Information Systems Management, 25: 211–229 Copyright © Taylor & Francis Group, LLC ISSN: 1058-0530 print/1934-8703 online DOI: 10.1080/10580530802151145 UISM
The Development of a Computer Auditing System Sufficient for Sarbanes-Oxley Section 404— A Study on the Purchasing and Expenditure Cycle of the ERP System She-I Chang, Cheng-Chih Wu, and I-Cheng Chang Department of Accounting and Information Technology, National Chung Cheng University, Chia-Yi, Taiwan
A Study on the Purchasing and Expenditure Cycle of the ERP System
Abstract After Section 404 of the Sarbanes-Oxley Act (SOX 404) was released, developing a computer auditing system became more important for management and auditors. In this study, the researchers aim to: (1) explore the crucial control items of the purchasing and expenditure cycle in meeting the conditions of SOX 404; (2) develop a computer auditing system based on the recognized control items and requirements of SOX 404; and (3) validate the applicability of the system by using an ISO/IEC 9126 model in meeting organizational needs (ISO, 2001). The Gowin’s Vee research strategy developed by Novak & Gowin (1984) was used in the study. In theory, researchers have identified eight operational procedures and 34 critical control items for the purchasing and expenditure cycle. The prototype computer auditing system of this study was then developed. On the experimental side, the researchers conducted two case studies based on the ISO/IEC 9126 software assessment criteria, the result of which showed that the system can provide company internal auditing personnel and their external auditors with a simple, continuous, timely, and analytical tool, which may promptly and effectively help in detecting problem control issues. We believe this study can contribute to the development of a sufficient and manageable computer auditing system, and provide prospective researchers and businesses with future directions in this subject area.
Keywords computer auditing, internal control, purchasing and expenditure, SarbanesOxley Act, ISO/IEC 9126
The Enron scandal in 2001 unleashed a great impact on investors’ confidence. Pressured by investors and critics, the United States Congress hastily passed into federal law the Sarbanes-Oxley Act (SOX) of 2002, with US President George Bush signing the act on July 30, 2002. The most contentious aspect of SOX is Section 404 (SOX 404), which requires management and external auditors to report on the adequacy of the company’s Internal Control over Financial Reporting (ICFR). This is noted by companies as the most costly aspect of the legislation to implement since documenting and testing important financial manual and automated controls requires enormous effort (Chan, Farrell, & Lee, 2005). Both management and the external auditor become responsible for performing their assessment in the context of a topdown risk assessment, requiring the management to deliberate both the scope of its assessment and the evidences gathered concerning risks (Romney & Steinbart, 2006). Address correspondence to She-I Chang, Department of Accounting and Information Technology, National Chung Cheng University, Chia-Yi 62117, Taiwan. E-mail:
[email protected]
However, the validation and correctness of the internal control has remained an issue to management units and accountants since their key responsibilities revolve around fulfilling implementation and auditing of internal control. While many firms have resorted to computerization of their operations, auditing remains a manual task for some organizations. Similarly, firms that have adopted computer auditing techniques have not yet fully attained effectiveness and efficacy. As such, the need for a useful computer auditing system becomes critical because manual audits cannot immediately recognize significant discrepancies unlike in computers. It is in this light wherein a simple, continuous, timely, and analytical computer-support auditing system and the SOX compliance becomes necessary for auditing personnel (Goldsmith, 1999; Information System Audit and Control Association (ISACA), 2003; Huang & Chuang, 2005; Yen, Huang, Li, & Hsiah, 2006). When the Enterprise Resource Planning (ERP) system was introduced, firms begun to handle information more precisely and accurately, and thus changed and improved the quality of accounting and financial processes. Manual 211
212
Chang, Wu, and Chang
operation in firms has been gradually phased out by the computer system. One factor may be that under manual practice, data are distributed to various files and books, which make internal control difficult and complicated. In response to this, Yen et al. (2006) and Coppers & Lybrand (2002) pointed out that auditing personnel must properly deal with the change caused by the ERP system. Although many auditing software generated by the ERP system is considered reliable, auditing personnel find difficulty in using the system because of their insufficient knowledge concerning information technology. Apart from the lack of knowledge and unfamiliarity with the software, the ERP systems are complex enough for their application (Tsai & Feng, 2004; Lanza, 2005). Most firms deal with business processes through semi-manual methods, like the use of Microsoft Excel (Huang & Chuang, 2005). Therefore, an easy-to-use computer auditing system developed exclusively for a certain ERP system is deemed expected and needed. It is on this concern that this research was anchored. Specifically, this research aims to achieve the following purposes: (1) to explore the crucial control items of the purchasing and expenditure cycle in meeting the conditions of SOX 404; (2) to develop a computer auditing system based on the recognized control items and requirements of SOX 404; and (3) to validate the applicability of the system using an ISO/IEC 9126 model in meeting organizational needs.
Theoretical Background and Discussion This section discusses the core of this research, which ventures into three directions (Figure 1). The first section is a description of SOX 404, including the purchasing and expenditure cycle. The second section discusses Enterprise Resource Planning (ERP) and application control auditing. The third section presents the exploration of computer auditing and techniques. The implementation of the ERP system in public firms to meet the requirements of SOX 404 is now being considered. As such, researchers forecast a positive effect in the use of internal control auditing through a computer-support auditing system.
Figure 1.
Literature review scope and chart of research core.
SOX 404 and Purchasing and Expenditure Cycle The “Sarbanes Act of 2002” (SOX 404) includes three main provisions: 1. management units must construct, implement, and maintain effective Internal Control over Financial Reporting (ICOFR); 2. management units must propose an assessment report based on the effectiveness of ICOFR; and 3. firms must hire accountants who will propose the assessment report on the effectiveness of ICOFR and who will also report this to firms. In terms of the Financial Supervisory Commission (FSC), from Taiwanese government also passed the “Regulations for the Establishment of Internal Control Systems by Public Companies” (hereafter referred to as the Regulations). The general description of the Regulations, which was modified and announced, December 19, 2005, suggests that companies to adhere to the SOX 404. Furthermore, the Regulations suggest that the internal control system of public firms should include all operational activities. Apart from this, it also contains the eight cycles of business control, which are as follows: 1. 2. 3. 4. 5. 6. 7. 8.
sales and payment-receiving; procurement and payment; production; salary; finance; fixed assets; investment; and research and development.
These cycles of business control are implemented according to specific characteristics of concerned industries. Some industries, such as finance firms and department stores, do not necessarily have production cycles. The mode of sales and payment-receiving cycle for a construction firm or a tourism business also differ. Considering the peculiar characteristics of industries, researchers realize that the purchasing and expenditure cycle can be considered the more consistent internal control system cycle. It was further found that firms could further create additional value by acquiring product and labor for reasonable prices. Li & Lin (2004) support the claim that purchasing and expenditure is one key cycle affecting corporate performance. Therefore, this study treats the purchasing and expenditure cycle as an important example for a computing-auditing system development. Ma (2006), Romney & Steinbart (2006), and Wu (2007) have similar definition on the purchasing and expenditure cycle and its view of control items (see Table 1).
A Study on the Purchasing and Expenditure Cycle of the ERP System
Table 1.
