
The role of internal auditors in ERP-based organizations

Haider H. Madani
Department of Accounting and MIS, College of Industrial Management, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia

Journal of Accounting & Organizational Change, Vol. 5 No. 4, 2009, pp. 514-526
© Emerald Group Publishing Limited, 1832-5912
DOI 10.1108/18325910910994702
Received 9 April 2008; revised 25 March 2009, 30 June 2009; accepted 10 July 2009

The current issue and full text archive of this journal is available at www.emeraldinsight.com/1832-5912.htm

The author gratefully acknowledges the logistical support provided by King Fahd University of Petroleum and Minerals.

Abstract

Purpose – The purpose of this paper is to develop a theoretical framework that will help to examine the role of internal auditors (IAs) in enterprise resource planning (ERP) based organizations. An ERP integrates all organizational functions in one powerful system that drives the organization strategically and also presents new challenges to the internal audit function.

Design/methodology/approach – A literature review is undertaken to highlight the role of IAs in an ERP environment.

Findings – The framework depicts the new relationships which the ERP system requires between the IAs and five associated groups: software vendors, information systems, information technology managers, ERP users, and consultants. ERP also gives internal auditors an enabling technology to advise management on the implications of ERP for risk-intelligence.

Research limitations/implications – This is a conceptual paper that has implications for internal auditing practice. Academic researchers will find this framework to be useful for testing it in the field. Practitioners will also benefit from this model when assessing the role of IAs in an ERP environment.

Originality/value – Prior research in the auditing field has overlooked this issue. This paper will attempt to fill such an apparent gap in prior research and will help motivate further research in this field.

Keywords Manufacturing resource planning, Internal auditing, Internal control

Paper type Conceptual paper

1. Introduction

An enterprise resource planning (ERP) system is a set of business application software modules that integrates all organizational functions, including human resources, finance, manufacturing, sales, and distribution. Examples of major ERP software vendors are Oracle and SAP. The adoption of an ERP system brings about new changes to the organization and its information systems (ISs). The ERP system with its integrated built-in controls becomes an enabling technology for internal auditors (IAs) to maintain effective controls over operations and provides assurance of reliable transaction information consistent with the organization’s goals and objectives. While the objectives of the internal control function remain the same, the mechanism of controls and the control procedures change. Traditional controls, such as separation of responsibilities, will not be cost-effective in the ERP system and may not be able to deliver the required level of control (Chapman, 1998a).

Previous studies of ERP focussed on implementation and post-implementation, with particular emphasis on its impact on internal auditing, but offered only a few insights into the auditor’s role. This paper seeks to fill such an apparent gap in prior research by focusing on the role of IAs in ERP-based organizations. The remainder of the paper is organized as follows. Section 2 provides a literature review. Section 3 discusses ERP threats and internal control procedures. Section 4 presents a framework for the role of IAs in ERP-based organizations. Section 5 concludes the paper and outlines some directions for future research.

2. Literature review

Previous studies in the area of ERP have focused on the implementation phase and the post-implementation phase (Esteves and Pastor, 2001; Verville, 2000). The key ideas of those studies consist of problems and challenges during the implementation, organizational change, political and management influence, and employees’ behavior. For example, Gibson et al. (1999) state that ERP implementation needs a different approach which focuses on business process design, software configuration, and project management by de-emphasizing the technical side of implementation. Boudreau and Robey (1999), meanwhile, propose a framework to guide research on ERP linked to organizational change as a process. Also, Koh et al. (2000) employ the framework, based on a process theory approach, to understand and describe the ERP implementation experiences of organizations. Davenport (1998) mentions that ERP implementation process roles, responsibilities, and skill-sets are substantially different from those related with a traditional implementation.

A series of studies has also been carried out to provide the critical success factors in implementing ERP: namely Al-Mashari et al. (2003), Akkermans and van Helden (2002), Hong and Kim (2002), Nah et al. (2001), Soliman et al. (2001) and Scott and Vessey (2000). In more specific studies, Verville et al. (2005) and Verville and Halingten (2003, 2002) discuss the critical factors for successful acquisitions of ERP software and technologies. In addition, Al-Mashari and Zairi (2000) attempt to recommend a model of best ERP practices in organizations.

Several other studies have investigated the impact of ERP on internal auditing activities, internal control mechanisms and the quality of information generated from this initiative. For example, Xu et al. (2002), in a case-study in two large Australian organizations, highlight the data quality issues in implementing ERP, and their study resulted in the development of a framework for understanding those issues and applying this framework. Lightle and Vallario (2003) discuss the potential segregation of duties in ERP-based organizations. Little and Best (2003) furthermore built a framework to address the potential threat in the separation of duties in an ERP environment. Zhao et al. (2004) elaborate the auditing activities in electronic commerce, but their study does not specifically discuss the role of IA in ERP-based organizations.

The above discussion suggests that previous studies have overlooked the role and function of IAs in an ERP environment. In this paper, I attempt to address why it is important to reassess the role of IAs in the ERP environment.

3. ERP threats and internal control procedures

Highly integrated and fully computerized ISs, for instance in ERP, whilst offering many advantages to a business organization, are easily exposed to many potential threats. According to Little and Best (2003), such threats can come from internal or external intruders attempting to access sensitive information, modify data, enter fraudulent changes to programs, enter fraudulent transactions, and commit other undesirable acts within the system. Various methods have been engaged to attempt those unauthorized functions (Lunt, 1993; Seeley, 1989; Spafford, 1989; Smaha, 1988; Stoll, 1988; Reid, 1987). These can be categorized into five main methods, namely:

(1) passive techniques, such as wiretapping, electromagnetic pickup, concealed transmitters, and electronic eavesdropping;

(2) attempted break-ins or password guessing;

(3) masquerading, such as logging in with the target user’s password and username, tapping into the line between the authorized user’s workstation that has been left logged on to the network;

(4) browsing, whereby authorized users attempt to access unauthorized functions or sensitive data; and

(5) viruses and worms, which are programs that invade systems and are used to gain access to the data, to destroy or manipulate data and applications, or simply to use resources such as storage, memory, and processor time.

In order to counter those threats, Best et al. (1997) classified the following four major strategies:

(1) Authentication. This strategy aims to restrict entry into the system, authenticating the users properly by including usernames with passwords, and by challenge-response systems, biometrics, and smart cards (Pfleeger, 1989; Carroll, 1987).

(2) Access control. This strategy is designed to prevent unauthorized user activities through browsing. Its purpose is to restrict users’ access to data and functions within the system in order to prevent unauthorized use (Ferraiolo et al., 1992).

(3) Cryptography. This strategy involves encoding data so that it will not be understandable if it is revealed through unauthorized access. This technique can be applied to data files, passwords, online transactions, and other sensitive data (Davies and Price, 1989).

(4) Audit trail analysis. This countermeasure strategy is a post hoc analysis of the records of user activities in the detailed system logs to detect failed attempts to perform unauthorized functions and to highlight unusual patterns of user behavior, such as logins after hours.
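
The audit trail analysis strategy in item (4), sketched as an added example that is not part of the original paper: it flags bursts of failed logins, denied attempts to run a function, and logins after hours. The log format, event names, user names, business hours (07:00 to 19:00) and the three-failures-in-five-minutes threshold are all assumptions made for the illustration.

```python
from collections import defaultdict, deque, namedtuple
from datetime import datetime, time, timedelta

Finding = namedtuple("Finding", "rule user detail")

# Assumed policy values for this illustration.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)

# Constructed sample audit trail (not from a real system): timestamp|user|event|detail
SAMPLE_LOG = """\
2009-03-02 08:55:10|amira|LOGIN_OK|-
2009-03-02 09:01:44|amira|TXN_DENIED|post_journal_entry
2009-03-02 09:02:03|amira|TXN_DENIED|post_journal_entry
2009-03-02 14:10:00|omar|LOGIN_FAIL|-
2009-03-02 14:10:20|omar|LOGIN_FAIL|-
2009-03-02 14:10:41|omar|LOGIN_FAIL|-
2009-03-02 14:30:00|omar|LOGIN_OK|-
corrupted entry without separators
2009-03-02 23:47:12|khalid|LOGIN_OK|-
2009-03-03 10:00:00|sara|LOGIN_FAIL|-
2009-03-03 16:00:00|sara|LOGIN_FAIL|-
"""


def parse_log(text):
    """Return (records sorted by time, rejected lines).

    Unparseable lines are kept rather than dropped silently, because a
    damaged stretch of the audit trail is itself something to review.
    """
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        try:
            if len(parts) != 4:
                raise ValueError("expected 4 fields")
            when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            rejected.append(line)
            continue
        records.append((when, parts[1], parts[2], parts[3]))
    return sorted(records), rejected


def analyze(records):
    """Apply the three review rules to time-ordered records."""
    findings = []
    recent_fails = defaultdict(deque)   # user -> failure times inside the window
    denied = defaultdict(int)           # (user, function) -> denied attempts
    for when, user, event, detail in records:
        stamp = when.isoformat(sep=" ")
        if event == "LOGIN_OK":
            # Unusual pattern of behavior: a login outside business hours.
            if not (BUSINESS_START <= when.time() < BUSINESS_END):
                findings.append(Finding("AFTER_HOURS_LOGIN", user, stamp))
        elif event == "LOGIN_FAIL":
            window = recent_fails[user]
            window.append(when)
            while when - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD:
                detail_text = f"{len(window)} failures ending {stamp}"
                findings.append(Finding("FAILED_LOGIN_BURST", user, detail_text))
                window.clear()          # report each burst once
        elif event == "TXN_DENIED":
            # Failed attempt to perform a function the user is not authorized for.
            denied[(user, detail)] += 1
    for (user, function), count in sorted(denied.items()):
        findings.append(Finding("DENIED_FUNCTION", user, f"{function} x{count}"))
    return findings


if __name__ == "__main__":
    parsed, bad_lines = parse_log(SAMPLE_LOG)
    for finding in analyze(parsed):
        print(finding.rule, finding.user, finding.detail)
    print("rejected lines:", len(bad_lines))
```

The two failed logins for the constructed user sara are six hours apart, so they stay below the burst threshold and produce no finding.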

The preceding arguments describe potential threats and countermeasure strategies in computerized organizations in general, which also apply in ERP. Those countermeasures involve technical solutions, which are sometimes not sufficiently relevant to ensure information quality and integrity for an ERP-based organization. Thus, effective internal control procedures are necessary to support the technical countermeasures for ERP. Their importance has been recognized by many scholars, for instance, see Maurizio et al. (2007), Brown and Nasuti (2005), Dittenhofer (2001), Srinidhi (1994), Ferraiolo et al. (1992) and Clark and Wilson (1987).

Hence, the strategic and tactical business requirements of an organization must be the driving force for implementing ERP. An ERP system replaces the huge number of databases in a company with one powerful system capable of integrating, analyzing, and reporting on information from all of the company’s business functions. Programs and data files are fully integrated into one virtual system. There are no subsystems, partitions, or non-interfacing legacy systems that need to be reconciled. ERP also includes advanced control and audit features, such as security profile administration tools, logging capabilities, business workflow, and the fully traceable transaction capabilities. Financial closing entries can be accomplished quickly, in a matter of hours (not weeks, as in the traditional environment). Since the sub-modules are fully integrated, there is no need to do reconciliation activities or journal voucher adjusting entries.

However, the reengineering associated with ERP implementation may lead to inadequate business controls, with the result that management objectives are not met. Many organizational units and departments may have inadequate new controls instead of the controls from the traditional system. Furthermore, due to the real-time nature of an ERP system, many IAs may not be well prepared to accomplish their mission in auditing the business. The traditional audit function would not be sufficient under these circumstances. A detailed design of the business processes, management, and operations must therefore come before the implementation of an ERP system.

It is essential to consider the integrated control procedures while the ERP system is being implemented. IAs have expertise in the area of risk-management, and they have the big-picture perspective of the organization’s business operations, and they are capable of suggesting alternatives to reengineer the organization’s processes to increase efficiency and effectiveness. A detailed analysis of internal controls should come after a broad-based business and system analysis (Glover et al., 1999). Consequently, this ensures that the control processes solve the broader business objectives and mitigate the key business risks.

Internal audit functions are redefined in terms of focus, scope, and range of services, in the light of strategic management, alliance with other appraisal functions, and the need to audit “technical” applications. The IA is now open to a broad range of activities that were not considered previously (Chapman, 1998b). I discuss this issue in turn.

4. Role of IAs in ERP-based organizations

IAs’ contributions are widely recognized in the literature in promoting good corporate governance and implementing a system of internal controls within the organization. They help to reduce the cost of raising capital if the organization is looking for external financial assistance, and also to enhance the share price if it is seeking equity funds. IAs also carry out assurance activities at specific scheduled times to check the adequacy and effectiveness of internal control procedures in the organization.

IAs also report to audit committees at the board level on their findings and opportunities for improvement as required. However, the use of ERP changes the role and function of IAs. Figure 1 shows the framework of the relationship between the IA and the various associated groups in ERP implementation. These groups include software vendors (V), IS and information technology (IT) managers, users (U), and consultants (C).

During ERP implementation, the IA’s roles include the following, in order of execution:

• Strategists. Strategists are involved with the strategic planning and decision making of the organization. They develop an understanding of the business process reengineering with users including management, and facilitate the consultants’ work.

• ERP experts. ERP experts evaluate the control features of an ERP system and assess current and future risk exposure. They also highlight the importance of soft controls and delegate the accountability of control.

• Communicators. Communicators maintain the relationships among all parties across the organization and facilitate the adoption of audit controls with users, as well as with consultants from outside the company.

• IT experts. IT experts update and unify terminology to take advantage of the integrated nature of the ERP system. They share expertise, knowledge, and ideas with IS/IT management.

As a strategist, the IA provides top management with advice that helps management to set the corporate objectives. According to the new Committee on Sponsoring Organizations Enterprise Risk Management, the organization’s mission and risk appetite drive its objective-setting process, which defines high-level strategic objectives and the specific objectives required to accomplish them, namely the operating, financial reporting, and compliance objectives (Ramamoorthi and Weidenmier, 2006). Strategic objectives affect the organization’s choice of ERP infrastructure and risk level. In addition, Pierce (2007) proposes five duties of the IA as a strategist in ensuring the success of ERP implementation.

These five duties are:

(1) Secure executive sponsorship and create awareness for program risk management. This helps to enlist the support and resources necessary for a successful risk management program.

(2) Take a holistic approach to identifying programs at risk. A broad strategic perspective helps the IA to better understand and prioritize the program-risk landscape, with its wide-ranging and often disparate risk elements.

(3) Create an active and ongoing program risk management process. Such an ongoing process entails regular audits, the ability to track the trends relating to a program, and faster follow-up on remediation plans. It allows IAs to identify the risks more quickly and to alert the stakeholders.

(4) Build a program audit team with the necessary specialized skills and experience. Having the right people with the right skills to focus on program risk can make the difference between success and failure in risk management.

(5) Include program issues in a consolidated risk analysis. The prioritization of programs, based on their inherent risk, assumes that all challenges facing those programs are risks.

Figure 1. The relationship between the IA and various associated groups in ERP implementation [diagram not reproduced; labels: U, V, IT/IS, C, IA, Strategists, ERP experts, IT experts, Communicators]

As an ERP expert, the IA is needed to ensure that the ERP system does not compromise the internal control mechanism. Arens and Loebbecke (2000) further propose four general guidelines for the separation of duties, which can be applied in an ERP-based organization:

(1) Separation of the custody of assets from accounting. This prevents a person with custody of an asset from disposing of the asset and adjusting the records to conceal the action.

(2) Separation of the authorization of transactions from the custody of related assets. The authorization of a transaction and the handling of the related asset by the same person increases the opportunity for fraud.

(3) Separation of operational responsibility from record-keeping responsibility. If a division is responsible for preparing its own records and reports, there may be a tendency to bias the results to improve its reported performance.

(4) Separation of information technology duties from duties of key users outside IT. Program modifications should be performed only by authorized IT personnel. Users outside IT should be responsible for authorizing transactions, online data entry, correction of errors in input, and reviews of output from the system.

In ERP environments with thousands of users accessing the system online, the only way to separate duties within the computer system is to assign authorizations and profiles to users which prevent them from performing incompatible functions (Little and Best, 2003). Therefore, being an ERP expert, the IA should be involved at an early stage in the planning process for the implementation of any ERP system. During the system-design phase, management should charge cross-functional teams with creating appropriate job authorization assignments before establishing system access for employees (Lightle and Vallario, 2003). Moreover, the IAs also help management to develop the user authorization request and approval process by talking directly with business process owners to review individual job responsibilities and to investigate the rationale behind any dual assignments (Lightle and Vallario, 2003).
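
An added example, not from the original paper or from any ERP vendor, of checking user authorizations and profiles against the four separation-of-duties guidelines above, with approved dual assignments reported separately from violations. The authorization names, profiles, users and duty tags are hypothetical.

```python
from itertools import combinations

# Pairs of duty categories that one person should not hold together,
# mapped to the number of the guideline (1-4) in the list above.
RULES = {
    frozenset({"custody", "recording"}): 1,
    frozenset({"authorization", "custody"}): 2,
    frozenset({"operations", "recording"}): 3,
    frozenset({"it_change", "authorization"}): 4,
    frozenset({"it_change", "recording"}): 4,
}

# Hypothetical ERP authorizations, each tagged with the duty it represents.
AUTH_DUTY = {
    "release_payment": "custody",
    "receive_goods": "custody",
    "post_journal_entry": "recording",
    "approve_purchase_order": "authorization",
    "run_production_order": "operations",
    "transport_program_change": "it_change",
}

# Hypothetical profiles (bundles of authorizations) and user assignments.
PROFILES = {
    "AP_CLERK": {"post_journal_entry"},
    "TREASURY": {"release_payment"},
    "BUYER_APPROVER": {"approve_purchase_order"},
    "WAREHOUSE": {"receive_goods"},
    "PLANT_SUPERVISOR": {"run_production_order"},
    "DEVELOPER": {"transport_program_change"},
}
USER_PROFILES = {
    "amira": ["AP_CLERK"],
    "omar": ["AP_CLERK", "TREASURY"],
    "khalid": ["BUYER_APPROVER", "WAREHOUSE"],
    "sara": ["DEVELOPER", "AP_CLERK"],
    "layla": ["PLANT_SUPERVISOR", "AP_CLERK"],
}

# Dual assignments whose rationale was reviewed and accepted: (user, guideline).
APPROVED_DUAL = {("layla", 3): "single-site plant, monthly compensating review"}


def find_conflicts(user_profiles, profiles, auth_duty, approved):
    """Return (user, guideline, auth_a, auth_b, status) tuples.

    Conflicts are evaluated on the union of all profiles a user holds, so a
    conflict that only appears when two profiles are combined is found, as is
    one hidden inside a single profile. Guideline 0 marks an authorization
    with no duty tag, which cannot be assessed until it is classified.
    """
    findings = []
    for user in sorted(user_profiles):
        auths = set()
        for profile in user_profiles[user]:
            auths |= profiles[profile]
        classified = []
        for auth in sorted(auths):
            if auth in auth_duty:
                classified.append(auth)
            else:
                findings.append((user, 0, auth, auth, "UNCLASSIFIED"))
        for a, b in combinations(classified, 2):
            rule = RULES.get(frozenset({auth_duty[a], auth_duty[b]}))
            if rule is None:
                continue
            status = "APPROVED_DUAL" if (user, rule) in approved else "VIOLATION"
            findings.append((user, rule, a, b, status))
    return findings


if __name__ == "__main__":
    for row in find_conflicts(USER_PROFILES, PROFILES, AUTH_DUTY, APPROVED_DUAL):
        print(row)
```

Each row names the two authorizations that collide, which is the detail a business process owner needs in order to decide which one to remove or to document as a dual assignment.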

As mentioned above, IAs play the role of communicator. Lack of communication may cause data quality problems, thus affecting the data integrity in ERP. IAs ensure that adequate documentation of the ERP system is prepared and provided to users to follow. They must encourage multiple communication channels and ways to encourage feedback and enable fast corrective measure when necessary. Xu et al. (2002) state that successful ERP implementation depends on understanding and communications between different systems and different functional divisions. It depends also on frequent communication among IT professionals and business professionals to enhance their mutual understanding. Furthermore, the vital process of addressing the potential risks or threats of ERP implementation depends on direct communication between the IAs and the executives, the audit committee and the board of directors.

An IA also plays a role in the organization as an IT expert. There may be difficulty in obtaining IAs with extensive information technology skills. However, a substantial understanding of those technical requirements will enhance the IA’s role in implementing ERP. The IA assists IT experts to develop a reliable system, which can produce highly reliable information quickly. A reliable system is one that operates without material error, fault or failure during a specified time in a specified environment (Zhao et al., 2004). Zhao et al. also state that a reliable system must achieve the following four principles:

(1) Availability. The system is available for operation and use at times set forth in service agreements.

(2) Security. The system is protected against unauthorized physical and logical access. Logical access is the ability to read or manipulate data through remote access.

(3) Integrity. System processing is complete, accurate, timely and in accordance with the entity’s transaction approval and output distribution policy.

(4) Maintainability. The system can be updated in a manner that provides continuous availability, security and integrity.

These roles will continue to be experienced in the post-implementation phase but to a lesser degree. In the post-ERP implementation phase, two questions arise:

(1) What will be the function of internal auditing, and what is the role of the IAs?

(2) What capabilities are required of IAs?

An ERP system drives the organization strategically, and it entails many changes to the audit process.

These changes affect the business processes, the information technology, and the ERP software version. Ultimately, these changes affect the internal audit function, and they oblige the IAs to develop new expertise. IAs need to identify internal and external sources of risk and their effects on controls, to evaluate the adequacy of resources, and to assess the effects on control procedures (Gibbs, 1998).

Figure 2 shows the revised role of the IA with the various associated groups in the post-implementation phase of ERP.

As shown in Figure 2, the internal audit functions need to be seen in a fuller context, which includes:

• Developers. Understand control processes and perhaps seek a consultant’s advice in the case of continuous process reengineering. Review business workflow and continue process monitoring. Ensure historical data warehousing is accurate, consistent, and complete for future intelligent decisions.

• Service providers. Share knowledge and expertise with and provide services to both IS/IT managers and users.

• Maintainers. Maintain close contact with the vendor to ensure the adequacy of configuration change control of the ERP system.


Implementing an ERP system in the organization is perceived as business process reengineering (Zairi and Sinclair, 1995). IAs together with appointed consultants develop a systematic and structured methodology that offers the necessary working plans, techniques and software tools to help redesign business processes, mapping them and ensuring their alignment with ERP processes (Al-Mashari and Zairi, 2000). Stevens (1997) studied Kodak’s success in implementing business process reengineering through an ERP system, and highlighted the use of a well-disciplined “phases and gates” approach that moves projects through a series of steps of assessment and planning, design and prototyping, and delivery and absorption. This approach enforces a review of the efforts at certain checkpoints with very specific deliverable expectations in order to make sure the efforts fulfil the commitments within the expected time and budget.

The above activities require work by both IAs and consultants. Sharing expertise between IAs, IT professionals and other employees from different functional divisions helps to integrate the ERP system fully, thus allowing information to flow quickly throughout the organization. Such an integration protects the organization from being bogged down by information fragmentation and bottlenecks. It thus enables management to keep up with the rate of change in the organization’s internal and external environment (Ramamoorthi and Weidenmier, 2006). Sharing initiative can be enhanced by the establishment of extensive internal communication channels, including focus groups, newsletters, e-mail, and web-based archives (Bancroft et al., 1998).

These help to inform employees about new developments, and answer their questions about ERP implementation (Romei, 1996). In addition, the IAs have a role in the on-going monitoring process, particularly to maintain segregation of duties, and any suspicious changes can be logged automatically for further check or review. With regard to control activities, IAs may use audit software as a detective control to identify incomplete, inaccurate and fraudulent data. Corrective control enables auditors to continuously monitor the control effectiveness and the changes within the ERP system.

Figure 2. The role of the IA in post-ERP implementation [diagram not reproduced; labels: U, V, IT/IS, C, IA, Service provider, Service provider, Maintainer, Developer]

5. Conclusion and future research

Internal controls are established to help achieve management objectives and to maintain effective control over organizational activities and operations. An ERP system drives the organization strategically and replaces the huge number of databases in a company with one powerful system capable of integrating, analyzing, and reporting on information from all of the company’s business functions. ERP changes the business processes and the hardware/software configuration, which all affect the internal audit function. This paper presents a framework for the new role of IAs in ERP-based organizations.

The internal audit function needs to be redefined in terms of focus, scope, and range of services in light of strategic management, alliance with other appraisal functions, and the need to audit “technical” applications. In order to cope with new tasks in ERP, IAs must enhance their technical knowledge and practical experience in the area of information technology and ISs. This new expertise can be obtained through courses, on-the-job training, and attachment in the data-processing department. Up-to-date technical knowledge and practical experience are essential, since the audit activities for ERP will no longer be at the end of each financial cycle, but in “real” time. Vice versa, technical staff also should be encouraged to acquire a knowledge of auditing and accounting.

Furthermore, in an ERP environment, IAs must be able to share their expertise in internal control areas with other users and consultants. For instance, in developing software to support ERP implementation, the developers or engineers should be made aware of the importance of effective internal control, so that they can produce software that provides not only high capability but also high integrity.

Moreover, IAs need to share and teach users from various departments within the organization the methods of effective internal control for ERP. In this way, potential problems such as fraud, data manipulation, unauthorized approval, and hardware failure can be avoided from the beginning of the process rather than being identified and addressed at the end of the audit trail, which may be disastrous to the organization. In short, with the implementation of ERP, effective internal control is no longer the function of IAs exclusively, but it becomes the responsibility of all parties involved.

In an ERP environment, the IAs’ role is proactive and on-going. To overcome potential problems due to segregation of duties in the ERP-based organizations, IAs must repeat the testing procedures periodically (Lightle and Vallario, 2003). These procedures include checks on the software integrity, the hardware capability, and the manual or operating procedure guideline comprehensiveness. As businesses are becoming more dynamic today, employees and managers come and go, and suppliers and vendors change constantly; therefore, transaction codes, database profiles, and identification numbers may need to be added or deleted. Such changes may cause risks to an ERP-based organization, and they oblige the IAs to carry out continuous checking.

Looking ahead, in a highly integrated ERP organization, IAs are engaged in risk-intelligence activities. These allow the organization to protect itself from any potential interruption or loss arising from either internal or external factors. In addition, involvement in risk-intelligence will supplement the organization’s internal control, compliance, and good governance practices. While a business organization invests heavily in information communication technology to reduce costs and to enhance effectiveness and efficiency, such an initiative also attracts risks which are seldom foreseen in the planning or implementation stages of ERP. The IA’s role in risk-intelligence for an ERP-based organization includes:

• recognizing the full spectrum of risks;

• connecting the identified risks with potential implications;

• advising the management on optimal resource allocation;

• anticipating and suggesting integrated responses to risks; and

• providing risk-management advice to maximize the upside as well as minimize the downside (Hespenheide et al., 2007).

There can be a number of directions for future research in the ERP field. For example, the frameworks shown in this paper can be used for future research to empirically examine the validity and usefulness of this proposed model in ERP-based organizations using survey questionnaire and case-method approaches. This research would help in gaining insights into the new roles and functions of IAs, in particular, assessing the relationship between IAs and various associated groups: software vendors, ISs, IT managers, ERP users, and consultants, in the pre- and post-ERP implementation stages.

Second, while ERP systems provide powerful technologies that are capable of integrating, analyzing and reporting information from all of the company’s functions (technical, operational, and financial), they expose user organizations to various kinds of risks and potential threats, as illustrated in the paper. Future research can also be directed to identify these new risks and threats and how countering these risks and threats has impacted strategically on the role and functions of IAs in ERP-based organizations. Importantly, this research can also investigate what countermeasure strategies, risk control mechanisms and solutions ERP-based organizations have developed and implemented and the role of IAs in the design, implementation and monitoring stages, in addition to the adequacy of these mechanisms and solutions.

Third, ERP systems have strategically changed or impacted not only the roles and functions of IAs, but also the internal audit environment. Future research can be directed to study the skills, knowledge, capabilities and experiences IAs must have in order to carry out their roles and functions in ERP organizations and to what extent these organizations were successful in this respect.

References

Akkermans, H. and van Helden, K. (2002), “Vicious and virtuous cycles in ERP implementation: a case study of interrelations between critical success factors”, European Journal of Information System, Vol. 11 No. 1, pp. 35-46.

Al-Mashari, M. and Zairi, M. (2000), “The effective application of SAP R/3: a proposed model of best practice”, Logistics Information Management, Vol. 13 No. 3, pp. 156-66.

Al-Mashari, M., Al-Mudimigh, A. and Zairi, M. (2003), “Enterprise resource planning: a taxonomy of critical factors”, European Journal of Operational Research, Vol. 146 No. 2, pp. 352-64.

Arens, A.A. and Loebbecke, J.K. (2000), Auditing: An Integrated Approach, 8th ed., Prentice-Hall, Upper Saddle River, NJ.

Bancroft, N., Seip, H. and Sprengel, A. (1998), Implementing SAP R/3: How to Introduce a Large System into a Large Organization, Manning, Greenwich, CT.

Best, P., Mohay, G. and Anderson, A. (1997), “MIATA: a machine independent audit trail analyser”, Australian Computer Journal, Vol. 29 No. 2, pp. 57-63.

Boudreau, M.C. and Robey, D. (1999), “Critical issues affecting an ERP implementation”, Information Systems Management, Vol. 16 No. 3, pp. 7-14.

Brown, W. and Nasuti, F. (2005), “What ERP systems can tell us about Sarbanes-Oxley”, Information Management & Computer Security, Vol. 13 No. 4, pp. 311-23.

Carroll, J.M. (1987), Computer Security, 2nd ed., Butterworths, Stoneham, MA.

Chapman, C. (1998a), “Just do it: an interview with Michael Hammer”, Internal Auditor, Vol. 55 No. 3, pp. 38-41.

Chapman, C. (1998b), “Update”, Internal Auditor, Vol. 55 No. 1, pp. 11-12.

Clark, D. and Wilson, D. (1987), “A comparison of commercial and military computer security policies”, paper presented at the IEEE Symposium on Security and Privacy, IEEE Computer Society Press, Oakland, CA.

Davenport, T. (1998), “Putting the enterprise into the enterprise system”, Harvard Business Review, Vol. 76 No. 4, pp. 121-31.

Davies, D.W. and Price, W.L. (1989), Security for Computer Network, 2nd ed., Wiley, New York, NY.

Dittenhofer, M. (2001), “Reengineering the internal auditing organization”, Managerial Auditing Journal, Vol. 16 No. 8, pp. 458-68.

Esteves, J. and Pastor, J. (2001), “Enterprise resource planning systems research: an annotated bibliography”, Communications of the AIS, Vol. 7 No. 8, pp. 1-52.

Ferraiolo, D.F., Gilbert, M.D. and Lynch, N. (1992), Assessing Federal and Commercial Information Security Needs (USA), National Institute of Standards and Technology, Gaithersburg, MD.

Gibbs, J. (1998), “Going live with SAP”, Internal Auditor, Vol. 55 No. 3, pp. 70-5.

Gibson, J., Holland, C. and Light, B. (1999), “Enterprise resource planning: a business approach to systems development”, Proceedings of the 32nd Hawaii International Conference on System Sciences, Vol. 7, pp. 163-8.

Glover, S.M., Prawitt, D.F. and Romney, M.B. (1999), “Implementing ERP”, Internal Auditor, Vol. 56 No. 4, pp. 47-53.

Hespenheide, E., Pundmann, S. and Corcoran, M. (2007), “Risk intelligence: internal auditing in a world of risk”, Internal Auditing, Vol. 22 No. 4, pp. 3-10.

Hong, K.-K. and Kim, Y.-G. (2002), “The critical success factors for ERP implementation: an organizational fit perspective”, Information & Management, Vol. 40 No. 1, pp. 25-40.

Koh, C., Soh, C. and Markus, L. (2000), “A process theory approach to analyzing ERP implementation and impacts: the case of Revel Asia”, Journal of Information Technology Cases and Applications, Vol. 2 No. 1, pp. 4-23.

Lightle, S. and Vallario, C. (2003), “Segregation of duties in ERP”, Internal Auditor, Vol. 60 No. 5, pp. 27-31.

Little, A. and Best, P.J. (2003), “A framework for separation of duties in an SAP R/3 environment”, Managerial Auditing Journal, Vol. 18 No. 5, pp. 419-30.

Lunt, T.F. (1993), “A survey of intrusion detection techniques”, Computers & Security, Vol. 12 No. 4, pp. 405-18.

Maurizio, A., Girolami, L. and Jones, P. (2007), “EAI and SOA: factors and methods influencing the integration of multiple ERP systems (in an SAP environment) to comply with the Sarbanes-Oxley Act”, Journal of Enterprise Information Management, Vol. 20 No. 1, pp. 14-31.

Nah, F.F.-H., Lau, J.L.-S. and Kuang, J. (2001), “Critical success factors for successful implementation of enterprise systems”, Business Process Management Journal, Vol. 7 No. 3, pp. 285-96.

Pfleeger, C.P. (1989), Security in Computing, Prentice-Hall, Englewood Cliffs, NJ.

Pierce, T. (2007), “Taming program risk: five critical success factors”, Internal Auditing, Vol. 22 No. 5, pp. 3-8.

Ramamoorthi, S. and Weidenmier, M.L. (2006), “ERM under construction: is IT next for ERM?”, The Internal Auditor, Vol. 63 No. 2, pp. 45-50.

Reid, B. (1987), “Reflections on some recent widespread computer break-ins”, Communications of the ACM, Vol. 30 No. 2, pp. 103-5.

Romei, L. (1996), “New technology strengthens new commitment”, Managing Office Technology, Vol. 41 No. 7, pp. 18-20.

Scott, J.E. and Vessey, I. (2000), “Implementing enterprise resource planning systems: the role of learning from failure”, Information Systems Frontiers, Vol. 2 No. 2, pp. 213-32.

Seeley, D. (1989), “Password cracking a game of wits”, Communications of the ACM, Vol. 32 No. 6, pp. 700-4.

Smaha, S.E. (1988), “Haystack: an intrusion detection system”, 4th Aerospace Computer Security Applications Conference, Orlando, FL, December, pp. 37-44.

Soliman, F., Clegg, S. and Tantoush, T. (2001), “Critical success factors for integration of CAD/CAM systems with ERP systems”, International Journal of Operations & Production Management, Vol. 21 Nos 5/6, pp. 609-29.

Spafford, E.H. (1989), “The internet worm: crisis and aftermath”, Communications of the ACM, Vol. 32 No. 6, pp. 678-87.

Srinidhi, B. (1994), “The influence of segregation of duties on internal control judgements”, Journal of Accounting, Auditing & Finance, Vol. 9 No. 3, pp. 423-44.

Stevens, T. (1997), “Kodak focuses on ERP”, Industry Week, Vol. 246 No. 15, pp. 130-5.

Stoll, C. (1988), “Stalking the Wily Hacker”, Communications of the ACM, Vol. 31 No. 5, pp. 484-97.

Verville, J. (2000), “An empirical study of organizational buying behavior: a critical investigation of the acquisition of ERP software”, dissertation, Université Laval, Quebec City.

Verville, J. and Halingten, A. (2002), “A qualitative study of influencing factors on the decision process for acquiring ERP software”, Qualitative Market Research: An International Journal, Vol. 5 No. 3, pp. 188-98.

Verville, J. and Halingten, A. (2003), “A six-stage model of the buying process for ERP software”, Industrial Marketing Management, Vol. 32 No. 7, pp. 585-94.

Verville, J., Bernadas, C. and Halingten, A. (2005), “So you’re thinking of buying an ERP? Ten critical factors for successful acquisitions”, Journal of Enterprise Information Management, Vol. 18 No. 6, pp. 665-77.

Xu, H.-J., Nord, J.H., Brown, N. and Nord, G.D. (2002), “Data quality issues in implementing an ERP”, Industrial Management & Data System, Vol. 102 No. 1, pp. 47-58.

Zairi, M. and Sinclair, D. (1995), “Business process re-engineering and process management: a survey of current practice and future trends in integrated management”, Management Decisions, Vol. 33 No. 3, pp. 3-16.

Zhao, N., Yen, D.C. and Chang, I.-C. (2004), “Auditing in the e-commerce era”, Information Management & Computer Security, Vol. 12 No. 5, pp. 389-400.

Further reading

Gupta, A. (2000), “Enterprise resource planning: the emerging organizational value systems”, Industrial Management & Data Systems, Vol. 100 No. 3, pp. 114-8.

Corresponding author

Haider H. Madani can be contacted at: [email protected]
