CPA firm’s cloud auditing provider for performance evaluation and improvement: an empirical case of China
While CPA (Certified Public Accountant) firms utilize cloud auditing technologies to generate auditing reports and convey information to their clients in the Internet of Things (IoT) Era, they often cannot determine whether cloud auditing is a secure and effective form of communication with clients. Strategies related to cloud auditing provider evaluation and improvement planning are inherently multiple attribute decision making (MADM) issues and are very important to the auditor industry. To overcome these problems, this paper proposes an evaluation and improvement planning model to be a reference for CPA firms selecting the best cloud auditing provider, and illustrates an application of such a model through an empirical case study. The DEMATEL (decision-making trial and evaluation laboratory) approach is first used to analyze the interactive influence relationship map (IIRM) between the criteria and dimensions of cloud auditing technology. DANP (DEMATEL-based ANP) is then employed to calculate the influential weights of the dimensions and criteria. Finally, the modified VIKOR method is utilized to provide improvement priorities for performance cloud auditing provider satisfaction. Based on expert interviews, the recommendations for improvement priorities are privacy, security, processing integrity, availability, and confidentiality. This approach is expected to support the auditor industry to systematically improve their cloud auditing provider selection.
Keyword : CPA (Certified Public Accountant), Cloud computing, provider selection, MADM (multiple attribute decision making), DEMATEL technique, IIRM (interactive influence relationship map), DANP (DEMATEL-based ANP), modified VIKOR method
This work is licensed under a Creative Commons Attribution 4.0 International License.
AICPA, & CICA. (2009). Generally accepted privacy principles: CPA and CA practitioner version. American Institute of Certified Public Accountants, Canadian Institute of Chartered Accountants.
AICPA. (2013a). Service organization controls – managing risks by obtaining a service auditor’s report. Retrieved from https://www.rubinbrown.com/10957-378_soc_whitepaper.pdf
AICPA. (2013b). Information integrity, 1-24. Retrieved from https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/asec-information-integrity-white-paper.pdf
Axelsen, M., Green, P., & Ridley, G. (2017). Explaining the information systems auditor role in the public sector financial audit. International Journal of Accounting Information Systems, 24, 15-31. https://doi.org/10.1016/j.accinf.2016.12.003
Bergh, L. I. V., Hinna, S., Leka, S., & Zwetsloot, G. I. (2016). Developing and testing an internal audit tool of the psychosocial work environment in the oil and gas industry. Safety Science, 88, 232-241. https://doi.org/10.1016/j.ssci.2015.06.003
Buyya, R., Yeo, C. S., Venugopal, S., Broberg, J., & Brandic, I. (2009). Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility. Future Generation Computer Systems, 25(6), 599-616. https://doi.org/10.1016/j.future.2008.12.001
Cavalcante, E., Batista, T., Lopes, F., Delicato, F. C., Pires, P. F., Rodriguez, N., de Moura, A. L., & Mendes, R. (2012, November). Optimizing services selection in a cloud multiplatform scenario. In 2012 IEEE Latin America Conference on Cloud Computing and Communications (LatinCloud) (pp. 31-36). Porto Alegre. https://doi.org/10.1109/LatinCloud.2012.6508154
Chahal, R. K., & Singh, S. (2016). AHP-based ranking of cloud-service providers. In Information systems design and intelligent applications (pp. 491-499). New Delhi: Springer. https://doi.org/10.1007/978-81-322-2755-7_51
Chen, C., Yan, S., Zhao, G., Lee, B. S., & Singhal, S. (2012). A systematic framework enabling automatic conflict detection and explanation in cloud service selection for enterprises. In 2012 IEEE Fifth International Conference on Cloud Computing (pp. 883-890). https://doi.org/10.1109/CLOUD.2012.95
Chen, F. H. (2015). Application of a hybrid dynamic MCDM to explore the key factors for the internal control of procurement circulation. International Journal of Production Research, 53(10), 2951-2969. https://doi.org/10.1080/00207543.2014.961210