213
Reorganization of the Procedure of the Purchasing and Expenditure Cycle
Scholars Procedure
A
B
C
D
E
F
G
H
I
J
K
Times
Procurement request Procurement Checking and storage Payment request Return and compensation bill dealing Audit payment Payment Posting (general ledger)
ˆ ˆ ˆ ˆ ˆ ˆ ˆ
ˆ ˆ ˆ
ˆ ˆ ˆ ˆ
ˆ ˆ ˆ
ˆ ˆ ˆ
ˆ ˆ ˆ ˆ
ˆ ˆ ˆ ˆ
ˆ ˆ
ˆ ˆ ˆ ˆ
ˆ ˆ ˆ
ˆ ˆ ˆ
ˆ ˆ
ˆ ˆ
ˆ ˆ ˆ ˆ
ˆ ˆ ˆ
ˆ ˆ ˆ
ˆ ˆ ˆ
ˆ ˆ
ˆ ˆ
ˆ ˆ ˆ
ˆ ˆ ˆ
10 11 11 5 2 11 11 6
Source: A: Wu, 2007; B: Ma, 2006; C: Romney & Steinbart, 2006; D: Chen & Ke, 2005; E: Hall, 2004; F: Wilkinson, Cerullo, & Raval, 2000; G: Gelinas et al., 1999; H: Boockholdt, 1999; I: Robertson & Louwers, 1999; J: Bodnar & Hopwood, 1998; K: Wilkinson & Cerullo, 1997. Times: total numbers of the procedure
Table 1 shows that only domestic scholars consider “return and compensation bill dealing” as part of the purchasing and expenditure cycle. Proponents of this study posited that return and compensation bill dealings influence stock and the return of goods stock, and compensation and inventory. These two categories affect the balance sheet, profit, and loss statement. For this reason, this research included this aspect in the purchasing and expenditure cycle. Figure 2 illustrates the procedure of the purchasing and expenditure cycle.
The Enterprise Resource Planning (ERP) System and its Application Control The Enterprise Resource Planning (ERP) system is an enterprise-wide information system that integrates the information of all firms. In this system, the entire firm is based on identical database, identical application system, and a consistent interface. It also lumps together human resources, accounting, marketing, production, and the delivery and supply chain management (Bingi, Sharma, & Godla, 1999; Rosemann & Watson, 2002). With the implementation of the ERP system, the creation of a preventive measure for accounting and financial fraud, including a control system, becomes more important. A computer-aided auditing system has two components: general control and application control (Lin, 2002; Wu, 2007). Application control implies an accounting system and control procedure in the internal control structure. These controls target specific applications, such as procurement of materials, receiving and storage of materials, and invoice-payable dealings, which the
Figure 2.
computer system has properly recorded, managed, and reported. Application control has three kinds of functions: (1) input controls, (2) processing controls, and (3) output controls (Lin, 2002). The scope of each function includes various elements related to control procedure, such as those concerning authorization process, documents, records, and independent internal auditing. The specific control procedure is based on the expected control, such as effectiveness, completeness, record propriety, safety protection, and other accounting liabilities. According to the investigation conducted in 2005 by the Market Intelligence Center (MIC) of the Institute for Information Industry, the ERP system was identified as the most commonly used enterprise system in large-scale organizations in Taiwan having an implementation ratio of 67.7%. The data further revealed that in terms of the ERP software market in country, SAP R/3 (20.6%) and Oracle Business Suite (13.4%) have been most commonly used for ERP systems. For this reason, this study considered the Oracle ERP system as a base for developing the SOX 404 computer auditing system in compliance, which could fulfill organizations’ needs.
Computer Auditing and Generalized Audit Software Auditing can be classified into two types: internal and external auditing. The International Auditing Association (IAA) defines internal auditing as a method for independent and objective validation, and consultation. Because of its highly in-house nature, internal auditing cannot be managed outside of the organization. Apart
Flow chart of the purchasing and expenditure cycle.
214
from increasing the value and improving the operation of an organization, internal auditing also facilitates the effects of related processes to reach the objectives of the organization (Institute of Internal Auditors (IIA), 2007). External auditing, on the other hand, is conducted outside the organization. In this kind of auditing, the organization hires the services of external auditors who are mainly accountants (Wu, 2007). When the ERP system was introduced, firms developed high regard for computers because of the rapid calculation they can achieve, including the high precision and accuracy of information they provide, thus increasing the quality of revolutionizing accounting work. However, while computeraided auditing is beneficial, it also has some disadvantages. Besides changing the operation and process of auditing, computer-aided auditing involves the distribution of various files into different locations, thus making auditing even more difficult and complicated especially for those who do not have sufficient knowledge of the technology. In addition, many ERP systems involve journal recording. This means that those not involved in the operation department may not be able to identify the personnel responsible for some data they may need. Another setback may be that personnel from IT department can also modify the figures since they have access to the database. This could cause a company economic losses, which may not be identified right away. To gather fraudulent data from the database, companies should engage in the use of an advanced information technology technique that could help them acquire the data for validation and analysis. This information technology—though accessible to certain personnel not necessarily connected with auditing concerns—should include restricting measures so that the data may not be modified by anyone who wishes to do so. ISACA (2003) suggested that auditing personnel should have a complete access to computer-assisted auditing techniques (CAATs) and computer application, which includes using the generalized auditing software and advanced techniques such as testing data producer and integrating test facilities. Besides selecting the proper techniques, auditing personnel should recognize the importance of recording the test results for auditing. As large volumes of accounting transactions are recorded on electronic media and significant internal controls are imbedded in the computer program, CAATs may assist auditors in performing auditing procedures. CAATs involve computers being used to directly test the application controls, which can contain several techniques such as Systems Control Audit Review File (SCARF), Mapping, Tagging, Integrated Test Facility (ITF), Parallel Simulation, Flowcharting, etc. (Lovata, 1990). These tests are used in broadly testing input correction and programmed processing controls. However, the disadvantages of using CAATs include the requirement of
Chang, Wu, and Chang
specific knowledge and skills, and disruption may result from auditors’ testing (Guy, Alderman, & Winters, 1999). As mentioned earlier, the use of generalized audit software may not be advantageous to everyone in the auditing department of a company. For one reason, not everyone has ample knowledge of the technology one should use. In addition, Huang & Chuang (2005) suggested that auditing personnel might be able to handle the operational principle of generalized audit software used in a small-scale system, wherein auditing personnel deal with less data forms, but not in the ERP system because of the bulk of data forms. With such complicated database framework, auditing personnel without professional information background to manage computer auditing may find the work certainly difficult. In relation to this problem, this research also derived on scholars’ views on the disadvantages of generalized audit software (as reorganized in Table 2).
Control Items of the Purchasing and Expenditure Cycle Both local and foreign studies (Li & Lin, 2004; Chan et al., 2005; Li & Chou, 2006; Ma, Chang, & Chang, 2006; Wu, 2007) showed that fraud in firm auditing systems exist. Nevertheless, the provisions stipulated in SOX 404 will Table 2.
Description of the Disadvantages of Generalized Audit Software Scholars and experts
Disadvantages of generalized audit software
A
B
C
1. Because of the complexity of information tech niques and systems, auditing personnel cannot totally probe into the aspects of editing, such as different auditing environments, including different models, business system, program language, record and file arrangement, and the like. 2. Because they lack professional information, the personnel rely on experts, who may be advised to explain in writing how they accomplish specific audits that are out of the work scope of auditing personnel. 3. Auditing personnel do not participate in information system development. 4. Supervisors who make decisions do not value the importance of a computer-aided auditing system. 5. The background and experience of auditing personnel and the lack of related certificates will also influence the confidence in auditing. 6. Educational training cannot be carried out 7. Costs for developing generalized audit software are high, not to mention, the long time consumed to acquire auditing data.
ˆ
ˆ
ˆ
ˆ
ˆ
ˆ
ˆ ˆ ˆ
ˆ
ˆ ˆ
ˆ
Sources: A: Huang (2006); B: Tsai & Feng (2004); C: Lanza (2005).
