The impact of organizational contexts on EDI controls

International Journal of Accounting Information Systems 1 (2000) 153 ± 177

The impact of organizational contexts on EDI controls Sangjae Leea, Ingoo Hanb,* a

College of Business & Economics, Hanyang University, 1271 Sa-1 Dong, Ansan, Kyunggi-Do, 425-791, Republic of Korea b Graduate School of Management, Korea Advanced Institute of Science and Technology, 207-43 Cheongryangri-Dong Dongdaemun-Gu, Seoul 130-012, Republic of Korea Received 1 December 1998; received in revised form 1 December 1999; accepted 1 January 2000

Abstract The growing popularity of electronic data interchange (EDI) in business operations has led to a growing recognition of the need to implement proper control procedures. The requirements for control systems vary according to organizational context. A research model proposes that the organization, technological, and task characteristics as well as partner attributes affect formal, informal, and automated controls, each of which can be categorized as internal and external controls. Data were gathered from 110 companies that had adopted EDI. IS sophistication and task routineness were significantly associated with the use of formal and automated Ð both internal and external Ð controls. Decentralization and partner trust affected the use of internal and external informal controls. The results of this study could help EDI managers or auditors decide the necessary mode of controls for a certain organizational context. In addition, this study would be of interest to EDI practitioners in designing control systems. D 2000 Elsevier Science Inc. All rights reserved. Keywords: EDI; Organizational contexts; EDI controls

1. Introduction Electronic data interchange (EDI) refers to the direct transmission of data through computers at different sites that would otherwise be sent in printed form. EDI improves customer service and cost efficiencies because data re-entry and paper work by the recipient partner organization as well as the sending organization are reduced. Substantial benefits from * Corresponding author. Tel.: +82-2-958-3613; fax: +82-2-958-3604. E-mail address: [email protected] (I. Han). 1467-0895/00/$ ± see front matter D 2000 Elsevier Science Inc. All rights reserved. PII: S 1 4 6 7 - 0 8 9 5 ( 0 0 ) 0 0 0 0 8 - 7

154

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

EDI implementation have been reported, despite the existence of numerous barriers to successful implementation of EDI (Banerjee and Golhar, 1994). EDI controls must be implemented since the speed of transactions and the lack of human intervention increase risk. Unauthorized third parties can reveal confidential information during transmission through the network. Messages can be altered or lost due to disruptions of internal data processing. Errors, omissions, and failures of one system may rapidly influence other systems in a highly integrated system. It is just the same with an interorganizational system linking many trading partners. System errors and failures at one partner's site will render the system of the other partner insecure. EDI controls need to be designed and maintained to ensure completeness, integrity, accuracy, and timeliness of information while meeting its objectives of service improvement, cost reduction, and improvement of productivity (Chan et al., 1993). It is possible to derive competitive advantage from EDI only if integrity and accuracy are ensured in the EDI procedures. Savings in administrative and operating costs can be wiped out by deliberate or erroneous loss of data during data communication. Organizational costs (e.g., a loss of credit or image as well as market share with its competitive advantage) from data loss or invalid data from accidental acts can be reduced when using appropriate controls (Weber, 1988). Before an organization decides to implement EDI, the controls for EDI need to be planned in order to establish the belief that the system is safe and accurate for users. The first step in the design of EDI controls is the preliminary review of the organization and management practices to obtain the information necessary for management to make decisions on the necessary controls. The implementation of controls requires resources. The introduction of IS controls need to proceed in view of an organization's requirements for security and integrity. It is inefficient to implement expensive controls in subsystems if the sensitivity and vulnerability of the systems themselves are not high. Since available resources are limited, it is not possible for EDI managers to develop all of the necessary controls. Guidance in control design must be provided so that the cost of implementation is lower than the reduction in expected losses of IS resources or risks. The necessity of various controls may be different according to organizational contingencies. Guidelines for EDI controls have been suggested in the IS and EDI literature (e.g., Hansen and Hill, 1989; ISACA, 1990). However, a systematic and academic classification of EDI controls is lacking. Since there is a dearth of research on the typology of IS controls, theories of organizational controls may be utilized. Consequently, this study addresses two issues: (1) How can EDI controls be classified? (2) What are the major organizational factors affecting EDI controls? The literature on organization theory as well as IS and EDI controls are reviewed and a research model for EDI control is proposed. The model is tested empirically for Korean companies adopting EDI. A summary of the findings and a list of recommendations for EDI practitioners and researchers are presented. 2. Theoretical framework As EDI becomes increasingly important as a viable alternative way of processing transactions, attention needs to be paid to environmental contexts that affect the controls

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

155

of EDI. The organizational context describes the general situational circumstances of an EDI system that affects EDI controls. Based on a review of the literature on organizational control as well as organizational innovation-implementation and EDI adoption literature, this paper proposes organization characteristics (size, professionalism, decentralization), technological characteristics (IS sophistication, role of IS), task characteristics (interdependence and routineness), and partner attributes (trust) as influential factors in establishing EDI controls. Various categories of variables, industrial, organization (including IS), and task characteristics are included in this exploratory study if they could potentially influence EDI controls and implementation. Although some of these variables are also relevant to the overall information systems function of an organization, these variables may influence the controls that are likely to be emphasized within EDI systems operating in a given environment. These organizational contexts necessitate certain modes of controls. The research model is outlined in Fig. 1. 2.1. EDI controls EDI controls represent part of the overall organizational control system. The objectives of EDI controls are to ensure that an organization achieves its goals through the implementation of EDI. These controls relate to the management processes to safeguard assets, maintain data integrity, and accomplish organizational goals effectively, while consuming resources efficiently. There are many ways to classify controls. This study uses three dimensions of EDI controls: formal, informal, and automated controls (see Lee et al., 1998). Formal control is defined as ``written management-initiated'' control, while informal control is based on shared beliefs and values developed by members of an organization (Jaworski et al., 1993). Organizations use formal mechanisms such as rules, regulations, and the hierarchy of authority to direct behavior and assess performance (Daft and Steers, 1986). Formal controls such as standards, operational procedures, process changes, and formal contracts including legal issues with trading partners (e.g., auto makers and providers of auto parts) and Value Added Network (VAN) are the basic elements of EDI systems. Formal controls are supposed to be initiated by management rather than lower level employees and are based

Fig. 1. Research model.

