11.1 Introduction

This book has focused on the adaptation in the IAF’s practice and structure as a response to the new control assumptions carried by ERP systems and the increased IAF-related governance pressures, in order to maintain its legitimacy.

This book attempted to address the voids in the literature by proposing and empirically verifying a conceptual framework that can explain the adaptation of the IAF. The proposed framework is based on a consistent set of institutional theoretical perspectives. The conceptual framework can be used as a tool to support organisations and allow researchers to apprehend and analyse the IAF adaptation after ERP systems introduction.

The researchers claim and empirically verify through the cases study that the proposed framework can be used for understanding and interpreting the IAF change and adaptation. The empirical data collected from four organisations in Egypt were analysed using the proposed framework and presented in Chap. 5. In doing this, the proposed conceptual framework was verified and evaluated. Overall, the empirical research findings in Chaps. 5 and 6 validated the predictions from the institutional framework. The institutional theoretical lens to study the phenomenon under investigation provided good understanding and interpretations of the practical findings.

This chapter summarises the key findings of the research and draws a conclusion about the contribution and limitations of the study. The final section offers suggestions for future research.

11.2 Key Findings

The key findings are discussed in the context of the research questions.

RQ1. What is the macro-governance pressure associated with the IAF and how do these pressures direct the IAF practice and structure in the sub-organisational level?

  • The review of the literature suggested that there is an absence of theoretical frames that describe the pressures on the IAF from external governance pressures and from ERP systems implementation within organisations. The reason for this is attributed to the fact that the link between ERP systems implementation and the IAF is a new research area with many topics remaining unexplored. The researchers reviewed several theoretical perspectives reported in this domain and identified the institutional theoretical perspective as a lens to investigate the phenomenon under study.

  • Governance pressures related to the IAF determine the legitimisation criteria for the IAF. The legitimisation of the IAF is to be mainly achieved through the ability of the IAF to provide an internal control assurance and help in risk management.

RQ2. What are the control assumptions of ERP systems that have an impact on the IAF and how do the participants perceive these assumptions?

  • The literature review suggested that ERP systems impose a new control principle which threatens the IAF’s legitimacy as a governance mechanism.

  • ERP systems carry a new institutional control logic, which is based on some investigated interlinked assumptions. These assumptions have affected the IAF as internal auditors are not used to dealing with such assumptions.

RQ3. How has the alignment between ERP systems logic and governance been made?

  • ERP systems’ control logic and assumptions are, by default, in alignment with the corporate governance goals and objectives. However, some alignment efforts are needed to make the best use of and utilise the ERP systems in enhancing the internal control system. These efforts include:

    • First, preparing a good change management plan, before introducing an ERP system. This plan takes into considerations the adaptation of the IAF, the required training and skills and the risk of resistance to the change.

    • Second, reengineering of process, systems customisation or workaround is needed where appropriate to make the business process auditable.

    • Third, involve internal auditors in the ERP system implementation team from the early stages of the project. This helps in two ways, providing internal auditors with the necessary system knowledge and understanding of the business process through the system; providing the implementation process with the proper advice from a control assurance perspective about the controllability of the process after ERP systems and in making the process auditable.

RQ4. How does the IAF adapt after ERP system introduction and how does this relate to the governance pressures?

  • ERP systems introduction causes uncertainty about the acceptability of the IAF’s practice and structure. This is because of the new internal control logic and assumptions of ERP systems.

  • The IAF adapts as a response to the ERP systems introduction by changing practice and structure, as follows:

    • The scope of the IAF is extended to cover the whole business with more IT-related responsibilities and offers comprehensive auditing with an integrated internal audit plan. When the IAF cannot extend its scope, other professional groups could take over its job.

    • The IA team is increased and turned into an integrated team that gathers a more diverse mixture of expertise, where IT auditors become an essential component.

    • When there are insufficient IT skills in the IA team, the IT auditing is outsourced to an external provider. Then, the IA team is reduced to some comprehensive auditors who are able to audit across functions.

    • Qualified and younger internal auditors are needed to work in the ERP systems working environment.

  • The changes in the IAF are dependent on the strategic response adopted by the auditors, which range from acquiescence to defiance. These responses are found to be changing over time. The adopted response is guided by the governance pressures and alignment efforts.

RQ5. How do these adaptations affect the legitimacy of the IAF?

  • The adopted IAF’s legitimacy-maintaining strategies depend on coercive and normative governance pressures, which give directions about how to maintain legitimacy. Maintaining legitimacy could be through complying with the pressures and adapting to satisfy the requirements of being able to assure the efficiency of controls in mitigating risks or through adhering to the conventional inherited traditions such as working to please the management or inspecting.

