Reconstructing legitimacy of internal auditing during ERP implementations: two contrasting cases

Hany Elbardan (Department of Accounting, Finance and Economics, Bournemouth University Business School, Bournemouth University, Poole, UK) (Department of Accounting, Faculty of Business, Alexandria University, Alexandria, Egypt)
Donald Nordberg (Department of Accounting, Finance and Economics, Bournemouth University Business School, Bournemouth University, Poole, UK)
Vikash Kumar Sinha (Department of Accounting, School of Business, Aalto University, Espoo, Finland)

Journal of Accounting Literature

ISSN: 0737-4607

Article publication date: 30 November 2023

Abstract

Purpose

This study aims to examine how the legitimacy of internal auditing is reconstructed during enterprise resource planning (ERP)-driven technological change.

Design/methodology/approach

The study is based on the comparative analysis of internal auditing and its transformation due to ERP implementations at two case firms operating in the food sector in Egypt – one a major Egyptian multinational corporation (MNC) and the other a major domestic company (DC).

Findings

Internal auditors (IAs) at MNC saw ERP implementation as an opportunity to reconstruct the legitimacy of internal auditing work by engaging and partnering with actors involved with the ERP change. In doing so, the IAs acquired system certifications and provided line functions and external auditors with data-driven business insights. The “practical coping mechanism” adopted by the IAs led to the acceptance (and legitimacy) of their work. In contrast, IAs at DC adopted a purposeful strategy of disengaging, blaming and rejecting since they were skeptical of the top management team's (TMT's) sincerity. The “disinterestedness” led to the loss of legitimacy in the eyes of the stakeholders.

Originality/value

The article offers two contributions. First, it extends the literature by highlighting a spectrum of behavior displayed by IAs (coping with impending issues vs strategic purposefulness) during ERP-driven technological change. Second, the article contributes to the literature on legitimacy by highlighting four intertwined micro-processes – participating, socializing, learning and role-forging – that contribute to reconstructing the legitimacy of internal auditing.

Citation

Elbardan, H., Nordberg, D. and Sinha, V.K. (2023), "Reconstructing legitimacy of internal auditing during ERP implementations: two contrasting cases", Journal of Accounting Literature, Vol. ahead-of-print No. ahead-of-print. https://doi.org/10.1108/JAL-01-2023-0001

Publisher

Emerald Publishing Limited

Copyright © 2023, Hany Elbardan, Donald Nordberg and Vikash Kumar Sinha

License

Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence may be seen at http://creativecommons.org/licences/by/4.0/legalcode


1. Introduction

While attention to internal auditing is increasing (Christ et al., 2015; Roussy and Perron, 2018), it remains a contested business function because of the weak professionalization and absence of regulatory push (Arena and Jeppesen, 2009, 2015; Elbardan et al., 2015; Roussy, 2015; Roussy and Brivot, 2016). The weak professionalization of internal auditing is reflected in its dual professional objectives (Covaleski et al., 2003; Rittenberg and Covaleski, 2001). The USA-based Institute of Internal Auditors (IIA) defines internal auditing as “an independent, objective assurance and consulting activity” that “helps an organization accomplish its objectives” (IIA, 2022). Its UK affiliate puts stress in its code on “acting in the public interest” (CIIA, 2022). The differences in emphasis underline the tensions in the profession (Eklöv Alander, 2023; Jaggi, 2023; Roussy, 2015; Sarens et al., 2009).

Given the dual objectives of internal auditing, internal auditors (IAs) face a dilemma concerning the legitimacy of their work (Burrell Nickell and Roberts, 2014). On the one hand, IAs seek legitimacy from external stakeholders (investors, regulators and the public at large) by providing reasonable assurance on the internal control environment and the risk taken by the management (Burrell Nickell and Roberts, 2014; Everett and Tremblay, 2014). On the other hand, they seek legitimacy from internal stakeholders (especially management) by serving in the interest of organizational goals and being accountable to them (Christopher, 2019; Christopher et al., 2009; Roussy, 2013). This dilemma means that IAs often need to negotiate continuously the legitimacy of their work with several stakeholders who evaluate them from different vantage points (Power, 2003; Roussy and Brivot, 2016).

The introduction of new technologies, such as enterprise resource planning (ERP) systems, can push IAs to renegotiate the legitimacy of their work with a broad array of internal stakeholders (Betti and Sarens, 2021; Elbardan et al., 2015; Madani, 2009). While ERPs have been around for a while, the newer generations of ERP systems facilitate advanced digitalization of accounting and auditing processes by acting as springboards for cloud computing and sophisticated data analytics (Carlsson-Wall et al., 2022). ERP implementations not only raise questions on the technical and functional appropriateness of internal auditing but also its socio-political legitimacy in the eyes of stakeholders (Chenhall and Euske, 2007; Madani, 2009; Saharia et al., 2008; Tsai et al., 2015).

Emerging literature on the impacts of ERP systems or digital technologies has predominantly focused on the technical and functional aspects, such as the changing nature of internal audit work (more emphasis on analytics) (Betti and Sarens, 2021), shifting attention to technology-centric business risks (Kanellou and Spathis, 2013; Saharia et al., 2008), prioritizing consulting activities (Betti and Sarens, 2021) and support during ERP or other technological implementations (Saharia et al., 2008; Tsai et al., 2015). These works have paid little attention to the socio-political questions of legitimacy (and acceptance) of internal auditing in the eyes of internal stakeholders (Betti and Sarens, 2021; Roussy and Perron, 2018). Prior research on the socio-political legitimacy of accounting and auditing, in general, during ERP or other technological implementations, has also been inconclusive (Moll and Yigitbasioglu, 2019; Möller et al., 2020; Salijeni et al., 2019, 2021).

On the one hand, some studies have demonstrated a loss of legitimacy due to automation and jurisdictional conflicts with technology-savvy functional groups such as those working with information technology (IT) (Arnaboldi et al., 2017a, b; Caglio, 2003; Salijeni et al., 2019). On the other, several studies have indicated enhanced legitimacy through value-adding advisory (Ax and Greve, 2017; Carlsson-Wall et al., 2022; Goretzki et al., 2013). Given this controversy in the extant literature, in this paper, we focus on understanding how the legitimacy of internal auditing work is reconstructed during ERP-driven technological change.

The socio-political questions on the legitimacy (and acceptance) of internal auditing in the wake of technological changes are important, given the doubts on whether internal auditing can add value through direct strategic support or strengthening of internal control aspects (Ferry et al., 2017; IIA, 2009; Roussy, 2013). Internal auditing has moved away from being a reactive watchdog for corporate management to a more proactive value-adding strategic service. In doing so, internal auditing has broadened its services to include novel areas (e.g. assurance on implementing disruptive technologies) by embracing agile practices (Betti and Sarens, 2021). Despite such significant developments, internal auditing does not consistently play its presumed value-adding role in practice (Arena and Jeppesen, 2009; Roussy, 2015; Roussy and Rodrigue, 2018). Arguably, this is because of the inconsistency and practical conflicts surrounding traditional assurance-oriented roles and the emerging business-partnering role of IAs. While assurance requires distancing from line functions, business-partnering requires close collaboration with line functions (Christopher et al., 2009; Jaggi, 2023; Sarens et al., 2013; Sarens and de Beelde, 2006). Inconsistency of internal audit practices is also attributed to poor structural and functional arrangements (Christopher, 2019; Vinnari and Skærbæk, 2014) that exacerbate ambiguity on the role of IAs as assurance providers to the board vs partners to the management (Norman et al., 2010; Roussy and Brivot, 2016).

Given a variety of theoretical viewpoints on what legitimacy is and who seeks legitimacy (Andon et al., 2014; Burrell Nickell and Roberts, 2014; Suchman, 1995; Suddaby et al., 2017; Tilling and Tilt, 2010), we focused on one important boundary condition that helped us with our analysis and theorization: a stakeholder-centric definition of legitimacy (Bitektine, 2011; Bitektine and Haack, 2015; Suchman, 1995; Suddaby et al., 2017). Two important assertions inspired our boundary condition. First, we concur with Briers and Chua (2001, p. 264) that the legitimacy of accounting work during technological change is constructed by a “heterogeneous network of actors.” Second, we agree with the assertions of Burns and Scapens (2000, p. 13) that the legitimacy of accounting changes depends on “the working out of mutually acceptable methods of working” between accountants and other stakeholders. Andon et al. (2015, p. 1411) term this the “evolving democratisation” of accounting and auditing processes.

Our contribution to the prior literature is twofold. First, unlike the portrayal of IAs as agents who compromise on their professional duties (Iyer et al., 2018; Neu et al., 2013; Roussy and Rodrigue, 2018), our cases illustrate a more nuanced coping behavior displayed by IAs. Second, our cases present contrasting trajectories of legitimation for internal auditing work during ERP-driven technological changes. In doing so, we augment a small but growing stream of field studies focusing on the legitimacy, stability and acceptance of accounting and auditing in organizations during technological changes (Betti and Sarens, 2021; Salijeni et al., 2019, 2021; Tsai et al., 2015). Additionally, unlike studies on professional legitimacy (Andon et al., 2014; Arena and Jeppesen, 2009; Heusinkveld et al., 2018; Rittenberg and Covaleski, 2001) or organizational legitimacy (Sillince and Brown, 2009; Tilling and Tilt, 2010), our findings create more insights into the “micro-processes” of legitimacy (Kuruppu et al., 2019; Suddaby et al., 2017) by focusing on the intra-organizational legitimacy of internal auditing work.

The balance of the paper is structured in this way: Section 2 examines the theoretical literature on legitimacy. Section 3 describes the methods used in the two case studies we examine. Section 4 presents the findings, and Section 5 discusses the implications of these cases on the concepts of legitimacy and professionalism. The paper concludes in Section 6 by highlighting contributions, limitations and ideas for future research.

2. Legitimacy as a process

The concept of legitimacy has been studied from various perspectives, both in accounting (Andon et al., 2014; Burrell Nickell and Roberts, 2014; Passetti and Rinaldi, 2020; Pelger and Spieß, 2017) and management (Elsbach and Sutton, 1992; Suchman, 1995; Suddaby et al., 2017; Suddaby and Greenwood, 2005) literature. These different perspectives have created confusion around the concept of legitimacy (Kuruppu et al., 2019; Suddaby et al., 2017). Our preliminary analysis of the vast literature on legitimacy revealed two contested aspects: what is legitimacy (a property, a process, or a judgment) and who seeks legitimacy (individuals, organizations, or professional groups).

In a recent literature review, Suddaby et al. (2017) find three conceptions of “what is legitimacy”: legitimacy-as-property, legitimacy-as-process and legitimacy-as-perception. The legitimacy-as-property view conceives of legitimacy as a resource (Suchman, 1995) or an intangible asset (Gardberg and Fombrun, 2006) that organizations or individuals can acquire (Burrell Nickell and Roberts, 2014), accumulate (Pelger and Spieß, 2017), maintain (Tilling and Tilt, 2010) and transfer to other organizations (Dobrev et al., 2006). The legitimacy-as-property view is akin to what Suchman (1995) calls the resource-centric view of legitimacy, where organizations or individuals try to gain legitimacy by demonstrating their fit with the audiences' expectations (Mitchell et al., 1997; Pelger and Spieß, 2017).