156

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

on written procedures. Informal controls include the use of values, traditions, employee commitment, and social beliefs. Informal controls are initiated by organization members using the members' values, judgments, and communications. Automated controls are defined as controls using at least some portion of a computerized system. Automated controls are measured with automated control procedures and methods. In view of the high speed and large volume of data, it is necessary to install automated tracking and control mechanisms such as electronic audit trails and automated error correction for the purpose of continuity of functions. EDI controls may be categorized into internal and external controls. Internal controls deal with internal components of EDI systems such as the application system interface while external controls are involved with external EDI systems such as a VAN or trading partner. Internal controls for EDI systems are established to monitor the internal application systems, like a production system or a sales system, linked to an external network. In an integrated EDI system, minor failures or a short downtime of one system may adversely affect other systems. Adequate detective controls (controls that identify the occurrence of errors and failures) and contingency planning should be installed to prevent errors from affecting the whole system. External controls like those of VAN and trading partners have special importance (Chan et al., 1993). A cross-vulnerability exists with systems of VAN service providers or trading partners as a major control deficiency in one EDI system can materially compromise the integrity of the other dependent EDI system due to commonalties in security architectures that cross VAN service providers and trading partners (Marcella and Chan, 1993). Invalid or unauthorized transactions can be initiated by staff in a third-party network. Messages could be lost, altered, duplicated, or transposed while they are transmitted through the network. This could cause additional cost from inaccurate processing and possible financial loss. Internal and external controls are interrelated with each other as internal applications are integrated with external systems of VAN providers and trading partners (Chan et al., 1993; ISACA, 1990; Jamieson, 1994; Marcella and Chan, 1993). Trading partners must reach an agreement on several technical matters, including transmission standards, message standards, and communication protocols. Trading partner agreements should specify the liability of each party and reduce the chance of future disputes by specifying how each should cope with transaction errors and the violation of trading rules. Once an electronic trading partner relationship is established, the parties must continuously manage such things as contingency planning, mutual training needs, and transmission security. Because EDI is an interorganizational system, communication is mediated by a VAN or a proprietary network with trading partners. The modes of controls in this study are not mutually exclusive; more than one of them can be simultaneously used. For instance, internal and external formal controls can be used simultaneously although the degrees of emphasis on them are different. The point is that the three internal and external controls are considered as different dimensions rather than alternatives. The aforementioned control dimensions can be used to generate a framework of control modes. Internal and external controls can be classified according to two important control dimensions: formality and automation. Table 1 indicates six potential control modes along with their descriptions.

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

157

Table 1 EDI controls in this study Control classifications

Modes of controls

Description

Formal controls

Internal formal controls

Procedures used to ensure security in internal applications and communication interface Externally provideda procedures to ensure security and integrity of communication Risk recognition, sense of responsibility, experience, and interaction among colleagues Risk recognition, sense of responsibility, experience, and interaction among colleagues to prepare for external threats and cross-vulnerabilities Automated routines used to ensure security in internal applications and communication interface Externally provided automated control measures for system integrity and security

External formal controls Informal controls

Internal informal controls External informal controls

Automated controls

Internal automated controls External automated controls

a

``Externally provided'' indicates that they are provided by VAN service providers or trading partners.

2.2. Organizational contexts Many organizational contexts should be considered in designing EDI controls to make control systems effective and efficient. EDI controls exist to accomplish organizational objectives under environmental conditions. For example, a large organization with a sophisticated information system should place more emphasis on EDI control systems in comparison to small organizations with unsophisticated IS infrastructures (Chan et al., 1993). The former should establish more formal controls to manage the large volume of data and technical resources than the latter. The independent variables in the research model will be discussed and hypotheses are developed as follows. 2.2.1. Size As organizations increase in size, the problems of social controls, coordination, and communication become more intricate (Jaworski, 1988; Yap and Souder, 1993). Large organizations face an exponentially increasing number of information channels, which makes informal controls less effective (Blau and Scott, 1972; Burns and Stalker, 1966; Merchant, 1981, 1984). As organizations increase in size, it is necessary to institute a more formal planning process to ensure the development of an integrated vision for the IS function (Cash et al., 1988; McFarlan et al., 1983; Ward and Whitmore, 1990). In that case, formal controls can provide a consistent set of rules to control large and complex application systems integrated with EDI. Thus, organizational size is positively correlated with the use of formal controls. The full implementation of automated controls requires extensive expertise and expense (Lawrence, 1988). Large organizations are more likely to be able to afford the costs for automated controls and possess greater technical expertise than smaller firms. Larger firms have more trading partners with diverse operating environments (protocols, line

158

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

speed, standards, hardware) and higher transaction volumes than smaller companies (Chan et al., 1993). Automated controls are cost-effective for large organizations with high communication complexity due to high transaction volumes and numerous trading partners (Fullerton and Evens, 1989). Thus, automated controls are more appropriate for large companies. Hypothesis 1-1: The larger the organization, the greater the use of internal formal controls. Hypothesis 1-2: The larger the organization, the greater the use of external formal controls. Hypothesis 1-3: The larger the organization, the greater the use of internal automated controls. Hypothesis 1-4: The larger the organization, the greater the use of external automated controls. 2.2.2. Professionalism Specialists' jobs require complex decision-making and high reliance on colleagues for advice. Specialists are not accustomed to standard operating procedures, formal rules, and clear standards of performance (Ouchi and Maguire, 1975). They prefer their values and beliefs to formally established rules in coping with exceptions in their work. The specialists in the IS department including EDI discuss with their peers and rely on their knowledge and intuition to address unexpected problems. Informal controls by professionals are enhanced by their knowledge and skills. As most of them are engaged in jobs demanding creativity, the efficiency and effectiveness of their work would decline if their work were to be unduly constrained. Greater technical knowledge of professionals will help control EDI system in an informal way. A survey by Lawrence (1988) shows that automated controls Ð such as integrated test facility Ð have not yet been fully utilized due to the complexity of computerized systems and lack of technical expertise. For example, concurrent audit techniques, continuous and intermittent simulation (CIS) techniques, and parallel simulation techniques to audit batch processing demand high technical expertise and substantial system implementation. The know-how of IS professionals are strongly needed to solve any technical problems in installing these controls and effectively integrate the controls with existing systems. The implementation of automated controls is facilitated if technical expertise and knowledge regarding EDI and communication technology exist. Hypothesis 2-1: The higher the degree of professionalism, the greater the use of internal informal controls. Hypothesis 2-2: The higher the degree of professionalism, the greater the use of external informal controls. Hypothesis 2-3: The higher the degree of professionalism, the greater the use of internal automated controls.

