59 research outputs found

    Effective Internal Control Strategies for an Enterprise Resource Planning System

    The lack of effective internal control over enterprise resource planning (ERP) increases risks associated with financial reporting and erroneous transactions. Business leaders who develop effective enterprise resource planning internal controls reduce the risk of fraud and improve the quality of financial reporting. Grounded in the COSO internal control framework, the purpose of this qualitative single case study was to explore strategies business leaders use for adequate internal controls. The participants were seven business leaders from a single business in Mississippi, the USA, who successfully employed enterprise resource planning and internal control strategies. Data were collected using semistructured interviews, observations, and a review of internal documents. Using Yin’s five-step thematic analysis process, three themes emerged, including internal control strategies, overcoming barriers to implementing internal control strategies, and addressing key internal control challenges. A key internal control recommendation is to routinely review role-based access controls to ascertain appropriate access to transactions. The implication for positive social change includes the potential to help a firm improve the social and cultural well-being of the community, leading to consistent employment opportunities

    From the Stone Age to the Cloud: A Case Study of Risk-Focused Process Improvement

    Organizations strive to continually improve organizational performance while maintaining compliance to increasingly complex rules and regulations. Several methods and techniques for the identification and management of operational risks in business processes have been proposed in the academic literature, yet there are few examples of practical applications. This paper addresses this gap through a case study of a process improvement project that employed some of the proposed risk and compliance management techniques. We describe a business process reengineering project within the purchasing and accounts payable operations of a university in the United States. The project focused on improving service quality by improving the transparency and predictability of operations through the introduction of a workflow management system. We outline the stepwise transformation of manual process operations through technology, and discuss the risk and compliance objectives identified throughout the project and their impact on process design. This case study illustrates how process re-engineering techniques can improve process designs while balancing performance and compliance objectives. It provides guidance for the selection of an appropriate level of abstraction during process analysis and demonstrates how process objectives and technology capabilities shape the design of to-be processes

    Advanced Digital Auditing

    This open access book discusses the most modern approach to auditing complex digital systems and technologies. It combines proven auditing approaches, advanced programming techniques and complex application areas, and covers the latest findings on theory and practice in this rapidly developing field. Especially for those who want to learn more about novel approaches to testing complex information systems and related technologies, such as blockchain and self-learning systems, the book will be a valuable resource. It is aimed at students and practitioners who are interested in contemporary technology and managerial implications

    The effectiveness and value of internal audit in financial institutions: Evidence from qualitative research.

    Effective and value generating internal audit activities have long been contested because they play a key part in the achievement of a financial institution’s objectives. Internal audit’s systematic risk‐orientated approach to evaluate and improve a financial institution’s risk management and governance processes provides theoretical and methodological room for discussion. The Three Lines of Defense (3‐LoD) model is found in financial institutions. This calls for interaction and cooperation to enhance the overall risk management in order to create effective and value generating internal audit activities. An analysis is undertaken on the current state, the state of the art, and the future state of the internal audit discipline to determine how it can evolve to achieve the desired state of providing effective and value generating activities. By making use of grounded theory and conducting qualitative content analyses, key concepts and categories surrounding the internal audit discipline are extracted in a mixed‐method approach. Starting points for effective internal audit activities are derived from the literature and its value generation is investigated in an interview study. Scientifically relevant questions are derived from the literature study which are investigated in semistructured in‐depth interviews. Evidence is collected on the role of internal audit and its fields of relevance. The exogenous interest groups are positioned outside the financial institution and do not maintain a relationship with actors inside the financial institution. The exogenous perception of the internal audit discipline is essentially shaped by the regulatory supervision body, external audit and, to a lesser extent, of other interest groups. The findings from the conducted qualitative content analysis conclude that beneficial effects of internal audit mainly arise from the interaction with the management body and the financial institution’s internal governance framework. 
The evolvement of effective activities depends on internal audit’s ability to serve these endogenous and exogenous interest groups. Three dimensions are used to categorize the generation of value: (1) profession and organization, (2) cooperation, and (3) output. (1) Regular and in‐depth assessments, advisory, project management support, and assurance are contributing internal audit activities that relate to quantitative and qualitative measurands. (2) Reporting, assurance, independence, taking on a sparring partner role, and advisory are the most valuable activities for the management body. (3) An appropriate set‐up of the 3‐LoD for internal audit to maintain its independence requires a level of cooperation, sharing commonalities with the first and second line of defense, intensifying the exchange with the second line to avoid redundancies, the establishment of sparring partner roles, and a meaningful reporting. Explanatory hypotheses are formulated that infer the generation of value. Internal audit maintains causal relationships with exogenous and endogenous interest groups that shape the perception of the discipline. The thesis concludes by discussing that value is generated from the concentration of internal audit’s activities on the first and second line, internal governance to prevent findings from the regulatory supervision body, and the management body. The evolvement of the internal audit discipline depends on the importance assigned to it by the management body. The research contributes to the literature by providing insights on how the internal audit discipline needs to evolve to be effective and generate value for the financial institution’s interest groups. Administración y Dirección de Empresa