  • The maintenance of IAF legitimacy was based on aligning new ideas within prevailing normative prescriptions as the right thing to do, thus giving them moral legitimacy, or based on asserting their functional superiority aligning new ideas with self-interested calculations as pragmatic legitimacy.

ERP systems work as a motive for the IAF to change and give indications as to how to change the internal audit practice and structure. Although ERP systems implementation is not by itself the only driver of IAF change , ERP-related control assumptions have changed the business landscape in which the IAF practises.

ERP systems’ logic is in line with the ultimate goals of governance and has a significant and direct impact on controlling the business. ERP can be considered as a part of the corporate governance system.

ERP implementation is one of the key factors that forces internal auditors to reassess their practice and structure. Other factors that direct the adaptation are the evolving regulations and audit standards calling for improving the IAF. These forces create a new audit environment and auditors who understand how to adapt their function can be invaluable to their organisations.

ERP systems have eliminated several traditional internal auditing assignments and expanded internal auditors’ capabilities. The focus of the internal audit has been shifted from manual detection of errors to technology-based prevention. ERP systems help internal auditors in preventing errors and irregularities through identifying areas of concern when unusual relationships exist. Internal auditors share the methods of effective internal control with users from various departments.

ERP systems implementation increases the scope of the IAF and the need for convergence among financial, operational and IT auditors. In other words, all financial, operational auditors and IT auditors should be part of the one integrated internal audit in order to be able to conduct comprehensive audits effectively. The study reveals that there is agreement that better control assurance results can be achieved when financial, operational and IT auditors’ efforts are combined to conduct integrated audits. The IAF provides financial, IT audits, risk management support, consultancy and management support activities. This means that the IAF becomes a service that provides multi-audits. ERP systems implementation accelerates the tendency for the IAF to offer comprehensive integrated auditing.

ERP systems offer tools that are considered to be good resources for internal auditors that should be exploited to obtain information in real time, evaluate access, identify risks and recommend ways to mitigate them. However, when the IAF is not adapted to benefit from the ERP systems, the IT professionals take over many audit responsibilities.

Governance coercive and normative pressures give legitimatising directions to the IAF adaptation after ERP systems introduction. Therefore, the IAF may maintain its legitimacy through emphasising its ability to offer internal control assurance and risk management after ERP systems introduction. This is through the adaptation to increase the scope to be a comprehensive and integrated IAF. Whenever the governance normative pressures have a negative impact on the IAF, they may maintain its legitimacy through sticking to the traditional accepted normative practice even if this is not the best way to offer better assurance.

Internal auditors realise the significance of aligning their practice with the ERP requirements, because they are under pressure to do better governance and because they are able to get better jobs through mastering the new technology. It could be said that the relationships of internal auditors and ERP system have become increasingly entwined. Missing linkages between the ERP system’s capabilities and IAF practice may lead to the inefficiency of internal control activities and even the failure of corporate governance.

The accomplishment of the research objectives, discussed in this section, was made possible after developing a research framework to examine the effect of governance and ERP on the IAF. Thereafter, the novel contributions are stated.

11.3 Contribution of the Study

The elements of the contributions made by this research stem from different components in this book. The reliability of these findings and contributions is enhanced by ensuring its consistency and maximising the repeatability of the research. An auditing approach was developed based on preparing a case study protocol that includes all the procedures applied in the data collection stage, a case study database where the raw data of the case studies are available for external review and records of all interviews for an iterative process of analysis. The findings are transferable, reliable and demonstrate validity through using the replication logic by testing the results through multiple-case studies (Yin 2009); by developing a thick description to the cases facilitating the comparison with other circumstances (Bryman and Bell 2007, p. 413) and through the analytical generalisation (Yin 2009) by generalising a particular set of findings to a similar circumstances (see Sects. 5.7.5. for more details). The conclusion of the research offers transferable understanding, themes and meanings that can facilitate the understanding of similar settings. This study has suggested a number of contributions at the theoretical, methodological and empirical levels. These can be summarised as follows:

11.3.1 Contributions to Theory

This study contributes to the literature by providing a conceptual framework that explains the factors that determine the IAF adaption following implementation of an ERP system taking into the considerations the corporate governance pressures. This study extends previous literature through exploring the IAF in Egypt as one of the developing countries . This framework can be tested more extensively in Egypt and in other developing countries in order to produce a robust theory in such settings.