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

159

Hypothesis 2-4: The higher the degree of professionalism, the greater the use of external automated controls. 2.2.3. Decentralization The diffusion of innovation is facilitated by organic structures normally associated with decentralization that facilitates initiation and testing of new ideas (Russel and Russel, 1992). When EDI staff members have more authority, they are more likely to act on their own judgment and explore novel approaches. When exceptional incidents happen, they communicate with others to draw on their knowledge and skills. Mechanistic and formal organizational controls will not provide favorable conditions to EDI staff members in decentralized organizations as they inhibit free interaction among them to give innovative ideas. Informal controls are needed to facilitate the communication of ideas and implementation of EDI in such decentralized organizations. Hypothesis 3-1: The greater the degree of decentralization, the greater the use of internal informal controls. Hypothesis 3-2: The greater the degree of decentralization, the greater the use of external informal controls. 2.2.4. IS sophistication EDI relies on the existing IS infrastructure to integrate with internal applications (Sullivan, 1985). As IS becomes more sophisticated (for example, the size of an EDP department becomes large or the demand for the IS function becomes high), the use of formal controls expands. A superior corporate data management is necessary to provide integrated and consistent EDI controls (Chan et al., 1993). The higher the sophistication of EDI, the stronger is the tendency of management for the proactive formal controls on system development and maintenance. An advanced IS demands controls different from traditional methods due to a smaller paper audit trail and decreased segregation of duties. It is more difficult to control distributed, automated, high-tech systems with manual techniques. Unless mistakes are detected, they will propagate swiftly into other systems. It is necessary to identify system errors before they affect other systems. For this reason, advanced controls (such as concurrent control techniques or simulation tools) are embedded in the application system and recognize errors as the processing is being performed (Aggarwal and Rezaee, 1994; Ahituv and Lee, 1984; Hansen and Hill, 1989). Thus, automated controls are effective for a sophisticated IS that is linked with EDI. Hypothesis 4-1: The higher the level of IS sophistication, the greater the use of internal formal controls. Hypothesis 4-2: The higher the level of IS sophistication, the greater the use of external formal controls. Hypothesis 4-3: The higher the level of IS sophistication, the greater the use of internal automated controls.

160

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

Hypothesis 4-4: The higher the level of IS sophistication, the greater the use of external automated controls. 2.2.5. Role of IS IS plays different roles in different organizations. If the present and future strategic importance of IS is high, management will be more committed to IS planning and controls. In this situation, the quality of the planning process for IS should be higher (McFarlan et al., 1983; Premkumar and King, 1994; Raghunathan and Raghunathan, 1990). If IS has a strategic role in the organization, management may recognize the importance of planning and controls of EDI and invest more resources to implement the strategic system and establish formal planning and control systems due to a concern regarding a possible loss of competitiveness caused by a control failure. Even small errors in the strategic IS may severely affect the credit of a company and lower its competitiveness. Only after a company ensures completeness, accuracy, and data security in each of its transactions can they gain a competitive advantage from EDI implementation. In this environment, the security department will be given greater authority to ensure the security of strategic IS (Straub, 1988). The high position of the security and audit departments makes it easier to get management support for implementing automated controls. Further, the high expenses for the installation of automated controls are justified for a strategic IS. With the growth of the strategic importance of EDI, the IS function will support the expenses required for automated controls to prevent and correct errors. Hypothesis 5-1: The greater the role of IS, the greater the use of internal formal controls. Hypothesis 5-2: The greater the role of IS, the greater the use of external formal controls. Hypothesis 5-3: The greater the role of IS, the greater the use of internal automated controls. Hypothesis 5-4: The greater the role of IS, the greater the use of external automated controls. 2.2.6. Task interdependence It is difficult to control the interactions between interdependent departments in a predetermined way. There is less reliance on standardization, rules, and procedures to guide the workflow under this organizational structure (Daft and Steers, 1986). The implementation of EDI usually affects a number of functional areas within an organization including accounting, purchasing, transportation, and marketing simultaneously (Emmelhainz, 1990). The problems of controls are compounded when different functional units are interdependent and require coordinated effort (Dalton, 1971; Otley, 1980). Mistakes must be detected as promptly as possible before they affect the workflow of other departments. It is difficult to control the EDI process where the activities of one department affect other departments immediately. Detailed guidelines need to exist in order to solve complex interaction between,

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

161

for instance, production and ordering departments, as there exists the possibility of confusion from unexpected task procedures among these interdependent departments. Hence, the crossvulnerability of these departments will lead to the development of informal controls. In order to monitor efficiently interdependent task processes, more informal controls are likely to be required. Hypothesis 6-1: The higher the level of the task interdependence, the greater the use of internal informal controls. Hypothesis 6-2: The higher the level of the task interdependence, the greater the use of external informal controls. 2.2.7. Task routineness Routine technologies are characterized by low variety, high analyzability, standard procedures, and few exceptions. A prime candidate for conversion to EDI is a company that handles a large volume of standardized transactions (Marcella and Chan, 1993). As tasks become more routine, the implementation of formal controls becomes effective (Jaworski et al., 1993). As the routineness of EDI tasks increases, formal EDI controls are appropriate because these tasks are amenable to standard operating procedures, formal rules, and clear standards of performance. The nature of tasks influences management procedures. Managers stress efficiency where activities can be measured quantitatively and are well defined (Daft and Steers, 1986). This leads to automation of work processes. For example, production departments and assembly lines are examples of routine processes. In most cases, the processes linking these departments are automated. Automated controls can promote both effectiveness and efficiency in such an environment. Hypothesis 7-1: The higher the level of the task routineness, the greater the use of internal formal controls. Hypothesis 7-2: The higher the level of the task routineness, the greater the use of external formal controls. Hypothesis 7-3: The higher the level of the task routineness, the greater the use of internal automated controls. Hypothesis 7-4: The higher the level of the task routineness, the greater the use of external automated controls. 2.2.8. Partner trust Trust prevents, reduces or eliminates opportunism and requires less formal rules and standards (Zaheer and Venkatraman, 1995). When the level of trust between buyers and suppliers is high, the partners will be less inclined to exert controls in the relationship (Andaleeb, 1995). Trust may reduce the need for formal contracts that are costly to write, monitor, and enforce, as they rely on psychological contracts (Bromiley and Cummings, 1991). The reliance on trust lowers the cost of negotiation. The partners may establish

