Building the evaluation model of the IT general control for CPAs under enterprise risk management

https://doi.org/10.1016/j.dss.2010.08.015

Abstract

The purpose of this study is to build the evaluation model of the Information Technology General Control (ITGC) for the certified public accountants (CPAs) under an Enterprise Risk Management (ERM) — Integrated Framework. First, this study investigates and sorts out the control objectives of ITGC over financial reporting under ERM. The control objectives were prioritized by Analytic Hierarchy Process (AHP) and then, the ITGC evaluation model was constructed accordingly. Finally, the study utilizes the case study approach to verify the CPAs' acceptance for the evaluation model of ITGC. According to case study and post hoc confirmations conducted with two experts, the evaluation model can be accepted by CPAs and employed to enhance the efficiency of ITGC assessment for CPAs to meet the challenges in a dynamic information technology environment.

Introduction

Increasingly, the essential tasks in the financial reporting process are performed and supported by information technology (IT). To ensure reliable financial reporting, more and more companies emphasize the use and development of effective IT control in this dynamic environment. If a firm's internal control is weak, managers can easily override the imposed controls to manipulate or bias accrual estimates at the expense of stakeholders [5]. This situation has created a unique challenge for auditors. Sarbanes–Oxley Act Section 404 (SOX 404 hereafter) requires independent auditors to attest whether appropriate and effective IT control over financial reporting is in place in the company. Consequently, some foreign private issuers that want to be listed in the US are required to establish corresponding accounting policies and control procedures to comply with SOX 404 [44]. In addition, after SOX emerged, other countries such as Australia, Germany and Japan also developed their own regulations for corporate reporting and related disclosure laws [8], [12], [39]. Statement on Auditing Standards (SAS) No. 94 [6] declared that auditors must take into account the importance of IT processes and relevant controls in preparing the financial statements. In summary, auditors are responsible for providing assurance on the effectiveness of the IT control established by the company.

In general, audit risk is composed of three parts: inherent risk, control risk and detection risk. If the auditor has evidence demonstrating that the entity's internal control is well designed and operating effectively, the risk of material misstatement may be mitigated. To reduce audit risk in the IT environment, the auditor should have a clear and thorough understanding of IT control. Since IT General Control (ITGC) supports application processing, it is important that ITGC works well in the context of IT control. Even if ITGC may not directly influence a financial statement, it affects the consistency and effectiveness of the financial applications in all systems. Auditing Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) [41] noted that the adoption of automated IT applications may help increase audit efficiency when ITGC is effective.

To fulfill SOX 404 compliance, it is important for auditors to select and implement a suitable internal control framework to assess IT control. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a report entitled “Internal Control — Integrated Framework” [10], which has been highly recommended for companies, auditors, regulatory agencies and educational institutions. After extending and refining the original concept of risk analysis, COSO released the “Enterprise Risk Management (ERM) — Integrated Framework” in 2004. ERM, a comprehensive and systematic framework for internal control, can help firms and organizations evaluate and respond to the risks that may affect their strategies and targets [11]. However, COSO does not provide supplemental criteria defining the requirements for IT control objectives and related activities [36]. Moreover, when auditors assess ITGC, they usually rate IT control risk on qualitative levels such as “High”, “Moderate” and “Low”, based on their professional judgment and experience. Inexperienced auditors may therefore fail to measure the degree of risk precisely [23]. Hence, how to build a quantitative evaluation model that aids auditors in assessing ITGC objectively is critical, and it is the main research question of this study.

This study has three research objectives. First, it sorts out the objectives of ITGC based on the ERM framework. Second, it employs the Analytic Hierarchy Process (AHP) technique to analyze and rank the priority of the control objectives and to construct a quantitative ITGC evaluation model. Finally, based on the available data, the acceptance of the evaluation model by CPAs is verified through a case study and post hoc confirmation.

The rest of this article is divided into four sections. Section 2 describes the background of IT security, IT control, COSO-ERM, and the auditors' responsibility for internal control. Section 3 discusses the AHP methodology and introduces the research procedures. Section 4 covers the development and verification of the evaluation model, supported by both the quantitative AHP analysis and the qualitative case study. Finally, the last section concludes the paper.

Section snippets

Previous literature of IT controls

The utilization of IT in an organization can be a double-edged sword. It can help organizations establish and maintain new governance processes [18], [21]. Yet IT may also increase organizational risk if entities do not implement key process linkages and integrated controls [55]. Previous studies indicated that traditional controls may not detect the risks arising from customization, process reengineering, bolt-on software, and incompatibilities during the ERP implementation process [7], [56]. To

Analyze the priority of ITGC objectives

This study employed the AHP method to construct the quantitative ITGC evaluation model for IT auditors. The AHP is a multi-criteria decision-making method introduced by Saaty [46], and it can be applied to many areas such as accounting and the social sciences [4], [47]. Vargas' study [52] also pointed out that the AHP can be applied in both private and public organizations. The study of Forman and Gass [19] suggested eight applications of the AHP: (1) choice; (2) prioritization/evaluation; (3)

The priority of ITGC objectives

As shown in Table 2, the “Activity-level IT Control” category was judged more important within the ITGC. Its local priority is 0.58, which is higher than the local priority of “Entity-level IT Control” (local priority = 0.42). Klamm and Watson [27] collected data on firms with material weaknesses and found that control activities contained more types of material weakness than any other COSO component. Furthermore, ITGI [26] indicates that some
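The AHP steps the paper relies on (pairwise judgments, local priorities from the principal eigenvector, Saaty's consistency ratio, and global priorities obtained by multiplying down the hierarchy) are worked through below. This is an added example, not the authors' code or data: the top-level judgment of 1.381 is constructed so that it reproduces the paper's 0.58 / 0.42 split, and the three sub-objectives and their 3x3 judgments are hypothetical placeholders, not the paper's actual control objectives.

```python
"""AHP priority and consistency computation for an ITGC control-objective hierarchy.
Added illustration; all judgment values are constructed, not taken from the paper."""

# Saaty's random consistency index RI for matrix orders 1..10
RANDOM_INDEX = [0.0, 0.0, 0.58, 0.90, 1.12, 1.24, 1.32, 1.41, 1.45, 1.49]


def priorities(matrix, iterations=200):
    """Local priorities of a pairwise-comparison matrix: the normalised principal
    eigenvector, found by power iteration. Returns (weights, lambda_max)."""
    n = len(matrix)
    w = [1.0 / n] * n
    lam = float(n)
    for _ in range(iterations):
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        lam = sum(aw)           # sum(w) == 1, so sum(A w) converges to lambda_max
        w = [x / lam for x in aw]
    return w, lam


def consistency_ratio(matrix):
    """Saaty's CR = CI / RI with CI = (lambda_max - n) / (n - 1); judgments are
    conventionally accepted when CR <= 0.10. Orders 1 and 2 are always consistent."""
    n = len(matrix)
    if n < 3:
        return 0.0
    _, lam = priorities(matrix)
    return ((lam - n) / (n - 1)) / RANDOM_INDEX[n - 1]


def global_priorities(parent_weight, sub_matrix):
    """Global priority of each sub-objective = parent's local priority x its own local priority."""
    local, _ = priorities(sub_matrix)
    return [parent_weight * w for w in local]


# Top level: the paper's two ITGC categories. The constructed aggregated judgment 1.381
# ("Activity-level" vs "Entity-level") reproduces the paper's 0.58 / 0.42 local priorities.
CATEGORIES = ["Activity-level IT Control", "Entity-level IT Control"]
CATEGORY_MATRIX = [[1.0, 1.381], [1 / 1.381, 1.0]]

# Constructed 3x3 judgments for three hypothetical sub-objectives (placeholders) under
# the Activity-level category; reciprocal entries below the diagonal as AHP requires.
SUB_MATRIX = [[1.0, 3.0, 5.0], [1 / 3, 1.0, 3.0], [1 / 5, 1 / 3, 1.0]]

if __name__ == "__main__":
    cat_w, _ = priorities(CATEGORY_MATRIX)
    for name, w in zip(CATEGORIES, cat_w):
        print(f"{name}: local priority {w:.2f}")
    print(f"sub-matrix CR = {consistency_ratio(SUB_MATRIX):.3f} (accept if <= 0.10)")
    for i, g in enumerate(global_priorities(cat_w[0], SUB_MATRIX)):
        print(f"sub-objective {i + 1}: global priority {g:.3f}")
```

A CR above 0.10 signals that the expert's pairwise judgments are too inconsistent to trust, and the comparisons should be revisited before the priorities are used as weights in the evaluation model.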

Conclusion

Nowadays, IT control assessment is increasingly emphasized by CPAs since more and more companies use IT to generate financial reports. The ITGC is relatively important because it supports application processing, and it may even influence financial statements and/or specific accounts. However, SOX 404 does not require any specific framework when auditors assess and report the effectiveness of internal control over financial reports annually. This study developed four levels of hierarchies of

Acknowledgements

The work presented in this paper has been supported by the National Science Council, Taiwan, R.O.C., under Grant No. NSC97-2410-H-194-074-MY3. The authors deeply appreciate this financial support and encouragement.

References (57)

  • B. Apostolou et al., An overview of the analytic hierarchy process and its use in accounting research, Journal of Accounting Literature (1993)
  • H. Ashbaugh-Skaife et al., The effect of SOX internal control deficiencies and their remediation on accrual quality, The Accounting Review (2008)
  • B. Bae et al., Implementation of ERP systems: accounting and auditing implications, Information Systems Control Journal (2004)
  • U. Breandle et al., A fig leaf for the naked corporation, Journal of Management and Governance (2005)
  • M.J. Coe, Trust services: a better way to evaluate I.T. controls, Journal of Accountancy (2005)
  • Internal Control — Integrated Framework (1992)
  • Enterprise Risk Management — Integrated Framework (2004)
  • Commonwealth of Australia, Corporate Disclosure: Strengthening the Financial Reporting Framework (2002)
  • F.D. Davis, Perceived usefulness, perceived ease of use, and user acceptance of information technology, MIS Quarterly (1989)
  • F.D. Davis et al., User acceptance of computer technology: a comparison of two theoretical models, Management Science (1989)
  • G. Dhillon, Principles of Information System Security: Text and Cases (2007)
  • S.M. Edelstein, Sarbanes–Oxley compliance for nonaccelerated filers, CPA Journal (2004)
  • R.J. Elder et al., A longitudinal field investigation of audit risk assessments and sample size decisions, The Accounting Review (2003)
  • E.H. Forman et al., The analytic hierarchy process — an exposition, Operations Research (2001)
  • Information Technology Controls (2005)
  • S. Hamaker, Principles of IT governance, Information Systems Control Journal (2004)
  • T.H. Hsu et al., Application of fuzzy analytic hierarchy process in the selection of advertising media, Journal of Management & Systems (2000)
Shi-Ming Huang received his PhD degree at the School of Computing and Information Systems, University of Sunderland, U.K. He is currently Dean of the College of Management and Director of the Research Center of e-Manufacturing and e-Commerce at National Chung Cheng University, Taiwan. He has published five books, three business software packages and over 60 articles in refereed information systems journals, such as Information and Management, Decision Support Systems, Journal of Computer Information Systems, European Journal of Operational Research, Journal of Database Management, ACM SIGMOD, etc. He has received over 10 achievement awards in the information systems area. He has served as an editorial board member of several international journals and has acted as a consultant for a variety of Taiwan government departments, software companies and commercial companies.

Wei-Hsi Hung is an Assistant Professor of Information Management at National Chung Cheng University, Taiwan. He received his Ph.D. and Master's degree (with 1st Class Hons) from the Department of Management Systems at the University of Waikato, New Zealand. Prior to his postgraduate studies, his major was industrial engineering. His research interests are in the areas of B2B e-commerce, IS alignment, knowledge management, and supply chain management. His research papers have appeared in journals such as Decision Support Systems, Journal of Information Management, and Pacific Asian Journal of Association for Information Systems.

David C. Yen is currently a Raymond E. Glos Professor in Business and a Professor of MIS in the Department of Decision Sciences and Management Information Systems at Miami University. Professor Yen is active in research and has published books and articles which have appeared in Communications of the ACM, Decision Support Systems, Information & Management, Information Sciences, Computer Standards and Interfaces, Government Information Quarterly, Information Society, Omega, International Journal of Organizational Computing and Electronic Commerce, and Communications of AIS, among others. Professor Yen's research interests include data communications, electronic/mobile commerce, databases, and systems analysis and design.

I-Cheng Chang is currently a PhD student at the Department of Accounting and Information Technology, National Chung Cheng University (Taiwan). His research focuses on information technology governance and computer auditing. He has published research papers in journals such as Information Systems Management and Information Systems Frontiers.

Dino Jiang is a Senior Audit Controller at Charoen Pokphand Group in China. He received his Master's degree from the Department of Accounting and Information Technology at the University of Chung Cheng, Taiwan. He has 12 years of experience in various fields such as financial assurance, IT audit, performance audit and ERP improvement. He also holds the CISA, CIA, MCDBA, MCSA and MCSE certifications.