A Study on the Purchasing and Expenditure Cycle of the ERP System
help find the firms with unsatisfactory financial statements and demonstrate the necessity and effectiveness of implementing an internal control system in firms. The popularity of information technology has increased the competitive advantages of corporate operation of most firms. However, as has already been pointed out, computer fraud is one major drawback. Offenses stemming from computer fraud offer great impact on the business environment as a whole. Such a situation makes the changing of traditional auditing systems necessary. During the process of auditing, auditing personnel must acquire satisfactory evidences related to the objectives to achieve the desired effectiveness and efficiency, as well as the validity and accuracy of their outputs. To recognize immediately the influences of “intentional fraud” or “careless mistakes” on corporate operation and financial reporting, auditing personnel should not engage in traditional methods of collecting evidences because such a measure cannot be applied to treating fraudulent computer data as these are saved in electronic media and can be checked only by CAATs. When managing computer auditing of the purchasing and expenditure cycle in an information environment, auditing personnel must not only understand the structure of the ERP system database but also pay attention to specific points in the output that may be prone to modifications or alterations. Based on various materials produced by local and foreign scholars and accountants, the researchers of this study reorganized the control factors as shown in Table 3. The last two auditing points (“balance of PPV item listed in the auditing personnel system” and “balance of IPV item listed in the auditing personnel system”) are not cited in the publications of experts and scholars. However, to meet the needs of a business circle, this research included these auditing points and examined their validity using expert questionnaires.
215
and solve the question using this mapping (Novak & Gowin, 1984). The goal of this research is to develop a computer auditing system. In the conceptual side, this study reorganized the auditing control items complied with SOX 404 in the purchasing and expenditure cycle, which were collected from literature and revised by expert questionnaire. For the methodology side, we developed the system and implemented two case studies to validate the system. The design of this research process is shown in Figure 3.
Initiation of the ERP Auditing System With regard to the expert questionnaire, the researchers adopted the methods and validation process proposed by Lawshe (1975). The opinions of experts from both academic and business circles were solicited by making them answer an expert questionnaire. The researchers examined the different measurement constructs and indices to arrive at computer auditing items suitable for the purchasing and expenditure cycle; moreover, the researchers carried out further study on the subject. With the combination of theory and practice, the researchers anticipated that the validity, scope, and practicability of this research would increase, thus make it accomplish one of its primary purposes: To explore the auditing items in the auditing personnel system of the purchasing and expenditure cycle, which meets the requirements provided for in SOX 404. The expert questionnaires were distributed to university professors, public accountants, and auditing personnel. Eighteen valid expert questionnaires were returned. The background of respondents is shown in Table 4, while the statistical results are in Table 5.
Research Method and Design
Development of the Computer Auditing System
The study employs Gowin’s Vee as its research strategy. Gowin’s Vee is a diagram to assist knowledge construction and attainment. Beginning its conception, it has been applied in many fields and helped researchers to clarify their concepts. The diagram includes two domains to develop its “V” shape. One part is the conceptual side that guides researcher on “how to think,” and the other is the methodology side that guides researcher on “how to do.” During the initial stage, researchers would define the type of phenomena or research question they want to observe, and they can follow necessary steps from each domain to accomplish the theoretical development. Via the interaction of the two domains, researchers can attain knowledge
In the field of computers, people tend to generalize the overall process of the management software system based on the proposal of special projects to implement and evaluate “system development.” The process is sometimes called “system analysis and design” or “system design.” Valacich, George, & Hoffer (2001) suggested that the System Development Life Cycle (SDLC) has four critical phases: system planning and selection, system analysis, system design, and implementation and practice. This research accomplished the analysis and design of the auditing personnel system with due consideration to these four phases, and thereby attaining another of its primary purposes: To construct the auditing personnel system of important auditing or control points in the
216
Chang, Wu, and Chang
Table 3. Content Purchase requests
Purchasing
Receive and store goods
Control Items of the Purchasing and Expenditure Cycle
Auditing points 1. Is the procurement request approved by proper levels? 2. Are economic procurement quantity and re-purchase locations marked for each category of products? 3. Is procurement request repetitive? 4. Is the distribution of procurement request to avoid authorization practiced? 1. Is there ordering from unqualified suppliers? 2. Is the procurement request approved by proper levels? 3. Are there new suppliers during the period? 4. Is the date of expected goods stock earlier than actual date on the procurement form? 5. Does not receiving the goods after the expected delivery date happen? 6. Is the unit price of urgent procurement reasonable? 7. Is the pricing of units with more procurement and purchase materials reasonable? 8. Are there unwanted products or excess procurement? 9. Do suppliers cancel order repetitively or is unit price changing frequently? 10. Do giving of fake suppliers and forging of quotation of prices happen to avoid procurement regulation? 11. Do some personnel favor certain suppliers to clarify some specifications to control the prices?
A B C D E F G H I J K L M N O P Q R Total ˆ
ˆ
ˆ
ˆ
ˆ
ˆ
ˆ
ˆ
ˆ ˆ
ˆ
ˆ ˆ
ˆ
ˆ
ˆ
ˆ ˆ ˆ
ˆ ˆ ˆ ˆ ˆ ˆ
ˆ ˆ ˆ ˆ ˆ
ˆ ˆ ˆ ˆ ˆ
ˆ
ˆ
ˆ
ˆ ˆ
ˆ ˆ ˆ ˆ ˆ ˆ
ˆ
2 2
ˆ
ˆ
ˆ ˆ ˆ ˆ ˆ
ˆ ˆ
ˆ ˆ
ˆ
ˆ ˆ ˆ
10 2
ˆ ˆ
ˆ
ˆ
Purchase discounts
1. Are returned goods paid for?
Approve invoice
1. Is the account year of accounts payable analyzed? 2. Is the checking date later than account payable date? 3. Is the supplier account with the debtor’s balance?
ˆ
1. Is payment of certain items repetitive? 2. Is there payment even without orders, checking forms, or materials? 3. Is there any error in the calculation of payment? 4. Is there loan without reducing deposit? 5. Is payment for specific suppliers early? 6. Is there payment for fake suppliers?
ˆ
ˆ
ˆ
ˆ
ˆ ˆ ˆ
ˆ
ˆ
ˆ
ˆ
ˆ
ˆ ˆ ˆ
ˆ
ˆ
ˆ ˆ ˆ
ˆ ˆ
ˆ
ˆ ˆ
ˆ ˆ ˆ ˆ ˆ
ˆ
ˆ
ˆ
ˆ ˆ
ˆ
ˆ ˆ
ˆ
ˆ ˆ
ˆ ˆ ˆ
ˆ ˆ
ˆ ˆ ˆ ˆ ˆ ˆ
ˆ
ˆ
ˆ
ˆ ˆ ˆ ˆ ˆ ˆ
ˆ ˆ ˆ ˆ
ˆ ˆ
ˆ
ˆ
ˆ
ˆ ˆ ˆ ˆ
ˆ
ˆ ˆ ˆ
ˆ ˆ
ˆ
ˆ
ˆ ˆ ˆ ˆ
ˆ ˆ
ˆ
2 3 9
ˆ
ˆ
ˆ
11 11 ˆ
ˆ
ˆ ˆ
12 3 2 5
ˆ ˆ ˆ
ˆ
10
ˆ
ˆ ˆ ˆ
8 11 4
ˆ
ˆ ˆ
ˆ
ˆ
ˆ ˆ ˆ
ˆ
5 5 2
ˆ
ˆ
ˆ
12
10
ˆ
ˆ ˆ ˆ ˆ
ˆ ˆ ˆ ˆ ˆ ˆ
ˆ
8
ˆ
ˆ
3 1
ˆ ˆ
3 2
1 10
ˆ ˆ
ˆ
10 12
6
ˆ
ˆ
14 8
ˆ
ˆ
ˆ
ˆ ˆ
ˆ
1. Is there receiving of the goods without procurement forms? 2. Is the quantity correct—not more or less than the spec- ˆ ified quantity? 3. Are the quantities for delivery, receiving, and ˆ checking different? 4. Is checking for unqualified materials done? 5. Is error checking of goods stock quantity done? ˆ 6. Does goods stock meet regulations?