The legitimacy-as-process view conceives legitimacy as an ongoing process where organizations and actors actively negotiate their legitimacy with the stakeholders (Bitektine, 2011; Kuruppu et al., 2019). In this view, social actors negotiate, construct, maintain and defend legitimacy through persuasion, rhetoric and communication (Passetti and Rinaldi, 2020; Suddaby and Greenwood, 2005). In a sense, studies using the legitimacy-as-process view focus on the different persuasion strategies of social actors during both conditions of environmental stability (Sillince and Brown, 2009) and environmental change (Passetti and Rinaldi, 2020). Environmental change can also result in delegitimization if social actors fail to persuade stakeholders or display their “interested-ness” (Whittle et al., 2014).

The legitimacy-as-perception perspective conceives legitimacy as the process of judgment by the stakeholders (Bitektine, 2011; Bitektine and Haack, 2015). This perspective focuses on individuals' perception and cognition within the purview of social processes (Bitektine, 2011; Bitektine and Haack, 2015). In this sense, the legitimacy-as-perception perspective considers both the micro-level individualized cognitive processes (such as bounded rationality) and the macro-level social stimulus that affects the judgment and perception of the evaluative stakeholders (Suddaby et al., 2017). Both individual and collective actors render legitimacy judgments that interact with each other (Bitektine and Haack, 2015). Cognitive, moral and pragmatic legitimacy is conceived at the individual level and validated as socio-political legitimacy at the collective level (Kuruppu et al., 2019; Suchman, 1995).

The literature on legitimacy is also contested on the idea of who seeks legitimacy: professional macro-level perspectives, organizational meso-level perspectives and individual micro-level perspectives. Macro-level perspectives on legitimacy focus on how professional groups ascertain their legitimacy and jurisdictional boundaries (Abbott, 1988; Currie and Spyridonidis, 2016; Goodrick and Reay, 2011; Heusinkveld et al., 2018; Martin et al., 2015; Whittle et al., 2014). Several accounting studies have focused on the professional legitimacy of regulators, auditors and accountants and how they construct and maintain it during both conditions of environmental stability and environmental change (Covaleski et al., 2003; Griffith, 2019; Hayne and Free, 2014; Parker and Johnson, 2017; Pelger and Spieß, 2017; Rittenberg and Covaleski, 2001). Such studies have more specifically focused on the legitimacy of jurisdictional boundaries drawn by accountants and auditors in the aftermath of technological changes that diffuse accounting knowledge and make it easier for other functions, such as marketing and IT management, to encroach upon the traditional work of accountants (Arnaboldi et al., 2017a, b; Caglio, 2003; Rom and Rohde, 2007).

Meso-level perspectives on legitimacy have focused on how organizations construct and maintain their legitimacy during both conditions of environmental stability and environmental change (Pfeffer and Salancik, 1978; Suchman, 1995; Suddaby et al., 2017). Several accounting studies in this stream have focused on how organizations use corporate social responsibility (CSR) reporting (cf. Kuruppu et al., 2019; Tilling and Tilt, 2010) and internal auditing (Burrell Nickell and Roberts, 2014; Everett and Tremblay, 2014; Neu et al., 2013) to construct and maintain their legitimacy in the eyes of the external stakeholders. Meso-level studies have focused on how organizations use decoupling (espousing appropriate policies while continuing with the bad practices) strategies to gain legitimacy in the eyes of the external stakeholders (Bromley and Powell, 2012; Meyer and Rowan, 1977).

Micro-level studies focus on how individuals and subunits within organizations maintain their legitimacy during organizational or technological change. Several accounting studies in this stream have focused on how accounting and internal auditing functions construct and maintain their legitimacy with internal stakeholders during technology-driven changes (Andon et al., 2014; Dechow and Mouritsen, 2005; Kornberger et al., 2017; de Santis and D'Onza, 2021). In a way, these micro-level studies have elaborated on the negotiation between accountants and other stakeholders in settling the boundaries of accounting work (Arnaboldi et al., 2017a, b; Dechow and Mouritsen, 2005).

Given a variety of viewpoints on what legitimacy is and who seeks legitimacy, we defined one important boundary condition to help us with our analysis and theorization: we side with a stakeholder-centric definition of legitimacy as acceptance by stakeholders (Bitektine, 2011; Bitektine and Haack, 2015; Suchman, 1995; Suddaby et al., 2017). Our choice of boundary condition was inspired by two important assumptions espoused in the accounting literature. First, we concur with Briers and Chua (2001, p. 264) that the stabilization of accounting work during technological change is constructed by a “heterogeneous network of actors.” In line with the assertion from Briers and Chua (2001), several prominent studies dealing with technology-driven accounting changes have included viewpoints from multiple stakeholders (cf. Arnaboldi et al., 2017a, b; Caglio, 2003; Rom and Rohde, 2007). Second, we agree with the assertions of Burns and Scapens (2000, p. 13) that the legitimacy of accounting changes depends on “the working out of mutually acceptable methods of working” between accountants and other stakeholders. Andon et al. (2015, p. 1411) term this the “evolving democratisation” of accounting and auditing processes. Chenhall and Euske (2007), Quattrone and Hopper (2005) and Dechow and Mouritsen (2005) similarly suggest that technological changes, such as ERP, induce more socialization between different stakeholders and that the legitimacy (stability and acceptance) of new accounting practices depends on the negotiation between accountants/auditors and other stakeholders.

3. Research methodology

We adopt a multiple case-study-based approach (Eisenhardt, 1989; Eisenhardt and Graebner, 2007). The two case firms were selected because of accessibility and representativeness. Our study mainly focused on the work of IAs and their interaction with other organizational actors in reconstructing the legitimacy of their work during ERP implementation. Both case firms operate in a similar industrial sector (food and consumer goods) and are embedded in a similar professional and regulatory context (Egypt). The cases have, however, one important difference. One firm is a multinational corporation (MNC) subsidiary headquartered in the UK, while the other is a domestic company (DC). Both firms had purchased the ERP system and implementation services from the same vendor. Management of both firms had expected two key benefits from the ERP implementations: enhancing the quality of financial control (accuracy, efficiency) and signaling accountability, especially to owners and regulators (legitimacy).

We interviewed 19 individuals (20 interviews), 10 in each case (refer to Table 1 for details). We first interviewed senior participants who helped us gain access to other key informants. Our key informants included individuals employed at both case firms in internal audit capacities as well as those involved with the changes in internal auditing processes during ERP implementations – representatives of the ERP vendor, the implementation consultants and a representative of the professional body (the IIA) in the country, who took a special interest in the ERP projects at both organizations. All participants were assured anonymity.

The first author (fluent in Arabic and English) conducted the semi-structured interviews over six months. Most of the interviews were recorded. The interviews with IAs focused on their work, the change process for ERP implementations, their views on how the ERP-driven change was carried out, what kind of problems arose during the implementation and what type of involvement and participation they had during the change. The interviews with other informants centered on understanding their perspectives regarding ERP changes and their engagement and contribution to transforming internal auditing processes. To enhance credibility, after each interview, the main points were summarized and sent to the interviewee for confirmation. Additionally, the draft of each case study was emailed to five key participants to ensure accuracy and to gather further feedback and clarification where necessary. We received four responses from MNC and three replies from DC. In addition to the semi-structured interviews, the first author conducted focus groups of IAs, reviewed internal documents of both firms, attended planning and implementation meetings and observed how IAs worked with the new ERP system.

We analyzed both cases separately and afterward compared them to build a coherent framework. We applied a systematic conceptual and analytical discipline (Gioia et al., 2013; Power and Gendron, 2015) that led to more credible interpretations of the data. This approach allowed for a systematic presentation of both a first-order analysis (using informant-centric terms and codes) and a second-order analysis (using researcher-centric concepts, themes and dimensions).

For the first-order analysis, all collected data were read several times to develop a draft list of recurrent signifiers and to sort, organize and create a data-focused storyline (Miles and Huberman, 1984). The first-order data analysis was iterative and consisted of several steps (Eisenhardt, 1989; Eisenhardt and Graebner, 2007; Gioia et al., 2013). First, we identified key actors who participated in ERP change, especially the transformation of internal auditing processes. Second, the approach to internal auditing was characterized before and after the change. Based on prior literature (Eklöv Alander, 2023; Roussy, 2013, 2015), we specifically looked at four important aspects: type (compliance-verification vs. risk-based), scope (transaction and ledgers vs. process), evidence-collection (qualitative, quantitative, or both) and the role of IAs (policeman/watchdog vs. business helper/partner). Third, we identified and marked all data excerpts that were related to the ERP change or suggested the involvement of different actors in the change process. Fourth, for all identified data excerpts, involved actors (IAs, IT, line functions), the stage of the change process (planning, implementation, after implementation) and the type of engagement (collaborative, conflictual, or neutral) were identified and marked.

The second-order analysis focused on comparing the identified first-order codes for the two cases and abductively linking the empirical codes to the theoretical themes (see Figure 1 for details). Given that we were interested in a processual understanding, following Suddaby et al. (2017), we mainly focused on identifying activities targeted at achieving legitimacy. This analysis helped us identify and label four distinct activities: participating, socializing, learning and role-forging. Following the definition of legitimacy as acceptance by stakeholders, we further identified for both cases whether the legitimacy of internal auditing was successfully reconstructed or not. In addition, we identified how legitimacy was broadly conceived in each case: as a process of negotiation, perception, or possession of expertise. Finally, we built our storyline by dissociating context from the theoretical underpinnings.

4. Findings

In this section, we report our findings from both cases according to the two theoretical themes that emerged through our abductive analysis: theorizing and persuading for legitimacy.

4.1 Legitimacy building at MNC

4.1.1 Theorizing legitimacy: MNC's legitimacy-as-process paradigm

The decision to implement ERP to improve corporate governance (CG) and control processes was made at MNC's global and regional headquarters, not just at the subsidiary. The ERP Manager (EMMNC) of the financial module asserted: “… it was not our choice. It was decided at the head office.” Even though the decision was made at the global and regional headquarters, there was a clear understanding that successful implementation, especially of the control activities, would require buy-in from the IAs. The ERP manager asserted:

… The ERP system alone cannot enhance the corporate governance process. However, the internal audit function through the implementation process can assure that [it] integrates appropriately with the other systems. [It] is very flexible in connecting with other systems and gives high control over this integration and over the data transferred. It can be considered as a tool for enhancing the corporate governance process, but when the internal auditors are involved from the beginning (EMMNC).

The initial alienation from the decision created a sense of disenfranchisement among the company's IAs. However, as implementation progressed, the IAs realized that their viewpoints on internal auditing processes as well as their expertise on local taxation and reporting rules were respected. Consequently, IAs progressively became open to accepting digital tools and adopting the best practices. One of the IAs stressed:

There were a lot of misalignments between the ways we were controlling the processes and the ways of the ERP processes […]. But [as implementation progressed and we saw that] the new system offers better options; our internal audit team accepted the best professional practices propounded by the ERP consultants while providing input on localized taxation and reporting needs for the internal auditing process. […] Coordinating with ERP consultants on financial processes opened our eyes to the business goals of our senior managers (IAMNC1)

As this quote suggests, the IAs realized that ERP-driven change was an opportunity to upgrade their professional knowledge and maintain their jurisdiction over audit work (Heusinkveld et al., 2018; Tsai et al., 2015). During our discussions, the risk and control manager (RC) and IAs commented on how they gained knowledge about the system and the best practices through their engagement with other stakeholders as well as the ERP system. Chief IA (CIA) noted that because of their intimate engagement with the ERP system, IAs were becoming “regarded as experts and their greater system knowledge made them a more important port-of-call for other users” throughout the business.