162

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

cooperative IORs (Interorganizational Relations) without the use of formal contracts and safeguards (Ring and Van de Ven, 1994). As trust is further affirmed, informal controls are more used, as they may complement or substitute for formal contractual safeguards. Hypothesis 8-1: The greater the level of partner trust, the greater the use of internal informal controls. Hypothesis 8-2: The greater the level of partner trust, the greater the use of external informal controls.

3. Research methodology 3.1. Data collection Although more than 20,000 companies in Korea have adopted EDI, most of them do not implement it comprehensively. Questions about controls can be answered reliably only by the companies that have implemented EDI comprehensively. Two thousand companies were selected from publicly available company databases (through Chollian network service). Among these companies, respondent organizations were as follows. First, the industries, which have used EDI, were identified. Second, from publicly available company databases, the companies in those industries that are likely to have implemented EDI comprehensively were contacted to check their level of EDI implementation. The respondents selected supposedly possessed the level of knowledge about EDI controls required to answer the questionnaire from the results of a preliminary pilot test. Fifteen companies among sampled organizations refused to participate in the interview. Some of these companies were afraid of exposing the vulnerabilities of the EDI system. All of the remaining firms responded to the request for information and are included in the study. The response rate was 88%. The response rate is high because the participation in the survey was solicited through a direct call to EDI managers and the objectives of the study explained. Final sample included the responses from 110 companies. Structured interviews were used as the main data collection method. One or two EDI managers simultaneously participated in the interview. They were believed to have sufficient knowledge about EDI implementation. Disagreements between two managers were rare and most of the respondents modified their responses when they had different opinions on a question. If some questions could not be answered, they took those questions to their colleagues who had sufficient knowledge of the subject area. The data used in validating the research model were gathered as part of a larger investigation concerning EDI controls (see Lee et al., 1998). The survey instrument was verified first by interviewing EDI practitioners from each firm. Wording, interpretation of items, and the extent to which practitioners felt they possess the knowledge necessary to provide appropriate responses were analyzed until the last draft of the questionnaire, which required a very limited number of minor revisions. The unit of analysis is individual EDI adopting company.

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

163

Table 2 Items for research variables Classification

Variables

Organization Size characteristics Professionalism

Decentralization

IS sophistication

Role of IS

Task characteristics

Task interdependence Task routineness

Items

Adapted from

Total sales (SIZE1) Number of employees (SIZE2) The proportion of professional staff members with the educational backgrounds in communication and IS (PROF1) The number of professional staff members that have received graduate course in communication and IS (PROF2) The degree to which participation of subordinates in company decision making is encouraged (DEC1) The degree to which employees can make their own decisions (DEC2) The extent of concentration of decision making authority (DEC3) Number of EDP staff (SOP1) IS budget (SOP2) Percentage of administrative applications (SOP3) Planning and control by steering committee (SOP4) User involvement in the development of IS (SOP5) The percentage of the budget in management controls and strategic planning (SOP6) Impact of shutdown of computer center (ROL1) Feasibility of manual work processing (ROL2) Development of systems for cost reductions and productivity improvement (ROL3) Development of systems to provide new ways to compete (ROL4) Studying the impact of new IS technologies and areas of application (ROL5) Development of IS applications that are vital for long-term strategic objectives (ROL6) Extent to which performance depends on other tasks (TINT for five tasks: 10 sub-items) Perception of routineness in performing task (TROUT1 for five tasks: TROUT-1, TROUT-2, TROUT-3, TROUT-4, TROUT-5) Ease in processing tasks due to clear job definition and description (TROUT2 for five tasks: TROUT2-1, TROUT2-2, TROUT2-3, TROUT2-4, TROUT2-5)

Grover, 1993; Runge, 1985 Corwin, 1975; Daft and Becker, 1978

Aiken and Hage, 1971; Corwin, 1975

Cheney and Dickson, 1982; Raymond, 1990

Premkumar and King, 1994

Goodhue and Thompson, 1995; Jaworski et al., 1993

(continued on next page)

164

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

Table 2 (continued ) Classification

Variables

Items

Partner attributes

Trust

Controls

Internal formal controls

Degree of mutual trust between trading Mohr and partners (TRS1) Spekman, 1994; Trust in the benefit of trading partner's Zaheer and decision (TRS2) Venkatraman, Expectation of fair deal from partner (TRS3) 1995 Chan et al., System change control by authorization (IFC1) 1993; Integrity check of the message before processing ISACA, 1990; in the application (IFC2) Jamieson, 1994; Transaction log for the possible errors and Marcella and collapse (IFC3) Chan, 1993 Appropriateness of system login procedures using password (IFC4) Integrity check after generating EDI messages (IFC5) Authentication of trading partners after receiving EDI messages (IFC6) Back up and recovery plan by VAN and trading Chan et al., 1993; partners (EFC1 and EFC2) ISACA, 1990; Retransmission after correcting erratic messages by Jamieson, 1994; VAN and trading partners (EFC3 and EFC4) Marcella and Dispute reconciliation procedures by VAN and Chan, 1993 trading partners (EFC5 and EFC6) Access control on network by VAN and trading partners (EFC7 and EFC8) Mailbox access control by VAN (EFC9) Recognition of possible propagation of errors Jaworski et al. from one system to another (IIC1) (1993) Recognition of the importance of their responsibility (IIC2) Ability to judge peer's errors in their tasks by experience (IIC3) Ability to cope with the errors effectively by experience (IIC4) Interaction with seniors or peers to cope with problems in their tasks (IIC5) Recognition of the effect of errors in VAN and Jaworski et al., trading partners (EIC1 and EIC2) 1993 Recognition of importance of interorganizational cooperation (EIC3 and EIC4) Processing nonroutine problems with VAN and trading partners by experience (EIC5 and EIC6) Recognition of importance of items in the agreement with VAN and trading partners (EIC7 and EIC8) Interaction with VAN and trading partners to process message errors (EIC9 and EIC10) (continued on next page)

