Building the evaluation model of the IT general control for CPAs under enterprise risk management
Introduction
Today, the essential tasks in the financial reporting process are largely performed and supported by information technology (IT). To ensure reliable financial reporting, more and more companies emphasize the use and development of effective IT control in this dynamic environment. If a firm's internal control is weak, managers can easily override the imposed controls and manipulate or bias accrual estimates at the expense of stakeholders [5]. This situation creates a unique challenge for auditors. Section 404 of the Sarbanes–Oxley Act (SOX 404 hereafter) requires independent auditors to attest whether appropriate and effective IT control over financial reporting is in place at the company. Consequently, foreign private issuers that want to be listed in the US are required to establish corresponding accounting policies and control procedures to comply with SOX 404 [44]. In addition, after SOX, other countries such as Australia, Germany and Japan developed their own regulations for corporate reporting and related disclosure laws [8], [12], [39]. Statement on Auditing Standards (SAS) No. 94 [6] states that auditors must consider the importance of IT processes and the related controls in the preparation of financial statements. In summary, auditors are responsible for providing assurance on the effectiveness of the IT control established by the company.
In general, audit risk comprises three components: inherent risk, control risk and detection risk. If the auditor has evidence that the entity's internal control is well designed and operating effectively, the risk of material misstatement may be mitigated. To reduce audit risk in an IT environment, the auditor needs a clear and thorough understanding of IT control. Since IT General Control (ITGC) supports application processing, it is important that ITGC works well within the overall IT control. Although ITGC may not directly affect a financial statement, it affects the consistency and effectiveness of the financial applications in all systems. Auditing Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) [41] noted that the adoption of automated IT applications may help increase audit efficiency when ITGC is effective.
To fulfill SOX 404 compliance, it is important for auditors to select and implement a suitable internal control framework to assess IT control. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a report entitled “Internal Control — Integrated Framework” [10], which has been widely recommended for companies, auditors, regulators and educational institutions. After extending and refining its original concept of risk analysis, COSO released the “Enterprise Risk Management (ERM) — Integrated Framework” in 2004. ERM, a comprehensive and systematic framework for internal control, helps organizations evaluate and respond to the risks that may affect their strategies and objectives [11]. However, COSO does not provide supplemental criteria that define the requirements for IT control objectives and related activities [36]. In addition, when auditors assess ITGC, they usually rate IT control risk on a qualitative scale such as “High”, “Moderate” and “Low”, based on professional judgment and experience; inexperienced auditors may therefore fail to measure the degree of risk precisely [23]. Hence, how to build a quantitative evaluation model that helps auditors assess ITGC objectively is critical, and it is the main research question of this study.
This study has three research objectives. First, it identifies the ITGC objectives based on the ERM framework. Second, it employs the Analytic Hierarchy Process (AHP) to rank the priority of the control objectives and to construct a quantitative ITGC evaluation model. Finally, the acceptance of the evaluation model by CPAs is verified with a case study and a post hoc confirmation, based on the available data.
The rest of this article is divided into four sections. Section 2 describes the background of IT security, IT control, COSO-ERM and the auditors' responsibility for internal control. Section 3 discusses the AHP methodology and introduces the research procedure. Section 4 covers the development and verification of the evaluation model, using both the quantitative AHP analysis and the qualitative case study. The final section concludes the paper.
Previous literature of IT controls
The use of IT in an organization is a double-edged sword. It can help an organization establish and maintain new governance processes [18], [21]. Yet IT may also increase organizational risk if entities do not implement key process linkages and integrated controls [55]. Previous studies indicated that traditional controls may not detect the risks arising from customization, process reengineering, bolt-on software and incompatibilities during ERP implementation [7], [56]. To
Analyze the priority of ITGC objectives
This study employed the AHP method to construct a quantitative ITGC evaluation model for IT auditors. The AHP is a multi-criteria decision-making method introduced by Saaty [46] that has been applied in many areas, including accounting and the social sciences [4], [47]. Vargas [52] also pointed out that the AHP can be applied in both private and public organizations. Forman and Gass [19] suggested eight applications of the AHP: (1) choice; (2) prioritization/evaluation; (3)
The priority of ITGC objectives
As shown in Table 2, the “Activity-level IT Control” category was judged the more important of the two ITGC categories: its local priority is 0.58, compared with 0.42 for “Entity-level IT Control”. Klamm and Watson [27] collected data on firms reporting material weaknesses and found that control activities accounted for more types of material weakness than any other COSO component. Furthermore, ITGI [26] indicates that some
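The AHP computation behind the priorities reported above, as an added worked example (not the paper's own code or survey data): a reciprocal comparison matrix on Saaty's 1/9..9 scale is built from the upper-triangle judgments, the priority vector is taken as the principal eigenvector (power iteration), and Saaty's consistency ratio CR = CI/RI rejects a judgment set that is too inconsistent to trust, which is exactly the failure mode of an inexperienced rater. Several auditors' matrices are combined by element-wise geometric mean before the priorities are derived, and local priorities are multiplied down the hierarchy to obtain global weights. All matrices, the two auditors and the 0.10 cutoff are constructed assumptions; the category names merely echo the ones in the text.

```python
"""AHP priorities with Saaty's consistency check and group aggregation.

Added illustration; the matrices and auditors below are constructed
and are not the paper's data.
"""
from math import prod
from typing import List, Sequence, Tuple

Matrix = List[List[float]]

# Saaty's random consistency index (RI) for matrices of order n = 1..10.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}


def pairwise_from_upper(n: int, upper: Sequence[float]) -> Matrix:
    """Build a reciprocal comparison matrix from the upper-triangle judgments
    (row-major, i < j, on Saaty's 1/9..9 scale): a_ii = 1 and a_ji = 1 / a_ij."""
    if len(upper) != n * (n - 1) // 2:
        raise ValueError("expected n(n-1)/2 upper-triangle judgments")
    a = [[1.0] * n for _ in range(n)]
    k = 0
    for i in range(n):
        for j in range(i + 1, n):
            v = float(upper[k])
            k += 1
            if not (1 / 9 <= v <= 9):
                raise ValueError(f"judgment {v} is outside Saaty's 1/9..9 scale")
            a[i][j] = v
            a[j][i] = 1.0 / v
    return a


def priorities(a: Matrix, iterations: int = 500, tol: float = 1e-12) -> Tuple[List[float], float]:
    """Principal eigenvector of a positive reciprocal matrix by power iteration.
    Returns (priority vector normalised to sum 1, lambda_max)."""
    n = len(a)
    w = [1.0 / n] * n
    lam = float(n)
    for _ in range(iterations):
        aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
        lam = sum(aw)                      # sum(w) == 1, so sum(A w) -> lambda_max
        w_new = [x / lam for x in aw]
        converged = max(abs(x - y) for x, y in zip(w_new, w)) < tol
        w = w_new
        if converged:
            break
    return w, lam


def consistency_ratio(a: Matrix, lam: float) -> float:
    """Saaty's CR = CI / RI with CI = (lambda_max - n) / (n - 1).
    A 2x2 reciprocal matrix is always consistent, so CR is 0 there."""
    n = len(a)
    if n <= 2:
        return 0.0
    return ((lam - n) / (n - 1)) / RANDOM_INDEX[n]


def aggregate_judgments(matrices: Sequence[Matrix]) -> Matrix:
    """Combine several experts' matrices element-wise by geometric mean; unlike
    the arithmetic mean this keeps the result reciprocal (a_ji = 1 / a_ij)."""
    n, k = len(matrices[0]), len(matrices)
    return [[prod(m[i][j] for m in matrices) ** (1.0 / k) for j in range(n)]
            for i in range(n)]


def evaluate(a: Matrix, cr_limit: float = 0.10) -> Tuple[List[float], float]:
    """Return (priorities, CR), refusing judgment sets whose CR exceeds the limit."""
    w, lam = priorities(a)
    cr = consistency_ratio(a, lam)
    if cr > cr_limit:
        raise ValueError(f"judgments too inconsistent to use: CR = {cr:.2f} > {cr_limit}")
    return w, cr


def global_priorities(parent: Sequence[float], children: Sequence[Sequence[float]]) -> List[float]:
    """Multiply local priorities down one level of the hierarchy (sum stays 1)."""
    out: List[float] = []
    for pw, cw in zip(parent, children):
        out.extend(pw * c for c in cw)
    return out


if __name__ == "__main__":
    # Constructed: two auditors compare "Activity-level" against "Entity-level" control.
    auditor_a = pairwise_from_upper(2, [2])      # activity-level moderately more important
    auditor_b = pairwise_from_upper(2, [1])      # equally important
    top, _ = evaluate(aggregate_judgments([auditor_a, auditor_b]))
    print("category priorities:", [round(x, 3) for x in top])

    # Constructed: three sub-objectives under one category, consistent judgments.
    good = pairwise_from_upper(3, [2, 4, 2])
    w, cr = evaluate(good)
    print("sub-objective priorities:", [round(x, 3) for x in w], "CR =", round(cr, 3))

    # Constructed: cyclic judgments (A > B > C > A) that the CR check rejects.
    bad = pairwise_from_upper(3, [3, 1 / 3, 3])
    try:
        evaluate(bad)
    except ValueError as err:
        print("rejected:", err)
```

One caveat for practitioners: the top level of this hierarchy has only two categories, and a 2×2 reciprocal matrix is consistent by construction, so a split such as 0.58/0.42 cannot be validated by the CR at all. The consistency check only becomes informative at the lower levels, where three or more control objectives are compared, which is where the judgments of inexperienced auditors are most likely to contradict each other.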
Conclusion
Nowadays, IT control assessment receives increasing emphasis from CPAs because more and more companies use IT to generate financial reports. ITGC is particularly important because it supports application processing and may in turn affect financial statements and/or specific accounts. However, SOX 404 does not prescribe a specific framework for auditors to use when they assess and report annually on the effectiveness of internal control over financial reporting. This study developed four levels of hierarchies of
Acknowledgements
The work presented in this paper has been supported by The National Science Council, Taiwan, R.O.C., under Grant No. NSC97-2410-H-194-074-MY3. The authors of this research appreciate deeply their financial support and encouragement.
References
- Evaluating combinations of ranked lists and visualizations of inter-document similarity. Information Processing and Management (2001).
- Real time information integrity = system integrity + data integrity + continuous assurances. Computers & Security (2005).
- Visualization-based information retrieval on the web. Library & Information Science Research (2006).
- Absolute and relative measurement with the AHP: the most livable cities in the United States. Socio-Economic Planning Science (1986).
- How to make a decision: the analytic hierarchy process. European Journal of Operational Research (1990).
- An empirical examination of CobiT as an internal control framework for information technology. International Journal of Accounting Information Systems (2007).
- An overview of the analytic hierarchy process and its applications. European Journal of Operational Research (1990).
- Visualizing criminal relationships: comparison of a hyperbolic tree and a hierarchical list. Decision Support Systems (2005).
- Auditor risk assessment: insights from the academic literature. Accounting Horizons (2006).
- An overview of the analytic hierarchy process and its use in accounting research. Journal of Accounting Literature.
- The effect of SOX internal control deficiencies and their remediation on accrual quality. The Accounting Review.
- Implementation of ERP systems: accounting and auditing implications. Information Systems Control Journal.
- A fig leaf for the naked corporation. Journal of Management and Governance.
- Trust services: a better way to evaluate I.T. controls. Journal of Accountancy.
- Internal Control — Integrated Framework.
- Enterprise Risk Management — Integrated Framework.
- Corporate Disclosure: Strengthening the Financial Reporting Framework.
- Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Quarterly.
- User acceptance of computer technology: a comparison of two theoretical models. Management Science.
- Principles of Information System Security: Text and Cases.
- Sarbanes–Oxley compliance for nonaccelerated filers. CPA Journal.
- A longitudinal field investigation of audit risk assessments and sample size decisions. The Accounting Review.
- The analytic hierarchy process — an exposition. Operations Research.
- Information Technology Controls.
- Principles of IT governance. Information Systems Control Journal.
- Application of fuzzy analytic hierarchy process in the selection of advertising media. Journal of Management & Systems.
Shi-Ming Huang received his PhD degree at the School of Computing and Information Systems, University of Sunderland, U.K. He is currently Dean of the College of Management and Director of the Research Center of e-Manufacturing and e-Commerce at National Chung Cheng University, Taiwan. He has published five books, three business software packages and over 60 articles in refereed information systems journals, such as Information and Management, Decision Support Systems, Journal of Computer Information Systems, European Journal of Operational Research, Journal of Database Management, ACM SIGMOD, etc. He has received over 10 achievement awards in the information systems area. He has served as an editorial board member of several international journals and has acted as a consultant for a variety of Taiwan government departments, software companies and commercial companies.
Wei-Hsi Hung is an Assistant Professor of Information Management at National Chung Cheng University, Taiwan. He received his Ph.D. and Master's degree (with 1st Class Hons) from the Department of Management Systems at the University of Waikato, New Zealand. Prior to his postgraduate studies, his major was industrial engineering. His research interests are in the areas of B2B e-commerce, IS alignment, knowledge management, and supply chain management. His research papers appeared in journals such as Decision Support Systems, Journal of Information Management, and Pacific Asian Journal of Association for Information Systems.
David C. Yen is currently a Raymond E. Glos Professor in Business and a Professor of MIS of the Department of Decision Sciences and Management Information Systems at Miami University. Professor Yen is active in research and has published books and articles which have appeared in Communications of the ACM, Decision Support Systems, Information & Management, Information Sciences, Computer Standards and Interfaces, Government Information Quarterly, Information Society, Omega, International Journal of Organizational Computing and Electronic Commerce, and Communications of AIS among others. Professor Yen's research interests include data communications, electronic/mobile commerce, database, and systems analysis and design.
I-Cheng Chang is currently a PhD student at the Department of Accounting and Information Technology, National Chung Cheng University (Taiwan). His research focuses on information technology governance and computer auditing. He has published research papers in journals such as Information Systems Management and Information Systems Frontiers.
Dino Jiang is a Senior Audit Controller at Charoen Pokphand Group in China. He received his Master's degree from the Department of Accounting and Information Technology at the University of Chung Cheng, Taiwan. He has 12 years of experience in financial assurance, IT audit, performance audit and ERP improvement. He also holds the CISA, CIA, MCDBA, MCSA and MCSE certifications.