This study integrates and extends different institutional perspectives in the introduced framework and then validates it in a different context and a different level of analysis. Institutional theoretical perspectives are used widely on the country and organisational levels; however, there is a room to use these perspectives to understand and interpret empirical findings on the organisation and the sub-organisational levels. Therefore, the basic contribution of this study to institutional theory is an empirical investigation of strategic responses on the organisational level and the sub-organisational level (unexplored analysis level) to institutional external and internal influences. The study empirically verifies the proposed relationships and supports their applicability in the context of ERP, corporate governance and the IAF. The study has significant implications for understanding the change in terms of institutional strategic adaptation theories. The IAF in the sub-organisational level is subject to macro-level institutional pressures from the related corporate governance rules and regulations and micro-level institutional pressure from the related new institutional logic of the ERP systems.

The study contributes by extending the understanding of the strategic responses suggested by Oliver (1991) that can be used in front of institutional pressures. This study extends this view through finding that there is more than one response which can be used as they are not working as alternatives. The response to certain types of pressure can be changed from one to another over time. Moreover, the study contributes through applying the institutional logic concept in the ERP systems field. The study goes deep to explore the assumptions behind the control principle embedded in the ERP institutional logic.

The research contributed to the literature by attempting to fill the gaps identified in critical literature review. Furthermore, the conceptual framework supported by this research may be a step towards developing a theory of addressing external and internal pressures on the IAF.

11.3.2 Contributions to Methodology

There are insufficient qualitative studies in the field of IAF because of the difficulty in accessing and collecting the data from this sensitive position within organisations, and therefore previous studies mainly collect data quantitatively. This study is among the few studies which were conducted qualitatively and data collected from most of the interested stakeholders either within organisations or external parties. The case study protocol including the interview agenda and questions (see Appendix B) is considered to be a methodological contribution that may guide researchers in following the same methods. The reflection of the institutional framework in the interview agenda may help in analysing and exploring a similar phenomenon. The case study protocol was validated which is a helpful guideline for future researchers.

11.3.3 Contributions to Practice

The findings of this study have practical implications for the ways in which the IAF is managed. The findings of the study may be considered by organisations that implement ERP systems in order to adapt and improve their IAF. It is worthy to note that the implications for the IAF from ERP systems implementation are huge such as: internal auditors have to start handling electronic audit evidence effectively; to gain more understanding of the internal controls in ERP systems and the security of the electronic data; to change the structure of the audit department by adding IT audit professionals and operational auditors from different departments in the integrated internal audit team; to extend the scope of service to cover the whole business and to take responsibilities of adding value to the control assurance and risk management.

Understanding the control assumptions of ERP systems opens the possibility of a deeper level of controllability to activities that had been partially opaque. Internal auditors should understand that after ERP systems implementation control is not a hierarchical, totalitarian and centred practice but rather practice that embraces multiple controls and locations. This means that the internal control assurance became a common concern that might not be only related to the internal auditing territory and there are new control concepts that internal auditors should take into consideration when assuring the internal control system such as the peer-review and the self-review controls.

Taking into account the high level of dependence on ERP systems, no reasonable assurance can be provided without consideration of IT infrastructure . In the ERP systems working environment the IT audit should be an integral part of the IAF. It should collectively assure the validity of the transactions by determining whether there are controls in place and determining the integrity of controls and their susceptibility.

An integrated internal audit should audit the processes and systems across the organisation rather than focusing on individual locations. Instead of conducting separate audits focusing on a vertical analysis of different sets of the controls over the end-to-end process, auditors should depend on horizontal analysis in a way that ensures that all interconnected controls to address the business risk are addressed in an integrated fashion. It is suggested that the audits should focus simultaneously on an organisation’s financial, operational and IT controls and processes. Internal auditors are now considered by the top management as a business partner or even an advisor. Lack of trained and multi-disciplinary staff has become a severe difficulty since IAFs started to assume duties in addition to financial auditing. The broader scope of the performance audit has required integration of various specialised skills.

Internal auditors should have the knowledge of the transactions flow and related controls through ERP systems to ensure the reliability of information. Moreover, they have to adopt risk-based auditing that focuses mainly on the adequacy and effectiveness of internal control activities rather than substantive testing of electronic documents and transactions. The IAF activities should change to eliminate redundancies. Therefore, the execution times of the function’s activities should be shorter and the internal audit report should provide more organised and integrated information. Thus, it is suggested that the IAF budget should be increased in order to use CAATs and to take advantage of using ERP systems in the audit practice.

