قالب کنترل داخلی برای سیستم موافق برنامه ریزی منابع سازمانی

After the occurrence of numerous worldwide financial scandals, the importance of related issues such as internal control and information security has greatly increased. This study develops an internal control framework that can be applied within an enterprise resource planning (ERP) system. A literature review is first conducted to examine the necessary forms of internal control in information technology (IT) systems. The control criteria for the establishment of the internal control framework are then constructed. A case study is conducted to verify the feasibility of the established framework. This study proposes a 12-dimensional framework with 37 control items aimed at helping auditors perform effective audits by inspecting essential internal control points in ERP systems. The proposed framework allows companies to enhance IT audit efficiency and mitigates control risk. Moreover, companies that refer to this framework and consider the limitations of their own IT management can establish a more robust IT management mechanism.

The popularity of information technology (IT) applications has increased reliance on computers for processing business transactions. Companies adopt IT systems to improve their operations. Surveys on the collaborative operations of IT systems conducted by the Market Intelligence and Consulting Institute [42] indicate that the enterprise resource planning (ERP) system is the most widely adopted IT system among large companies. Given that ERP is a popular and all-encompassing information system utilized by many organizations and because of the increased consideration of the risks associated with IT, information system security and internal control related to information systems have greatly increased [17], [45], [63] and [75]. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as “a process, effected by an entity's board, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives such as effectiveness and efficiency of operation, reliability of financial reporting, and compliance with regulation” [15]. The internal control related to information systems is commonly referred to as IT control and is composed of controls (i.e., policies and procedures) over the organizational IT infrastructure and systems [47] and [63]. IT control consists of general and application controls. General controls refer to the relevant controls designed to ensure that an entity's control environment is well managed and applied to all sizes of systems ranging from large mainframe systems to client/server systems and to desktop and/or laptop computer systems. Application controls include input, processing, and output control based on the flow of data processing. In other words, application controls focus on the accuracy, completeness, validity, and authorization of the data captured, entered in the system, processed, stored, transmitted to other systems, and reported [54]. Further, general controls can be used to support the application controls and, hence, allow the smooth operation of the information system [22]. Given that financial reporting in many entities is based on information systems such as ERP systems, IT controls help entities achieve the objective of internal control. Similar to information security, IT controls can also manage and protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction [68]. An attack on information generally leads to the theft of confidential data, financial fraud, incapacitated web servers, and corrupted operational data [27], which all influence the accuracy and reliability of the financial data derived from the information system [75]. If entities fail to establish proper information security, they cannot guarantee the accuracy and reliability of their financial data [51]. ERP built-in control features may positively impact the effectiveness of internal controls over financial reporting. However, ERP does not necessarily safeguard against some deliberate system manipulations, for example, a few control features might not be activated in a timely manner in the implementation stage [45]. Further, to manipulate the date to perform earnings management, top managers may attempt to override some control features [6]. Following a number of reported business scandals, investors are beginning to question the accuracy of financial reports, including those generated by major companies around the world. In fact, investor confidence in the accuracy of financial reports and the shared holding positions of large companies has collapsed over recent years [56]. Durfee [18] emphasizes that an announcement of material weakness in the internal control system may result in a drop in stock prices, an increase in share volume, and the loss of chief financial positions. Goel and Shawky [26] also indicate that announcements of security breaches would decrease the market share of firms. Conversely, effective internal control can help firms to achieve their expected financial goals, maintain precise records of daily transactions, and produce accurate financial statements [20]. The accuracy and reliability of data within the ERP system are critical to ensure the transparency of the company's situation at all times, to help rebuild investor confidence, and to ensure low cost of capital [3]. Software vendors establish “built-in” control within ERP systems [45]. Companies also have an internal control framework in their ERP systems. Management is required to establish the framework, especially when a company is publicly listed. Companies constantly audit the effectiveness of their ERP system's internal control. Thus, an increasing number of companies have started to focus on the implementation of effective controls in their ERP systems while simultaneously providing management and external auditors a suitable framework within which to assess the ERP system's internal control. COSO released a report entitled “Internal Control-Integrated Framework” [15] in 1992 in an attempt to illustrate a systematic framework for internal control. However, the report failed to list supplemental criteria in the implementation and assessment of IT controls [49]. Referring to specific control items would allow management and auditors to execute IT control procedures [29]. However, IT control procedures not only consider the environment within the entity but also control as it relates to the external environment [66]. In addition, given the minimal compliance guidance in the use of IT established by the government, the interpretation of the scope and nature of the IT environment is inconsistent [8]. These limitations increase the difficulty of compliance. Despite the importance of deploying proper internal control frameworks to fully develop the effectiveness of the ERP system, only a few academic studies have assessed this issue. Accordingly, this study derives its primary research question: what are the types of internal control that must be considered when auditing an ERP system? The primary objective of this study is to develop a preliminary internal control framework for application in an ERP system.