Chen, F. H., Tzeng, G. H., & Chang, C. C. (2015). Evaluating the enhancement of corporate social responsibility websites quality based on a new hybrid MADM model. International Journal of Information Technology & Decision Making, 14(3), 697-724. https://doi.org/10.1142/S0219622015500121
Chen, F. H., & Tzeng, G. H. (2015). Probing organization performance using a new hybrid dynamic MCDM method based on the balanced scorecard approach. Journal of Testing and Evaluation, 43(4), 1-14. https://doi.org/10.1520/JTE20130181
Chen, H. K., Lin, C. Y., & Chen, J. H. (2014, April). A multi-objective evolutionary approach for cloud service provider selection problems with dynamic demands. In European Conference on the Applications of Evolutionary Computation (pp. 841–852). Berlin, Heidelberg: Springer. https://doi.org/10.1007/978-3-662-45523-4_68
Chou, D. C. (2015). Cloud computing risk and audit issues. Computer Standards & Interfaces, 42, 137-142. https://doi.org/10.1016/j.csi.2015.06.005
Dastjerdi, A. V., Tabatabaei, S. G. H., & Buyya, R. (2010). An effective architecture for automated appliance management system applying ontology based cloud discovery. In 10th IEEE/ACM International Conference on Cluster, Cloud and Grid Computing (CCGrid), 2010. Melbourne, Australia: IEEE. https://doi.org/10.1109/CCGRID.2010.87
Deng, D., Wen, S., Chen, F. H., & Lin, S. L. (2018). A hybrid multiple criteria decision making model of sustainability performance evaluation for Taiwanese certified public accountant firms. Journal of Cleaner Production, 180, 603-616. https://doi.org/10.1016/j.jclepro.2018.01.107
Dong, X., Yu, J., Zhu, Y., Chen, Y., Luo, Y., & Li, M. (2015). SECO: Secure and scalable data collaboration services in cloud computing. Computers & Security, 50, 91-105. https://doi.org/10.1016/j.cose.2015.01.003
Dowling, C., & Leech, S. A. (2014). A big 4 firm’s use of information technology to control the audit process: How an audit support system is changing auditor behavior. Contemporary Accounting Research, 31(1), 230-252. https://doi.org/10.1111/1911-3846.12010
Du, H., & Li, Z. (2011). Online-backup system for cloud computing storage. Energy Procedia, 13, 8194-8202.
Gabus, A., & Fontela, E. (1972). World problems, an invitation to further thought within the framework of DEMATEL. Battelle Geneva Research Center, Geneva, Switzerland.
Ghosh, N., Ghosh, S. K., & Das, S. K. (2015). SelCSP: A framework to facilitate selection of cloud service providers. IEEE Transactions on Cloud Computing, 3(1), 66-79. https://doi.org/10.1109/TCC.2014.2328578
Godse, M., & Mulik, S. (2009, September 21-25). An approach for selecting software-as-a-service (SaaS) product. In IEEE International Conference on Cloud Computing (pp. 155-158). Bangalore, India. https://doi.org/10.1109/CLOUD.2009.74
Gray, D. (2008). Forensic accounting and auditing: Compared and contrasted to traditional accounting and auditing. American Journal of Business Education, 1(2), 115-126. https://doi.org/10.19030/ajbe.v1i2.4630
Hsu, W. C. J., Tsai, M. H., & Tzeng, G. H. (2018). Exploring the best strategy plan for improving the digital convergence by using a hybrid MADM model. Technological and Economic Development of Economy, 24(1), 164-198. https://doi.org/10.3846/20294913.2016.1205531
Hu, K. H., Chen, F. H., Tzeng, G. H., & Lee, J. D. (2015). Improving corporate governance effects on an enterprise crisis based on a new hybrid DEMATEL with the MADM model. Journal of Testing and Evaluation, 43(6), 1395-1412. https://doi.org/10.1520/JTE20140094
Hu, K.-H., Jianguo, W., & Tzeng, G.-H. (2018). Improving China’s regional financial center modernization development using a new hybrid MADM model. Technological and Economic Development of Economy, 24(2), 429-466. https://doi.org/10.3846/20294913.2016.1213195
Janvrin, D., Caster, P., & Elder, R. (2010). Enforcement release evidence on the audit confirmation process: Implications for standard setters. Research in Accounting Regulation, 22(1), 1-17. https://doi.org/10.1016/j.racreg.2010.02.002
Kanagasabai, R. (2012). OWL-S based semantic cloud service broker. In IEEE 19th International Conference on Web Services (ICWS) (pp. 560-567). IEEE: Honolulu, HI.