In summary, IAs and sponsors of the ERP change at MNC conceived the legitimacy of internal auditing work in terms of mutual acceptance and buy-in. This view was akin to what Suddaby et al. (2017, p. 453) term the process of “collective-level” judgment formation, where involved actors evaluate one another's viewpoints and positions. Such evaluations involve emotional and affective judgment and are arrived at “intuitively and beyond deliberate control” (Suddaby et al., 2017, p. 466). Despite adverse initial impressions, inclusion and respectful communication indicated a process-oriented conception of legitimacy in the case of MNC.

4.1.2 Constructing legitimacy: engaging, partnering and updating

IAs at MNC employed what Andon et al. (2014, p. 91) call “practical coping mechanisms” that were driven by “an immediate impediment at hand rather than some grand, overall purposeful scheme.” These practical coping mechanisms were executed by IAs who were adept at both “technical expertise and social skills” (Andon et al., 2015, p. 1418) and were willing to go the extra mile to influence the internal stakeholders' perception of legitimacy (Suddaby et al., 2017). As we report in the subsections below, engaging (enthusiasm for seizing ownership of work) and partnering (collaboration to define internal auditing work) approaches by IAs were highly appreciated by the internal stakeholders. The engaging and partnering approaches enabled internal stakeholders to accept the role of internal auditing in the new ERP-driven environment. While indulging in practical matters at hand, IAs were able to update their knowledge and enhance the jurisdictional boundaries of their work (Heusinkveld et al., 2018). Unlike Andon et al. (2014), we cannot infer with certainty that the IAs at MNC did not have a grand purpose in mind, but our analysis indicates a gradual and open-minded approach.

4.1.2.1 Engaging

As indicated earlier, the IAs at MNC had no say in the initial decision to adopt the system, but they were deeply engaged in customizing the ERP system to the country-specific taxation and reporting requirements. As noted by the CIA:

Engagements throughout the process gave IAs experience at an early stage … and a sense of ownership of the processes. Because auditing requires a view of the entire system, IAs found that learning the ERP system during the implementation phase gave them a special status with other system users – the people involved in tasks including tracking customer contact, recording transactions, and entering operational data. (CIA)

The initial implementation phase involved a period of what both RC and EMMNC called “intensive care,” where the IAs were most deeply engaged with the vendor and process consultants, tapping into their knowledge to answer questions raised by system users on the processes of internal auditing at MNC. Moreover, and more importantly, they became more useful to process owners, that is, the managers of departments whose activities the system was designed to track as implementation proceeded. By demonstrating their willingness to engage and share their knowledge with other stakeholders, IAs at MNC were able to forge legitimacy through what Suddaby et al. (2017, p. 468) call “collective-level validity” in the eyes of the internal stakeholders.

4.1.2.2 Partnering

While willingness to engage with other stakeholders during ERP change planning and implementation provided initial collective-level validity to the work of IAs at MNC (Suddaby et al., 2017), it was their sincere participation and quick learning that allowed them to carve out a new legitimate audit space (Andon et al., 2014, 2015) for their work in the wake of technological change. The participation not only allowed IAs at MNC to port the internal auditing work on the segregation of duties to the ERP system but also allowed them to enhance the effectiveness of their work by leveraging the integrated view of data.

Once the system was in operation, the IAs took responsibility for determining the different levels of system access for different roles and individual users on an ongoing basis and in liaison with process owners. In addition, IAs also assisted in developing the policy for segregation of duties (SoD) to ensure that different persons handled information recording, approval and verification. IAs also became the intermediary between process owners and the IT teams responsible for the technical maintenance of the system. This gave the IAs “something of a gatekeeper role, as its approval was needed for any change in SoD” (IAMNC1).

IAs thus saw more information and more possible connections between the data items. As RC put it, internal audit was and needed to “go to the deepest level and dive into the data.”

Starting with the implementation phase and continuing afterward, IAs worked increasingly closely with the IT team on improving the different aspects of digitalized internal auditing. As stressed by one IA:

No longer was internal audit seen as primarily engaged in financial control. The IT systems that interface with the ERP system were themselves subject to an IT audit that would be integrated with the financial results. Sales data, recorded by the sales teams, could also be inspected on a more or less continuous basis, so internal auditors worked in closer liaison with sales. (IAMNC1)

What the IAs at MNC saw as especially important during and after the ERP implementation was their collaboration with IAs in other subsidiaries in the region and, to some extent, with IAs at the global headquarters. These IAs at other subsidiaries and the global headquarters had been through a similar process and could provide insights into the less obvious parts of the system. This collaboration helped the Egyptian IAs gain up-to-date professional knowledge and a strategic understanding of how the region and the firm viewed the role and goal of internal auditing.

The engagement of IAs led to a range of outcomes concerning monitoring and controlling business functions and efforts directed at business improvement. Of particular salience to the IAs was the change in their function's status for the line managers, the subsidiary company and the corporation.

According to RC, “the ERP system and the lessons learned from IAs in other regional subsidiaries led to standardization and transparency in data collection and analysis for internal auditing, risk management, and consolidated reporting.” EMMNC highlighted the “greater consistency of the data.” At the same time, RC and IAMNC2 emphasized the transparency the ERP system brought to IAs' role. The ERP system allowed IAs to feel they could see “100%” of the transactions. Additionally, RC and IAMNC2 indicated that at least a third of transactions were invisible to them before the ERP was introduced.

Moreover, the new ERP system offered IAs easy and direct access to integrated data on different processes. It facilitated the validation of “compensating controls,” in which one control can supplement and offset others. IAs had a much clearer view of other business processes, which enabled them to link their work clearly to the corporation's goals. The RC emphasized:

ERP makes the reviews easier, provides an easy way to get multiple reports, provides multiple variables that can be used in the analysis, and provides a wide view from different angles. Before the ERP system, we extracted data, built it into a table, and discussed it in meetings from different points of view (supply chain, finance, etc.). Whereas, after the ERP system implementation, we have the flexibility to make whatever mix of data we see as the best way to achieve our purpose. We really feel included and respected (RC)

Before the ERP implementation, the internal audit workflow was almost exclusively process-driven and responding to ad hoc requests was time-consuming. Afterward, while assurance remained process-driven, the auditors had greater speed and flexibility in responding to ad hoc assurance requests. This greater flexibility in assurance led to a sense of comfort for senior management, in the subsidiary and beyond, that internal audit could provide an “objective view” (IAMNC2).

4.1.2.3 Updating

The IAs at MNC saw the implementation of the ERP system as an opportunity to enhance the legitimacy of their work. Even before the system, internal auditing was a valued part of the organization where corporate policies were documented and followed. According to IAMNC2 (who also had prior experience working in a local company where internal controls were much weaker):

[… Even prior to the ERP implementation …] formal policies and their acceptance throughout the subsidiary contributed positively to the effectiveness and legitimacy of internal auditing. Process transparency and data integrity achieved through the ERP implementation have further strengthened [… the effectiveness and legitimacy]. (IAMNC2)

The ERP system was important, but the IAs at MNC felt that their knowledge of extracting valuable business insights from the integrated data contributed most to improving corporate governance (CG) at the subsidiary and eventually reframing the legitimacy of internal auditing in terms of an important CG process. The IAs were able to “widen the scope of both their oversight and their ability to give advice, making it more respected and accepted by business managers” (IAMNC1). IAs took on “new roles in monitoring business process re-engineering efforts, which increased the importance and responsibility of the function for the business” (EMMNC). RC reported a “strengthened environment for internal audit through the subsidiary, deepening the contact with other parts of the organization.”

The legitimacy of internal auditing work also grew in the rest of the corporation. The growth of a regional network of IAs led to knowledge exchange and legitimacy enhancement. IAMNC1 noted that “the board [now onwards] will not decide to spend millions on something that does not support [internal auditing work].” IAs took pride in that the system allowed them to give the board what it wanted.

The IAs' growing system specialization also contributed to an increased degree of acceptance and legitimacy of their knowledge and work with the professional circles in Egypt. As noted by the IIA head of the Egyptian chapter: “Moreover, qualifying as system specialists involved passing an examination and earning a certificate, which raised the legitimacy of the [IAs at MNC] in the professional circles of Egypt and their marketability for employment in other companies.” In addition, the CIA noted: “IAs [with the system knowledge] became more deeply involved with the work of the external auditors (from one of the Big Four global accountancy firms) and won further acceptance, respect, and legitimacy for their work.”

It could be argued that certifications helped IAs in espousing that their expertise meets “certain predetermined standards” (Andon et al., 2015, p. 1415) as system specialists, which in turn led to acceptance and legitimacy in the eyes of both internal and external stakeholders. In this sense, certificates also enabled IAs to obtain and display “appropriate credentials” that supported their “claim to esoteric knowledge” (Sarens et al., 2009, p. 94). But as indicated above, the acceptance and legitimacy of internal auditing were also driven by IAs' “wealth of assurance-oriented expertise” (Andon et al., 2014, p. 92) in providing reasonable assurance and making internal stakeholders “comfortable” (Sarens et al., 2009).

4.1.2.4 Role-forging as corporate citizens

The purpose of internal auditing is not only to control fraud and protect against errors but also to contribute to business improvement through consultations (IIA, 2009; Morgan, 1980; Roussy, 2013). The IAs at MNC felt the ERP system had enhanced their ability to contribute to improving the business. IAs were able to suggest ways to improve profitability at the operational level. They were called upon by process owners and were able to respond to requests for internal consultancy. The automated assurance on business processes, transactions, SoD-related exceptions, policy documents and approved workflows freed more time for IAs and allowed them to support business units with more ad hoc requests (EMMNC, IAMNC1). It made internal auditing more “business-oriented” and able to engage in “preventative control” rather than post-hoc fault-finding (RC).

