Readiness of Low Complexity ERP for Continuous Auditing in SMEs: The Brazilian Case Study

Goncalves, Rosana Carmen M. Grillo; Imoniana, Joshua Onome

doi:10.2478/candc-2022-0022

Abstract

The continuous auditing technology assures integrity of accounting systems and consequently improves the decision-making process of the small and medium-sized enterprises (SMEs) that implement it. Considering that SMEs located in developing countries function within a more risk prone environment and do not have resources to implement all layers of customized corporate functions in information systems, one argues for their reliance on the features of low complexity of enterprise resource planning (ERP) software to benefit from continuous auditing (CA). The purpose of this study is to relate the understanding of the CA demands and low complexity ERP systems’ technical functionalities in SMEs. Thus, to fulfill this objective, a conceptual model has been drawn to integrate the key concepts related to CA. Four pillars are the core of this model, namely: segregation of duties (SoD) with role-based access control centered on process-based approach (PBA); internal checkpoints; audit trails; and the level of integration of the continuous auditing software. This model was validated through the benchmarking of the implementation of the pillars in three cases of low complexity ERP systems adopted by SMEs in a developing country. The benchmarking/results of the study show significant differences between operational mechanisms of the three ERP software. Namely, the role-based access control exists in the two of the ERP_LC but not in the Brazilian one. Also, there is no check-point in the Brazilian ERP_LC and it does not integrate with continuous audit features. This study distinguishes between the low complexity ERP’s functionalities and the features of a more complex environment, thus bringing an important contribution to the study of low complexity ERP’s readiness for continuous monitoring in SME’s internal auditing processes.

