Research Article: 2020 Vol: 24 Issue: 2
Ahmad Al-Tarawneh, Al-Balqa Applied University
Sulaiman Weshah, Al-Balqa Applied University
Mohammad Humeedat, Al-Balqa Applied University
The business experienced to implement ERP systems for improving operations then internal and external auditors facing new challenges need to improve their understanding within ERP environment, within ISA 610 does the external auditors mostly rely on the internal auditors’ work under ERP continuous auditing? The research depended on questionnaire designed from main questions related to evaluating risks and assessing controls for system’s data processing main steps (Inputs, Processing and Outputs), which distributed on internal auditors working inside companies adopting continuous internal audit for ERP systems (13 Jordanian Companies). In addition, for more reliability the designed questionnaire distributed on internal auditors working inside companies using ERP systems, but do not adopting continuous internal audit (44 Jordanian Companies). The research revealed that external auditor relies on continuous internal auditor work using ISA 610, which may indicate the need to improve external auditors’ abilities in understanding and auditing computerized systems in general, specially auditing ERP systems. The research recommended audit offices in Jordan to give more concern regarding auditor's training and developing skills related to modern electronic information systems and encouraging to have professional certifications related to information systems such as CISA – Certified Information Systems Auditor, CISSA - Certified Information Systems Security Auditor etc.
Enterprise Resources Planning (ERP), Continuous Internal Audit, External Auditor, ISA 610, Jordan.
Internal Continuous Audit
According to International Internal Audit Standards, continuous audit is a method to evaluate risks and controls frequently more than traditional way. Or it is a process of collecting audit evidences frequently by using internal audit (Caldwell, 2009).
Big four audit firms illustrate through research of (Searcy, 2003) their clients are increasing the using of continuous internal auditing. In addition, (Alles et al, 2006) developed an approach of Continuous Monitoring of Business Process Controls (CMBPC) for internal IT audit department of Siemens Corporation.
The following Figure 1 illustrates the difference between conventional and continuous internal audit effect on controls:
Several companies were already involved in some form of continuous auditing or control monitoring while others are attempting to adopt more advanced audit technologies (Vasarhelyi et al., 2010).
On one hand there is a direct relation between automation and the use of modern technologies in business processes with the expanded use of enterprise resource planning (ERP) systems, and a direct relation between automation and integrity of internal audits within continuous internal auditing on other hand (Vasarhelyi et al., 2004).
By applying a continuous audit, there are measurable differences in the risk of fraud and errors. Following are some benefits of using internal audit (Verver, 2008):
1. Provide management and internal audit a better understanding of risk priorities and needed controls against these risks.
2. Release the internal audit team from traditional procedures that focus on immediate risk areas.
3. Some of internal audit cases needs several weeks to be processed, under using of continuous internal audit need a fraction of this time.
The Institute of Internal Auditors-IIA within the Global Technology Audit Guide noted that the application of continuous auditing is based on:
1. Continuous risk assessment.
2. Continuous control assessment.
Whether it is for the traditional enterprise data-processing system or for enterprise resource planning (ERP) systems.
ISA 610 which deals with the external auditor's relationship with the internal auditor and the use of the external auditor for the internal auditor's work. The standard clarifies that, although the objectives of both internal and external audit are different, it may be similar the way achieving these objectives.
External auditors need to assess the adequacy of internal auditors and adequacy of the evidences obtained by the internal auditors when performing their work.
Therefore, in the case of using continuous internal audit by internal auditors, the external auditors' assessment of internal audit work quality increases, and the risk assessment of material misstatement decreases.
According to IIA’s recommendations, the ideal situation is when the internal and external auditors meet periodically to discuss common interests; benefit from their complementary skills, areas of expertise, and perspectives; gain understanding of each other's scope of work and methods; discuss audit coverage and scheduling to minimize redundancies; provide access to reports, programs and working papers; and jointly assess areas of risk (Pop et al., 2004).
Also, (Ramasawmy, 2012) emphasized that external auditors agreed that coordination with internal auditors leads to some benefits and they give ample importance to the internal auditors’ competence, work performance. This agreed with (Hajiha, 2011) who study “The Impact of Internal Audit Function Quality on Audit Delays”, and found many factors affect the number of days required to complete financial statement audits, these factors are mainly was competence and fieldwork quality.
The external auditors willing to rely more on internal audit work in a continuous audit environment than in a traditional environment, and this effect is magnified when the prior year audit report on the effectiveness of internal controls indicates that controls are working properly (Malaescu & Sutton, 2013).
Why ERP Audit is Different?
Implementation of enterprise resource planning systems is a complex technological and organizational business undertaking that requires the knowledge of a process approach to overcome its implementation constraints (Epizitone & Olugbara, 2019). Thus, through ERP Systems traditional batches controls and audit trails are no longer available, modules have automated entries for each other’s, all transactions are integrated and stored in one common database, need of extensive and complex access security and authority matrix, need also complex network and database access security matrix and controls needed should be different from traditional systems.