Kleijnen, J. P. C. (2005). An overview of design and analysis of simulation experiments for sensitivity analysis. European Journal of Operational Research, 164(2), 287-300. https://doi.org/10.1016/j.ejor.2004.02.005
Ko, Y. C., & Fujita, H. (2016). Evidential weights of multiple preferences for competitiveness. Information Sciences, 354, 211-221. https://doi.org/10.1016/j.ins.2016.03.024
Krishna, B. H., Kiran, S., Murali, G., & Reddy, R. P. K. (2016). Security issues in service model of cloud computing environment. Procedia Computer Science, 87, 246-251. https://doi.org/10.1016/j.procs.2016.05.156
Kwon, H. K., & Seo, K. K. (2014). A fuzzy AHP based multi-criteria decision-making model to select a cloud service. International Journal of Smart Home, 8(3), 175-180. https://doi.org/10.14257/ijsh.2014.8.3.16
Lee, K., Park, C., & Yang, H. D. (2013). Development of service verification methodology based on cloud computing interoperability standard. International Journal of Smart Home, 7(5), 57-66. https://doi.org/10.14257/ijsh.2013.7.5.06
Lee, K., Park, C., & Yang, H. D. (2015). Development of a cloud computing interoperability-based service certification. International Journal of Security and its Applications, 9(12), 11-20. https://doi.org/10.14257/ijsia.2015.9.12.02
Limam, N., & Boutaba, R. (2010). Assessing software service quality and trustworthiness at selection time. IEEE Transactions on Software Engineering, 36(4), 559-574. https://doi.org/10.1109/TSE.2010.2
Liou, J. J. H., Chuang, Y. H., & Tzeng, G. H. (2014). A fuzzy integral-based model for supplier evaluation and improvement. Information Sciences, 266(10), 199-217. https://doi.org/10.1016/j.ins.2013.09.025
Liu, J., Huang, X., & Liu, J. K. (2015). Secure sharing of personal health records in cloud computing: ciphertext-policy attribute-based signcryption. Future Generation Computer Systems, 52, 67-76. https://doi.org/10.1016/j.future.2014.10.014
Liu, K. M., Lin, J. C., Hsieh, J. C., & Tzeng, G. H. (2018). Improving the food waste composting facilities site selection for sustainable development using a hybrid modified MADM model. Waste Management, 75, 44-59. https://doi.org/10.1016/j.wasman.2018.02.017
Liu, Q., Wang, G., & Wu, J. (2012). Secure and privacy preserving keyword searching for cloud storage services. Journal of Network and Computer Applications, 35(3), 927-933. https://doi.org/10.1016/j.jnca.2011.03.010
Lu, M. T., Hu, S. K., Huang L. H., & Tzeng, G. H. (2015). Evaluating the implementation of business-to-business m-commerce by SMEs based on a new hybrid MADM model. Management Decision, 53(2), 290-317. https://doi.org/10.1108/MD-01-2014-0012
Mackay, M., Baker, T., & Al-Yasiri, A. (2012). Security-oriented cloud computing platform for critical infrastructures. Computer Law & Security Review, 28(6), 679-686. https://doi.org/10.1016/j.clsr.2012.07.007
Mansouri, N. (2016). Adaptive data replication strategy in cloud computing for performance improvement. Frontiers of Computer Science, 10(5), 925-935. https://doi.org/10.1007/s11704-016-5182-6
Martens, B., & Teuteberg, F. (2012). Decision-making in cloud computing environments: A cost and risk based approach. Information Systems Frontiers, 14(4), 871-893. https://doi.org/10.1007/s10796-011-9317-x
Martens, B., Teuteberg, F., & Gräuler, M. (2011). Design and implementation of a community platform for the evaluation and selection of cloud computing services: A market analysis. In ECIS 2011 Proceedings. 215. Retrieved from https://aisel.aisnet.org/ecis2011/215
Mazalov, V., Lukyanenko, A., & Luukkainen, S. (2015). Equilibrium in cloud computing market. Performance Evaluation, 92, 40-50. https://doi.org/10.1016/j.peva.2015.07.002
Menzel, M., Schönherr, M., & Tai, S. (2013). (MC2) 2: criteria, requirements and a software prototype for cloud infrastructure decisions. Software: Practice and Experience, 43(11), 1283-1297. https://doi.org/10.1002/spe.1110
Nicolaou, C. A., Nicolaou, A. I., & Nicolaou, G. D. (2012). Auditing in the cloud: challenges and opportunities. The CPA Journal, 82(1), 66-70.