References

Alaküla, M. L. and Matulevičius, R. (2015, November) An experience report of improving business process compliance using security risk-oriented patterns. In: IFIP Working Conference on The Practice of Enterprise Modeling, 271-285. Springer, Cham.
Search in Google Scholar Back to article
Alles, M. G., Brennan, G., Kogan, A. and Vasarhelyi, M. A. (2006a) Continuous monitoring of business process controls: A pilot implementation of a continuous auditing system at Siemens. International Journal of Accounting Information Systems, 7(2), 137-161.
Search in Google Scholar Back to article
Alles, M. G., Tostes, F., Vasarhelyi, M. A. and Riccio, E. L. (2006b) Continuous auditing: the USA experience and considerations for its implementation in Brazil. JISTEM - Journal of Information Systems and Technology Management, 3 (2), 211-224.
Search in Google Scholar Back to article
Alles, M. G., Kogan, A. and Vasarhelyi, M. A. (2008) Putting continuous auditing theory into practice: Lessons from two pilot implementations. Journal of Information Systems, 22(2), 195-214.
Search in Google Scholar Back to article
Antunes, M. T. P., Imoniana, J. O., Formigoni, H. and Alves, A. S. (2010) Preparedness of ERP systems to create intangible managerial accounting information: evidence from Brazil. International Journal of Economics and Accounting, 1 (4), 375-390.
Search in Google Scholar Back to article
Bagheri, A. and Hjorth, P. (2005) Monitoring for sustainable development: Systemic framework. Int. J. of Sustainable Development, 8(4), 280-301.
Search in Google Scholar Back to article
Baker, W. E., Grinstein, A. and Harmancioglu, N. (2016) Whose innovation performance benefits more from external networks: entrepreneurial or conservative firms? Journal of Product Innovation Management, 33(1), 104-120.
Search in Google Scholar Back to article
Batra, S., Sharma, S., Dixit, M. R., Vohra, N. and Gupta, V. K. (2015) Performance implications of industry appropriability for manufacturing SMEs. Journal of Manufacturing Technology Management, 26(5), 660-677.
Search in Google Scholar Back to article
Best, P. J., Rikhardsson, P. and Toleman, M. (2009) Continuous fraud detection in enterprise systems through audit trail analysis. Journal of Digital Forensics, Security and Law, 4(1), 1-6.
Search in Google Scholar Back to article
Bierstaker, J., Janvrin, D. and Lowe, D. J. (2014) What factors influence auditors’ use of computer-assisted audit techniques? Advances in Accounting, 30(1), 67-74.
Search in Google Scholar Back to article
Blessing, L. T. M. (1994) A process-based approach to computer-support engineering design. Dissertation, University of Twente, ISBN 0.9523504.0.8, Enschede. 369 pp.
Search in Google Scholar Back to article
Brennan, G. and Teeter, R. (2010) Aiding the Audit: Using the IT Audit as a Springboard for Continuous Controls Monitoring. Available at SSRN: https://ssrn.com/abstract=1668743 or http://dx.doi.org/10.2139/ssrn.1668743
Search in Google Scholar Back to article
Brown, C. E., Wong, J. A. and Baldwin, A. A. (2007) A review and analysis of the existing research streams in continuous auditing. Journal of Emerging Technologies in Accounting, 4(1), 1-28.
Search in Google Scholar Back to article
Bumgarner, N. and Vasarhelyi, M. (2015) Auditing—A New View. Audit analytics3(1), 2015.
Search in Google Scholar Back to article
Cahen, F. R., Lahiri, S. and Borini, F. M. (2016) Managerial perceptions of barriers to internationalization: An examination of Brazil’s new technology-based firms. Journal of Business Research, 69(6), 1973-1979.
Search in Google Scholar Back to article
Clausing, D. and Holmes, M. (2010) Technology readiness. Research-Technology Management, 53(4), 52-59.
Search in Google Scholar Back to article
COSO - Committee of Sponsoring Organizations of the Treadway Commission (2013). Internal Control-Integrated Framework.
Search in Google Scholar Back to article
Coyte, R., Ricceri, F. and Guthrie, J. (2012) The management of knowledge resources in SMEs: an Australian case study. Journal of Knowledge Management, 16(5), 789-807.
Search in Google Scholar Back to article
Daniels, B. W., Ellis, Y. and Gupta, R. D. (2013) Accounting educators and practitioners’ perspectives on fraud and forensic topics in the accounting curriculum. Journal of Legal, Ethical and Regulatory Issues, 16(2), 93.
Search in Google Scholar Back to article
Davidson, B. I., Desai, N. K. and Gerard, G. J. (2013) The effect of continuous auditing on the relationship between internal audit sourcing and the external auditor’s reliance on the internal audit function. Journal of Information Systems, 27(1), 41-59.
Search in Google Scholar Back to article