Therefore, within using of ERP systems, auditors need to understand and assess all of the following:
1. Computerized Information flow.
2. Computerized Information interaction.
3. Computerized Information risks.
4. Computerized Information controls.
This will improve ability to assess risks and needed controls upon these risks within ERP environment.
(Hunton et al., 2001) examined the extent to which financial auditors recognize differences in the nature and extent of unique business and audit risks associated with enterprise resource planning (ERP) systems, as compared to traditional computerized (non-ERP) systems and investigate financial auditors' level of confidence in assessing such risks and their propensity to seek consultation with information systems (IS) audit specialists in their firm and found that financial auditors were significantly less concerned than IS audit specialists with risks of the ERP environment.
The process of electronic data processing has become necessary in large and small enterprises that aim to achieve greater effectiveness in their activities (Romney et al., 2018). Through ISA 200, international audit standards emphasized the importance of external auditor work quality; in addition, Public Company Accounting Oversight Board (PCAOB, 2013) emphasized the audit quality definition, which reflect the needs of investor and decision makers. (ERP) systems have institutional logics in controlling business process that pressure the IAF to change
The changes in auditing processing effected by business globalization, modern technologies acceleration and demand on audit added value. It is necessary nowadays in all sizes of organizations to use electronic data processing for more effectiveness and efficiency (Romney et al., 2018). As (Elbardan & Ali, 2012) emphasized that internal Audit function faces a pressure to change controlling business process under using of Enterprise Resources Planning (ERP) systems.
One of the most important issues related to auditors recently is to have a fair enough technology background (Moorthy et al., 2011). ERP systems aim to consolidate all organization’s information systems under one system, which definitely affected the workflow of internal and external auditors. The use of (ERP) systems has become an essential part of conducting business for many small, medium, and large companies (Haynes & Li, 2016).
Linking the ERP system, which companies are now looking to apply more widely with continuous audit on these system’s needs in the future towards ongoing studies and research to explore continuous audit in the ERP environment (Kuhn, 2010).
ISA 401 (Auditing in a Computer Information Systems Environment) aimed to guide external auditor within computerized environment. This led us to clarify the importance of modern audit within modern skills in addition to traditional skills and it the extending of external auditor relying on internal auditor.
Also, International Internal Audit Standard (IIAS 1230) illustrated the needs of internal audit to strengthen their knowledge, skills and efficiency through continuous professional development, such as using of continuous internal audit.
Due to significant changes in the risk environment of organizations as a result of globalization and digitalization a continuous perspective in audit activities is required (Eulerich et al., 2019).
(Chen et al., 2011) concluded that accountants must have certain degree of knowledge in the realm of traditional finance accounting. In addition, accounting supervisors think implementing an ERP system changes the role of accountants.
Within the last decades, the acceleration growth of information age, there is a gab growing between external auditors and implemented information systems inside client’s organizations, where the external auditor's current technological skills need to be improved to match the acceleration growth (Abu Lehiah, 2015).
The knowledge and relevant expertise in particular areas of the internal auditors while they are the employees of the entity, this may effect on external auditor to rely more on internal auditor's work to provide direct assistance.
Depending on the previous illustration, as the continuous internal audit includes (continuous assessment of controls and continues evaluation of risks) which the external auditor relies on when expressing an opinion on financial statements.
At the same time, continuous analytic monitoring will intrude into the internal control arena, especially since it is built on the firm’s own ERP systems.
This will create concerns within the relationship between internal and external auditing (Vasarhelyi et al., 2004).
External auditors need to have enough knowledge in informatics fields. In addition, they should have enough skills parallel with new technologies.
Vinatoru & Calota, (2014) revealed that ERP system is usually followed by an increase in internal audit procedures as a result the organization may reach a higher level of integration in business processes and to improve the quality of the reports also (Haynes & Li, 2016) concluded that ERP is an invaluable tool for businesses that need to comply with federal and international accounting standards and practices, because it offers increased monitoring, reporting, and risk identification, as well as the enhanced implementation and meta-analysis of internal controls and continuous internal audit benefits of speed, reliability and standardization. This formed the main question(s) of current study about external auditor relying on internal auditor work through these circumstances of ERP continuous internal audit.
Thus, Research problem focusing on answering the following two questions:
1. Does the internal auditor's use of continuous risk assessment work affect the extent of external auditor's relying on this assessment?
2. Does the internal auditor's use of continuous control assessment work affect extent of external auditor's rely on this assessment?
The survey conducted with the use of designed questionnaire as a primary research instrument aimed the internal auditors, where aiming external auditors may reflect biased feedback.