This is, in general, a very positive story for the subsidiary company, the corporation as a whole and in a broader context for the IAs and their legitimacy as corporate citizens within the organization. Nonetheless, certain lurking concerns came with increased transparency, more robust control and even the contributions to business improvement that the IAs experienced. The IA, IAMNC1, worried that users would see their assurance as “inspections” or “policing” and that managers would take it personally when they find their decisions challenged through IAs' consulting advice. RC noted that more junior managers take challenges to their decisions as “personal offenses,” though it applied irrespective of whether the ERP system was in place or not. He further argued:

Challenge … doesn’t mean that you are doing badly in your work. You are the expert in your area, while the internal auditors give the advice. Let’s work together to enhance the business process. This is the message that we are trying to deliver. (RC)

ERP implementation at MNC did not entail any job losses in internal audit or any attempt to reduce budgets to help pay for the system. Some staff suspected that layoffs might come later once the system was bedded in and the benefits of automating processes were realized, but others doubted it. As suggested by several informants, the benefits to the business and the control process across the corporation were evident already. IAs were forging their legitimacy as corporate citizens by providing internal consultancy. CIA argued that even in the cultural context of Egypt, where failures are not tolerated, the internal auditing work had garnered enough acceptance and legitimacy within the MNC that it could withstand some failures:

And even if IAs were wrong, their experience in implementing and customizing the ERP, qualifying to operate it, and developing business benefits from the available information would help them withstand any disruption to the legitimacy of their work. They had strengthened their legitimacy in the eyes of the internal stakeholders. (CIA)

4.2 Loss of legitimacy at DC

4.2.1 Theorizing legitimacy: DC's legitimacy as a resource paradigm

In the beginning, the primary motivation for DC to implement an ERP system was to improve cost control. The decision to implement ERP was taken at the top management level. As asserted by the finance manager (FM):

We had a fragile internal control system, and this was the main reason for implementing ERP systems. The top management at the time decided that there was a need for cost control, and the ERP systems were satisfying this issue (FM).

One of the ERP vendor experts concurred with the FM at DC by arguing that “ERP systems automate archiving for transactions, assets, and HR records, instead of a manual and paper-based system, thereby enabling continuous access of data for not only cost control but also risk and fraud control” (SV1).

Although the ERP system offered more robust control over risks and fraud, management chose not to implement all available control mechanisms as doing so would have limited the scope for earnings manipulations. As a result, the ERP implementation did not attain legitimacy among many employees, especially the control functions and IAs. IAs doubted that the system would deliver improved control over costs and risks. Consequently, during the implementation and early operation, IAs spent nights doing manual checks to ensure the accuracy of automated results. One of the IAs (IADC1) confirmed: “I don't fully trust [the new] ERP systems.” The respondent went on to pinpoint his distrust of top management and their intentions to continue earnings manipulations:

If we apply [the ERP system] properly, most of these illegal and unacceptable practices should be stopped. Most of these practices are preferable for the management … such as raising the accounting profits to get a loan from a bank and reducing the accounting profit for taxing purposes (IADC1).

That interpretation of the events was also supported by the system vendor's response:

If ERP systems are implemented and used appropriately, they should eliminate many unacceptable practices as it applies the best practices; however, DC asked not to activate many processes on the systems as they want to do it around the system […] Each module offers many types of reports that can be used for auditing purposes. At DC, we have not been asked to make such query responsibilities or modify any of the reports. (SV2).

The use of terms like “illegal” and “unacceptable” by serving members of the internal auditing team suggested considerable discomfort with the approach DC used. For the respondent “IADC1,” it signified an attempt by management to “alienate professionals from their ethical imperatives as well.”

A further source of discomfort came from the funding arrangements used in this case. Companies in Egypt implement ERP systems to benefit from government subsidies. As asserted by the ERP implementation consultant:

[Government subsidies have] caused distortion in the ERP systems market. As there is free funding, there is abuse. Companies apply for the fund to implement the ERP systems even [when] they are not ready to have the system. DC, as a manufacturing company, took this fund to implement ERP systems (CDC).

The allegation that easy access to funding can result in abuse raises concerns about whether management valued the output of the ERP system in terms of quality improvement or just the opportunity for a low-cost system upgrade that might also generate cost savings by diminishing the use of internal audit professionals. But it also indicates an embedded culture of abuse.

In summary, both ERP change sponsors (top management team (TMT)) and IAs at DC saw legitimacy as a resource (Suddaby et al., 2017). ERP change sponsors at DC saw tangible ERP systems as a resource that could help them gain legitimacy from external stakeholders (Kuruppu et al., 2019; Tilling and Tilt, 2010). The top management at DC focused on what Kuruppu et al. (2019), Suchman (1995) and Suddaby et al. (2017) term the manipulation of external stakeholders to seek favorable acceptance by implementing ERP functionalities in name only. While ERP modules that can give DC managers visibility over cost were implemented, modules that could have curbed the culture of earnings manipulation for loan and taxation purposes were not implemented. While such manipulations worked for external stakeholders who could not easily understand the “internal thinking processes and behaviors” (Kuruppu et al., 2019, p. 2078) of the TMT at DC, such manipulation tactics failed internally.

IAs at DC, in contrast, saw “themselves” as the legitimate human resources (i.e. professional experts), possessing jurisdiction over internal control processes, who should have been given the sole authority over internal control and reporting modules of the ERP implementation (Burrell Nickell and Roberts, 2014). The IAs never saw the manipulative ERP system at DC as a legitimate system. This view of legitimacy as something residing in a tangible ERP system or human resources created tension between the two actors and hampered the process of legitimacy reconstruction and mutual acceptance of the internal auditing work.

4.2.2 Constructing legitimacy: disengaging, blaming and rejecting

IAs at DC were distrustful of the top management's intentions and motivations for implementing the ERP system. The distrust led to IAs withdrawing from the process and this led to what Whittle et al. (2014, p. 800) term loss of legitimacy due to the loss of perception of “interested-ness” by the stakeholders. As demonstrated in the subsections below, loss of legitimacy “emerged as a process of micro-translations” (Suddaby et al., 2017, p. 460) due to purposeful and strategic choices and not necessarily IAs dealing with “immediate impediments” at hand (Andon et al., 2014, p. 91). Our analysis particularly revealed two purposeful strategies of disengaging (non-participation) and blaming (not us but the ERP system and management) by IAs highlighted by many stakeholders. The purposeful strategies of disengaging and blaming also resulted in the rejecting approach where IAs did not update their knowledge and became disinterested in the audit work. As a result, many of the skeptical IAs left the organization and those who stayed accepted “pleasing management” as their fate.

4.2.2.1 Disengaging

As respondent “IADC1” mentioned, IAs believed that they should have been involved in the planning and implementation stage, which might have overcome their resistance to the ERP and improved their understanding of its purpose and capabilities. This had implications for the applied internal controls.

We did not participate at all as we anticipated that the implementers would apply the internal [inappropriate practices, policies, and] regulations of the company (IADC1).

Similar sentiments were expressed by the ERP vendor expert:

ERP systems enforce basic controls according to the proper business process … for companies that have chaotic processes, such as DC, the business processes must be reorganized along with ERP implementation to have better controls … While ERP systems offer [customizable] approval cycles to be very tight or too loose, […] DC asked for the most effortless approval cycle and segregation of duties (SV1).

The ERP thus permitted management to continue with easier approval cycles and inappropriate segregation of duties.

While IAs did not trust their managers and blamed them for manipulation, other respondents blamed IAs for not participating in the change process. One IT team member (ITM) explained that IAs refused to participate even though they were trained on how to use the systems or how to enter the parameters needed in the reports they would like to get from the system:

Despite training, they [internal auditors] refused to learn how to get the data directly from the systems. They [were always asking us] to prepare or provide the data in their desired format. They did not […] learn new ways of accessing the data (ITM).

The ERP system consultant corroborated the assertions of the ITM:

[DC] had an old generation of IAs who did not accept [the change] and were not [willing] to change and learn (CDC).

While ERP systems do offer standardized functions specially designed for internal auditing use, generic control modules can also be flexibly adapted to produce specialized views and integrated database access for IAs. In this sense, ERP systems offer IAs a massive amount of data that can be analyzed to provide suggestions for improving the processes and give constructive and value-adding recommendations to line managers. However, most of the IAs at DC refused to understand how the ERP system worked and how they could use it in their audits. IAs could not understand what they could do with the integrated data access and why they should provide advice to managers. They found the notion of data analytics strange and unusual. In addition, they found that the ERP was automatically doing the transaction verification work, which they saw as their responsibility (EMDC).

As highlighted by the external auditor (EADC):

Even before the implementation, the internal audit function (IAF) worked without an audit plan and reported to a weak and passive audit committee. Top management and the audit committee believed that having an external audit was enough; therefore, the internal auditor’s role was bare minimum following the management requests for transaction, policy and SoD verification.

Similarly, the FM further suggested that the ERP systems were doing an excellent job in assuring the internal control effectiveness that IAs used to do.

The internal auditing function was a part of the financial department employed to review financial figures … ERP systems are embedded [in] all procedures according to the internal manuals and policies and it [automatically] preserves the Segregation of Duties (SoDs) [and internal control-related] rules [and policies without the need for IAs].

As highlighted in the quotes above, internal auditing at DC lost legitimacy in the eyes of the stakeholders who thought the ERP system itself could ensure appropriate internal controls through the digitalized implementation of transaction verification, policies and SoDs.

The culture of earnings management suggests that even before the ERP change started, the top management did not perceive internal auditing as legitimate in terms of adding value to the business by participating in their (dishonest) schemes. In a sense, the misalignment of interests between IAs and the top management team led to the loss of legitimacy of internal auditing at DC (Whittle et al., 2014). While the resentment of IAs could indicate their focus on not losing professional (in fact, moral and ethical) legitimacy (Everett and Tremblay, 2014), their purposeful strategy of disengaging led to the loss of legitimacy in the eyes of IT and finance management teams as well.

4.2.2.2 Blaming

IAs' reaction to the ERP implementation was to shirk their responsibility and blame everyone else for implementing unacceptable practices without proper internal controls. They considered the implemented system their replacement. IAs believed that they did not have the knowledge and skills to audit in the new digital environment and that there was work for professionals elsewhere.

We had a full internal audit department, but unfortunately, it does not exist anymore … The head of the internal audit department left the company and then disruption in the department occurred; therefore, most of the auditors left too (IADC1).

Those who are auditing in the ERP systems environment will not be those experienced auditors who know and understand the manual auditing process … The important knowledge to audit in the ERP systems is to understand the control of the workflow going through the ERP systems. As a financial manager, I fully understand this process sequence (FM).

The expositions above also indicate that IAs at DC lost legitimacy because their approach to disengaging also contributed to their inability to obtain and display “appropriate credentials” that supported their “claim to esoteric knowledge” of internal auditing on the ERP platform (Sarens et al., 2009, p. 94).

Most of the IAs at DC failed to update their knowledge of how to carry out the auditing work in the ERP environment. However, one IA who stayed at DC (while others left) accepted that, in hindsight, several benefits could be easily recognized that many IAs failed to understand initially. For example, he acknowledged that ERP systems saved the traveling expenses to the branches as “it offered transparency of financial information and visibility of non-financial numbers” (IADC1). He further asserted that ERP systems “closed the control cycle by bringing all the data of inventory, production, sales, and accounting adjustments together in an integrated and consistent way to assure that all controls were active in a well-documented business process” (IADC1).

The ERP implementation consultant also concurred with the views of the informant “IADC1”. He argued that “the ERP systems transformed the internal auditing processes from focusing on daily control to focus on planning for the future through offering better information to improve the efficiency and operations” (CDC). The FM also asserted:

In our company, we did not have one manual that gathers all policies and procedures or job descriptions in one booklet. With the ERP systems implementation, we start having documents that determine all procedures and duties for each function (FM).

