in prior research and will help motivate further research in this
field.
Keywords Manufacturing resource planning, Internal auditing, Internal control
Paper type Conceptual paper
1. Introduction
An enterprise resource planning (ERP) system is a set of business application software
modules that integrates all organizational functions, including human resources,
finance, manufacturing, sales, and distribution. Examples of major ERP software
vendors are Oracle and SAP. The adoption of an ERP system brings about new
changes to the organization and its information systems (ISs). The ERP system with its
integrated built-in controls becomes an enabling technology for internal auditors (IAs)
to maintain effective controls over operations and provides assurance of reliable
transaction information consistent with the organization’s goals and objectives. While
the objectives of the internal control function remain the same, the mechanism of
controls and the control procedures change. Traditional controls, such as separation of
responsibilities, will not be cost-effective in the ERP system and may not be able to
deliver the required level of control (Chapman, 1998a).
Previous studies of ERP focused on implementation and post-implementation, with
particular emphasis on its impact on internal auditing, but offered only a few insights
into the auditor's role. This paper seeks to fill such an apparent gap in prior research
by focusing on the role of IAs in ERP-based organizations. The remainder of the paper
is organized as follows. Section 2 provides a literature review. Section 3 discusses ERP
threats and internal control procedures. Section 4 presents a framework for the role of
IAs in ERP-based organizations. Section 5 concludes the paper and outlines some
directions for future research.

Journal of Accounting & Organizational Change, Vol. 5 No. 4, 2009, pp. 514-526. © Emerald Group Publishing Limited, 1832-5912. DOI 10.1108/18325910910994702
The author gratefully acknowledges the logistical support provided by King Fahd University of Petroleum and Minerals.
2. Literature review
Previous studies in the area of ERP have focused on the implementation phase and
the post-implementation phase (Esteves and Pastor, 2001; Verville, 2000). The key
ideas of those studies consist of problems and challenges during the implementation,
organizational change, political and management influence, and employees’
behavior. For example, Gibson et al. (1999) state that ERP implementation needs a
different approach which focuses on business process design, software configuration,
and project management by de-emphasizing the technical side of implementation.
Boudreau and Robey (1999), meanwhile, propose a framework to guide research
on ERP linked to organizational change as a process. Also, Koh et al. (2000) employ the
framework, based on a process theory approach, to understand and describe the ERP
implementation experiences of organizations. Davenport (1998) mentions that ERP
implementation process roles, responsibilities, and skill-sets are substantially different
from those associated with a traditional implementation.
Series of studies also have been carried out to provide the critical success factors in
implementing ERP: namely Al-Mashari et al. (2003), Akkermans and van Helden
(2002), Hong and Kim (2002), Nah et al. (2001), Soliman et al. (2001) and Scott and
Vessey (2000). In more specific studies, Verville et al. (2005) and Verville and Halingten
(2003, 2002) discuss the critical factors for successful acquisitions of ERP software
and technologies. In addition, Al-Mashari and Zairi (2000) attempt to recommend a
model of best ERP practices in organizations.
Several other studies have investigated the impact of ERP on internal auditing
activities, internal control mechanisms and the quality of information generated from
this initiative. For example, Xu et al. (2002), in a case-study in two large Australian
organizations, highlight the data quality issues in implementing ERP, and their study
resulted in the development of a framework for understanding those issues and applying
this framework. Lightle and Vallario (2003) discuss the potential segregation of duties in
ERP-based organizations. Little and Best (2003) furthermore built a framework to
address potential threats to the separation of duties in an ERP environment. Zhao et al.
(2004) elaborate the auditing activities in electronic commerce, but their study does not
specifically discuss the role of IAs in ERP-based organizations.
The above discussion suggests that previous studies have overlooked the role and
function of IAs in an ERP environment. In this paper, I attempt to address why it is
important to reassess the role of IAs in the ERP environment.
In order to counter those threats, Best et al. (1997) classified the following four major
strategies:
(1) Authentication. This strategy aims to restrict entry into the system by
authenticating users properly, using usernames with passwords, challenge-response
systems, biometrics, and smart cards (Pfleeger, 1989; Carroll, 1987).
(2) Access control. This strategy is designed to prevent unauthorized user activities
through browsing. Its purpose is to restrict users’ access to data and functions
within the system in order to prevent unauthorized use (Ferraiolo et al., 1992).
(3) Cryptography. This strategy involves encoding data so that it will not be
understandable if it is revealed through unauthorized access. This technique
can be applied to data files, passwords, online transactions, and other sensitive
data (Davies and Price, 1989).
(4) Audit trail analysis. This countermeasure strategy is a post hoc analysis of the
records of user activities in the detailed system logs to detect failed attempts to
perform unauthorized functions and to highlight unusual patterns of user
behavior, such as logins after hours.
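The audit trail analysis strategy (4) is the one of the four that can be demonstrated directly on data. The following is an added example, not code from the paper or from Best et al.'s MIATA tool: it runs the two detections the text names, repeated failed attempts to execute a function the user is not authorized for, and logins after hours, over a constructed ERP-style audit trail. The pipe-delimited log format, the user IDs, the transaction codes, the 08:00-18:00 business window and the denial threshold of three are all assumptions made for the illustration.

```python
"""Audit trail analysis over constructed ERP-style log lines.

Added example (not from the paper): flags (a) repeated failed attempts to
execute functions a user is not authorized for and (b) logins outside
business hours. The log format, user IDs, transaction codes, business
window and threshold are hypothetical.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail, one record per line:
# "timestamp|user|event|detail|result"
SAMPLE_LOG = """\
2009-03-02 08:55:12|jsmith|LOGIN|term01|OK
2009-03-02 09:02:40|jsmith|EXEC|PAY_RUN|OK
2009-03-02 09:10:03|mlee|EXEC|VENDOR_CHANGE|DENIED
2009-03-02 09:10:21|mlee|EXEC|VENDOR_CHANGE|DENIED
2009-03-02 09:11:05|mlee|EXEC|VENDOR_CHANGE|DENIED
2009-03-02 17:45:00|mlee|LOGOUT|term07|OK
2009-03-02 23:17:44|rkhan|LOGIN|term03|OK
2009-03-02 23:19:02|rkhan|EXEC|POST_JOURNAL|OK
2009-03-03 06:30:10|admin2|LOGIN|term09|OK
"""

BUSINESS_HOURS = (8, 18)   # assumption: 08:00 <= login hour < 18:00 is "in hours"
DENIAL_THRESHOLD = 3       # assumption: flag a user after this many denials on one function


def parse_log(text):
    """Parse the pipe-delimited trail into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 5:
            continue
        ts, user, event, detail, result = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "user": user, "event": event, "detail": detail, "result": result,
        })
    return records


def after_hours_logins(records, hours=BUSINESS_HOURS):
    """Return (user, timestamp) for successful logins outside business hours."""
    start, end = hours
    return [(r["user"], r["ts"]) for r in records
            if r["event"] == "LOGIN" and r["result"] == "OK"
            and not (start <= r["ts"].hour < end)]


def repeated_denials(records, threshold=DENIAL_THRESHOLD):
    """Return {(user, function): count} where a user was denied a function
    at least `threshold` times, i.e. repeated attempts at unauthorized use."""
    counts = defaultdict(int)
    for r in records:
        if r["event"] == "EXEC" and r["result"] == "DENIED":
            counts[(r["user"], r["detail"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def analyse(text):
    """Run both detections over a raw log text and return the findings."""
    records = parse_log(text)
    return {
        "after_hours": after_hours_logins(records),
        "denials": repeated_denials(records),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for user, ts in report["after_hours"]:
        print(f"after-hours login: {user} at {ts}")
    for (user, func), n in report["denials"].items():
        print(f"{n} denied attempts by {user} on {func}")
```

On the sample trail the script reports the 23:17 and 06:30 logins as after-hours and flags mlee's three denied attempts at VENDOR_CHANGE; a single denial is left alone, since one failed call is ordinary user error rather than a pattern. A real trail would also need the log itself protected from the users it records, which is the access control strategy (2) applied to the audit data.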
Figure 1. The relationship between the IA and various associated groups in ERP implementation

. Strategists. Strategists are involved with the strategic planning and decision
making of the organization. They develop an understanding of business
process reengineering with users, including management, and facilitate the
consultants' work.
. ERP experts. ERP experts evaluate the control features of an ERP system and
assess current and future risk exposure. They also highlight the importance of
soft controls and delegate the accountability of control.
. Communicators. Communicators maintain the relationships among all parties
across the organization and facilitate the adoption of audit controls with users, as
well as with consultants from outside the company.
. IT experts. IT experts update and unify terminology to take advantage of the
integrated nature of the ERP system. They share expertise, knowledge, and ideas
with IS/IT management.
As a strategist, the IA provides top management with advice that helps management to
set the corporate objectives. According to the Committee of Sponsoring Organizations
(COSO) Enterprise Risk Management framework, the organization's mission and risk
appetite drive its objective-setting process, which defines high-level strategic objectives
and the specific objectives required to accomplish them, namely the operating, financial
reporting, and compliance objectives (Ramamoorthi and Weidenmier, 2006). Strategic
objectives affect the organization's choice of ERP infrastructure and risk level.
In addition, Pierce (2007) proposes five duties of the IA as a strategist in ensuring the
success of ERP implementation.
These five duties are:
(1) Secure executive sponsorship and create awareness for program risk
management. This helps to enlist the support and resources necessary for a
successful risk management program.
(2) Take a holistic approach to identifying programs at risk. A broad strategic
perspective helps the IA to better understand and prioritizes the program-risk
landscape, with its wide-ranging and often disparate risk elements.
(3) Create an active and ongoing program risk management process. Such an
ongoing process entails regular audits, the ability to track the trends relating
to a program, and faster follow-up on remediation plans. It allows IAs to
identify the risks more quickly and to alert the stakeholders.
(4) Build a program audit team with the necessary specialized skills and
experience. Having the right people with the right skills to focus on program
risk can make the difference between success and failure in risk management.
(5) Include program issues in a consolidated risk analysis. The prioritization of
programs, based on their inherent risk, assumes that all challenges facing those
programs are risks.
As an ERP expert, the IA is needed to ensure that the ERP system does not compromise the
internal control mechanism. Arens and Loebbecke (2000) further propose four general
guidelines for the separation of duties, which can be applied in an ERP-based
organization:
(1) Separation of the custody of assets from accounting. This prevents a person
with custody of an asset from disposing of the asset and adjusting the records to
conceal the action.
(2) Separation of the authorization of transactions from the custody of related
assets. The authorization of a transaction and the handling of the related asset
by the same person increases the opportunity for fraud.
(3) Separation of operational responsibility from record-keeping responsibility. If a
division is responsible for preparing its own records and reports, there may be a
tendency to bias the results to improve its reported performance.
(4) Separation of information technology duties from duties of key users outside IT.
Program modifications should be performed only by authorized IT personnel.
Users outside IT should be responsible for authorizing transactions, online data
entry, correction of errors in input, and reviews of output from the system.
In ERP environments with thousands of users accessing the system online, the only
way to separate duties within the computer system is to assign authorizations and
profiles to users which prevent them from performing incompatible functions
(Little and Best, 2003). Therefore, being an ERP expert, the IA should be involved at an
early stage in the planning process for the implementation of any ERP system. During
the system-design phase, management should charge cross-functional teams with
creating appropriate job authorization assignments before establishing system access
for employees (Lightle and Vallario, 2003). Moreover, the IAs also help management to
develop the user authorization request and approval process by talking directly with
business process owners to review individual job responsibilities and to investigate the
rationale behind any dual assignments (Lightle and Vallario, 2003).
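Since Little and Best (2003) make authorization profiles the only practical separation mechanism at ERP scale, the check an IA would want is mechanical: which users hold authorizations on both sides of an incompatible pair? The following is an added example, not code from the paper, from Little and Best, or from any ERP vendor's own SoD tooling. It encodes the four Arens and Loebbecke guidelines as pairs of incompatible duty categories, maps constructed transaction codes (loosely modelled on the transaction-code idea of SAP R/3, but invented here) to those categories, and reports each user whose combined role assignments violate a pair. The duty names, transaction codes, roles and user assignments are all assumptions; in a live system they would be read from the authorization tables rather than typed in.

```python
"""Separation-of-duties check over ERP user authorizations.

Added example (not from the paper or any ERP product): the four Arens and
Loebbecke guidelines become pairs of incompatible duty categories; each
hypothetical transaction code is tagged with one category; a user is
flagged when their roles grant transactions on both sides of a pair.
"""
from itertools import combinations

# Duty categories (hypothetical names for the guideline's terms)
CUSTODY, RECORDING, AUTHORIZATION, OPERATIONS, IT_CHANGE, BUSINESS_USE = (
    "custody", "recording", "authorization", "operations", "it_change", "business_use")

# The four guidelines, expressed as incompatible pairs
CONFLICT_RULES = {
    frozenset({CUSTODY, RECORDING}): "custody of assets vs. accounting",
    frozenset({AUTHORIZATION, CUSTODY}): "authorization vs. custody of related assets",
    frozenset({OPERATIONS, RECORDING}): "operational responsibility vs. record-keeping",
    frozenset({IT_CHANGE, BUSINESS_USE}): "IT program changes vs. business user duties",
}

# Hypothetical transaction codes -> duty category
TRANSACTION_DUTY = {
    "CASH_DISBURSE": CUSTODY,       # release payments
    "GL_POST": RECORDING,           # post journal entries
    "PO_APPROVE": AUTHORIZATION,    # approve purchase orders
    "GOODS_RECEIPT": CUSTODY,       # take physical custody of inventory
    "PROD_REPORT": OPERATIONS,      # report a plant's own production output
    "PROG_CHANGE": IT_CHANGE,       # modify or transport program code
    "INVOICE_ENTRY": BUSINESS_USE,  # online data entry by a business user
}

# Hypothetical roles -> transaction codes they grant
ROLE_TRANSACTIONS = {
    "AP_CLERK": {"INVOICE_ENTRY"},
    "TREASURY": {"CASH_DISBURSE"},
    "GL_ACCOUNTANT": {"GL_POST"},
    "PURCHASING_MGR": {"PO_APPROVE"},
    "WAREHOUSE": {"GOODS_RECEIPT"},
    "PLANT_SUPERVISOR": {"PROD_REPORT"},
    "ABAP_DEV": {"PROG_CHANGE"},
}

# Constructed user -> role assignments (the "dual assignments" the IA reviews)
USER_ROLES = {
    "alice": {"AP_CLERK", "GL_ACCOUNTANT"},    # entry + posting: no rule pairs these
    "bob": {"TREASURY", "GL_ACCOUNTANT"},      # custody + recording
    "carol": {"PURCHASING_MGR", "WAREHOUSE"},  # authorization + custody
    "dave": {"ABAP_DEV", "AP_CLERK"},          # IT change + business use
    "erin": {"PLANT_SUPERVISOR"},              # single role
}


def user_duties(user, user_roles=USER_ROLES, role_tx=ROLE_TRANSACTIONS,
                tx_duty=TRANSACTION_DUTY):
    """Expand a user's roles into the set of (transaction, duty) pairs they can perform."""
    duties = set()
    for role in user_roles.get(user, ()):
        for tx in role_tx.get(role, ()):
            duties.add((tx, tx_duty[tx]))
    return duties


def sod_conflicts(user, **kw):
    """Return [(rule description, tx_a, tx_b)] for every incompatible pair the user holds."""
    duties = user_duties(user, **kw)
    findings = []
    for (tx_a, duty_a), (tx_b, duty_b) in combinations(sorted(duties), 2):
        rule = CONFLICT_RULES.get(frozenset({duty_a, duty_b}))  # same-duty pairs never match
        if rule:
            findings.append((rule, tx_a, tx_b))
    return findings


def audit_all(user_roles=USER_ROLES):
    """Run the check for every user; only users with findings are returned."""
    report = {}
    for user in sorted(user_roles):
        findings = sod_conflicts(user, user_roles=user_roles)
        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit_all().items():
        for rule, tx_a, tx_b in findings:
            print(f"{user}: {rule} ({tx_a} + {tx_b})")
```

Each finding names the guideline breached and the two transactions that breach it, which is the information the IA needs when questioning a business process owner about the rationale for a dual assignment. The check is deliberately over the effective transaction set rather than the role names, because two harmless-looking roles can still combine into a conflict, as with bob's treasury and general-ledger roles above.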
As mentioned above, IAs play the role of communicator. Lack of communication
may cause data quality problems, thus affecting the data integrity in ERP. IAs ensure
that adequate documentation of the ERP system is prepared and provided to users to
follow. They must encourage multiple communication channels, invite feedback, and
enable fast corrective measures when necessary. Xu et al. (2002) state that
successful ERP implementation depends on understanding and communication
between different systems and different functional divisions. It depends also
on frequent communication among IT professionals and business professionals
to enhance their mutual understanding. Furthermore, the vital process of addressing
the potential risks or threats of ERP implementation depends on direct communication
between the IAs and the executives, the audit committee and the board of directors.
An IA also plays a role in the organization as an IT expert. There may be difficulty in
obtaining IAs with extensive information technology skills. However, a substantial
understanding of those technical requirements will enhance the IA's role in
implementing ERP. The IA assists IT experts to develop a reliable system, which can
produce highly reliable information quickly. A reliable system is one that operates
without material error, fault or failure during a specified time in a specified
environment (Zhao et al., 2004). Zhao et al. also state that a reliable system must achieve
the following four principles:
(1) Availability. The system is available for operation and use at times set forth in
service agreements.
(2) Security. The system is protected against unauthorized physical and logical
access. Logical access is the ability to read or manipulate data through remote
access.
(3) Integrity. System processing is complete, accurate, timely and in accordance
with the entity’s transaction approval and output distribution policy.
(4) Maintainability. The system can be updated in a manner that provides
continuous availability, security and integrity.
An ERP system drives the organization strategically, and it entails many changes to
the audit process. These changes affect the business processes, the information
technology, and the ERP software version. Ultimately, these changes affect the internal
audit function, and they oblige the IAs to develop new expertise. IAs need to identify
internal and external sources of risk and their effects on controls, to evaluate the
adequacy of resources, and to assess the effects on control procedures (Gibbs, 1998).
Figure 2 shows the revised role of the IA with the various associated groups in the
post-implementation phase of ERP.
As shown in Figure 2, the internal audit functions need to be seen in a fuller context,
which includes:
. Developers. Understand control processes and perhaps seek a consultant's advice
in the case of continuous process reengineering. Review business workflow and
continue process monitoring. Ensure historical data warehousing is accurate,
consistent, and complete for future intelligent decisions.
. Service providers. Share knowledge and expertise with and provide services to
both IS/IT managers and users.
. Maintainers. Maintain close contact with the vendor to ensure the adequacy of
configuration change control of the ERP system.

Figure 2. The role of the IA in post-ERP implementation
There can be a number of directions for future research in the ERP field. For example, the
frameworks shown in this paper can be used for future research to empirically examine
the validity and usefulness of this proposed model in ERP-based organizations using
survey questionnaire and case-method approaches. This research would help in gaining
insights into the new roles and functions of IAs, in particular, assessing the relationship
between IAs and various associated groups: software vendors, ISs, IT managers, ERP
users, and consultants, in the pre- and post-ERP implementation stages.
Second, while ERP systems provide powerful technologies capable of
integrating, analyzing and reporting information from all of the company's functions
(technical, operational, and financial), they expose user organizations to various kinds
of risks and potential threats, as illustrated in the paper. Future research can also be
directed to identify these new risks and threats and how countering them
has strategically affected the role and functions of IAs in ERP-based
organizations. Importantly, this research can also investigate what countermeasure
strategies, risk control mechanisms and solutions ERP-based organizations have
developed and implemented, the role of IAs in the design, implementation and
monitoring stages, and the adequacy of these mechanisms and solutions.
Third, ERP systems have strategically changed not only the roles and
functions of IAs, but also the internal audit environment. Future research can be directed
to study the skills, knowledge, capabilities and experiences IAs must have in order to
carry out their roles and functions in ERP organizations, and to what extent these
organizations have been successful in this respect.
References
Akkermans, H. and van Helden, K. (2002), "Vicious and virtuous cycles in ERP implementation:
a case study of interrelations between critical success factors", European Journal of
Information Systems, Vol. 11 No. 1, pp. 35-46.
Al-Mashari, M. and Zairi, M. (2000), “The effective application of SAP R/3: a proposed model of
best practice”, Logistics Information Management, Vol. 13 No. 3, pp. 156-66.
Al-Mashari, M., Al-Mudimigh, A. and Zairi, M. (2003), “Enterprise resource planning:
a taxonomy of critical factors”, European Journal of Operational Research, Vol. 146 No. 2,
pp. 352-64.
Arens, A.A. and Loebbecke, J.K. (2000), Auditing: An Integrated Approach, 8th ed., Prentice-Hall,
Upper Saddle River, NJ.
Bancroft, N., Seip, H. and Sprengel, A. (1998), Implementing SAP R/3: How to Introduce a Large
System into a Large Organization, Manning, Greenwich, CT.
Best, P., Mohay, G. and Anderson, A. (1997), "MIATA: a machine independent audit trail
analyser", Australian Computer Journal, Vol. 29 No. 2, pp. 57-63.
Boudreau, M.C. and Robey, D. (1999), “Critical issues affecting an ERP implementation”,
Information Systems Management, Vol. 16 No. 3, pp. 7-14.
Brown, W. and Nasuti, F. (2005), “What ERP systems can tell us about Sarbanes-Oxley”,
Information Management & Computer Security, Vol. 13 No. 4, pp. 311-23.
Carroll, J.M. (1987), Computer Security, 2nd ed., Butterworths, Stoneham, MA.
Chapman, C. (1998a), “Just do it: an interview with Michael Hammer”, Internal Auditor, Vol. 55
No. 3, pp. 38-41.
Chapman, C. (1998b), “Update”, Internal Auditor, Vol. 55 No. 1, pp. 11-12.
Clark, D. and Wilson, D. (1987), “A comparison of commercial and military computer security
policies”, paper presented at the IEEE Symposium on Security and Privacy, IEEE
Computer Society Press, Oakland, CA.
Davenport, T. (1998), “Putting the enterprise into the enterprise system”, Harvard Business
Review, Vol. 76 No. 4, pp. 121-31.
Davies, D.W. and Price, W.L. (1989), Security for Computer Networks, 2nd ed., Wiley,
New York, NY.
Dittenhofer, M. (2001), "Reengineering the internal auditing organization", Managerial Auditing
Journal, Vol. 16 No. 8, pp. 458-68.
Esteves, J. and Pastor, J. (2001), “Enterprise resource planning systems research: an annotated
bibliography”, Communications of the AIS, Vol. 7 No. 8, pp. 1-52.
Ferraiolo, D.F., Gilbert, M.D. and Lynch, N. (1992), Assessing Federal and Commercial
Information Security Needs (USA), National Institute of Standards and Technology,
Gaithersburg, MD.
Gibbs, J. (1998), “Going live with SAP”, Internal Auditor, Vol. 55 No. 3, pp. 70-5.
Gibson, J., Holland, C. and Light, B. (1999), “Enterprise resource planning: a business approach to
systems development”, Proceedings of the 32nd Hawaii International Conference on
System Sciences, Vol. 7, pp. 163-8.
Glover, S.M., Prawitt, D.F. and Romney, M.B. (1999), “Implementing ERP”, Internal Auditor,
Vol. 56 No. 4, pp. 47-53.
Hespenheide, E., Pundmann, S. and Corcoran, M. (2007), “Risk intelligence: internal auditing in a
world of risk”, Internal Auditing, Vol. 22 No. 4, pp. 3-10.
Hong, K.-K. and Kim, Y.-G. (2002), “The critical success factors for ERP implementation:
an organizational fit perspective”, Information & Management, Vol. 40 No. 1, pp. 25-40.
Koh, C., Soh, C. and Markus, L. (2000), “A process theory approach to analyzing ERP
implementation and impacts: the case of Revel Asia”, Journal of Information Technology
Cases and Applications, Vol. 2 No. 1, pp. 4-23.
Lightle, S. and Vallario, C. (2003), “Segregation of duties in ERP”, Internal Auditor, Vol. 60 No. 5,
pp. 27-31.
Little, A. and Best, P.J. (2003), “A framework for separation of duties in an SAP R/3
environment”, Managerial Auditing Journal, Vol. 18 No. 5, pp. 419-30.
Lunt, T.F. (1993), “A survey of intrusion detection techniques”, Computers & Security, Vol. 12
No. 4, pp. 405-18.
Maurizio, A., Girolami, L. and Jones, P. (2007), “EAI and SOA: factors and methods influencing
the integration of multiple ERP systems (in an SAP environment) to comply with
the Sarbanes-Oxley Act", Journal of Enterprise Information Management, Vol. 20 No. 1,
pp. 14-31.
Nah, F.F.-H., Lau, J.L.-S. and Kuang, J. (2001), “Critical success factors for successful
implementation of enterprise systems”, Business Process Management Journal, Vol. 7 No. 3,
pp. 285-96.
Pfleeger, C.P. (1989), Security in Computing, Prentice-Hall, Englewood Cliffs, NJ.
Pierce, T. (2007), "Taming program risk: five critical success factors", Internal Auditing, Vol. 22
No. 5, pp. 3-8.
Ramamoorthi, S. and Weidenmier, M.L. (2006), “ERM under construction: is IT next for ERM?”,
The Internal Auditor, Vol. 63 No. 2, pp. 45-50.
Reid, B. (1987), “Reflections on some recent widespread computer break-ins”, Communications of
the ACM, Vol. 30 No. 2, pp. 103-5.
Romei, L. (1996), “New technology strengthens new commitment”, Managing Office Technology,
Vol. 41 No. 7, pp. 18-20.
Scott, J.E. and Vessey, I. (2000), “Implementing enterprise resource planning systems: the role of
learning from failure”, Information Systems Frontiers, Vol. 2 No. 2, pp. 213-32.
Seeley, D. (1989), “Password cracking a game of wits”, Communications of the ACM, Vol. 32 No. 6,
pp. 700-4.
Smaha, S.E. (1988), “Haystack: an intrusion detection system”, 4th Aerospace Computer Security
Applications Conference, Orlando, FL, December, pp. 37-44.
Soliman, F., Clegg, S. and Tantoush, T. (2001), “Critical success factors for integration of
CAD/CAM systems with ERP systems”, International Journal of Operations & Production
Management, Vol. 21 Nos 5/6, pp. 609-29.
Spafford, E.H. (1989), “The internet worm: crisis and aftermath”, Communications of the ACM,
Vol. 32 No. 6, pp. 678-87.
Srinidhi, B. (1994), “The influence of segregation of duties on internal control judgements”,
Journal of Accounting, Auditing & Finance, Vol. 9 No. 3, pp. 423-44.
Stevens, T. (1997), “Kodak focuses on ERP”, Industry Week, Vol. 246 No. 15, pp. 130-5.
Stoll, C. (1988), "Stalking the wily hacker", Communications of the ACM, Vol. 31 No. 5,
pp. 484-97.
Verville, J. (2000), "An empirical study of organizational buying behavior: a critical investigation
of the acquisition of ERP software", dissertation, Université Laval, Quebec City.
Verville, J. and Halingten, A. (2002), “A qualitative study of influencing factors on the decision
process for acquiring ERP software”, Qualitative Market Research: An International
Journal, Vol. 5 No. 3, pp. 188-98.
Verville, J. and Halingten, A. (2003), “A six-stage model of the buying process for ERP software”,
Industrial Marketing Management, Vol. 32 No. 7, pp. 585-94.
Verville, J., Bernadas, C. and Halingten, A. (2005), “So you’re thinking of buying an ERP?
Ten critical factors for successful acquisitions”, Journal of Enterprise Information
Management, Vol. 18 No. 6, pp. 665-77.
Xu, H.-J., Nord, J.H., Brown, N. and Nord, G.D. (2002), "Data quality issues in implementing an
ERP", Industrial Management & Data Systems, Vol. 102 No. 1, pp. 47-58.
Zairi, M. and Sinclair, D. (1995), "Business process re-engineering and process management:
a survey of current practice and future trends in integrated management", Management
Decision, Vol. 33 No. 3, pp. 3-16.
Zhao, N., Yen, D.C. and Chang, I.-C. (2004), "Auditing in the e-commerce era", Information
Management & Computer Security, Vol. 12 No. 5, pp. 389-400.
Further reading
Gupta, A. (2000), “Enterprise resource planning: the emerging organizational value systems”,
Industrial Management & Data Systems, Vol. 100 No. 3, pp. 114-8.
Corresponding author
Haider H. Madani can be contacted at: madani@kfupm.edu.sa