External formal controls

Internal informal controls

External informal controls

Adapted from

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

165

Table 2 (continued ) Classification

Variables

Items

Adapted from

Internal automated controls

Programmed integrity check before processing in application systems (IAC1) Applying access control software on critical application and files (IAC2) Automated data integrity check before transmission of EDI messages (IAC3) Automated authentication of trading partners using message code (IAC4) Automated transaction log for EDI messages by VAN and trading partners (EAC1 and EAC2) Error message tracing and error reporting by VAN and trading partners (EAC3 and EAC4) Digital signatures (message authentication code) provided by VAN and trading partners (EAC5 and EAC6) Provision of various protocol function by VAN (EAC7) Provision of various EDI document standard by VAN (EAC8)

Chan et al., 1993; ISACA, 1990; Jamieson, 1994; Marcella and Chan, 1993

External automated controls

Chan et al., 1993; ISACA, 1990; Jamieson, 1994; Marcella and Chan, 1993

3.2. Measures, measurement reliability, and validity Measures for the research variables are summarized in Table 2. Measures of industry, organizational attributes, task characteristics, and partnership attributes were adapted from previous literature. A multiple 7-point Likert-type scale represented each variable except size and two items among six for IS sophistication. Size was measured by the total number of employees and annual sales while the total number of IS staff and the annual IS budget were included as indicators of measuring IS sophistication. Measures for six modes of EDI controls were constructed separately. Formal and automated control measures were newly developed through a synthesis of various sources (Chan et al., 1993; ISACA, 1990; Jamieson, 1994; Marcella and Chan, 1993). Informal control measures were based on several former studies including Jaworski et al. (1993). Reliability and validity tests were performed for the collected data. The relationships among all the items were examined simultaneously to test whether they measure the same concept. A reliability analysis was conducted and the items (i.e., PROF2 for professionalism, TROUT2 for task routineness) with ``low-to-total'' correlations (the correlation between the item and the variable) were deleted. The final Cronbach's alphas are presented in Table 3. One item each for professionalism, the role of IS, and task routineness were eliminated to increase Cronbach's alpha. All scales exceed 0.6 after deleting low-to-total correlated items, which shows moderate to high reliability (Table 3). In this study, content and construct validity were tested. In this study, the measures are based on previous work and pretested by both practitioners and four IS professors to enhance the content validity of the instrument.

0.7701 ± 0.7553 0.7858 0.6672 ±

Size (1) Professionalism (2) Decentralization (3) IS sophistication (4) Role of IS (5) Task interdependence (6) Task routineness (7) Partner trust (8) Internal formal controls (9) External formal controls (10) Internal informal controls (11) External informal controls (12) Internal automated controls (13) External automated controls (14)

(4)

0.41*** 0.22**

0.9070 0.26*** 0.28*** 0.37***

0.9018 0.20** 0.09

0.34***

0.8415 0.31*** 0.17*

0.08

(8)

(9)

(10)

(11)

(12)

(13)

(14)

0.09 0.36** * 0.39*** 0.59*** 0.74*** 0.62*** 0.66*** 0.64*** 1.00

0.51*** 0.55*** 0.56*** 0.68*** 0.53*** 1.00

0.01 0.35*** 0.27*** 0.55*** 0.64*** 0.58*** 1.00

0.10 0.31*** 0.40*** 0.58*** 0.66*** 1.00

0.01 0.37*** 0.30*** 0.65*** 1.00

0.05 1.00 0.13 0.07 1.00 0.01 0.42*** 0.35*** 1.00

1.00

(6) (7)

0.25** 0.08 0.18*

0.10

0.12

0.12

0.10 0.05 0.07

1.00 ÿ 0.15

(5)

Reliability of the variables that had more than two items was analyzed. * P < .1. ** P < .05. *** P < .01.

0.34***

0.40***

0.7517 0.31*** 0.20** 0.34***

0.17*

0.26***

0.9061 0.27*** 0.26*** 0.35***

1.00 0.30*** 1.00 0.10 ÿ 0.07 0.11 0.23**

(3)

0.04 0.29*** 0.25***

1.00 0.25*** 0.42*** 0.05 0.18*

(2)

± 0.12 0.06 0.13 0.6181 0.24** 0.33*** 0.18* 0.8240 0.23** 0.27*** 0.28***

1.00 0.08 0.27*** 0.39*** 0.00 0.05

Alphas (1)

Variables

Table 3 Bivariate correlations between variables and Cronbach's alphas

166 S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

167

Table 4 Factor analysis for multiple-item measures

Variables

Items

Factor loadings

Decentralization

DEC1 DEC2 DEC3 SOP1 SOP2 SOP5 SOP6 SOP3 SOP4 ROL3 ROL4 ROL5 ROL6 ROL1 ROL2 TRS1 TRS2 TRS3 IFC1 IFC2 IFC3 IFC4 IFC5 IFC6 EFC1 EFC2 EFC3 EFC4 EFC5 EFC6 EFC7 EFC8 EFC9 IIC1 IIC2 IIC3 IIC4 IIC5 IIC6 IIC7 IIC8 IIC9 IIC10 EIC1 EIC2

0.8640 0.8745 0.7130 0.6696 0.4018 0.6339 0.5036 0.5902 0.4460 0.7112 0.8480 0.8403 0.8180 0.8171 0.8313 0.8078 0.6675 0.7880 0.5079 0.6681 0.7891 0.7556 0.8176 0.8096 0.7487 0.6674 0.7647 0.7588 0.8369 0.7878 0.7679 0.7454 0.7506 0.7914 0.8429 0.7962 0.7957 0.7570 0.7523 0.6328 0.6934 0.6269 0.6807 0.7542 0.6972