Nie, G., She, Q., & Chen, D. (2012). Evaluation index system of cloud service and the purchase decisionmaking process based on AHP. Proceedings of the 2011 International Conference on Informatics, Cybernetics, and Computer Engineering (ICCE2011). Melbourne, Australia: Springer.
Opricovic, S. (1998). Multicriteria optimization of civil engineering systems. Faculty of Civil Engineering Belgrade, 2(1), 5-21.
Opricovic, S., & Tzeng, G. H. (2007). Extended VIKOR method in comparison with outranking methods. European Journal of Operational Research, 178(2), 514-529. https://doi.org/10.1016/j.ejor.2006.01.020
Prosch, M. (2008). Protecting personal information using Generally Accepted Privacy Principles (GAPP) and continuous control monitoring to enhance corporate governance. International Journal of Disclosure and Governance, 5(2), 153-166. https://doi.org/10.1057/jdg.2008.7
Ramachandran, M., & Chang, V. (2016). Towards performance evaluation of cloud service providers for cloud data security. International Journal of Information Management, 36(4), 618-625. https://doi.org/10.1016/j.ijinfomgt.2016.03.005
Ren, W., Yu, L., Gao, R., & Xiong, F. (2011). Lightweight and compromise resilient storage outsourcing with distributed secure accessibility in mobile cloud computing. Tsinghua Science & Technology, 16(5), 520-528. https://doi.org/10.1016/S1007-0214(11)70070-0
Repschläger, J., Wind, S., Zarnekow, R., & Turowski, K. (2011, September 22–23). Developing a cloud provider selection model. In Enterprise Modelling and Information Systems Architectures (EMISA 2011) (pp. 163-176). Hamburg, Germany.
Saaty, T. L. (1990). How to make a decision: the analytic hierarchy process. European Journal of Operational Research, 48(1), 9-26. https://doi.org/10.1016/0377-2217(90)90057-I
Saaty, T. L. (1996). Decision making with dependence and feedback: Analytic network process. Pittsburgh: RWS Publications
Saaty, T. L. (2004). Decision making – the analytic hierarchy and network processes (AHP/ANP). Journal of Systems Science and Systems Engineering, 13(1), 1-35. https://doi.org/10.1007/s11518-006-0151-5
Sanayei, A., Mousavi, S. F., Abdi, M. R., & Mohaghar, A. (2008). An integrated group decision-making process for supplier selection and order allocation using multi-attribute utility theory and linear programming. Journal of the Franklin Institute, 345(7), 731-747. https://doi.org/10.1016/j.jfranklin.2008.03.005
Shen, K. Y., & Tzeng, G. H. (2016). Combining DRSA decision-rules with FCA-based DANP evaluation for financial performance improvements. Technological and Economic Development of Economy, 22(5), 685-714. https://doi.org/10.3846/20294913.2015.1071295
Shin, D. H. (2013). User centric cloud service model in public sectors: Policy implications of cloud services. Government Information Quarterly, 30(2), 194-203. https://doi.org/10.1016/j.giq.2012.06.012
Shkurti, R., & Muça, E. (2014). An analysis of cloud computing and its role in accounting industry in Albania. Journal of Information Systems & Operations Management, 8(2), 1-12.