While IAs at DC had reasons for distrusting top management, their disengaging and blaming strategy limited their understanding of the benefits of the ERP system. It is difficult to say whether continuous engaging and partnering would have changed the top management's attitude towards dishonest earnings manipulations. Still, it might have allowed IAs to upgrade their knowledge of auditing in a digitalized environment and gain legitimacy in the eyes of the finance and IT functions. In this sense, it could also be argued that the loss of legitimacy was not one-sided but resulted from the interpretation and reinterpretation of a broad array of internal organizational actors (cf. Suddaby et al., 2017, p. 460).

4.2.2.3 Rejecting

ERP systems promise improved control and the ability to translate that into business improvement. As the case of MNC has illustrated, the legitimacy of internal auditing within the organization can be reconstructed by providing business-relevant insights through consulting activities. Unfortunately, in the case of DC, such opportunities remained unrealized.

ERP systems are powerful governance tools that apply tightened access control and authorization processes to ensure that no action can occur unless all prerequisites are met (FM). According to “ITM”:

ERP systems change the internal control system by offering new assumptions such as preventive controls … and creating the peer review concept within a company.

ERP systems have robust access control to prevent unauthorized actions on both financial and operational processes. However, since the IAs at DC did not understand how the ERP systems could help them, “the reviewing and verification function became the responsibility of a wider range of employees, including finance, IT, and line managers” (ITM). This diffusion of responsibility of control away from IAs, coupled with a rampant culture of earnings manipulations, led to the undermining of the promise of tight control offered by the ERP system.

After ERP system implementation, the IAs believed that there was no need for traditional transaction tracing as this was literally what the ERP system was doing automatically. IAs believed that they would neither be able to change the implementation nor improve or add value. Consequently, several IAs left. The remaining IAs were, initially, very interested in knowing more about the system. As asserted by the ERP implementation consultant (CDC): “[Initially] they [the remaining IAs] asked many questions about the system and how it will affect the work of internal auditing. […] they also received training but they were not interested in upgrading their knowledge”.

The IAs remaining in the firm were doing non-automated tasks (such as verifying the content of policy documents) since the ERP implementation had automated the task of transaction tracing (FM). Having not fully participated in the implementation phase, these professionals were unable to utilize the advanced analytical and control options available in the system. As the informant IADC1 himself exclaimed:

I do not use [the ERP system] at all, even though I have heard about some of its advanced controlling features …. We are now fewer internal auditors as [the ERP system] is doing most of the traditional tasks [of transaction and ledger checks] … [the ERP system] saves the auditor time as I can get all the needed information with one click. This gives me some opportunity to verify […] the content of the policy documents.

To make the best use of the ERP system, IAs needed to learn and operate in close collaboration with IT, especially as they lacked a detailed understanding of the ERP. The unwillingness to learn left IAs with a close but dependent relationship with the IT team. However, this led the IT team at DC to substitute IAs, thereby diminishing the legitimacy of the traditional internal auditing work. The defensiveness of IAs also harmed the relationship with IT staff, who capitalized on their IT expertise and appreciated better the scope and features of the ERP system: “Good IAs should use these [advanced analytical] features [themselves], but who cares” (ITM).

The expositions highlighted in this and previous subsections suggest that even before the ERP system implementation had started, IAs at DC were only proficient in transaction tracing and rechecking ledgers. In a sense, IAs at DC lacked a “wealth of assurance-oriented expertise” (Andon et al., 2014, p. 92) and even failed to update it during ERP implementation. This led to discomfort among different internal stakeholders (Carrington and Catasús, 2007) and contributed to the loss of legitimacy of the internal auditing work at DC. In stark contrast to MNC, where new auditing spaces (Andon et al., 2014, 2015) for internal auditing were legitimized, at DC, internal auditing became marginalized and lost legitimacy in the eyes of the internal stakeholders.

4.2.2.4 Role-forging: skeptical rebels left, namesake survived

There were no compulsory rules or laws requiring companies to maintain an internal audit function (IAF) in Egypt. That DC had one at all seemed to indicate that it was aware that the presence of internal auditing could improve its legitimacy in the industry (Burrell Nickell and Roberts, 2014). But it also meant that DC was “free to rearrange the internal auditing according to its needs” (FM). Most of the IAs left DC after the ERP implementation because they felt that the system could cover the transaction and ledger checks they used to perform and that inappropriate practices and policies would undermine their professional (ethical and moral) legitimacy (Everett and Tremblay, 2014). As demonstrated in previous subsections, the erosion of legitimacy was partly self-inflicted by the IAs, most of whom left the organization. Initially, those who remained thought that they could balance between satisfying the management and their professional duties of being objective. But that soon changed, and the remaining IAs had to please management at the cost of being objective. One IA rationalized:

We are working in the private sector, so we must be flexible to please the management … The IAs should do whatever they are asked to do by the management (IADC1).

The ITM also concurred:

Ninety percent of the IAs could not cope with the ERP environment. The management did give IAs the opportunity to learn […] but due to their obstinate attitude, in the end, decided that there was no need for this function. Most of them found other jobs [outside our firm]. The top management kept only […] one person to [pretend] that we still have an IAF; however, to be honest, he is doing a kind of [part-time] audit, but he has a sales target. Can you imagine?! (ITM)

At the time of this study, the legitimacy of the IAF was so impaired that most interviewees began to wonder if it had a purpose at all. Some could see the benefits if the function were rebuilt with individuals who embraced the system and learned the advanced technical skills and knowledge:

There is not enough appreciation for the IAF; therefore, this function could not survive after ERP system implementation as it did not get the proper support to improve (ITM).

Others were skeptical and totally dismissive of internal auditing. The FM emphasized that ERPs can easily replace IAF and reduce the budget assigned for the IAF:

ERP systems reduce the need for an IAF as these systems help and reduce the monitoring and auditing procedures […] Auditing in the ERP environment is like [verifying using a prepared model consisting of appropriate answers …] By implementing the ERP systems, the company saved the budget assigned before for the IAF (FM).

Such skepticism was contingent on the fact that the focus of IAF, even before ERP implementation, was on transaction verification and tick-box-based compliance. The ERP manager emphasized:

Since transaction and ledger checks are automatized […], there is no need for internal auditors […]; if we are using the ERP systems properly, there will be [… no] need for the IAF. This could be because we did not have a strong and effective IAF that could do more than transaction reviews (EMDC).

Similar views were also expressed by the ERP system experts:

ERP systems are very flexible and absorb all [internal auditing] related [policies,] rules and regulations and automatically enforce them. Therefore, the need for compliance auditing is also significantly reduced (SV2).

This is dominantly a “downsides” story: IAs struggling with the introduction of a new technology, in a setting that progressively devalued their status and threatened the legitimacy of their work. This study was unable to develop a complete understanding of the initial position and how important integrity was to the initial members of the IAF. But there is enough evidence to surmise that the combination of managerial imperatives for the investment (cost-cutting; embedding opportunities for manipulation) and then the processes of implementing it (privileging IT over IAF) undermined the legitimacy of internal auditing.

A few upsides are evident, however. The system seems to have led to some improvements in policy documentation, and basic information was made accessible with lower operating costs to the organization. That the IAF was “folded into” the organization and was no longer needed suggests that management may have achieved the (limited) goal it had in using public money to make this investment in ERP.

5. Discussion

The two cases illustrate how four intertwined micro-processes — participating, socializing, learning and role-forging — contribute to reconstructing the legitimacy of internal auditing during ERP implementation (Figure 2 summarizes these findings). Our cases provide nuanced illustrations of the contrasting approaches of IAs to ERP-driven technological changes. In the case of MNC, the IAs and ERP sponsors conceived legitimacy as a process. In the case of DC, the IAs and the ERP sponsors conceived legitimacy as a property. IAs at MNC deployed gradual coping mechanisms to collaborate and negotiate their work boundaries. In contrast, IAs at DC deployed purposeful strategies to defend their work boundaries.

In both cases, the decisions to invest in ERP were taken by the top management team (TMT). In the case of MNC, there was a widespread positive general perception of the TMTs' desire for better transparency and control. In contrast, at DC, several interviewees were suspicious that this exercise was primarily aimed at utilizing government subsidies for digitalization while continuing with the earnings manipulations. In both cases, IAs initially felt alienated and regarded the decision as an assertion of managerial primacy over the organization and the professionals it employed.

At MNC, initial worries about the non-involvement of IAs were set aside during ERP implementation. The IAs at MNC actively and constructively participated in the four micro-processes to rebuild legitimacy (Heusinkveld et al., 2018; Suddaby et al., 2017). IAs proactively participated in customizing ERP to meet local taxation and reporting requirements (engaging). They also created a greater sense of partnering across functional lines by flexibly responding to ad hoc requests and keeping jurisdiction over traditional tasks, such as defining and verifying the segregation of duties (SoDs) and internal controls. Moreover, IAs acquired system certifications and developed skills and knowledge for operating in the digital environment (updating). The IAs also provided data-driven business insights to auditors and managers and forged the role of corporate citizens. The responses of IAs at MNC emerged as gradual “coping mechanisms” (Andon et al., 2014, p. 91) where they focused on immediate impediments and did not apply a grand-purpose-driven approach (Suddaby et al., 2017). While indulging in immediate practical matters, IAs could gradually update their knowledge and enhance the jurisdictional boundaries of their work (Heusinkveld et al., 2018). Unlike Andon et al. (2014), we cannot infer that the IAs at MNC did not have a grand purpose in mind, but our analysis indicates a gradual and open-minded approach. The gradual and open-minded approach positively reinforced the legitimacy of internal auditing in the eyes of the different stakeholders. Unlike in the past, the IAs also partnered with IAs in other parts of the corporation, particularly across the Middle East region, but also corporate headquarters. This had the effect of strengthening their legitimacy outside the Egyptian subsidiary as well as within the Egyptian internal auditing community.

The DC case illustrates the purposeful strategy and “deliberate campaign” by IAs to protest against the continuation of earnings manipulation by the managers (Suddaby et al., 2017). Additionally, the TMT purposefully did not address the initial alienation of IAs by opting not to implement advanced internal auditing and control routines. The distrust among IAs led to their “purposeful withdrawal” and purposeful “disinterestedness” (Whittle et al., 2014) in the project (disengaging). The IAs expressed their resentment by blaming the TMT for implementing unacceptable practices that allowed the continuation of earnings manipulation. Indulging in the purposeful strategies of disengaging (even with other stakeholders) and blaming resulted in the loss of legitimacy for internal auditing in the eyes of the finance and IT functions. The ERP system automated transaction and ledger checks, along with the implementation and enforcement of SoDs. These improvements made the task of IAs redundant at DC (Ax and Greve, 2017). Despite training arrangements, the IAs at DC did not update their knowledge (rejecting) and skills. Ultimately, most of the disinterested IAs left as infamous skeptical rebels. Those who stayed accepted, as their fate, pleasing management instead of challenging it. As we illustrate in our case narratives, the loss of legitimacy did not happen instantly but emerged through the “process of micro-translations” (Suddaby et al., 2017).