IS sophisticationa

Role of ISa

Partner trust Internal formal controls

External formal controls

Internal informal controls

External informal controls

Eigenvalues

Percent of variance explained

Cumulative percent

2.0195

67.3

67.3

1.5044

25.1

25.1

1.3740

22.9

48.0

2.6269

43.8

43.8

1.3646

22.7

66.5

1.7191

57.3

57.3

3.2218

53.7

53.7

5.1829

57.6

57.6

5.4804

54.8

54.8

5.3354

53.4

53.4

(continued on next page)

168

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

Table 4 (continued )

Variables

Internal automated controls

External automated controls

Items

Factor loadings

EIC3 EIC4 EIC5 EIC6 EIC7 EIC8 EIC9 EIC10 IAC1 IAC2 IAC3 IAC4 EAC1 EAC2 EAC3 EAC4 EAC5 EAC6

0.6979 0.6634 0.6611 0.6889 0.8086 0.8035 0.7549 0.7566 0.6823 0.7315 0.7945 0.8223 0.7368 0.7051 0.7310 0.7372 0.6146 0.6554

Eigenvalues

Percent of variance explained

Cumulative percent

2.3080

57.7

57.7

2.9251

48.8

48.8

Only variables that had more than three items were analyzed. a Variables that failed to cluster together as one factor.

Construct validity was assessed using convergent and discriminant validity. Convergent validity can be tested using principal component factor analysis. Table 4 shows the results of individual factor analysis for each research variable. All variables except IS sophistication and the role of IS have one factor. IS sophistication and the role of IS are divided into two factors. Although it is technically desirable to treat them as separate factors, it may be acceptable to aggregate them as a single construct if there exists sufficient theoretical justification. This approach has been used extensively in IS research (Ives et al., 1983; Tait and Vessey, 1988). Discriminant validity testing can be accomplished by comparing correlations among variables with Cronbach's alpha. Gaski and Nevin (1985) have suggested that if the correlation between one variable and another is lower than each variable's coefficient alpha, it indicates a good discrimination. The results in Table 3 shows good discrimination among research variables; no correlation between variables was as high as the coefficient alpha of the individual variable. 4. Data analysis and results A Pearson correlation analysis and multiple regression analysis were conducted to test the significance of the relationship between individual variables of organizational contexts and controls. The correlation analysis in Table 3 indicates that every hypothesized relation is

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

169

significant except for that between professionalism and external informal controls (r = .0948), and between task interdependence and internal informal controls (r = .0956). Table 3 indicates high correlations among six modes of EDI controls. This indicates that formal, informal, and automated controls as well as internal and external controls are interrelated with each other. For instance, formal controls can be the basis for shaping informal controls. Management uses education programs to disperse information about organization guidelines for acceptable system usage; the formal controls may facilitate the socialization process to identify the ``acceptable behaviors.'' The faithfulness and responsibility of employees for system performance can increase through an education program on the ethical aspects of system usage. Education of system users can encourage user awareness of the integrity and security vulnerabilities due to the violation of rules. Formalized teamwork training can facilitate interaction (e.g., communication and discussion) among employees. Automated controls are related to formal and informal controls. Automated controls are enacted through a computer-based system; the development and operation of automated controls need formal and informal controls. For instance, audit software modules that are embedded in the application systems identify the transactions having certain traits of interest to the auditor and this demands formal policies for their management. Formal controls like system development procedures are applied to ensure that programs are modified by authorized persons and for legitimate reasons. Informal controls can also help audit software modules develop over time. The effectiveness of audit software modules relies on informal understandings and commitment to follow and manage them. User awareness of periodic change of passwords for access control software is required for the successful use of access control systems. User commitment to these procedures may also help identify the problems of existing controls and ways to enhance these controls. Messages may be altered or lost due to disruption of internal data processing. In a highly integrated system, the failures of one system rapidly influence others. Further, as EDI is an interorganizational system linking many trading partners, the security and integrity of VAN and trading partners' systems can be seriously affected by the mishaps or opportunistic behavior of other partners or VAN service providers (Chan et al., 1993). Internal applications and external communication networks may be closely interrelated with each other due to system integration and sophistication; both internal and external controls are necessary for overall security and integrity of EDI systems and this applies to formal, informal, and automated controls. Adequate controls must be in place to provide ``control assurance'' to stakeholders such as internal users, trading partners, and industry association, in terms of written procedures or policies or contractual obligations or agreements, before the decisions regarding further implementation Ð integration or external expansion Ð of the system can be made (Chan et al. 1993). Both internal and external controls are important to protect internal applications from errors and unauthorized access and to ensure security and integrity of communication, which provides ``control assurance'' to internal applications and external networks. Table 5 presents a series of regression analyses with the six modes of EDI controls as dependent variables and the organizational contexts as independent variables. The effect of each organizational context on EDI controls could be examined while controlling for the effects of the other independent variables through multiple regression analysis. All the

170

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

Table 5 Multiple regression results Dependents Internal formal controls Independents

Beta

External formal controls

Standard error t value P value Beta

(a) Dependent variables = formal controls Constant 2.5985*** 0.7655 Size 0.1538 0.1275 IS sophistication 0.4708** 0.2399 Role of IS 0.0432 0.1133 Task routineness 0.4320*** 0.0914 R2 .2494 .2203 Adjusted R2 F 8.5571*** Significant F 0.0000

3.394 1.207 1.963 0.381 4.727

.0005 .1152 .0262 .3520 .0000

Internal informal controls (b) Dependent variables = informal Constant 1.5119** Professionalism 0.1212 * Decentralization 0.2812*** Task interdependence 0.0035 Partner trust 0.3709*** R2 .2225 .1901 Adjusted R2 F 6.8665*** Significant F 0.0001

controls 0.6596 0.0798 0.1045 0.0609 0.1208

2.292 1.520 2.691 0.058 3.071

5.518 1.823 0.393 2.884 1.718

P value

0.8700 0.1449 0.2726 0.1288 0.1039

1.365 1.597 2.120 1.236 3.787

.0877 .0567 .0182 .1097 .0002

3.841 0.497 1.561 ÿ 0.554 3.098

.0001 .3103 .0620 .2905 .0013

External informal controls .0122 .0659 .0042 .4769 .0014

Internal automated controls (c) Dependent variables = automated controls Constant 3.7469*** 0.6790 Size 0.2647** 0.1452 Professionalism 0.0360 0.0916 IS sophistication 0.8483*** 0.2942 Task routineness 0.1745** 0.1016 R2 .2108 Adjusted R2 .1799 F 6.8115*** Significant F 0.0001