The automation brought by ERP systems raised the importance of automating some of the auditing activities. It is suggested that internal auditors should pay more attention to the segregation of incompatible IT tasks and duties. Clear and strict procedures should be set to prevent IT operators and schedulers from gaining access to programme documentation and databases. Internal auditors should be able to assure the effectiveness of the preventive automated controls, which were absent before ERP systems.

Considering data security as a component of the internal control system is a new concept for internal auditors. Internal auditors should have the knowledge of security utilised in the IT infrastructure to effectively audit the controls around removal of access for terminated or moved employees. They have to understand how access to applications can be given. This will help internal auditors limit unauthorised access. The failure to understand security in conjunction with other controls may cause internal auditors to report issues that have no risk to the organisation.

It is strongly advisable to get experienced internal auditors involved in the implementation team to understand and to ensure that controls are not compromised during implementation. Through understanding of common ERP risks and control, they should improve their skills and knowledge to be strategic governance members.

Using Egyptian cases offers useful policy implications since policy makers need to be informed about the outcomes of the reforms mainly in the wake of the global financial crisis . Therefore, it is suggested that the regulators in Egypt should begin the necessary actions for issuing laws and regulations to force maintaining and adapting the IAF to be a developed profession that takes action in response to technological changes. This is by the aim of emphasising the coercive criteria to legitimise the IAF and set what should be the stakeholders’ expectations. It is suggested that governments should play a coercive role by encouraging organisations to maintain a well-adapted IAF that organises its activities to be compatible with its business needs and in the manner specified in internal audit standards. There should be more powers given to shareholders to remove ineffective internal auditors. Furthermore, the shareholders should be made aware of the importance of the IAF so that the recommendations of internal auditors and actions of the management are taken in the right perspective. Regulators in Egypt should take action to legalise and improve the Egyptian code of corporate governance in order to develop the internal audit profession and enhance its role and organisational status.

Professional bodies such as the IIA should modify the required competencies and skills set for internal auditors to highlight the normative criteria of legitimisation . These are needed for internal integrated auditing to be consistent with the evolution occurring in the structure and practice of the IAF within organisations that implement ERP systems and to give it the cognitive legitimacy. The IAF should be given recognition as a profession. This requires formal training and continuous professional education. The authority for the IAF should be delegated in written format and communicated to all concerned. It is suggested that associations can legitimate IAF change by reframing professional identities as they are presented to others outside the profession. There is a need for a professional body that looks after the interests of the internal audit profession in Egypt. In Egypt, there is still ambiguity regarding the objectives, scope and nature of the internal audit. Internal auditing needs clearly outlined statements of responsibilities and objectives.

It is suggested that the ESAA should act to encourage wider awareness of the importance of the IAF and its benefits and play a better role in offering thorough support for training and professional development to enhance the profile of the IAF. The IIA chapter in Egypt should have sufficient power to promote and establish internal audit departments . The ESAA could liaise with the IIA chapter for disseminating the CIA examination in Egypt.

Furthermore, internal auditing courses in Egyptian universities should be modernised to include the international standards. It is essential that universities in Egypt review the material used in teaching internal auditing. Currently, internal auditing is merely a topic covered among many other topics and only the financial aspects of internal auditing are studied. This syllabus needs to be improved to allow covering the international standards and the needs of the new ERP systems working environment.

Educational programmes should be developed to be adjusted to the changes that are occurring in the field of auditing. It is vital to understand the changes taking place in assurance services. It is recommended that the auditors’ ability to gather information, to examine, to evaluate and to communicate must be taken into account along with the growing technological complexity of ISs. There is a necessity for practical and scientific retraining for the internal auditors in order to assimilate the principles and criteria of governance in the new ERP working environment. The IAF, besides looking at the compliance side, has to be dynamic, staffed by highly qualified individuals and be a value-adding function.

11.4 Research Limitations

There are some limitations which are worth noting as they open up fruitful avenues for future research. The results must be interpreted with caution, given the limitations imposed by the research methodology and the complexity of the issues involved. Even though a lot of effort was invested to minimise these problems, the limitations on the implications of the results must be kept in mind.

The generalisation achieved in this research is on the theoretical level as the framework is verified to be used on other contexts. However, a limitation of the qualitative research methodology is the difficulty to generalise results from the cases study. Using a case study strategy made the external generalisation of the findings limited. The adoption of case study research reduced the number of organisations which could participate. However, these limitations were overcome through reasoning made by drawing on other literature and case materials (Walsham 1995).