The two contrasting tales of legitimacy reconstruction of internal auditing provide insights into the challenges IAs face in demonstrating their usefulness as a business function. On the one hand, IAs need to diligently scrutinize organizational practices. On the other, they also need to provide advice on improving risk management and control in particular and business processes in general (Norman et al., 2010; Roussy, 2013). Several case studies have highlighted how IAs succumb to conflicting demands and fail to scrutinize organizational practices thoroughly (Iyer et al., 2018; Neu et al., 2013). In some cases, fearing backlash and non-cooperation from line functions, IAs try to please managers (Fanning and David Piercey, 2014). In other instances, IAs fail to distance themselves from line functions because they feel like members of the organizational clan (Eklöv Alander, 2023; Roussy, 2015; Roussy and Rodrigue, 2018). While several case studies have highlighted IAs as “docile” agents who accept their fait accompli, our findings reveal stories of IAs as harmonious corporate citizens as well as skeptical rebels. At MNC, IAs played a positive role; at DC, many resisted succumbing to the pressure from managers. While we accept that our story reveals the tip of the iceberg, we encourage more studies illustrating a spectrum of behavior displayed by IAs.

We also suspect that more research is needed to identify how IAs simultaneously deploy different legitimacy approaches in response to radical technological shifts. In this regard, inspiration can be drawn from studies by Salijeni et al. (2019, 2021), who depict that auditors are more collaborative in deploying technologies for peripheral tasks such as planning and reporting (visual display), but are more conflictual in relinquishing their autonomy over core auditing tasks. Additionally, more studies on what scholars dub radical epistemic technologies, such as artificial intelligence (AI) (Anthony et al., 2023), can also be fruitful in illuminating how IAs reconstruct their legitimacy when it is difficult to upgrade their knowledge quickly. Recent studies on medical imaging experts have demonstrated varying responses, where some experts develop new capabilities of questioning AI and augmenting their professional judgments, while others outrightly accept or reject AI (Lebovitz et al., 2022). Since AI black-boxes its decision-making process and can infringe upon the core tasks of experts, more research on responses of IAs and accountants can further illuminate our understanding of the micro-processes of legitimacy.

Our findings also prompt important reflections on how technological implementations challenge the technical legitimacy of internal auditing work by requiring a shift to judgment-oriented tasks. Studies on other expert groups have also conceptualized changing the work focus to judgment-oriented tasks and willing adoption of technology as two mechanisms for maintaining technical legitimacy (Anthony, 2018; Anthony et al., 2023). Studies on audit experts have presented conflicting evidence. While some studies have highlighted the adoption of technologies and shift to judgment-oriented tasks by auditors (Goto, 2023; Pemer and Werr, 2023), others have demonstrated the reluctance of audit experts (Salijeni et al., 2019, 2021). There is evidence that advanced technologies may compel IAs to shift their focus toward technology-centric risk assurance (Saharia et al., 2008), consulting/business-partnering (Betti and Sarens, 2021), advanced data analysis (Betti and Sarens, 2021) and continuous auditing mechanisms (Kuhn and Sutton, 2010) to reconstruct the technical legitimacy of their work. However, there is a need for more case-based research to highlight how IAs maintain their technical legitimacy. Some studies have also suggested that the strategies for reconstructing technical and socio-political legitimacy are interconnected (Goto, 2023; Pemer and Werr, 2023). We, therefore, call for more research to delve into this interplay.

Our findings also suggest the importance of professional knowledge in reconstructing legitimacy. The legitimacy of internal auditing at MNC was driven by the “wealth of assurance-oriented expertise” (Andon et al., 2014, p. 92) of its IAs, who provided reasonable assurance and made internal stakeholders “comfortable” (Sarens et al., 2009). Furthermore, IAs' willingness to update and share their knowledge further strengthened the legitimacy of internal auditing at MNC. In contrast, IAs at DC lacked a “wealth of assurance-oriented expertise” (Andon et al., 2014, p. 92) and failed to update it during ERP implementation. Their unwillingness to learn and lack of knowledge in consulting, risk management and data analysis masked their judgment in seeing whatever limited benefits the ERP system could have brought to them in updating their knowledge. This led to discomfort among different internal stakeholders (Carrington and Catasús, 2007) and contributed to the loss of legitimacy of internal auditing at DC.

Our results also have several practical implications for internal auditing and the accounting profession in general. First, given the rising importance of digital technologies, accounting and auditing professionals need to adapt their technical knowledge (Moll and Yigitbasioglu, 2019; Möller et al., 2020). Again, as demonstrated in the case of MNC, focusing on impending issues at hand can be useful. No grand purposeful strategy is required if accounting professionals are willing to engage positively with different stakeholders. Of course, learning and deploying complex technologies such as data analytics and artificial intelligence can be challenging and would require broader changes in the way accountants and auditors are trained (Munoko et al., 2020). Second, accounting professionals can capitalize on their wealth of assurance and control-oriented expertise, such as expertise in tracing audit trails (Power, 2021) and enforcing strict requirements on data quality (Abbott et al., 2016), to continue being relevant even in digitalized environments. Third, internal accountants (controllers) and auditors will always be subject to management pressure and participation in technological transformations, and a business-partnering attitude can help them prove their worth to management (Chenhall and Euske, 2007; Chenhall and Moers, 2015). Internal accountants and auditors need to tread the middle path as corporate citizens, where they need to avoid becoming either total rebels or people pleasers. Again, professional bodies and regulators must accept that internal accountants and auditors are internal control and assurance tools for firms and, therefore, cannot provide an entirely objective view of a firm.

6. Conclusions

Our contribution to the existing literature is twofold. First, unlike the portrayal of IAs as “docile agents” who abandon their professional duties (Iyer et al., 2018; Neu et al., 2013; Roussy and Rodrigue, 2018), our cases suggest that IAs, just like other organizational agents, can display a spectrum of behavior from rebellious agents to harmonious corporate citizens.

Second, we answer the call for more field-based research on how technology is challenging auditing work (Roussy and Perron, 2018; Salijeni et al., 2019, 2021). In doing so, we augment a small but growing stream of field studies focusing on the legitimacy, stability and acceptance of internal auditing during technological changes (Betti and Sarens, 2021; Tsai et al., 2015). In doing so, our study provides fresh insights into how actors' conceptions on legitimacy (process vs. resource) can affect the reconstruction of legitimacy (Suddaby et al., 2017). Additionally, our focus on the legitimacy of organizational practices, rather than the widely studied macro issues of professional legitimacy (Andon et al., 2014) or organizational legitimacy (Sillince and Brown, 2009; Tilling and Tilt, 2010), elaborates on the “micro-processes” of legitimacy within organizations (Kuruppu et al., 2019; Suddaby et al., 2017). We do so by highlighting four intertwined micro-processes — participating, socializing, learning and role-forging — that contribute to reconstructing the legitimacy of internal auditing work.

Finally, we accept the limitations of our study and propose future research opportunities. First, to gain a deeper understanding of how the legitimacy of internal auditing is reconstructed during technological transformations, we encourage scholars to concentrate on longitudinal case studies. Second, we invite scholars to expand on our work by conducting comparative studies of firms in different geographies and industries to account for the impact of national/geographical and industrial culture on legitimacy reconstruction. Third, internal audit departments in manufacturing firms are generally small. Therefore, we call for research focusing on firms with larger internal audit departments. In doing so, such studies could bring more depth to the linkages between socio-political legitimacy, power and manipulation.

Figures

Figure 1. Reconstructing legitimacy

Figure 2. Micro-processes of legitimacy

Interview participants

| Code | Role | Number of interviews | Duration | Experience |
|---|---|---|---|---|
| Common participants for MNC and DC | | | | |
| H | Head of the internal audit professional body in Egypt | 2 | 90 and 72 minutes | 20 years, internal auditing |
| Participants from MNC | | | | |
| CIA | Chief internal auditor | 1 | 80 minutes | 12 years, auditing and client engagement |
| RC | Risk and control manager | 1 | 54 minutes | 7 years, accounting and finance function |
| ITH | Head of the IT department | 1 | 55 minutes | 9 years, IT consulting |
| IAMNC1 | Senior internal auditor 1 | 1 | 78 minutes | 8 years, external and internal auditing |
| IAMNC2 | Senior internal auditor 2 | 1 | 76 minutes | 9 years, risk management and internal audit |
| V | ERP vendor expert 3 | 1 | 60 minutes | 6 years, ERP consulting and professional services |
| CMNC | ERP implementation consultant | 1 | 65 minutes | 9 years, project management and client support |
| EMMNC | ERP manager (financial module) | 1 | 50 minutes | 6 years, ERP business process consulting |
| EAMNC | External auditor | 1 | 67 minutes | 15 years, auditing |
| Participants from DC | | | | |
| FM | Financial manager | 1 | 61 minutes | 10 years, accounting and finance function |
| A | Accountant | 1 | 53 minutes | 6 years, accounting and auditing |
| ITM | IT team member | 1 | 55 minutes | 8 years, IT consulting, software engineer |
| IADC1 | Internal auditor | 1 | 75 minutes | 5 years, internal auditing |
| SV1 | ERP system vendor expert 1 | 1 | 65 minutes | 7 years, software development/consulting |
| SV2 | ERP system vendor expert 2 | 1 | 58 minutes | 5 years, software development/consulting |
| CDC | ERP implementation consultant | 1 | 60 minutes | 10 years, ERP software consulting and professional services |
| EMDC | ERP manager | 1 | 50 minutes | 6 years, project management |
| EADC | External auditor | 1 | 70 minutes | 20 years, auditing |

Source(s): Table by authors

References

Abbott, L.J., Daugherty, B., Parker, S. and Peters, G.F. (2016), “Internal audit quality and financial reporting quality: the joint importance of independence and competence”, Journal of Accounting Research, Vol. 54 No. 1, pp. 3-40, doi: 10.1111/1475-679X.12099.

Abbott, A. (1988), The System of Professions: An Essay on the Division of Expert Labor, University of Chicago Press, Chicago.

Andon, P., Free, C. and Sivabalan, P. (2014), “The legitimacy of new assurance providers: making the cap fit”, Accounting, Organizations and Society, Vol. 39 No. 2, pp. 75-96, doi: 10.1016/j.aos.2014.01.005.

Andon, P., Free, C. and O'Dwyer, B. (2015), “Annexing new audit spaces: challenges and adaptations”, Accounting, Auditing and Accountability Journal, Vol. 28 No. 8, pp. 1400-1430, doi: 10.1108/AAAJ-01-2015-1932.

Anthony, C. (2018), “To question or accept? How status differences influence responses to new epistemic technologies in knowledge work”, Academy of Management Review, Vol. 43 No. 4, pp. 661-679, doi: 10.5465/amr.2016.0334.

Anthony, C., Bechky, B.A. and Fayard, A.-L. (2023), “‘Collaborating’ with AI: taking a system view to explore the future of work”, Organization Science, Vol. 34 No. 5, pp. 1672-1694, doi: 10.1287/orsc.2022.1651.

Arena, M. and Jeppesen, K.K. (2009), “The jurisdiction of internal auditing and the quest for professionalization: the Danish case”, International Journal of Auditing, Vol. 129, pp. 111-129, doi: 10.1111/j.1099-1123.2009.00408.x.

Arena, M. and Jeppesen, K.K. (2015), “Practice variation in public sector internal auditing: an institutional analysis”, European Accounting Review, Vol. 25 No. 2, pp. 319-345, doi: 10.1080/09638180.2015.1018917.