1.1872 * 0.2314 * 0.5780** 0.1592 0.3933*** .2297 .1998 7.6776*** 0.0000

Standard error t value

2.5547*** 0.0400 0.1645* ÿ 0.0340 0.3773*** .1383 .1024 3.8529*** 0.0060

0.6651 0.0805 0.1054 0.0614 0.1218

External automated controls .0000 .0306 .3976 .0024 .0444

2.1125*** 0.2597** 0.0286 0.6710*** 0.3583*** .2641 .2352 9.1493*** 0.0000

0.6313 0.1350 0.0851 0.2735 0.0944

3.346 1.924 0.336 2.453 3.794

.0006 .0286 .3689 .0080 .0002

* P < .1. ** P < .05. *** P < .01.

regression equations turn out to have significant F ratios. In other words, the collective explanatory power of the dependent variables is statistically significant. IS sophistication and task routineness are significantly related to the reliance on internal and external formal controls. The establishment of formal controls can be strongly affected by

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

171

the recognition of risks by management. Internal organizational factors such as IS sophistication and task routineness indicate the vulnerability of the system if appropriate controls do not exist. When management recognizes the vulnerability of the system due to sophisticated IS resources and a large volume of transactions to be processed at high speed, they perceive relative advantages of the establishment of formal controls in user applications and external networks. If tasks are highly repetitive and structured, formal controls such as standardized procedures can greatly contribute to the improvement of system utilization. Size is significantly related to the use of external formal controls. Large firms tend to have formalized relationships with trading partners due to the large number of trading partners and transactions. The extent of internal formal controls are, however, more related to the characteristics of IS and inner processes rather than mere size of organization. Large organizations that have simple EDI applications may not need many internal formal controls; however, external formal controls by VAN or trading partners may be more necessary for large organizations that have trading partners with diverse operating environments (in protocols, line speed, standards, hardware) and higher transaction volumes than small companies. Decentralization and partner trust significantly affect the reliance on internal and external informal controls. EDI staff members have a different extent of risk recognition, sense of responsibility, experience, and interaction with their colleagues according to the extent of the authority they are given and the trust they have in relation with trading partners. This reliance on informal controls tends to increase as they further delegate organizational authority to members. Management of EDI adopters experience the ability of departments or trading partners to deliver or even work ``outside'' the existing terms of formal procedures or interorganizational agreements; their reliance on informal controls deepens even more when organization is more decentralized. Informal understanding of acceptable behavior stems from a reliance on trust; informal controls compensate for the absence of formal rules and contracts. EDI adopters depend mainly on the use of informal controls and rely on trading partners to provide communication controls when they highly trust them. Size, IS sophistication, and task routineness are significantly related to the use of internal and external automated controls. The implementation of automated controls such as integrated test facility and concurrent audit technique can only be successful when enough IS resources are provided. In addition, a large volume of transactions is necessary to make the implementation of automated controls in inner applications and VAN cost-effective. Large organizations and organizations with sophisticated IS and highly routine processes can afford the high cost and expertise required for the implementation of automated controls and this subsequently makes the system more beneficial. The role of IS fails to affect the use of internal and external formal controls. Professionalism does not affect the use of internal and external automated controls. Professionalism has a significant effect only on internal informal controls. The technical expertise of professionals is used to implement the internal informal controls. Professionalism fails to affect the use of external informal controls and this indicates that the extent of education EDI staff members have received does not influence the establishment of external informal controls; EDI staff members appear to trust the security and integrity of external networks provided by trading partners or VAN and do not have much concern with external controls. As the number of EDI documents and trading partners increases, EDI adopters rely more on the expertise of

172

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

communication controls by VANs or ``hub'' companies rather than on controls developed by themselves; the controls that are provided by VAN become cost-effective with additional peripheral services. The knowledge and expertise of EDI adopters become less important in implementing external controls; companies allow VAN to provide sophisticated external control systems (e.g., conversions between different trading partners' environments, provision of varied protocol and access methods). The implementation of formal or automated controls is affected more by technical characteristics such as IS sophistication and task routineness rather than professionalism and role of IS. The insignificant effect of the role of IS and professionalism on EDI controls can be partially explained by the influence of external factors on the implementation of EDI. The role of IS and professionalism in organization may not influence the use of EDI controls in a situation where much of the work processes for EDI implementation becomes structured and formalized by the influence of external trading partners and VAN service providers. This is often the case in Korea. Korean companies have been using EDI for less than 5 years and the state of their implementation is under strong external influence from trading partners and VAN service providers. Additionally, Korean companies have not recognized the seriousness of exposure that is present when using EDI. Since they have little experience of computer abuse, they have less concern that fraud, disruptions to production, and intentional manipulation of operations in EDI systems may lead to impaired customer service, inappropriate decision making, loss of market shares, and financial loss. Positive managerial attitude toward IS does not always lead to extensive efforts to control EDI. Management tends to concentrate on improving short-term effectiveness and efficiency; hence they are likely to invest more resources on integrating and expanding EDI but less on controls to enhance security and integrity. This may be due to the fact that the effects of control are not realized swiftly. The low explanatory power of task interdependence on controls can be partially due to the fact that companies use EDI controls intensively for each of the EDI tasks although not all five EDI tasks are interdependent with each other. Some companies may use EDI for different groups of tasks; the tasks within a single group may be highly interdependent even while intergroup activities are only loosely linked. For instance, manufacturing companies used EDI in trade procedures such as import/export authorization or tariff procedures as well as in financial applications such as electronic fund transfer or receiving invoices from suppliers. The interdependence between trade and financial applications may be low although the interdependence among trade procedures or financial applications is high, respectively. In this situation, it is difficult to examine the relation between task interdependence (which is the average interdependence among every pair of tasks) and the use of informal controls. 5. Summary and conclusions The purpose of this study is to study the impact of organizational contexts on EDI controls. This investigation extended previous work in organizational control and innovation-diffusion by applying the concepts of IS controls, especially in the context of EDI. The study suggested six modes of controls Ð internal and external formal controls, internal and external informal