Given that the ERP system is widely utilized in many organizations, the relevant information on security and internal controls must be continuously prioritized. Stakeholders wish to feel confident that internal control within the organization is executed effectively to reduce the possibility of business failure or fraudulent financial reporting [38]. However, improper management of control procedures in the computer environment of a company may result in significant financial reporting errors and financial losses. Thus, this study developed an ERP internal control framework to assist stakeholders in verifying the effectiveness of their respective companies’ internal control mechanisms. Literature related to IT controls for the internal use of companies, various information security organization bylaws, and academic literature were reviewed. Open, axial, and selective coding were performed to finalize the 51 key items associated with ERP internal control. Questionnaires were administered to confirm whether the abovementioned items are suitable for and essential to the ERP system. Out of the 51 control items, only 37 were utilized in the preliminary model. A case study was then conducted to verify the feasibility of the proposed framework. Our findings have provided some implications for future research. The internal control matrix could be regarded as a common method to represent internal controls for specific business processes within the SOX audit environment, which includes internal control objectives [24]. Only a few studies have developed a structured, systematic approach that stakeholders can utilize. The proposed framework was derived from several rigorous methods and contained necessary control dimensions and items that can be utilized for ERP control and improvement of IT governance. Compared with previous studies on internal control frameworks, including Jo et al. [34] and Lin et al. [40], the case study approach has been recommended for this stream of studies simply because of the need for detailed and contextual information from the entity stakeholders. Further, the extant research utilized experts from CPA firms as a research subject; this study recruited several participants from the case company to disseminate their thoughts. Because this study embraced the application controls to broaden the IT control domain, the obtained outcome may complete Huang's [29] work because its only focus is placed on the general IT controls. A previous study indicated that existing internal control frameworks do not consider important control aspects such as the environment outside of the organization [66]. The dimension “control of outsourced operations” in the proposed framework strengthens the ERP internal control points. A few empirical studies examined IT control weakness and IT operation risk [5], [36] and [39]. The study of Li et al. [39] provided empirical evidence regarding IT-related material weakness based on internal and external governance. Further, Klamm and Watson [36] examined IT material weakness based on the internal control-integrated framework proposed by COSO. In summary, this proposed framework may be utilized to assess ERP control. The proposed framework can also be applied to the external auditing profession. External auditors can use this framework to communicate logically with their clients. The responsibility of the certified public accountants to attest to the effectiveness of their clients’ internal control system is clearly regulated. An auditor in an IT environment must have a good understanding of internal control. If an auditor does not have a proper understanding of this concept, auditing work may incur many uncertainties and risks. From the perspective of a business entity, acquiring effective internal control is a complex task. However, internal control can be facilitated and maintained if a proper framework is adopted. The proposed framework is a supplement to the COSO framework [15]. This comprehensive framework facilitates the construction of detailed controls for ERP systems. Among the 12 dimensions constructed in this study, only the dimension “access control of program and data” was unanimously recognized by all interviewees as an important criterion in information risk management. This finding is similar to that of Wallace et al. [73], thereby proving that access control is the most common and highest priority control in practice. When an entity establishes proper access control, the probability of an attacker obtaining unauthorized system access decreases [59]. However, most of the items in the proposed framework were regarded as being moderately important. The listed company under study should therefore exercise compliance, and its stakeholders should assume more responsibility for protecting the information system. This result confirms the results of Wallace et al. [73]. With the proposed framework, which includes comprehensive control dimensions or items, internal auditors and MIS department chiefs can verify the effectiveness of internal control through a complete mechanism to comply with government regulations. In other words, internal auditors and MIS department chiefs can develop their relationship and communicate the effectiveness of internal control by referring to the proposed framework. According to Wallace et al. [73], a good relationship between an organization's internal auditors and MIS department chiefs helps the organization comply with IT-related internal control requirements. Several control items are considered to be high-priority items. Perhaps stakeholders should prioritize high-risk control points. This process not only enhances audit efficiency but also easily identifies the weakness of internal control. Companies must consider the limitations inherent in their infrastructures in terms of internal control management to determine the most important control points [58]. These recommended improvements can enable companies to build robust auditing structures. Small and medium-sized enterprises (SMEs) need to implement information systems in their operations to cooperate with large firms. Most large firms ask to review and audit downstream SMEs to ensure system security. SMEs may therefore consider the proposed framework and adjust several control items according to their own characteristics to determine their IT control weaknesses in advance. The present study has limitations. Thirty relevant studies were selected and reviewed to construct the ERP system internal control framework. This study did not prove that the coding process reached saturation; other control items might have been missed. Furthermore, despite recruiting 18 qualified experts to confirm the control items derived from the literature review, other experts might have concluded otherwise. Another limitation of this study is external validity. The explanatory power of this study may be limited because it adopts the single case method. This proposed framework with control items is generic in nature. In other words, it could be applied to the majority of entities regardless of their size or industry. A few industries with a higher security consideration for their IT environment (i.e., the banking sector) will be able to expand this framework and add other new control dimensions and items to provide additional insights to this subject area. Several future research avenues are discussed as follows. First, given the increasing number of published studies on ERP internal control, follow-up research could analyze these streamed studies to add control items and refine the proposed framework. Second, several control items in the proposed framework may be extended to other systems, organizations (i.e., government agencies), and industries. Future studies could examine the usefulness and feasibility of the proposed framework.