1. Are accounts payable and balance of general ledger compared? 2. Are the top ten transaction amounts and suppliers listed in order by computers? 3. Should the auditing personnel system list turnover rate of accounts payable? 4. Should the auditing personnel system list payment days of accounts payable? 5. Should the auditing personnel system list credit level? 6. Should the auditing personnel system list accounts payable in total capital?
ˆ
ˆ
1. Are there errors in the invoices of suppliers’ goods stock? 2. Are the names of brands and quantity of goods stock invoice and checking file different?
General ledger andtest of analytical validation
ˆ
ˆ ˆ
Suppliers’ payment request
Payment
ˆ ˆ ˆ
ˆ
1
ˆ
2
ˆ
1
ˆ ˆ
1 2
(Continued)
A Study on the Purchasing and Expenditure Cycle of the ERP System
Table 3. Content
Auditing points
217
(Continued) A B C D E F G H I J K L M N O P Q R Total
7. Should the auditing personnel system include current ratio? 8. Should the auditing personnel system include acid ratio? 9. Is the balance of PPV item listed in the auditing personnel system? 10. Is the balance of IPV item listed in the auditing personnel system?
ˆ
ˆ ˆ
2 1 0 0
Total: Total number of the items. Sources: A: Wu, 2007; B: Chen & Ke, 2005; C: Tsai & Feng, 2004; D: Li & Lin, 2004; E: Su, 2003; F: Wu & Hong, 2006; G: Romney & Steinbart, 2006; H: Wilkinson et al., 2000; I: Wilkinson & Cerullo, 1997; J: Boockholdt, 1999; K: Robertson & Louwers, 1999; L: Boynton, Johnson, & Kell, 2001; M: Yen, 2002; N: Lin, 2002, O: Messier, 2000, P:Romney & Steinbart, 2000, Q:Arens, Elder, & Beasley, 2005, R: Guy et al., 1999.
Figure 3.
Research framework and flow chart.
purchasing cycle based on Oracle ERP with consideration of the requirements set by SOX 404.
System Planning and Selection The first phase of SDLC is system planning and selection. This phase intends to analyze the present environment,
probe into the background of the problems, inquire on users’ principal needs and ideas, and target on their demands and proposals. The first phase also aims to propose system planning and to select based on system judgment and other business considerations, or on management framework of data, network, and hardware. The auditing system proposed in this study should not only improve the disadvantages of the generalized audit
218
Chang, Wu, and Chang
Table 4. Fields
Expert codes
Public accountants
Auditing personnel
Academia
E01
Background of Participating Experts Service institutions PWC
E02 E03 E04 E05
PWC Deloitte & Touche accountant office Ernest and Young accountants office KPMG
E06
Lien Chen Accountants Office
E07 E08 E09 E10 E11 E12 E13
Ai Tzu Wei Limited, Co. Enfield Medical Ta Chen Chang Corporation Chang Hua Bank Sampo Corporation Teco Image System Accounting department, National Chengchi University Accounting department, national Chang Hsing University Information Management department of National Chung Cheng University Accounting and Information Department, National Taipei College of Business Accounting department, Feng Chia University Accounting department, National Changhua University of Education
E14 E15
E16
E17 E18
software, but also consider the use of prevalence and propriety of the system. Based on this idea, the researchers described the system and framework adopted by this research as follows. ■
■
Experience and position
This auditing system must be developed using Microsoft Windows-2000 or Windows-XP operating system. This research used Microsoft Visual Studio 2005 as the development tool and Visual Basic as main system development language. It also treated SQL as the second auditing program language of auditing items. (The program language for developing auditing system will not influence the auditing personnel’s operation of this auditing system).
Length of service
Manager of computer auditing department Manager Experienced consultant Auditing chief Manager of computer auditing department Person in charge/ accountants Auditing manager Auditing personnel Auditing personnel Auditing personnel Auditing personnel Auditing deputy manager Professor
9 years
22 years 18 years 15 years 10 years 3 years 17 years 11 years
Assistant professor
4 years
Associate professor
16 years
Assistant professor
9 years
Associate professor
5 years
Professor
14 years
7 years 4 years 4 years 4 years 12 years
probe into the completed phases of system analysis in this research.
System Design The third phase of SDLC is system design. The researchers planned the overall system framework upon the main targets related to the design and defined the details of different functions. Figure 5 shows the system layout and framework planning chart of this research. The system operation and flow chart of operational logic are shown in Figure 5,6, and 7.
Implementation and Operation System Analysis The second phase of SDLC is system analysis. The system analysis personnel must thoroughly learn all the processes of the organization and the information system applied at work. The analysis includes several sub-stages. Based on this, this research compared the process according to the definitions proposed by Valacich et al. (2001) to
Once the auditing personnel system is implemented, users will be asked to key in the account numbers and secret codes of the Oracle ERP database for validation. If validation fails, the selection will not appear and all extended selection, buttons, and functions cannot be used. If the validation succeeds, the system will start in two processes: (1) downloading of the auditing items
A Study on the Purchasing and Expenditure Cycle of the ERP System
Table 5.
219
Data Analysis of Expert Questionnaire Statistics (Number of people) Is it suitable for computer auditing items
Procedure Procurement request
Procurement
Checking and storage
Payment request
Auditing items 1. Is the procurement request approved by proper levels? 2. Are economic procurement quantity and re-purchase locations marked for each category of products? 3. Is the procurement request repetitive? 4. Is the distribution of procurement request to avoid authorization practiced? 1. Is there ordering from unqualified suppliers? 2. Is the procurement request approved by proper levels? 3. Are there new suppliers during the period? 4. Is the date of expected goods stock date earlier than the actual date on procurement form? 5. Does not receiving the goods after the expected delivery date happen? 6. Is the unit price of urgent procurement reasonable? 7. Is the pricing of units with more procurement and purchase materials reasonable? 8. Are there unwanted products or excess procurement? 9. Do suppliers cancel order repetitively and does unit price change frequently? 10. Are giving of fake suppliers and forging of quotation prices done to avoid procurement regulation? 1. Is there receiving the goods without procurement forms? 2. Is the quantity correct—not more or less than the specified quantity? 3. Are the quantities for delivery, receiving, and checking different? 4. Is checking for the unqualified materials done? 5. Is error checking for goods stock quantity done? 6. Does goods stock meet regulations? 1. Are there errors in the invoices of suppliers’ goods stock?
Validity calculation(CVR) Is it suitable for computer auditing items
Does it meet SOX 404
No Indirect Direct influence influence influence
Does it meet SOX 404 Indirect and direct influence
No
Yes
No influence
6
−0.76
0.76
−1.00
1.00
12
2
−0.29
0.29
−0.65
0.65
2
6
9
−0.76
0.76
−0.76
0.76
13
2
11
4
−0.53
0.53
−0.76
0.76
4
13
4
8
5
−0.53
0.53
−0.53
0.53
0
17
0
9
8
−1.00
1.00
−1.00
1.00
3
14
10
7
0
−0.65
0.65
0.18
−0.18
2
15
5
9
3
−0.76
0.76
−0.41
0.41
3
14
7
7
3
−0.65
0.65
−0.18
0.18
7
10
2
9
6
−0.18
0.18
−0.76
0.76
6
11
2
8
7
−0.29
0.29
−0.76
0.76
7
10
3
5
9
−0.18
0.18
−0.65
0.65
5
12
5
10
2
−0.41
0.41
−0.41
0.41
6
11
2
4
11
−0.29
0.29
−0.76
0.76
3
14
4
5
8
−0.65
0.65
−0.53
0.53
1
16
0
12
5
−0.88
0.88
−1.00
1.00
0
17
1
9
7
−1.00
1.00
−0.88
0.88
7
10
3
6
8
−0.18
0.18
−0.65
0.65
8
9
0
8
9
−0.06
0.06
−1.00
1.00
8
9
3
7
7
−0.06
0.06
−0.65
0.65
6
11
3
6
8
−0.29
0.29
−0.65
0.65
No
yes
2
15
0
11
6
11
3
2
15
4
(Continued)
220
Chang, Wu, and Chang
Table 5.