Despite the advantages the qualitative research provides, this methodology has disadvantages as well, such as being time-consuming, in that the researchers spent more than one year in the process of data collection and analysis. A large amount of data were collected from the four cases and transcribing and translating consumed a lot of time as many interviews were in the Arabic language. The relative difficulty in analysing this data did not invalidate any conclusion drawn, since analysis was applied to data obtained from multiple-case studies .

The data were collected within 12 months of ERP system implementation, while the comprehensive control benefits of ERP systems may take a longer time to be gained and the ultimate adaptation of the IAF may take a longer time to be finalised. Therefore, it is important to take into consideration this timing of data collection when interpreting the study findings.

There is potential for some bias regarding the way cases and interviewees were eventually chosen. The researchers did his best to choose the cases based on phenomena representative matters; however, accessibility to the field was an important determinant. The selected cases were chosen based on the recent implementation of an ERP system and of having a well-established IAF. The cases were from two different sectors, banking and manufacturing, and from two different categories , national and international in order to be subject to different corporate governance pressures. Even though the number of cases investigated during this study was four, to extend it further would not have increased the external validity. Although the research context is specific, it is believed that the findings are of relevance to inform other sectors and other countries. This is justified based on that there are no specific requirements for the IAF in different sectors and that the ERP system is a readymade package.

Qualitative research is criticised for its inability to establish a scientific link between theory and research. The interpretation was difficult and hard to be achieved without controlled and minimised degree of bias. However, this concern was addressed through many strategies discussed in Sect. 4.7.5, such as developing a theoretical framework to guide the interpretations, using replication strategy and using data triangulation . To minimise bias, data were shared with peers to open the mind to alternative explanations. The researchers avoided a biased intervention in the process of the data collection as much as possible. This was to separate the participants’ responses from the researchers’ opinions so that the data represent interviewees’ experience accurately and precisely.

Even if the results from this research have limitations and cannot be regarded as generally applicable, some conclusion could be drawn from this case study, contributing to the achievement of a deeper understanding of internal audit issues in the ERP system working environment. Since this is an exploratory and analytical study, it is a starting point for further research in this area. It is hoped that the research will form the basis for further more specific research and investigation relevant to the issues highlighted in this study.

11.5 Recommendations for Further Research

Although the researchers have a prolonged engagement with the cases and data collection phases, such research requires a longitudinal method to avoid any limitations which stem from the retrospective data collection methods. This research is conducted within a specific time period with a snapshot nature of research methodology and does not consider the changes over a longer time. This represents a worthy route of inquiry for future scholars. Future research is recommended to consider the longitudinal type of study of the legitimacy of the IAF over time. Such future longitudinal studies may improve the robustness of the results presented in this study.

Whereas the study offers various interesting and novel insights, the limitations draw attention to the need for more research adopting different methods and targeting different populations and participants to investigate the wider prevalence of the findings. Longitudinal studies are important in terms of further research. As noted earlier, the responses of internal auditors are unlikely to stay stable over the operational life of ERP systems. It is probable that ERP systems will be reinterpreted, which may necessitate redefining functional boundaries. The in-progress nature of the relationship between ERP systems’ logic and the subjective interpretations of internal auditors, underscores the need for longitudinal studies to explore how well the proposed theoretical model reflects realities in the longer term.

The qualitative approach taken by this study leaves scope for future research using quantitative research methods, such as a questionnaire survey in order to increase the reliability of the findings. It would also be fruitful to design research to increase the generalisability of the findings by testing the conceptual framework more widely in other countries in the Middle East and elsewhere.

The findings of this study confirm the relevance of the corporate governance institutional pressures and ERP systems’ institutional logic in determining changes in the IAF; however, the results also highlighted the influence of further elements such as organisational culture. The extent to which this change will lead to a growth in internal auditing and will be legitimated in the long run is a subject for further research.

In this book, the IAF changes gain pragmatic and moral legitimacy. The IAF adaptations could be diffused to gain social consensus concerning their pragmatic value (Suchman 1995); thus, they might diffuse even further. Therefore, it is suggested that future research could investigate whether the changes themselves become taken for granted as the natural and appropriate arrangement to reach cognitive legitimacy (Suchman 1995).

There is also a great need for more comparative studies of the perception and practice of internal auditing between different developed and developing countries in the ERP systems working environment. Further research is needed to investigate the obstacles to adapt internal auditing in developing countries and ways to solve any difficulties that might hinder the practice of internal auditing in its wider scope. Future research conducted in different national environments would verify the findings of this study and may yield additional interesting and complementary insights. Conducting future studies would enable researchers to obtain an overall picture of the phenomenon or perform a comparison.