Debreceny, R., Gray, G. L., Jun-Jin Ng, J., Lee, K. S.-P. and Yau, W.-F. (2005) Embedded audit modules in enterprise resource planning systems: Implementation and functionality. Journal of Information Systems, 19(2), 7–27.
Search in Google Scholar Back to article
Deep, A., Guttridge, P., Dani, S. and Burns, N. (2008) Investigating factors affecting ERP selection in made-to-order SME sector. Journal of Manufacturing Technology Management, 19(4), 430-446. https://doi.org/ 10.1108/17410380810869905
Search in Google Scholar Back to article
Denning, D. E. (1987) An Intrusion-Detection Model. IEEE Transactions on Software Engineering, 13(2), 222-232.
Search in Google Scholar Back to article
DeZoort, F. T. and Harrison, P. D. (2018) Understanding auditors’ sense of responsibility for detecting fraud within organizations. Journal of Business Ethics, 149(4), 857-874.
Search in Google Scholar Back to article
Eulerich, M. and Kalinichenko, A. (2018) The current state and future directions of continuous auditing research: An analysis of the existing literature. Journal of Information Systems, 32(3), 31-51.
Search in Google Scholar Back to article
Ferraiolo, D. F., Barkley, J. F. and Kuhn, D. R. (1999) A role-based access control model and reference implementation within a corporate intranet. ACM Transactions on Information and System Security, 2(1), 34-64.
Search in Google Scholar Back to article
Gershberg, T. (2016) Log4Audit: the application of logging in auditing and management. Doctoral dissertation, Rutgers University-Graduate School-Newark. Available at https://rucore.libraries.rutgers.edu/rutgers-lib/51554/PDF/1/play/
Search in Google Scholar Back to article
Gómez-López, M. T., Gasca, R. M. and Pérez-Álvarez, J. M. (2015). Compliance validation and diagnosis of business data constraints in business processes at runtime. Information Systems, 48, 26-43.
Search in Google Scholar Back to article
Gonzalez, G. C., Sharma, P. N. and Galletta, D. (2012) Factors influencing the planned adoption of continuous monitoring technology. Journal of Information Systems, 26(2), 53-69.
Search in Google Scholar Back to article
Groomer, S. M. and Murthy, U. S. (1989) Continuous auditing of database applications: An embedded audit module approach. Journal of Information Systems, 3(2), 53-67.
Search in Google Scholar Back to article
Guimarães, A. B. S., Carvalho, K. C. M. and Paixão, L. A. R. (2018) Micro, pequenas e médias empresas: conceitos e estatísticas. Revista Radar: tecnologia, produção e comércio exterior, 1(55), 21-26.
Search in Google Scholar Back to article
Gupta, H., Aye, K. T., Balakrishnan, R., Rajagopal, S. and Nguwi, Y. Y. (2014) Formulating, implementing and evaluating ERP in small and medium scale industries. International Journal, 3(6).
Search in Google Scholar Back to article
Gupta, J., Gregoriou, A. and Healy, J. (2015) Forecasting bankruptcy for SMEs using hazard function: To what extent does size matter? Review of Quantitative Finance and Accounting, 45(4), 845-869.
Search in Google Scholar Back to article
Haddara, M. and Zach, O. (2012) ERP systems in SMEs: An extended literature review. International Journal of Information Science, 2(6), 106–116.
Search in Google Scholar Back to article
Haynes, R. and Li, C. (2016) Continuous audit and enterprise resource planning systems: A case study of ERP rollouts in the Houston, TX oil and gas industries. Journal of Emerging Technologies in Accounting, 13(1), 171-179. https://doi.org/10.2308/jeta-51446
Search in Google Scholar Back to article
Hevner, A. and Chatterjee, S. (2010) Design science research in information systems. In: Design Research in Information Systems. Springer, Boston, MA, 9-22.
Search in Google Scholar Back to article
Illa, X. B., Franch, X. and Pastor, J. A. (2000) Formalising ERP selection criteria. In: Tenth International Workshop on Software Specification and Design. IWSSD-10 2000. IEEE, 115-122.
Search in Google Scholar Back to article
Imoniana, J.O., Perera, L. C. J., Lima, F. G. and Antunes, M. T. P. (2011) The dialectic of Control Culture in SMEs: A Case study. International Journal of Business Strategy, 11(2), 39-48.
Search in Google Scholar Back to article
Imoniana, J. O., Feitas, E. C. D. and Perera, L. C. J. (2016) Assessment of internal control systems to curb corporate fraud-evidence from Brazil. African Journal of Accounting, Auditing and Finance 5 (1), 1-24.
Search in Google Scholar Back to article
Jans, M., Alles, M. G. and Vasarhelyi, M. A. (2014) A field study on the use of process mining of event logs as an analytical procedure in auditing. The Accounting Review, 89(5), 1751-1773.
Search in Google Scholar Back to article