(Continued) Statistics (Number of people)
Is it suitable for computer auditing items
Procedure
Return and compensation bill dealing Auditing payment
Payment
General ledger and analytical validation test
Validity calculation(CVR) Is it suitable for computer auditing items
Does it meet SOX 404
Does it meet SOX 404
Yes
No influence
Indirect and direct influence
No
yes
No Indirect Direct influence influence influence
2. Are the names of brands and quantity of goods stock invoice and checking file different? 1. Are returned goods paid for?
5
12
9
7
−0.41
0.41
−0.88
0.88
0
17
0
3
14
−1.00
1.00
−1.00
1.00
1. Is the account year of accounts payable analyzed? 2. Is the checking date later than accounts payable date? 3. Is the supplier account with the debtor’s balance? 1. Is payment of certain items repetitive? 2. Is there payment even without orders, checking forms, or materials? 3. Is there any error calculation of payment? 4. Is there loan without reducing deposit? 5. Is payment for specific suppliers early? 6. Is there payment for fake suppliers? 1. Are accounts payable and balance of general ledger compared? 2. Are the top 10 transaction amounts and suppliers listed in order by computer? 3. Should the auditing personnel system list turnover rate of accounts payable? 4. Should the auditing personnel system list payment days of accounts payable? 5. Should the auditing personnel system list credit levels? 6. Should the auditing personnel system list accounts payable in total capital? 7. Should the auditing personnel system include current ratio? 8. Should the auditing personnel system include acid ratio? 9. Is the balance of PPV item listed in the auditing personnel system? 10. Is the balance of IPV item listed in the auditing personnel system?
1
16
2
6
9
−0.88
0.88
−0.76
0.76
0
17
1
6
10
−1.00
1.00
−0.88
0.88
1
16
2
5
10
−0.88
0.88
−0.76
0.76
0
17
0
1
16
−1.00
1.00
−1.00
1.00
1
16
1
3
13
−0.88
0.88
−0.88
0.88
1
16
1
2
14
−0.88
0.88
−0.88
0.88
0
17
1
3
13
−1.00
1.00
−0.88
0.88
3
14
3
5
9
−0.65
0.65
−0.65
0.65
4
13
1
2
14
−0.53
0.53
−0.88
0.88
0
17
1
3
13
−1.00
1.00
−0.88
0.88
1
16
5
6
6
−0.88
0.88
−0.41
0.41
0
17
4
10
3
−1.00
1.00
−0.53
0.53
0
17
3
11
3
−1.00
1.00
−0.65
0.65
5
12
6
8
3
−0.41
0.41
−0.29
0.29
1
16
6
9
2
−0.88
0.88
−0.29
0.29
0
17
6
8
3
−1.00
1.00
−0.29
0.29
0
17
6
8
3
−1.00
1.00
−0.29
0.29
1
16
2
13
2
−0.88
0.88
−0.76
0.76
1
16
2
13
2
−0.88
0.88
−0.76
0.76
Auditing items
No
A Study on the Purchasing and Expenditure Cycle of the ERP System
Figure 4.
221
Adapted Control Items of the Modified Purchasing and Expenditure Cycle.
recorded in LoadMenu.XML file which the auditors can select, and then showing the auditing items in the selection; and (2) reading the information of all account books, organizations, and plants in the Oracle ERP database, and then showing them in the auditing organization selection for the auditing personnel to select the account books audited to find the organizations and plants. Auditing personnel can set the duration of auditing dates via auditing parameter setting. By pressing the auditing bottom after validation at execution, users will find that the system will start executing the auditing program. Should there be any abnormal auditing the system will highlight this by showing it in the auditing data. The system will also record the auditing items and the results of auditing personnel, and save them in XML format. After working on the auditing items, users will then press print for a hard copy of the audited item. All the files in the system use XSLT file format. Another option for the auditing personnel is to view the contents in HTML format. They can choose to re-execute this system to audit other organizations or other auditing dates (Figure 8).
Validation of Applicability of the Computer Auditing System The study evaluated six aspects of the proposed auditing system (function, reliability, utility, efficiency, maintenance, and portability) and 20 sub-characteristic evaluation items of the “ISO/IEC 9126 software quality assessment criteria model” proposed by International Organization for Standardization (ISO) (2001) and Punter, Solingen, and Trienekens (1997). The software quality assessment criteria model provides a conceptual guidance, which quantitatively and qualitatively suggests a concrete observation base and objective indexing. The case study approach for the system validation was used, and the researchers identified the best practices and their views of the computer auditing system from the case firms. Through the interviewees and system testing, the cause-and-effect relationship of the users and system were collected and analyzed. The case study, therefore, addressed the suitability and effectiveness of the computer auditing system.
222
Chang, Wu, and Chang
Table 6. Phases
Definition or items included
Comparison between System Analytical Phases and the Process in this Research Step description of this research or output
Phase
Definition or items included
Step description of this research or output
Phase 3 It produces the replaceable The second chapter of this The second chapter of this Phase 1 It targets on the requireresearch reorganizes the risk initial design to meet research explores the requirement of the system. The of ERP and the disadvanthe requirements set by ment of SOX 404, internal conphase includes the comtages of generalized audit SOX 404. After compartrol system, risk of the ERP plete study of any software. It was found that ing the substitute plans, system, the effect of computerpresent systems, manualthough auditing personthe researchers came up support auditing techniques, als, and computer nel can support daily auditwith the best solution, the disadvantage of generalaspects. Certain parts can ing using the generalized in which organizations ized audit software, and the be replaced or increased. audit software, they tend to are willing to pay the like. The researchers reorgagive up using it since the expense, manpower, nize 8 activities and 43 audittechnique is difficult. and technique costs during items based on the ing the development of domestic and foreign scholars’ the system. studies and experts’ opinions. In the fourth chapter, this Phase 4 It analyzes the output of Phase 2 According to the relations The regulation of SOX 404 research analyzes the validthe phase. Once the emphasizes that management mentioned in Phase 1, it ity of 43 auditing items plan is supported, what units must effectively impleeliminates any repetibased on the responses of will follow is the prepament an internal control systions to study their experts from various sectors ration for the hardware tem and validate its requirements and to the expert questionnaire. and software needed. effectiveness. It relies on auditstructures. In addition, the chapter dising methods. When auditing cusses the validity of 34 personnel face problems with auditing items of purchastime, they have to rely on coming and expenditure cycle puter-support auditing techneeded for the development niques and the generalized of the auditing software for audit software for quick audit use by auditing personnel. internal control. But, given the complicatedness of computer applications, accountants might not be able to acquire data directly from the database.
Figure 6. Figure 5.
System layout and framework.
Flow chart of system operation and operational logic.
A Study on the Purchasing and Expenditure Cycle of the ERP System
223
Figure 7.
Main layout of the ERP auditing system.
Figure 8.
Draft of auditing in this auditing system.
Case Data Analysis and Discussion As discussed earlier, the target subjects of this case study were public firms in Taiwan. Among them were two wellknown public firms involved in the industry of metal fur-
niture and decoration manufacturing (A Firm), and telecommunications and communications (B Firm). A brief description of these two case firms is shown in Table 7. Table 8 shows the background information of the interviewee from the two firms.
224
Chang, Wu, and Chang
Table 7.