Simon, H. A. (1955). A behavioral model of rational choice. The Quarterly Journal of Economics, 66(1), 99-118. https://doi.org/10.2307/1884852
Simon, H. A. (1956). Rational choice and the structure of the environment. Psychological Review, 63(1), 129-138. https://doi.org/10.1037/h0042769
Sood, S. K. (2012). A combined approach to ensure data security in cloud computing. Journal of Network and Computer Applications, 35(6), 1831-1838. https://doi.org/10.1016/j.jnca.2012.07.007
System and Organization Controls 3 Report. (2017, December). Retrieved from https://d1.awsstatic.com/whitepapers/compliance/AWS_SOC3.pdf
Tarmidi, M., Rasid, S. Z. A., Alrazi, B., & Roni, R. A. (2014). Cloud computing awareness and adoption among accounting practitioners in Malaysia. Procedia-Social and Behavioral Sciences, 164, 569-574. https://doi.org/10.1016/j.sbspro.2014.11.147
Toy, A., & Hay, D. C. (2015). Privacy auditing standards. Auditing: A Journal of Practice & Theory, 34(3), 181-199. https://doi.org/10.2308/ajpt-50932
Van Akkeren, J., Buckby, S., & MacKenzie, K. (2013). A metamorphosis of the traditional accountant: An insight into forensic accounting services in Australia. Pacific Accounting Review, 25(2), 188-216. https://doi.org/10.1108/PAR-06-2012-0023
Wang, C., Wood, L. C., Abdul-Rahman, H., & Lee, Y. T. (2016). When traditional information technology project managers encounter the cloud: Opportunities and dilemmas in the transition to cloud services. International Journal of Project Management, 34(3), 371-388. https://doi.org/10.1016/j.ijproman.2015.11.006
Wang, F. Y., Zhang, H., & Liu, D. (2009). Adaptive dynamic programming: an introduction. Computational Intelligence Magazine, 4(2), 39-47. https://doi.org/10.1109/MCI.2009.932261
Yang, J., Lin, W., & Dou, W. (2013). An adaptive service selection method for cross‐cloud service composition. Concurrency and Computation: Practice and Experience, 25(18), 2435-2454. https://doi.org/10.1002/cpe.3080
Yavuz, A. A., & Ning, P. (2009, December). Baf: An efficient publicly verifiable secure audit logging scheme for distributed systems. In Computer Security Applications Conference, 2009. ACSAC’09. Annual (pp. 219-228). IEEE.
Yigitbasioglu, O. M. (2015). External auditors’ perceptions of cloud computing adoption in Australia. International Journal of Accounting Information Systems, 18, 46-62. https://doi.org/10.1016/j.accinf.2015.09.001
Yu, J., Xiao, X., & Zhang, Y. (2016). From concept to implementation: The development of the emerging cloud computing industry in China. Telecommunications Policy, 40(2), 130-146. https://doi.org/10.1016/j.telpol.2015.09.009
Yu, P. L. (1973). A class of solutions for group decision problems. Management Science, 19(8), 936-946. https://doi.org/10.1287/mnsc.19.8.936
Zhang, H., Ye, L., Shi, J., Du, X., & Guizani, M. (2014). Verifying cloud service‐level agreement by a third-party auditor. Security and Communication Networks, 7(3), 492-502. https://doi.org/10.1002/sec.740
Zhao, L., Ren, Y., Li, M., & Sakurai, K. (2012). Flexible service selection with user-specific QoS support in service-oriented architecture. Journal of Network and Computer Applications, 35(3), 962-973. https://doi.org/10.1016/j.jnca.2011.03.013
Zheng, Z., Wu, X., Zhang, Y., Lyu, M. R., & Wang, J. (2013). QoS ranking prediction for cloud services. IEEE Transactions on Parallel and Distributed Systems, 24(6), 1213-1222. https://doi.org/10.1109/TPDS.2012.285
Zhu, W., & Lee, C. (2016). A security protection framework for cloud computing. Journal of Information Processing Systems, 12(3), 538-547.
Zhu, Y., Hu, H., Ahn, G. J., & Yau, S. S. (2012). Efficient audit service outsourcing for data integrity in clouds. Journal of Systems and Software, 85(5), 1083-1095. https://doi.org/10.1016/j.jss.2011.12.024
Zionts, S., & Wallenius, J. (1983). An interactive multiple objective linear programming, method for a class of underlying nonlinear utility functions. Management Science, 29(5), 519-529. https://doi.org/10.1287/mnsc.29.5.519