Jituri, S., Fleck, B. and Ahmad, R. (2018) A Methodology to Satisfy Key Performance Indicators for Successful ERP Implementation in Small and Medium Enterprises. International Journal of Innovation, Management and Technology, 9(2).
Search in Google Scholar Back to article
Kim, Y. and Kogan, A. (2014) Development of an anomaly detection model for a bank’s transitory account system. Journal of Information Systems, 28(1), 145-165.
Search in Google Scholar Back to article
Kobelsky, K. W. (2014) Conceptual Model for Segregation of Duties: Integrating Theory and Practice for Manual and IT-Supported Procedures. International Journal of Accounting Information Systems, 15(1), 304–322.
Search in Google Scholar Back to article
Kogan, A., Alles, M. G., Vasarhelyi, M. A. and Wu, J. (2010) Analytical Procedures for Continuous Data Level Auditing: ContinuityEquations 1. Available at http://raw.rutgers.edu/docs/Innovations/Continuity%20 Equations.pdf
Search in Google Scholar Back to article
Kogan, A., Alles, M. G., Vasarhelyi, M. A. and Wu, J. (2014) Design and evaluation of a continuous data level auditing system. Auditing: A Journal of Practice & Theory, 33(4), 221-245.
Search in Google Scholar Back to article
Kuhn, J. R. and Sutton, S. G. (2006) Learning from WorldCom: Implications for fraud detection through continuous assurance. Journal of Emerging Technologies in Accounting, 3(1), 61-80.
Search in Google Scholar Back to article
Kuhn, J. R. and Sutton, S. G. (2010) Continuous Auditing in ERP System Environments: The Current State and Future Directions. Journal of Information Systems, 24(1), 91–112.
Search in Google Scholar Back to article
Lee, C. H., Kim, Y. H. and Rhee, P. K. (2001) Web personalization expert with combining collaborative filtering and association rule mining techniques. Expert Systems with Applications, 21(3), 131-137.
Search in Google Scholar Back to article
Lenz, R. and Hahn, U. (2015) A synthesis of empirical internal audit effectiveness literature pointing to new research opportunities. Managerial Auditing Journal, 30(1), 5-33.
Search in Google Scholar Back to article
Li, S. H., Huang, S. M. and Lin, Y. C. G. (2007) Developing a continuous auditing assistance system based on information process models. Journal of Computer Information Systems, 48(1), 2-13.
Search in Google Scholar Back to article
Li, H., Dai, J., Gershberg, T. and Vasarhelyi, M. A. (2018) Understanding usage and value of audit analytics for internal auditors: An organizational approach. International Journal of Accounting Information Systems, 28, 59-76.
Search in Google Scholar Back to article
Lu, J. W. and Beamish, P. W. (2006) SME internationalization and performance: Growth vs. profitability. Journal of International Entrepreneurship, 4(1), 27–48.
Search in Google Scholar Back to article
Ly, L. T., Maggi, F. M., Montali, M., Rinderle-Ma, S. and van Der Aalst, W. M. (2015) Compliance monitoring in business processes: Functionalities, application, and tool-support. Information Systems, 54, 209-234.
Search in Google Scholar Back to article
Manolova, T. S., Manev, I. M. and Gyoshev, B. S. (2010) In good company: The role of personal and inter-firm networks for new-venture internationalization in a transition economy. Journal of World Business, 45(3), 257–265.
Search in Google Scholar Back to article
Mokhitli, M. and Kyobe, M. (2019) Examining factors that impede internal auditors from leveraging information technology for continuous auditing. In: Proceedings of Conference on Information, Communications, Technology and Society (ICTAS), Durban, South Africa, 1-6.
Search in Google Scholar Back to article
Muhrtala, T. O. and Ogundeji, M. (2013) Computerized accounting information systems and perceived security threats in developing economies: The Nigerian case. Universal Journal of Accounting and Finance, 1(1), 9-18.
Search in Google Scholar Back to article
Mulig, L. and Prachyl, C. L. (2017) Identifying Red Flags in an Accounts Payable Environment: The Importance of Controls in the Detection of Fraudulent Activity. Journal of Forensic & Investigative Accounting, 9(3), 941-952.
Search in Google Scholar Back to article
Munro, D. (2013) A Guide to SME Financing. Springer.
Search in Google Scholar Back to article
OSI (2016) Open Source Initiative. Available at https://opensource.org/osd
Search in Google Scholar Back to article
Poba-Nzaou, P. and Raymond, L. (2011) Managing ERP system risk in SMEs: A multiple case study. Journal of Information Technology, 26(3), 170-192.
Search in Google Scholar Back to article
Powell, D., Riezebos, J. and Strandhagen, J. O. (2013) Lean production and ERP systems in small-and medium-sized enterprises: ERP support for pull production. International Journal of Production Research, 51(2), 395-409.