Arnaboldi, M., Azzone, G. and Sidorova, Y. (2017a), “Governing social media: the emergence of hybridised boundary objects”, Accounting, Auditing and Accountability Journal, Vol. 30 No. 4, pp. 821-849, doi: 10.1108/AAAJ-07-2015-2132.

Arnaboldi, M., Busco, C. and Cuganesan, S. (2017b), “Accounting, accountability, social media and big data: revolution or hype?”, Accounting, Auditing and Accountability Journal, Vol. 30 No. 4, pp. 762-776, doi: 10.1108/AAAJ-03-2017-2880.

Ax, C. and Greve, J. (2017), “Adoption of management accounting innovations: organizational culture compatibility and perceived outcomes”, Management Accounting Research, Vol. 34, pp. 59-74, doi: 10.1016/j.mar.2016.07.007.

Betti, N. and Sarens, G. (2021), “Understanding the internal audit function in a digitalised business environment”, Journal of Accounting and Organizational Change, Vol. 17 No. 2, pp. 197-216, doi: 10.1108/JAOC-11-2019-0114.

Bitektine, A. (2011), “Toward a theory of social judgments of organizations: the case of legitimacy, reputation, and status”, Academy of Management Review, Vol. 36 No. 1, pp. 151-179.

Bitektine, A. and Haack, P. (2015), “The ‘macro’ and the ‘micro’ of legitimacy: toward a multilevel theory of the legitimacy process”, Academy of Management Review, Vol. 40 No. 1, pp. 49-75, doi: 10.5465/amr.2013.0318.

Briers, M. and Chua, W.F. (2001), “The role of actor-networks and boundary objects in management accounting change: a field study of an implementation of activity-based costing”, Accounting, Organizations and Society, Vol. 26 No. 3, pp. 237-269, doi: 10.1016/s0361-3682(00)00029-5.

Bromley, P. and Powell, W.W. (2012), “From smoke and mirrors to walking the talk: decoupling in the contemporary world”, The Academy of Management Annals, Vol. 6 No. 1, pp. 483-530, doi: 10.1080/19416520.2012.684462.

Burns, J. and Scapens, R.W. (2000), “Conceptualizing management accounting change: an institutional framework”, Management Accounting Research, Vol. 11 No. 1, pp. 3-25, doi: 10.1006/mare.1999.0119.

Burrell Nickell, E. and Roberts, R.W. (2014), “Organizational legitimacy, conflict, and hypocrisy: an alternative view of the role of internal auditing”, Critical Perspectives on Accounting, Vol. 25 No. 3, pp. 217-221, doi: 10.1016/j.cpa.2013.10.005.

Caglio, A. (2003), “Enterprise Resource Planning systems and accountants: towards hybridization?”, European Accounting Review, Vol. 12 No. 1, pp. 123-153, doi: 10.1080/0963818031000087853.

Carlsson-Wall, M., Goretzki, L., Hofstedt, J., Kraus, K. and Nilsson, C. (2022), “Exploring the implications of cloud‐based enterprise resource planning systems for public sector management accountants”, Financial Accountability and Management, Vol. 38 No. 2, pp. 177-201, doi: 10.1111/faam.12300.

Carrington, T. and Catasús, B. (2007), “Auditing stories about discomfort: becoming comfortable with comfort theory”, European Accounting Review, Vol. 16 No. 1, pp. 35-58, doi: 10.1080/09638180701265846.

Chenhall, R.H. and Euske, K.J. (2007), “The role of management control systems in planned organizational change: an analysis of two organizations”, Accounting, Organizations and Society, Vol. 32 Nos 7-8, pp. 601-637, doi: 10.1016/j.aos.2006.09.007.

Chenhall, R.H. and Moers, F. (2015), “The role of innovation in the evolution of management accounting and its integration into management control”, Accounting, Organizations and Society, Vol. 47, pp. 1-13, doi: 10.1016/j.aos.2015.10.002.

Christ, M.H., Masli, A., Sharp, N.Y. and Wood, D.A. (2015), “Rotational internal audit programs and financial reporting quality: do compensating controls help?”, Accounting, Organizations and Society, Vol. 44, pp. 37-59, doi: 10.1016/j.aos.2015.05.004.

Christopher, J. (2019), “The failure of internal audit: monitoring gaps and a case for a new focus”, Journal of Management Inquiry, Vol. 28 No. 4, pp. 472-483, doi: 10.1177/1056492618774852.

Christopher, J., Sarens, G. and Leung, P. (2009), “A critical analysis of the independence of the internal audit function: evidence from Australia”, Accounting, Auditing and Accountability Journal, Vol. 22 No. 2, pp. 200-220, doi: 10.1108/09513570910933942.

CIIA (2022), “Code of professional conduct”, available at: https://www.iia.org.uk/members/member-benefits/code-of-professional-conduct/ (accessed 2 May 2022).

Covaleski, M.A., Dirsmith, M.W. and Rittenberg, L. (2003), “Jurisdictional disputes over professional work: the institutionalization of the global knowledge expert”, Accounting, Organizations and Society, Vol. 28 No. 4, pp. 323-355, doi: 10.1016/S0361-3682(02)00029-6.

Currie, G. and Spyridonidis, D. (2016), “Interpretation of multiple institutional logics on the ground: actors' position, their agency and situational constraints in professionalized contexts”, Organization Studies, Vol. 37 No. 1, pp. 77-97, doi: 10.1177/0170840615604503.

de Santis, F. and D'Onza, G. (2021), “Big data and data analytics in auditing: in search of legitimacy”, Meditari Accountancy Research, Vol. 29 No. 5, pp. 1088-1112, doi: 10.1108/medar-03-2020-0838.

Dechow, N. and Mouritsen, J. (2005), “Enterprise resource planning systems, management control and the quest for integration”, Accounting, Organizations and Society, Vol. 30 Nos 7-8, pp. 691-733, doi: 10.1016/j.aos.2004.11.004.

Dobrev, S.D., Ozdemir, S.Z. and Teo, A.C. (2006), “The ecological interdependence of emergent and established organizational populations: legitimacy transfer, violation by comparison, and unstable identities”, Organization Science, Vol. 17 No. 5, pp. 577-597, doi: 10.1287/orsc.1060.0209.

Eisenhardt, K.M. (1989), “Building theories from case study research”, Academy of Management Review, Vol. 14, pp. 532-550, doi: 10.5465/AMR.1989.4308385.

Eisenhardt, K.M. and Graebner, M.E. (2007), “Theory building from cases: opportunities and challenges”, Academy of Management Journal, Vol. 50, pp. 25-32, doi: 10.2307/20159839.

Eklöv Alander, G. (2023), “Internal auditor independence as a situated practice: four archetypes”, Accounting, Auditing and Accountability Journal, Vol. 36 No. 9, pp. 108-134, doi: 10.1108/AAAJ-08-2019-4137.

Elbardan, H., Ali, M. and Ghoneim, A. (2015), “The dilemma of internal audit function adaptation”, Journal of Enterprise Information Management, Vol. 28 No. 1, pp. 93-106, doi: 10.1108/JEIM-10-2013-0074.

Elsbach, K.D. and Sutton, R.I. (1992), “Acquiring organizational legitimacy through illegitimate actions: a marriage of institutional and impression management theories”, The Academy of Management Journal, Vol. 35 No. 4, pp. 699-738, doi: 10.2307/256313.

Everett, J. and Tremblay, M.-S. (2014), “Ethics and internal audit: moral will and moral skill in a heteronomous field”, Critical Perspectives on Accounting, Vol. 25 No. 3, pp. 181-196, doi: 10.1016/j.cpa.2013.10.002.

Fanning, K. and David Piercey, M. (2014), “Internal auditors' use of interpersonal likability, arguments, and accounting information in a corporate governance setting”, Accounting, Organizations and Society, Vol. 39 No. 8, pp. 575-589, doi: 10.1016/j.aos.2014.07.002.

Ferry, L., Zakaria, Z., Zakaria, Z. and Slack, R. (2017), “Watchdogs, helpers or protectors? – Internal auditing in Malaysian Local Government”, Accounting Forum, Vol. 41 No. 4, pp. 375-389, doi: 10.1016/j.accfor.2017.10.001.

Gardberg, N.A. and Fombrun, C.J. (2006), “Corporate citizenship: creating intangible assets across institutional environments”, Academy of Management Review, Vol. 31 No. 2, pp. 329-346, doi: 10.5465/amr.2006.20208684.

Gioia, D.A., Corley, K.G. and Hamilton, A.L. (2013), “Seeking qualitative rigor in inductive research”, Organizational Research Methods, Vol. 16 No. 1, pp. 15-31, doi: 10.1177/1094428112452151.

Goodrick, E. and Reay, T. (2011), “Constellations of institutional logics: changes in the professional work of pharmacists”, Work and Occupations, Vol. 38 No. 3, pp. 372-416, doi: 10.1177/0730888411406824.

Goretzki, L., Strauss, E. and Weber, J. (2013), “An institutional perspective on the changes in management accountants' professional role”, Management Accounting Research, Vol. 24 No. 1, pp. 41-63, doi: 10.1016/j.mar.2012.11.002.

Goto, M. (2023), “Anticipatory innovation of professional services: the case of auditing and artificial intelligence”, Research Policy, Vol. 52 No. 8, 104828, doi: 10.1016/j.respol.2023.104828.

Griffith, E.E. (2019), “Auditors, specialists, and professional jurisdiction in audits of fair values”, Contemporary Accounting Research, Vol. 37 No. 1, pp. 245-276, doi: 10.1111/1911-3846.12506.

Hayne, C. and Free, C. (2014), “Hybridized professional groups and institutional work: COSO and the rise of enterprise risk management”, Accounting, Organizations and Society, Vol. 39 No. 5, pp. 309-330, doi: 10.1016/j.aos.2014.05.002.

Heusinkveld, S., Gabbioneta, C., Werr, A. and Sturdy, A. (2018), “Professions and (new) management occupations as a contested terrain: redefining jurisdictional claims”, Journal of Professions and Organization, Vol. 5 No. 3, pp. 248-261, doi: 10.1093/jpo/joy015.

IIA (2009), “IIA position paper: the role of internal auditing in enterprise-wide risk management”.

IIA (2022), “Definition of internal auditing”, available at: https://www.theiia.org/en/standards/what-are-the-standards/mandatory-guidance/definition-of-internal-audit/ (accessed 2 May 2022).

Iyer, V.M., Jones, A., III and Raghunandan, K. (2018), “Factors related to internal auditors' organizational-professional conflict”, Accounting Horizons, Vol. 32 No. 4, pp. 133-146, doi: 10.2308/acch-52139.

Jaggi, J. (2023), “When does the internal audit function enhance audit committee effectiveness?”, The Accounting Review, Vol. 98 No. 2, pp. 329-359, doi: 10.2308/TAR-2021-0089.

Kanellou, A. and Spathis, C. (2013), “Accounting benefits and satisfaction in an ERP environment”, International Journal of Accounting Information Systems, Vol. 14 No. 3, pp. 209-234, doi: 10.1016/j.accinf.2012.12.002.