    A framework to investigate risk management in commercial banks

    Businesses are continuously exposed to a changing business environment which may either exert positive or negative influences on profitability. The banking industry, in particular, is highly competitive and bank failures can have significant consequences for customers. Commercial banks, therefore, have a responsibility to protect their customers by implementing sound risk management strategies. In light of the recent financial crises (since 2007), risk management has once again become a popular topic of discussion since adequate risk management should have prevented or minimised the impact of the risks faced by failed banks. The primary objective of this study was to develop a framework that could be used by South African commercial banks to investigate risk management. Qualitative research was conducted in this regard. From this, findings and recommendations were derived in order to provide banks with a tool by which they could assess their exposure to risk. Various journals, websites, newspapers, bank reports and textbooks were consulted in support of the literature. The literature provided background information on the history and development of the risk management process. Considerable attention was given to the categories of risk that an adequate risk management framework should address. Furthermore, the current models used to manage risk in commercial banks were provided, as well as the specific reasons for bank failures. The main findings of this study were the identification of the most significant reasons for banking failures. These were identified as capital inadequacy, credit risk due to non-performing loans and a lack of banking supervision. In addition to these reasons, several other contributing principles were identified as important factors to be included in a risk management framework. 
A risk management framework was thus constructed in Table 5.1 based on the literature regarding global banking failures and the relevant conclusions made by the researcher

    Forensic auditing as a powerful tool to enhance non-government organisations’ fraud risk management: a study of selected NGOs in eThekwini region, South Africa.

    Doctoral Degree. University of KwaZulu-Natal, Durban. Financial statement fraud is of serious concern to professional auditors, funders, and regulators. Although responsibility for fraud prevention and detection falls on management and those in charge of governing entities, external auditors are likely to come under strong criticism if fraud is not detected. This study empirically investigated the relationship between forensic auditing and fraud risk management, focusing on financial statement fraud among non-government organisations (NGOs). It aimed to determine whether forensic auditors prevent, detect, investigate, and respond to the risk of financial statement fraud among these organisations. To achieve these objectives, the study explored the significance of various fraud risk factors to propose how forensic auditors could respond to this risk using proactive forensic auditing techniques. It also explored the motivation for financial statement fraud. Four research questions guided the study, and four hypotheses were tested. Thirty large NGOs in the eThekwini region, South Africa constituted the sample, and the study population was 87 staff (internal auditors, forensic auditors, managers, accountants and bookkeepers, audit committees, finance officers, Chief Operations Officers, Chief Executive Officers, and directors). Data were gathered by means of an online questionnaire and semi-structured interviews via Zoom. Structural Equation Modelling (SEM) and Confirmatory Factor Analysis (CFA) were employed to test the fitness of the model and to evaluate the independent variables. Robustness analysis was performed using Analysis of Moment Structures (AMOS) software version 27 for CFA (alongside SPSS Version 27) to estimate statistical models. 
Structural Equation Modelling was simultaneously used to estimate the link between fraud risk management factors, preventive fraud practices, detective fraud practices, responsive fraud practices and proactive forensic auditing techniques among NGOs. The responses to the interview questions were analysed using conventional thematic analysis via qualitative data analytic software NVivo 12. The study’s results revealed that the proactive approach to forensic auditing has a significant impact on fraud risk management among NGOs in eThekwini region. A new, holistic fraud combination theory is proposed to address the shortcomings of the fraud triangle theory and improve fraud prevention, identification, and detection, and it is recommended that NGO governance structures adopt proactive forensic audit techniques. As the first to explore financial statement fraud and the extent to which forensic auditors could assist in the NGO context, this study deepens understanding of forensic auditing as the main driver of fraud risk management among NGOs by providing field-based evidence. It also contributes to the application of critical realism, interpretivism and positivism to accounting and auditing research