Search in Google Scholar Back to article
Rikhardsson, P. and Dull, R. (2016) An exploratory study of the adoption, application and impacts of continuous auditing technologies in small businesses. International Journal of Accounting Information Systems, 20, 26-37.
Search in Google Scholar Back to article
Rikhardsson, P., Singh, K. and Best, P. (2019) Exploring Continuous Auditing Solutions and Internal Auditing: A Research Note. Journal of Accounting and Management Information Systems, 18(4), 614-639. https://doi.org/10.24818/jamis.2019.04006
Search in Google Scholar Back to article
Santos, L. M., Silva, G. M. and Neves, J. A. B. (2011) Risk of Survival of Commercial Micro and Small Enterprises. Revista de Contabilidade e Organizações, 5(11), 107-124.
Search in Google Scholar Back to article
Schultz, M. (2013) Enriching process models for business process compliance checking in ERP environments. In: Proceedings of International Conference on Design Science Research in Information Systems. Springer, Berlin.
Search in Google Scholar Back to article
Shin, I. H., Lee, M. G. and Park, W. (2013) Implementation of the continuous auditing system in the ERP-based environment. Managerial Auditing Journal, 28(7), 592–627.
Search in Google Scholar Back to article
Shin, M. S., Jeon, H. S., Ju, Y. W., Lee, B. J. and Jeong, S. P. (2015) Constructing RBAC based security model in u-healthcare service platform. The Scientific World Journal, 2015.
Search in Google Scholar Back to article
Singh, K. H. et al. (2011) Proactive fraud detection in enterprise systems. In: Proceedings of the 2nd International Conference on Business and Information: Steering Excellence of Business Knowledge. University of Kelaniya, Faculty of Commerce and Management Studies.
Search in Google Scholar Back to article
Singh, K. H. et al. (2013). Automating vendor fraud detection in enterprise systems. The Journal of Digital Forensics, Security and Law, 8(2), 7-28.
Search in Google Scholar Back to article
Singh, K. H., Best, P. J., Bojilov, M. and Blunt, C. (2014) Continuous Auditing and Continuous Monitoring in ERP Environments: Case Studies of Application Implementations. Journal of Information Systems, 28(1), 287–310.
Search in Google Scholar Back to article
Valarini, E. and Pohlmann, M. (2019) Organizational crime and corruption in Brazil; a case study of the “Operation Carwash” court records. International Journal of Law, Crime and Justice, 59, 1-15.
Search in Google Scholar Back to article
Van der Aalst, W., Van Hee, K., Van der Werf, J. M., Kumar, A. and Verdonk, M. (2011) Conceptual model for online auditing. Decision Support Systems, 50(3), 636-647.
Search in Google Scholar Back to article
Vasarhelyi, M. A., Alles, M. A. and Kogan A. (2004) Principles of analytic monitoring for continuous assurance. Journal of Emerging Technologies in Accounting, 1(1), 1-21.
Search in Google Scholar Back to article
Vasarhelyi, M. A., Alles, M. G., Kuenkaikaew, S. and Littley, J. (2012) The acceptance and adoption of continuous auditing by internal auditors: A micro analysis. International Journal of Accounting Information Systems, 13(3), 267-281.
Search in Google Scholar Back to article
Vaz, P. V. C. and Espejo, M. M. S. B. (2015) From text to context: management accounting use in micro and small companies under the theoretical perspective of Bakhtin. Revista de Contabilidade e Organzações, 9(24), 31-41.
Search in Google Scholar Back to article
Veasey, T. J. and Dodson, S. J. (2014) Anomaly detection in application performance monitoring data. International Journal of Machine Learning and Computing, 4(2), 120.
Search in Google Scholar Back to article
Wang, J., Shan, Z., Gupta, M. and Rao, H. R. (2019) A Longitudinal Study of Unauthorized Access Attempts on Information Systems: The Role of Opportunity Contexts. MIS Quarterly, 43(2).
Search in Google Scholar Back to article
Wolter, C., Miseldine, P. and Meinel, C. (2009) Verification of Business Process Entailment Constraints Using SPIN. In: F. Massacci, S. T. Redwine Jr. and N. Zannone (eds.) ESSoS 2009 - LNCS 5429, Springer, 1-15.
Search in Google Scholar Back to article
Xia, H. Et al. (2014) Role Refinement in Access Control: Model and Analysis. INFORMS Journal on Computing, 26(4), 866-884.
Search in Google Scholar Back to article
Zadeh, A. H., Akinyemi, B. A., Jeyaraj, A. and Zolbanin, H. M. (2018) Cloud ERP Systems for Small-and-Medium Enterprises: A Case Study in the Food Industry. Journal of Cases on Information Technology, 20(4), 53-70.
Search in Google Scholar Back to article

Readiness of Low Complexity ERP for Continuous Auditing in SMEs: The Brazilian Case Study

Abstract

Paradigm

My account