Background Information of Case Firms
Target firms Corporate scale
Main products
Corporate vision of operational idea
A Firm
B Firm
• Public firm • Capital: NT$1.91 billion • Annual business volume: NT$5.94 billion • 1,200 employees • Metal furniture manufacturing and sales • Lock and door metal (door closure), manufacturing, sales, and surface dealing industry
• Public firm • Capital: NT$1.62 billion • Annual business volume: NT$18.9 billion • 1,900 employees • Wireless personal communication system • Satellite direct aerial (including flat aerial) • Products such as Bluetooth, IEEE 802.11b Becoming [the pioneer of wireless internet technique]
To accelerate the development of innovative products with high techniques upon three corporate spirits “innovation, service, and quality.” It provides more reliable high-quality products and develops the bases around the world to provide more rapid and complete services. 2006/7/1 PWC
On-line date of ERP system Accountant office
Table 8. Target firms
Interview date
Number of respondents
A
2007/4/27
3
B
2007/5/1
3
2006/1/1 KPMG
Background of the Interviewees Positions
Seniority in the field
General manager Chief auditor Wu Information director Tsai Chief auditor Chen Information personnel Chan External auditing manager Lee
24 years 5 years 12 years 8 years 8 years 6 years
The proponents of a computer auditing system interviewed target firms as shown in the following section of this paper. The researchers initially explained the purposes and methods of the study and then described the background of the public firms. In the analysis and discussion of case interviews, the researchers dealt with the implementation of the internal control system in public firms. In doing so, they attempted to answer the following questions: What are the difficulties in the auditing implementation of an internal control system? Can the accountants or auditing personnel’s use of “computer-support auditing technique” effectively accomplish the auditing and reduce the fraud risk of firms to demonstrate the effectiveness of the internal control system? Based on the results of the interviews, the researchers concluded that the auditing personnel system is ready for implementation. Specifically, the interviews yielded responses detailed in the succeeding sub-sections.
Average seniority
Total average seniority
14 years
10 years
7 years
Internal Control and Challenge of Case Firms Chief auditor, Wu, of Case Firm A explained the process of purchasing cycle in his firm: After executing MRP material demand project, we then produce procurement request forms and transfer procurement forms for the suppliers’ price inquiry. We receive the materials by quality control with the approved procurement forms and construct the related payment conditions of account payable. Subsequently, we pay the transfer bill payable on the date of payment. When we find bad materials on production line, we return them. The accounting unit is in charge of the return compensation. The related account book data is then transferred to the general ledger module, completing the whole transaction cycle.
Chief auditor, Chen, of Case Firm B detailed the same process followed in his firm:
A Study on the Purchasing and Expenditure Cycle of the ERP System
Forecast is downloaded to the MRP module. We distribute procurement request forms and transfer procurement forms. The suppliers will acquire the information through supplier platform and then acquire a price quotation. After the firm decides on the suppliers, we place our orders. We receive the goods usually before the due date. Then, we construct the account payable and pay before the deadline. Sometimes the parent company does not check the materials since the suppliers send them to the subsidiary companies. However, the invoice is primarily dealt by the mother company, and when there are returned goods after checking, we issue the suppliers return compensation forms. Finally, the account books will be transferred to then general ledger module.
Based on the above statements, the two target firms follow similar procurement activities. If Taiwan implements SOX 404 and consider all aspects, the public firms, which will be strictly supervised, will face a considerable challenge. The internal control system of the firms will be directly influenced. With regard to this, the two firms had this to say: “The regulations of SOX 404 and [internal control system dealing principles of public firms] established in Taiwan are similar and the impact on the firms is not as enormous as expected. Every year, we must have internal control declaration in the annual reports. We also inform the investors of our internal control implementation meeting and related acts,” the general manager of Case Firm A explained. He further suggested that internal control system is restricted: “Even if the design is complete, the effective internal control can only guarantee the accomplishment of three targets of internal control. Besides, because of the changes of environments and situations, effectiveness of internal control system might also be changed. Internal control system in our firm is based on a mechanism of self-supervision. We will modify the errors when they are validated.” Similarly, Mr. Wu suggested, “[that] in order to meet the regulation of Sarbanes-Oxley Act of 2002, we must follow the regulations established by the governmental units. However, we will surely be adjusting once the law is implemented. We will reinforce the implementation of internal auditing during this time and discuss the related measures to respond to the requirements of the governments.” Mr. Chen said, “generally speaking, we understand SOX 404. However, it seems that the significance of the act is similar to the internal control declaration we conduct every year. We must demonstrate the effectiveness of the implementation of internal control system.” The statements above imply that SOX 404 is no different from present internal control regulations. However, the external auditing manager of Case Firm B offered a different idea: “Comparing with traditional auditing, SOX 404 emphasizes more on the importance of internal control. It even requires the firms to have self-evaluation
225
and strengthen more business details. At present, the internal business of many firms significantly depends on the system. Thus, after U.S. introduced Sarbanes-Oxley Act of 2002, the overall computer auditing business has become vigorous. In the past, Taiwan also required using the internal control system; however, after the firms became public, they stopped following the system. Many audits were only constructed to meet the requirements and the supervision was not carried out. The following promotion of corporate management and present Sarbanes-Oxley Act of 2002 are generated to reinforce the internal control. For the vigorous development of the capital market, the investors will certainly require monitoring reinforcement. However, frauds nowadays are changeable and it is difficult to prevent them only by the governments. Thus, Sarbanes-Oxley Act of 2002 is promoted by different countries when they wish to aggressively develop the capital market. In order to attract foreign capital, Japan, China, Hong Kong, Singapore, and South Korea started actively planning and modifying the related regulations. How about Taiwan? We believe that in the near future, Taiwan will follow the trend and implement the act.” In computer systems, however, audits using manual transaction paper and documents are reduced. With such change, the control needed by firms might be changed. In this regard, auditing personnel should have in-depth understanding and recognition of computer auditing. Through this research, therefore, the proponents aim to help auditors work more efficiently by introducing computer-support auditing. Accounting Research and Development Foundation (1997) and Institute of Internal Auditors (IIA) (2007) also suggested that auditing personnel should completely understand computer-support auditing techniques. When computers process voluminous data, auditing personnel can manage the auditing work of the generalized audit software or related computer auditing techniques and tools. Their knowledge should include understanding of the generalized audit software and its advanced techniques, such as testing data producer and integrating test measures. Indeed, the persons interviewed in this research recognize the benefit and critical influence of computer auditing in audits given that firms accomplish daily auditing using computer-support auditing techniques. When doing the computer-auditing process, auditing personnel must acquire satisfactory evidences related to auditing targets to validate the effectiveness and efficiency of the auditing system and, of course, the accuracy of the desired output. Should there be fraudulent data or intentional errors that come with the auditing work, auditing personnel should not employ traditional methods in gathering evidences to back up such fraud or errors as these methods may not prove to be effective and
226
Chang, Wu, and Chang
reliable. Mr. Wu said, “[that] after introducing ERP system, we support the audits by computer-support auditing techniques. If we still use traditional auditing, the audits will be inefficient and we cannot immediately determine the abnormal situations.” In a similar manner, Mr. Chen suggested, “since we have plants in foreign countries and we have few auditing personnel, without the support of computer auditing, we will not fulfill the audits.” These two firms have analytical auditing using the interface of the ERP system and Excel software. Compounding to such a debacle is the low utility rate of the auditing software because of disadvantages or obstacles (see Table 2). Both Mr. Wu and Mr. Chen suggested that their firms have encountered serious problems when acquiring data through the generalized audit software. Since the ERP system incorporates a large information system that integrates corporate data, the database structure is considered complicated. When auditing personnel download the database using the Excel software, they will not succeed because of the large data volume and the restriction of pieces of Excel (65536 instances). In addition, due to the complexity of the ERP system and database, auditing personnel must rely on information personnel to acquire the database. However, when information personnel refuse to cooperate, the auditing not only becomes deferred but also difficult, making it hard to recognize fallacies and discrepancies in the auditing work. Thus, the auditing chiefs of the two case firms suggested that the auditing personnel system must not only increase auditing efficiency but also ensure the correctness and accuracy of auditing results.
