Are Financial Auditors Overconfident in Their Ability to Assess Risks Associated with Enterprise Resource Planning Systems?
James E. Hunton
Bentley University - Department of Accountancy; Erasmus University
Northeastern University - Accounting Group
University of Massachusetts at Boston
Journal of Information Systems, Forthcoming
The first objective of the current study is to examine the extent to which financial auditors recognize heightened risks associated with an enterprise resource planning (ERP) system, as compared to non-ERP (legacy) system, in the presence of a control weakness over access privileges. The second objective is to assess the propensity of financial auditors to consult with information technology (IT) audit specialists within their firm when assessing ERP and non-ERP system risks in the planning stage of an audit. One hundred sixty five (165) auditors participate in an experiment in which we manipulate system type (ERP versus non-ERP) and measure auditor type (IT audit specialists versus financial auditors). Both auditor types indicate significantly higher business interruption, process interdependency and overall control risks with the ERP, as compared to the non-ERP, system. Additionally, while IT audit specialists assess significantly higher network, database and application security risks with the ERP system, financial audits do not recognize higher security risks in these areas. Perceived risk differentials from the non-ERP to the ERP system across all risk categories are significantly greater for IT audit specialists than financial auditors. Finally, financial auditors do not indicate a greater need to consult with IT audit specialists when auditing an ERP versus a non-ERP system, and, they are equally highly confident in the ability of financial audit teams to assess risks in both computing environments. Overall, evidence from this study suggests that financial auditors may be overconfident in their ability to assess ERP system risks.
Number of Pages in PDF File: 41
Keywords: enterprise resource planning, ERP, audit risks, business risks, audit specialists
JEL Classification: M40, M41, M49
Date posted: April 14, 2005