Questions within questionnaire asked to internal auditors inside organizations using ERP systems and adopting internal continues audit, for concluding from given answers if the external auditors are (Never Rely, Rarely Rely, Sometimes Rely, Often Rely, and Always Rely) on the internal auditors.
The number of organizations using ERP systems in Jordan and have internal audit department is 68 (Received feedback from 44 Companies), but number of organizations using ERP systems and adopting internal continues audit is 16 only (Received feedback from 13 Companies).
For more reliability on research results, the same questions within same questionnaire distributed to the internal auditors inside organizations using ERP systems in Jordan and have internal audit department, but do not adopting continuous internal audit, which lead to have a comparison between the feedbacks received in two cases.
First: Results related to internal auditors inside organizations using ERP systems and adopting continuous audit (13 Companies):
As Table 1 declared that external auditor rarely relies on internal continuous auditor’s work in evaluating ERP internal procedures and policies, evaluating employees’ compliance with ERP internal procedures and policies plus assessing controls of ERP systems outputs, where the mean of previous questions was below study mean (3.00) and calculated (T) for the previous questions were negative.
|Table 1 Data Analysis for Internal Auditor's Answers for Companies with ERP Continuous Internal Audit|
|Rarely Rely||Sometimes Rely||Often Rely||Always Rely||Total||Mean||Std||T||Sig|
|Evaluating internal procedures and policies related to ERP systems||1||7||4||1||0||13||2.38||0.768||-2.889||0.014|
|Evaluating employees’ compliance with internal procedures and policies related to ERP systems||0||6||7||0||0||13||2.54||0.519||-3.207||0.008|
|Evaluating risks related to ERP systems inputs||0||1||2||7||3||13||3.92||0.862||3.860||0.002|
|Evaluating risks related to ERP systems processing||0||0||4||2||7||13||4.23||0.927||4.788||0.00|
|Evaluating risks related to ERP systems outputs||1||8||3||1||0||13||2.31||0.751||-3.323||0.006|
|Assessing controls related to ERP systems inputs||0||1||3||8||1||13||3.69||0.751||3.233||0.006|
|Assessing controls related to ERP systems processing||0||0||3||3||7||13||4.31||0.855||5.516||0.00|
|Assessing controls related to ERP systems outputs||1||6||5||1||0||13||2.46||0.776||-2.501||0.028|
In addition, Table 1 illustrate that external auditor sometimes rely on internal continuous auditor’s work in evaluating risks and assessing controls related to ERP systems input, where the mean of previous questions was above study mean (3.00) and calculated (T) for the previous questions were positive.
But, Table 1 declared that external auditor almost relies on internal continuous auditor’s work in evaluating risks and assessing controls related to ERP systems processing, where the mean was above (4.00) and calculated (T) for the previous dimensions’ questions were positive.
Second: Results related to internal auditors inside organizations using ERP systems but not adopting continuous audit (44 Companies):
As Table 2 declared that external auditor rarely relies on internal auditor’s work in evaluating ERP internal procedures and policies, evaluating employees’ compliance with ERP internal procedures and policies plus evaluating risks and Assessing controls of ERP systems outputs, where the mean of previous questions was below study mean (3.00) and calculated (T) for the previous questions were negative.
|Table 2 Data Analysis for Internal Auditor's Answers for Companies without ERP Continuous Internal Audit|
|Rarely Rely||Sometimes Rely||Often Rely||Always Rely||Total||Mean||Std||T||Sig|
|Evaluating internal procedures and policies related to ERP systems||3||17||20||1||3||44||2.64||0.917||-2.630||0.012|
|Evaluating employees’ compliance with internal procedures and policies related to ERP systems||3||22||16||0||3||44||2.50||0.902||-3.676||0.001|
|Evaluating risks related to ERP systems inputs||0||4||9||15||16||44||3.98||0.976||6.641||0.00|
|Evaluating risks related to ERP systems processing||0||1||17||12||14||44||3.89||0.895||6.570||0.00|
|Evaluating risks related to ERP systems outputs||5||20||11||5||3||44||2.57||1.065||-2.689||0.010|
|Assessing controls related to ERP systems inputs||0||0||7||30||7||44||4.00||0.571||11.625||0.00|
|Assessing controls related to ERP systems processing||0||0||12||25||7||44||3.89||0.655||8.980||0.00|
|Assessing controls related to ERP systems outputs||8||16||11||5||4||44||2.57||1.189||-2.409||0.020|
In addition, Table 2 illustrate that external auditor sometimes rely on internal auditor’s work in evaluating risks related to ERP systems input, evaluating risks and assessing controls related to ERP system processing, where the mean of previous questions was above study mean (3.00) and calculated (T) for the previous dimensions’ questions were positive.