Assessment of the Computer Auditing System To test the usability and practicability of this system for both case firms, the researchers installed the system and invited the auditing chiefs of both firms to test the system. The test showed that the system is reliable. Moreover, it was also assessed to have passed the national ISO/IEC 9126, the criterion internationally used to assess the software product quality model and software index. The criteria not only include the maintenance of software but also involve other characteristics of software, which are function, reliability, usability, efficiency, maintenance, probability, and the incorporation of 20 sub-characteristics. Software characteristics and sub-characteristics including related scales can be applied not only to the assessment of software products but also to the definition of quality requirement and other uses. Software development organizations can follow the ISO/IEC 9126 criteria to establish specifications or models required for any software product.
Bevan (1999) studied quality development of software products and pointed out that ISO/IEC 9126 included internal quality (static characteristics) and external quality, which is noted to be generally useful in ergonomics. The quality items are based on cultural, strategic, and technical issues of user-centered design processes. Jung (2007) showed that ISO/IEC 9126 efficiently increases users’ measurement quality of software satisfaction. Losavio, Chirinos, Matteo, Lévy, & Ramdane-Cherif (2004) also suggested that ISO/IEC 9126 assisted software analysts or designers to select the key models in software construction. In consonance with those findings, the researchers of the present study considered the respondents’ views on the propriety of this system by “ISO/IEC 9126 software product assessment criteria.” As has been pointed out, the criteria could help users assess the quality of this system. The interview focused on the 20 subcharacteristics of ISO/IEC 9126 and focused on providing questions answerable by “Yes” or “No.” The respondents’ answers are thoroughly presented in Table 9.
Influence and Contribution of the Computer Auditing System on Case Firms Apart from software quality, Mr. Wu and Mr. Chen believed that the software can actually save plenty of time and money. Mr. Wu said, “if the software has satisfying logic and design, then it is more convenient than Excel. When using Excel, we must continuously acquire data from information personnel. With this new system, we can audit the abnormal data with few auditing items, not to mention saving time and money while ensuring accuracy of the work.” Mr. Chen further commented, “when using this system, we only needed to press the button for the result of the related auditing in so short a time. We did not have to ask data from information personnel because of the change of auditing zones. When information personnel are busy, it sometimes takes a long time to successfully finish the auditing.” With regard to the comparison between this system and the generalized audit software, Mr. Wu commented that this system is actually more practical. Mr. Chen likewise said, “This system is excellent. We did not find the auditing software suitable in accomplishing the audits. With the new system, auditing personnel can set up the selection of account books, business units, and plants and auditing zones in software to audit the data in the system . . . Auditing personnel do not have to ask for data from information personnel given the inconsistent auditing time. They also do not need to worry about the suspension of auditing when someone from the information department is on leave. In addition, the software also provides for the shift of data in Excel format to another format with the same desired statistical function.”
A Study on the Purchasing and Expenditure Cycle of the ERP System
Table 9.
227
Record on the Interview of this System Examined by ISO/IEC 9126 Software Assessment Criterion The respondents opinions
Quality characteristics Function
Reliability
Sub-characteristics: characteristic description Propriety: Do the existing functions meet the requirements? Preciseness: Can the system provide accurate answers? Exchange: Can the system exchange with designated systems? Compliance: Can the system follow the related criteria, switch or regulations? Security: Can the system establish non-authorized saving program or data? Maturity: Is the executive failure due to the errors in the system frequent? Error tolerance: Is the system capable to maintain software efficacy with the errors in the system or input error against interface definition? Recovery: Is the system quick enough to recover efficacy and data in case of errors?
Usability
Efficiency
Maintenance
portability
Comprehension: Do the users’ assessments meet the logic and application of the software? Learning: Do the users exert efforts in learning software program? Operation: Do the users find it easy to use and control the system? Time performance: Is the system fast and output rate satisfactory? Resource use: Is the function continuously using the resources efficient? Analysis: Can the system analyze errors or analyze their causes?
A Firms Yes After small-scale test, the present system can provide proper information to support auditing Yes
Yes Yes
Yes
Yes
Yes
Yes
Yes
According to the report of IT test, there were no errors in the system. It was stable. Yes
We did not find any failure execution of the system. Yes
This system did not meet the assess- This system did not meet ment of this item. the assessment of this item. Yes Yes Yes
Yes
Yes
Yes
Good!
Not bad.
It will require long-term observaIt will not influence other tion in implementation. business. Yes The message related to human-computer interface in the system is still unclear. For example, after implementation, the system cannot inform the users of proper information when there is not abnormal data. Yes Yes
Modification: Does the system have the capacity to comply with the modified environment Stability: Can the system meet the modification Yes and lead to unexpected results? Test: Is it easy to test the system after modification? Yes Adaption: Can the software system be transferred to Yes other environments without modification? Installation: Is it easy to install the system in Yes different environments? Replacement: Is it easy to replace the system? There is no substitute software if the system is replaced.
Mr. Lee, external auditor of Target Firm B, had this to say: “This auditing system is excellent. It is the software we expect. I understand it is not easy to construct such an auditing system and that it requires in-depth knowledge on ERP system, yet we believe that it will be the star in the field of computer auditing.” As to whether or not
B Firms
Yes Yes Yes Yes There is no substitute software if the system is replaced.
the system is complaisant to the requirements set by the Sarbanes-Oxley Act of 2002, Mr. Wu said that SOX 404 mainly requires the implementation of an internal control system and a demonstration of the effectiveness of implementation: “We can actually audit the abnormal data by this system and immediately modify
228
Chang, Wu, and Chang
the abnormality. This system, indeed, conforms to SOX 404 provisions.” Mr. Chen said, “If we can continue developing other business cycles, auditing will certainly be accelerated and accomplished more accurately correctly. We can also properly modify some irregularities that deviate from the requirements of pertinent laws. Thus, auditing by this system can demonstrate the implementation effectiveness of internal control system to meet the regulation of SOX 404.” Finally, the personnel in the target firms also suggested that the system be improved. Mr. Wu said, “It will be better to construct eight cycles. In my overall auditing, I figured only one cycle was not helpful. Besides, the system should give cues during and at the end of auditing work to inform users of the present auditing.” Mr. Chen suggested that “the complete auditing items of eight cycles will help the auditing personnel. We could recommend this software to internal auditing association, which can promote this useful auditing software.” Mr. Lee said: “Besides the complete auditing items of eight cycles, we suggest the construction of auditing on the authorization of some programs. For example, we might want to know if a concerned personnel who is not in the procurement department fills in procurement forms or the personnel not from the financial department use the functions in payment module.”
Conclusions and Suggestions The SOX 404 requires that management must construct, implement, and maintain effective ICOFR. In addition, SOX 404 requires that the external auditor must propose an assurance report on the effectiveness of ICOFR. In this study, the development of the computer auditing system used was based on the Gowin’s Vee research strategies, which suggest the combined knowledge of accounting and information technology to yield more positive results and generate better performance. The theatrical results show eight proposed activity constructs and 34 auditing control items in the purchasing and expenditure cycle, which are necessary for system development. The researchers then established this system using the four phases of SDLC by further employing the case study method on two chosen public firms to validate the applicability of the system. The interview results obtained from the case firms agreed on the usefulness of the system to facilitate their company internal control. The system was found it can provide management and external auditors with the ability to identify incorrect financial statements and fraudulent activities. In conclusion, the suggested computer auditing system complies with the requirements set forth by SOX 404. It also improves the correctness of the auditing activities, thereby increasing the reliability of the company’s investment and management
environment. Finally, we believe this study can contribute to the development of a sufficient and manageable computer auditing system and provide prospective researchers and business with future directions in this subject area.