    International Law in the Boardroom

    Conventional wisdom expects that international law will proceed through a “state pathway” before regulating corporations: it binds national governments that then bind corporations. But recent corporate practices confound this story. American corporations complied with international laws even when the state pathway broke down. This unexpected compliance leads to three questions: How did corporations comply? Why did they do so? Who enforced international law? These questions are important for two reasons. First, many international laws depend on corporate cooperation in order to succeed. Second, the state pathway is not robust, then or now. It is therefore vital to identify alternatives to the state pathway in order for international laws – on human rights, climate change, labor rights, corruption, and other issues – to reach corporate boardrooms, C-Suites, offices, and supply chains. This Article synthesizes two traditionally separate fields – public international law and corporate governance – to offer a descriptive account of how corporations incorporate international law into board governance, management decision making, and contractual relationships. It offers three case studies in climate change, human rights, and sustainable development that reveal important incentives and mechanisms for international law compliance that are neglected under the traditional view. It explains that corporations comply in order to manage risks, appease stakeholders, and advance corporate purpose and strategy. Proxy advisors, investors, civil society actors, and even peer corporations enforce international law when a government actor will not. Normatively, these insights enrich academic debates concerning the operation and effectiveness of international law. 
On a policy level, this Article offers three recommendations for designing international agreements in order to encourage corporate compliance: facilitate comparability, create indicators, and identify corporate-purpose compatibility. It applies these lessons to two international agreements in development: (a) treaty on business and human rights, and (b) treaty on pandemic prevention and preparedness

    Web attack risk awareness with lessons learned from high interaction honeypots

    Master's thesis, Information Security, Universidade de Lisboa, Faculdade de Ciências, 2009. With the evolution of web 2.0, the majority of enterprises deploy their business over the Internet using web applications. These applications carry important data with crucial requirements such as confidentiality, integrity and availability. The loss of those properties directly influences the business, putting it at risk. Risk awareness provides the necessary know-how on how to act to achieve its mitigation. 
In this thesis a collection of high interaction web honeypots is deployed using multiple applications and diverse operating systems in order to analyse the attacker behaviour. The use of virtualization environments along with widely used honeypot monitoring tools provides the necessary forensic information that helps the research community to study the modus operandi of the attacker, gathering the latest exploits and malicious tools, and to develop adequate safeguards that deal with the majority of attacking techniques. Using the detailed attacking information gathered with the web honeypots, the attacking behaviour will be classified across different attacking profiles to analyse the necessary risk mitigation safeguards to deal with business losses. Different security frameworks commonly used by enterprises are analysed to evaluate the benefits of the honeypots security concepts in responding to each framework’s requirements and consequently mitigating the risk

    Embedding risk management within new product and service development of an innovation and risk management framework and supporting risk processes, for effective risk mitigation : an action research study within the Information and Communication Technology (ICT) Sector

    At first glance, innovation and risk management seem like two opposing disciplines with diverse objectives. The former seeks to be flexible and encourages enhanced solutions and new ideas, while the latter can be seen as stifling such innovative thinking. Since there is a failure rate of as many as eight out of every ten products launched, it is perhaps necessary for organisations to consider applying more structured approaches to innovation, in order to better manage risks and to increase the chances of delivering improved goods and services. A risk management approach is well suited to address the challenge of failure, as it focuses not only on the negative impact of risks but also on the opportunities they present. It aligns these with the strategic objectives of the organisation to increase the chances of its success. The research objective of this study was to establish how to embed risk management within the innovation divisions of an organisation to ensure that more efficient products and services are delivered to customers. To achieve this end, action research was conducted in a large organisation operating in a high-technology environment that launches many diverse products and services and rapidly expanding service offerings to other industries. The study took four years to complete and delivered multiple interventions that successfully embedded risk management within the organisation, leading to changed behaviours and double-loop learning. Two main knowledge contributions are offered by the study. Firstly, a generic and empirically validated integrated Innovation and Risk Management Framework (IRMF) is developed and guides new product and service development by considering both best practices and risks. Secondly, a risk dashboard is designed as a design science artefact within the action research cycles, which consolidates all the knowledge that was generated during the study. 
This is ultimately a visual interface to support stage-gate decision making. Since the context of the study was broad, extensive and complicated, the use of mixed-method research complemented and expanded on the findings by providing another layer of support and validation. This thesis highlights the complexity of innovation and presents the need for an organising framework that will encourage innovation but is sufficiently flexible to cater for diverse needs and risks. The study delivers several other valuable contributions regarding what, how and why incidents occur within the real-world context of new product and service development. Several generic artefacts, such as risk processes and maturity frameworks, are also developed, which can guide risk and new product and service development practitioners to deliver more efficient products and services. This study offers several novel approaches to evaluating risks and provides practical support and recommendations, addressing shortcomings of fragmented research in similar, but smaller-scale studies that have been conducted in information systems. It is the premise of this research that a much wider number of risks need to be managed as new products and services are developed than was noted in previous studies. Effective risk management in new product and service development could lead to competitive advantage for organisations by increasing knowledge and facilitating sustainable, informed risk decision-making