Kornberger, M., Pflueger, D. and Mouritsen, J. (2017), “Evaluative infrastructures: accounting for platform organization”, Accounting, Organizations and Society, Vol. 60, pp. 79-95, doi: 10.1016/j.aos.2017.05.002.

Kuhn, J.R. and Sutton, S.G. (2010), “Continuous auditing in ERP system environments: the current state and future directions”, Journal of Information Systems, Vol. 24 No. 1, pp. 91-112, doi: 10.2308/jis.2010.24.1.91.

Kuruppu, S.C., Milne, M.J. and Tilt, C.A. (2019), “Gaining, maintaining and repairing organisational legitimacy”, Accounting, Auditing and Accountability Journal, Vol. 32 No. 7, pp. 2062-2087, doi: 10.1108/AAAJ-03-2013-1282.

Lebovitz, S., Lifshitz-Assaf, H. and Levina, N. (2022), “To engage or not to engage with AI for critical judgments: how professionals deal with opacity when using AI for medical diagnosis”, Organization Science, Vol. 33 No. 1, pp. 126-148, doi: 10.1287/orsc.2021.1549.

Madani, H.H. (2009), “The role of internal auditors in ERP‐based organizations”, Journal of Accounting and Organizational Change, Vol. 5 No. 4, pp. 514-526, doi: 10.1108/18325910910994702.

Martin, G.P., Armstrong, N., Aveling, E.-L., Herbert, G. and Dixon-Woods, M. (2015), “Professionalism redundant, reshaped, or reinvigorated? Realizing the ‘third logic’ in contemporary health care”, Journal of Health and Social Behavior, Vol. 56 No. 3, pp. 378-397, doi: 10.1177/0022146515596353.

Meyer, J.W. and Rowan, B. (1977), “Institutionalized organizations: formal structure as myth and ceremony”, American Journal of Sociology, Vol. 83 No. 2, p. 340, doi: 10.1086/226550.

Miles, M.B. and Huberman, A.M. (1984), Qualitative Data Analysis: A Sourcebook of New Methods, Sage Publications, California.

Mitchell, R.K., Agle, B.R. and Wood, D.J. (1997), “Toward a theory of stakeholder identification and salience: defining the principle of who and what really counts”, The Academy of Management Review, Vol. 22 No. 4, p. 853, doi: 10.2307/259247.

Möller, K., Schäffer, U. and Verbeeten, F. (2020), “Digitalization in management accounting and control: an editorial”, Journal of Management Control, Vol. 31 Nos 1-2, pp. 1-8, doi: 10.1007/s00187-020-00300-5.

Moll, J. and Yigitbasioglu, O. (2019), “The role of internet-related technologies in shaping the work of accountants: new directions for accounting research”, The British Accounting Review, Vol. 51 No. 6, 100833, doi: 10.1016/j.bar.2019.04.002.

Morgan, G. (1980), “Internal audit role conflict: a pluralist view”, Managerial Finance, Vol. 5 No. 2, pp. 160-170, doi: 10.1108/eb013444.

Munoko, I., Brown-Liburd, H.L. and Vasarhelyi, M. (2020), “The ethical implications of using artificial intelligence in auditing”, Journal of Business Ethics, Vol. 167 No. 2, pp. 209-234, doi: 10.1007/s10551-019-04407-1.

Neu, D., Everett, J. and Rahaman, A.S. (2013), “Internal auditing and corruption within government: the case of the Canadian sponsorship program”, Contemporary Accounting Research, Vol. 30 No. 3, pp. 1223-1250, doi: 10.1111/j.1911-3846.2012.01195.x.

Norman, C.S., Rose, A.M. and Rose, J.M. (2010), “Internal audit reporting lines, fraud risk decomposition, and assessments of fraud risk”, Accounting, Organizations and Society, Vol. 35 No. 5, pp. 546-557, doi: 10.1016/j.aos.2009.12.003.

Parker, S. and Johnson, L.A. (2017), “The development of internal auditing as a profession in the U.S. during the twentieth century”, Accounting Historians Journal, Vol. 44 No. 2, pp. 47-67, doi: 10.2308/aahj-10549.

Passetti, E. and Rinaldi, L. (2020), “Micro-processes of justification and critique in a water sustainability controversy: examining the establishment of moral legitimacy through accounting”, The British Accounting Review, Vol. 52 No. 3, 100907, doi: 10.1016/j.bar.2020.100907.

Pelger, C. and Spieß, N. (2017), “On the IASB's construction of legitimacy – the case of the agenda consultation project”, Accounting and Business Research, Vol. 47 No. 1, pp. 64-90, doi: 10.1080/00014788.2016.1198684.

Pemer, F. and Werr, A. (2023, in press), “Defusing digital disruption through creative accumulation: technology-induced innovation in professional service firms”, Journal of Management Studies, doi: 10.1111/joms.12972.

Pfeffer, J. and Salancik, G. (1978), The External Control of Organizations: A Resource Dependence Perspective, Harper & Row, New York.

Power, M. (2003), “Auditing and the production of legitimacy”, Accounting, Organizations and Society, Vol. 28, pp. 379-394.

Power, M. (2021), “Modelling the microfoundations of the audit society: organizations and the logic of the audit trail”, Academy of Management Review, Vol. 46 No. 1, pp. 6-32, doi: 10.5465/amr.2017.0212.

Power, M. and Gendron, Y. (2015), “Qualitative research in auditing: a methodological roadmap”, AUDITING: A Journal of Practice and Theory, Vol. 34 No. 2, pp. 147-165, doi: 10.2308/ajpt-10423.

Quattrone, P. and Hopper, T. (2005), “A ‘time–space odyssey’: management control systems in two multinational organisations”, Accounting, Organizations and Society, Vol. 30 Nos 7-8, pp. 735-764, doi: 10.1016/j.aos.2003.10.006.

Rittenberg, L. and Covaleski, M.A. (2001), “Internalization versus externalization of the internal audit function: an examination of professional and organizational imperatives”, Accounting, Organizations and Society, Vol. 26 Nos 7-8, pp. 617-641, doi: 10.1016/S0361-3682(01)00015-0.

Rom, A. and Rohde, C. (2007), “Management accounting and integrated information systems: a literature review”, International Journal of Accounting Information Systems, Vol. 8 No. 1, pp. 40-68, doi: 10.1016/j.accinf.2006.12.003.

Roussy, M. (2013), “Internal auditors' roles: from watchdogs to helpers and protectors of the top manager”, Critical Perspectives on Accounting, Vol. 24 Nos 7-8, pp. 550-571, doi: 10.1016/j.cpa.2013.08.004.

Roussy, M. (2015), “Welcome to the day-to-day of internal auditors: how do they cope with conflicts?”, AUDITING: A Journal of Practice and Theory, Vol. 34 No. 2, pp. 237-264, doi: 10.2308/ajpt-50904.

Roussy, M. and Brivot, M. (2016), “Internal audit quality: a polysemous notion?”, Accounting, Auditing and Accountability Journal, Vol. 29 No. 5, pp. 714-738, doi: 10.1108/AAAJ-10-2014-1843.

Roussy, M. and Perron, A. (2018), “New perspectives in internal audit research: a structured literature review”, Accounting Perspectives, Vol. 17 No. 3, pp. 345-385, doi: 10.1111/1911-3838.12180.

Roussy, M. and Rodrigue, M. (2018), “Internal audit: is the ‘third line of defense’ effective as a form of governance? An exploratory study of the impression management techniques chief audit executives use in their annual accountability to the audit committee”, Journal of Business Ethics, Vol. 151 No. 3, pp. 853-869, doi: 10.1007/s10551-016-3263-y.

Saharia, A., Koch, B. and Tucker, R. (2008), “ERP systems and internal audit”, Issues in Information Systems, Vol. 11 No. 2, pp. 578-586, doi: 10.48009/2_iis_2008_578-586.

Salijeni, G., Samsonova-Taddei, A. and Turley, S. (2019), “Big Data and changes in audit technology: contemplating a research agenda”, Accounting and Business Research, Vol. 49 No. 1, pp. 95-119, doi: 10.1080/00014788.2018.1459458.

Salijeni, G., Samsonova-Taddei, A. and Turley, S. (2021), “Understanding how big data technologies reconfigure the nature and organization of financial statement audits: a sociomaterial analysis”, European Accounting Review, Vol. 30 No. 3, pp. 531-555, doi: 10.1080/09638180.2021.1882320.

Sarens, G. and de Beelde, I. (2006), “The relationship between internal audit and senior management: a qualitative analysis of expectations and perceptions”, International Journal of Auditing, Vol. 10 No. 3, pp. 219-241, doi: 10.1111/j.1099-1123.2006.00351.x.

Sarens, G., De Beelde, I. and Everaert, P. (2009), “Internal audit: a comfort provider to the audit committee”, British Accounting Review, Vol. 41 No. 2, pp. 90-106, doi: 10.1016/j.bar.2009.02.002.

Sarens, G., Christopher, J. and Zaman, M. (2013), “A study of the informal interactions between audit committees and internal auditors in Australia”, Australian Accounting Review, Vol. 23 No. 4, pp. 307-329, doi: 10.1111/auar.12024.

Sillince, J.A.A. and Brown, A.D. (2009), “Multiple organizational identities and legitimacy: the rhetoric of police websites”, Human Relations, Vol. 62 No. 12, pp. 1829-1856, doi: 10.1177/0018726709336626.

Suchman, M.C. (1995), “Managing legitimacy: strategic and institutional approaches”, The Academy of Management Review, Vol. 20 No. 3, pp. 571-610, Academy of Management, Briarcliff Manor, doi: 10.5465/AMR.1995.9508080331.

Suddaby, R. and Greenwood, R. (2005), “Rhetorical strategies of legitimacy”, Administrative Science Quarterly, Vol. 50, pp. 35-67, doi: 10.2189/asqu.2005.50.1.35.

Suddaby, R., Bitektine, A. and Haack, P. (2017), “Legitimacy”, Academy of Management Annals, Vol. 11 No. 1, pp. 451-478, doi: 10.5465/annals.2015.0101.

Tilling, M.V. and Tilt, C.A. (2010), “The edge of legitimacy”, Accounting, Auditing and Accountability Journal, Vol. 23 No. 1, pp. 55-81, doi: 10.1108/09513571011010600.

Tsai, W.-H., Chen, H.-C., Chang, J.-C., Leu, J.-D., Chen, D.C. and Purbokusumo, Y. (2015), “Performance of the internal audit department under ERP systems: empirical evidence from Taiwanese firms”, Enterprise Information Systems, Vol. 9 No. 7, pp. 725-742, doi: 10.1080/17517575.2013.830341.

Vinnari, E. and Skærbæk, P. (2014), “The uncertainties of risk management”, Accounting, Auditing and Accountability Journal, Vol. 27 No. 3, pp. 489-526, doi: 10.1108/aaaj-09-2012-1106.

Whittle, A., Carter, C. and Mueller, F. (2014), “‘Above the fray’: interests, discourse and legitimacy in the audit field”, Critical Perspectives on Accounting, Vol. 25 No. 8, pp. 783-802, doi: 10.1016/j.cpa.2013.09.001.

Corresponding author

Vikash Kumar Sinha can be contacted at: vikash.sinha@aalto.fi