Author Bios SHE-I CHANG received his M.S. and PhD degrees in Computer Science and Information Systems Management from Bond University and Queensland University of Technology (Australia) respectively. He is currently an associate professor at the Department of Accounting and Information Technology, National Chung Cheng University (Taiwan). Focusing on ERP systems, with a particular emphasis on the issues, challenges and benefits realization associated with ERP life cycle-wide implementation, management and support are his research interests. He also has interest in the application of qualitative research methodology. Currently at CCU, Taiwan, his extended research interest around the arena of information technology governance, information security management and computer auditing. CHENG-CHIH WU received his Master degree from Department of Accounting and Information Technology at National Chung Cheng University, Taiwan. He is currently working as a chief engineer at the Chi Mei Optoelectronics, a leading global producer of LCD panel (Taiwan). I-CHENG CHANG is currently a PhD student at the Department of Accounting and Information Technology, National Chung Cheng University (Taiwan). His direction is focusing on information technology governance and computer auditing. He has presented and published his research papers and articles at several IS conferences and journals.
References Accounting Research and Development Foundation. (1997). No. 31 Auditing Report. Taipei: Accounting Research and Development Foundation. Arens, A. A., Elder, R. J., & Beasley, M. S. (2005). Auditing and Assurance Services: Auditing: An Integrated Approach. New Jersey: Prentice Hall. Bevan, N. (1999). Quality in Use: Meeting User Needs for Quality. Journal of Systems and Software, 49(1), 89–96. Bingi, P., Sharma, M. K., & Godla, J. K. (1999), Critical Issues Affecting an ERP Implementation. Information System Management, 16(5), 7–14. Bodnar, G. H., & Hopwood, W. S. (1998). Accounting Information Systems. New Jersey: Prentice Hall Inc. Boockholdt, J. L. (1999). Accounting Information Systems. Boston: McGraw-Hill Companies. Boynton, W. C., Johnson, R. N., & Kell, W. G. (2001). Modern Auditing. New York: Wiley.
A Study on the Purchasing and Expenditure Cycle of the ERP System
Chan, K. C., Farrell, B., & Lee, P. (2005). Earnings Management and Return-Earnings Association of Firms Reporting Material Internal Control Weaknesses under Section 404 of the Sarbanes-Oxley Act. Working paper. New York: Pace University. Chen, C.T., & Ke, C.F. (2005). Accounting Information System –Information Integration Competitive Innovation (5th ed.). Taipei: Hsin Lu Publisher Inc. Coppers, C., & Lybrand, L. L. P. (2002). Security, Audit and Control Features SAP R/3: A Technical and Risk Management Reference Guide. Illinois: IT Governance Institute. Gelinas, U. J., Sutton, S., & Oram, A. E. (1999). Accounting Information Systems. Ohio: South-Western College Publishing. Goldsmith, J. (1999). Using Audit Tools - Part 1, Audit Software Packages. IT Audit. Retrieved February 8, 2007 from http:// www.theiia.org/ITAudit/index.cfm?act=itaudit.archive&fid=59 Guy, D. M., Alderman, C. W., & Winters, A. J. (1999). Auditing. Texas: The Dryden Press. Hall, J. A. (2004). Accounting Information Systems. Kentucky: South-Western. Huang, S. M. (2006). Handout of computer auditing course. Introduction of Computer Auditing, Institute of Accounting and Information Technology. National Chung Cheng University, Chia–Yi. Huang, S. M., & Chuang, S. C. (2005). ACL Data Analysis and Computer Auditing Guide. Chia–Yi: OpenTech Inc. Institute of Internal Auditors (IIA). (2007). Definition of Internal Auditing. Retrieved April 5, 2007 from http://www. theiia.org/ guidance/standards-and-practices/professional-practicesframework/definition-of-internal-auditing/ Information System Audit and Control Association (ISACA). (2003). CISA Review Manual. Illinois: Information System Audit and Control Association. International Organization for Standardization (ISO) (2001). ISO/ IEC 9126-1:2001. Retrieved January 15, 2006 from http:// www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CS NUMBER=22749 Jung, H. W. (2007). Validating the External Quality Sub Characteristics of Software Products According to ISO/IEC 9126. Computer Standards & Interfaces, 29 (6), 653–661. Lanza, R. B. (2005). What Are the Common Reasons to NOT Use Audit Software? AuditSoftware.Net. Retrieved December 19, 2006 from http://www.auditsoftware.net/community/why/ articles/ commonNOT.htm Lawshe, C. H. (1975). A Quantitative Approach to Content Validity. Personnel Psychology, 28(4), 563–575. Li, C. L., & Lin, H. C. (2004). New auditing. Taipei: Career Just Accounting Service. Li, R. C., & Chou, Y. C. (2006). Implementing the Prevention and Management Mechanism of Fraud. Accounting Studies Monthly, 247(June), 83–87.
229
Lin, B. C. (2002). Theory and Practice of Internal Auditing. Taipei: Tzu Hsing Publisher. Losavio, F., Chirinos, L., Matteo, A., Lévy, N., & Ramdane-Cherif, A. (2004). ISO Quality Standards for Measuring Architectures. Journal of Systems and Software, 72(2), 209–223. Lovata, L. M. (1990). Audit Technology and the Use of Computer Assisted Audit Techniques. Journal of Information Systems, 4(2) 60–68. Ma, J. Y., Chang, H. C., & Chang, L. (2006). Research on the Application and Practice of Internal Control System (I). Accounting Studies Monthly, 243(Feb), 110–118. Ma, C. Y. (2006). Auditing. Taipei: Wu-Nan Book Inc. Market Intelligence Center of the Institute for Information Industry (Mic). (2005). Tendency of E-Business in Taiwan. Retrieved December 17, 2005 from http://cpro.com.tw. Messier, W. F. (2000). Auditing & Assurance Services- A Systematic Approach. Irwin: McGraw-Hill Companies, Inc. Novak, J. D., & Gowin, D. B. (1984). Learning How to Learn. Cambridge: Cambridge University. Punter, T., Solingen, R. V., & Trienekens, J. (1997). Software Product Evaluation. In Proceedings of 4th European Conference on Evaluation of Information Technology (pp.1–11). Delft: The Netherlands. Robertson, J. C., & Louwers, T. J. (1999). Auditing. Boston: The McGraw-Hill Companies, Inc. Romney, M. B., & Steinbart, P. J. (2000). Accounting Information Systems. New Jersey: Prentice-Hall, Inc. Romney, M. B., & Steinbart, P. J. (2006). Accounting Information Systems. New Jersey: Prentice-Hall. Rosemann, M., & Watson, E. E. (2002). Special Issue on the AMCIS 2001 Workshops: Integrating Enterprise Systems in the University Curriculum. Communications of the Association for Information Systems, 8(15), 200–218. Su, S. M. (2003). Internal Auditing Process. Reference book of CIA test. Tsai, H. F., & Feng, C. R. (2004). Concept and Application of auditing. Taipei: Hsin Lu Publisher Inc. Valacich, J. S., George, J. F., & Hoffer, J. A. (2001). Essentials of Systems Analysis and Design. New Jersey: Prentice Hall. Wilkinson, J. W., & Cerullo, M. J. (1997). Accounting Information Systems. New York: John Wiley & Sons. Wilkinson, J. W., Cerullo, M. J., & Raval, V. (2000). Accounting Information Systems. New York: Wiley. Wu, S. H., & Hong, C. L. (2006). Controlling Key Point Auditing by Computers –Fraud of procurement cycle. Accounting Studies Monthly, 244(March), 93–99. Wu, C. P. (2007). New Concept and Localization of Auditing. Best-Wise Publishing Co., Ltd. Yen, Y.C. (2002). Auditing. Taipei: Wu-Nan Book Inc. Yen, C. C., Huang, S. M., Li, C.L., & Hsiah, Y. C. (2006). Application, Influence, and Impact of Sarbanes-Oxley Act. Computer Auditing Journal, 15(September), 1–11.
