The first objective of the current study is to examine the extent to which financial auditors recognize heightened risks associated with an enterprise resource planning (ERP) system, as compared to a non‐ERP (legacy) system, in the presence of a control weakness over access privileges. The second objective is to assess the propensity of financial auditors to consult with information technology (IT) audit specialists within their firm when assessing ERP and non‐ERP system risks during the planning stage of an audit. One hundred sixty‐five auditors participated in an experiment in which we manipulated system type (ERP versus non‐ERP) and measured auditor type (IT audit specialists versus financial auditors). Both auditor types indicate significantly higher business interruption, process interdependency, and overall control risks with the ERP, as compared to the non‐ERP, system. Additionally, while IT audit specialists assess significantly higher network, database, and application security risks with the ERP system, financial audits do not recognize higher security risks in these areas. Perceived risk differentials from the non‐ERP to the ERP system across all risk categories are significantly greater for IT audit specialists than financial auditors. Finally, financial auditors do not indicate a greater need to consult with IT audit specialists when auditing an ERP versus a non‐ERP system and they are equally highly confident in the ability of financial audit teams to assess risks in both computing environments. Overall, evidence from this study suggests that financial auditors may be overconfident in their ability to assess ERP system risks.

This content is only available via PDF.
You do not currently have access to this content.