Where the Table 2 declared that external auditor almost relies on internal continuous auditor’s work in assessing controls related to ERP systems inputs, where the mean was above study mean and equal (4.00), calculated (T) for the previous question was positive.
Finally: The previous discussion may indicate the conclusion of the needs to improve auditors’ abilities to understand and audit computerized systems in general, specially auditing ERP systems. But, more specifically auditing ERP systems processing.
This agree with (Haynes & Li, 2016) conclusion that ERP system has a significant impact on the efficiency, fraud risk reduction, knowledge application, as well as the credibility of the auditing team, the most important factors for the successful use of fraud mitigation techniques rely on ERP systems, which have continuous audit functions. Also, agree with (Eulerich et al., 2019) which emphasized that the use of continuous audit information for the internal audit function’s point of view influence the collaboration with the external auditor.
The study recommends audit offices in Jordan to give more concern regarding auditor's training and developing skills related to modern computerized and electronic information systems. In addition, encourage them to have professional certifications related to information systems such as CISA, CISSA... etc.
For researchers, the study recommends giving more concern about researches related to the modern information systems implementation and it is effect within acceleration and growth of information systems technologies.
Alles, M. (2006). Continuous monitoring of business process controls: A pilot implementation of a continuous auditing system at Siemens. International Journal of Accounting Information Systems, 5(7).
Caldwell, F., & Proctor, P.E. (2009). Continuous controls monitoring for transactions: The next frontier for GRC Automation. Gartner.
Chen, H.J., Yan Huang, S., Chiu, A.A., & Pai, F.C. (2012). The ERP system impact on the role of accountants. Industrial Management & Data Systems , 112(1), 83-101
Elbardan, H., & Ali, M. (2012). Internal audit function response to ERP Systems Implementation. Association for Information Systems.
Epizitone, A., & Olugbara, O. (2019). Critical success factors for ERP system implementation to support financial functions. Academy of Accounting and Financial Studies Journal, 23(6).
Eulerich, M., Georgi, C., & Schmidt, A. (2019). Continuous auditing and risk-based audit planning. Available at SSRN: https://ssrn.com/abstract=3330570
Hajiha, Z., & Rafiee, A. (2011). The impact of internal audit function quality on audit delays. Middle East Journal of Scientific Research, 10(3), 389-397.
Haynes, R., & Li, C. (2016) Continuous audit and enterprise resource planning systems: A case study of erp rollouts in the Houston, TX oil and gas industries. Journal of Emerging Technologies in Accounting, 13(1), 171-179.
Hunton, J., Wright, A., & Wright, S. (2001). Business and audit risks associated with ERP systems: Knowledge differences between information systems audit specialists and financial auditors. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.529.8296&rep=rep1&type=pdf
Verver, J. (2008). Continuous Monitoring and Auditing: What is the Difference? Protiviti.
Kuhn, J.R. (2010). Continuous auditing in ERP system, environments: The current state and future directions. Journal of Information Systems, 5(24).
Lehiah, A., & Salem, A.F. (2015), The Adequacy of External Auditor's Skills in Obtaining and Evaluating Audit Evidence in Computerized Accounting Information Systems Environment, Master thesis, Islamic University, Ghaza, Palestine.
Malaescu, I., & Sutton, S.G. (2013). The Reliance of External Auditors on Internal Audit’s Use of Continuous Audit. Journal of Information Systems, 29(1).
Moorthy, M.K., Seetharaman, A., Mohamed, Z., Gopalan, M., & San, L.H. (2011). The impact of information technology on internal auditing. African Journal of Business Management, 5(9).
Pop, A., Boţa-Avram, C., & Boţa-Avram, F. (2004). The Relationship between Internal and External Audit. University of Cluj-Napoca.
Public Company Accounting Oversight Board-PCAOB (2013). Standing Advisory Group Meeting, Discussion-Audit Quality Indicators. Retrieved from: www.pcaobus.org.
Ramasawmy, D. (2012). An evaluation on how external auditors can benefit from the good work relationship with internal auditors for audit assignments. International Conference on Applied and Management Sciences (IAMS'2012), Bangkok.
Romney, M.B., & Steinbart, P.J. (2018). Accounting Information System. E14, Pearson - USA.
Searcy, D.W. (2003). Continuous Audit: The Motivation, Benefits, Problems, and Challenges Identified by Partners of Big 4 Accounting Firm. Proceeding of the 36th Hawaii International Conference on System Sciences.
Vasarhelyi, M.A., Alles, M., Kuenkaikaew, S., & Littely, J. (2010). The Acceptance and Adoption of Continuous Auditing by Internal Auditors: A Micro Analysis. International Journal of Accounting Information Systems, 13(3), 267-281.
Vasarhelyi, M.A., Alles, M.G., & Kogan, A. (2004). Principle of analytic monitoring of continuous assurance. Journal of Emerging Technologies in Accounting, 5(1).