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

173

controls, as well as internal and external automated controls. The framework also included various organizational contexts such as task characteristics and partnership attributes. Organization characteristics (size, professionalism, decentralization), technological characteristics (IS sophistication, role of IS), task characteristics (interdependence and routineness), and partner attributes (trust) are suggested to be determinants of six control modes. IS sophistication and task routineness are significantly associated with the use of internal and external formal controls. Decentralization and partner trust affect the use of internal and external informal controls. Size, IS sophistication, and task routineness are significantly related to the use of internal and external automated controls. The results of testing hypotheses are indicated in Table 6. 5.1. Implications for practitioners The results of the study provide some insights on organizational context that necessitate the effectiveness of specific modes of EDI controls. For instance, organizational contexts such sophisticated IS and routine task environment are important to determine the level of internal and external formal controls while decentralized organizational structure and high partner trust demands internal and external informal controls. Large organizations and

Table 6 Results of testing hypotheses Hypotheses

Result

Significance

1-1 1-2 1-3 1-4 2-1 2-2 2-3 2-4 3-1 3-2 4-1 4-2 4-3 4-4 5-1 5-2 6-1 6-2 7-1 7-2 7-3 7-4 8-1 8-2

rejected accepted accepted accepted accepted rejected rejected rejected accepted accepted accepted accepted accepted accepted rejected rejected rejected rejected accepted accepted accepted accepted accepted accepted

P > .1 P < .1 P < .05 P < .05 P < .1 P > .1 P > .1 P > .1 P < .01 P < .1 P < .05 P < .05 P < .01 P < .01 P > .1 P > .1 P > .1 P > .1 P < .01 P < .01 P < .05 P < .01 P < .01 P < .01

174

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

organizations with high professional expertise require external formal and internal informal controls, respectively. Size, IS sophistication, and task routineness are related to volume, complexity of transactions, and the speed of processing, respectively; EDI adopters with these organizational contexts demand automation of controls for control effectiveness; the benefits of automated EDI controls vary across such organizational contexts as size, IS organizations, and task routineness. These benefits are related to decreased occurrence of irregularities or errors. The tasks of designing control systems as performed by EDI auditors are difficult and unstructured, as there exists no normative model of EDI controls. EDI auditors often use past experience or their professional knowledge to determine how EDI systems are controlled in certain organizational contexts, as EDI controls depend on organizational contexts. EDI auditors often use analogies from their previous experience to design controls; however, the effectiveness of this reasoning process is greatly limited by the lack of normative models of EDI controls as well as their cognitive and situational limitations. EDI auditors must determine which controls are necessary from the viewpoint of cost-benefit effectiveness. Many alternative forms of controls may exist, and many organizational contexts affect the design of controls. It is difficult to establish if±then rules explaining the choice of controls in some organizational contexts, as the benefits of controls are hard to measure quantitatively. The results of the study can help auditors analyze organizational contexts and recommend the controls that are needed in a given situation; they then can concentrate their limited IS resources to design and effectively implement these controls. The quality of the processes of determining and evaluating required controls in an organizational context can be improved based on the empirically validated relationship between organizational context and EDI controls in this study. The implementation level of internal and external formal and automated controls can be adjusted in order to satisfy the efficiency control objective. The results of the study can attract management to invest appropriate resources to specific EDI controls demanded in their organizational context. Unless the new controls are validated, organizations will be reluctant to install them. Some may think that the controls will slow system response time and utilization, or that the costs outweigh the benefits to system integrity. A major obstacle to the control development arises from cultural factors. Management is accustomed to traditional methods such as paper audit trails, segregation of duties, and hand-written signatures rather than technical controls, which are often embedded in the EDI system. The changeover to new controls may require a new regulatory system to be enforced. Management can overcome some resistance from user departments or trading partners and encourage the implementation of EDI controls more proactively than before based on the results of this study. 5.2. Implication for researchers and limitations The results of the study also have significant implications for researchers. In light of the fragmented and scant nature of the literature that addresses factors for IS controls, a specification of the linkages between organizational contexts and EDI controls can provide a useful framework for future research. The contingent controls framework may be generalized with appropriate modification in research variables for other IS controls (e.g., partner

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

175

relations may be excluded to explain controls in internal IS). There may exist other variables that affect the use of EDI controls; a more exhaustive model is needed to examine and identify various organizational contexts that affect EDI controls using a large base of data in future studies. The dimensions of EDI controls can be further studied. Other control dimensions may include the objectives of controls. It is difficult to apply a single set of measures for EDI controls to the respondent organizations, which have developed EDI systems that have different purposes and requirements. For instance, accuracy of information is important in a JIT (Just-In-Time) system while confidentiality of information is critical in financial applications. The controls for authorization (e.g., cryptography, message authentication code, access control software) are different from the controls for accuracy (e.g., edit check, syntactic check, error logging). The former checks that all related software and data are protected against unauthorized disclosure or change during transmission or storage while the latter ensures accuracy and completeness during input, process, and output stage of processing transactions. Dimensions and measures of controls need to be developed to reflect distinct control objectives. Specifically, the environment in Korea may affect the causal relation between organizational contexts and controls. It is necessary to analyze data collected from other countries in order to control the effects of economic, political, and cultural situations. Any attempt to generalize the findings to EDI systems in different countries need to be pursued with care and caution. The EDI system in Korea is rapidly growing and the results of this study may reflect unique characteristics of Korean companies. For example, the implementation of EDI in some industries in Korea has been supported by a government agency that monopolizes the provision of services associated with international trade. Their implementation of EDI relies substantially on a VAN that is managed by the government. Korean companies do not currently prepare communication controls with trading partners and rely on the VAN to provide these controls. Further, it is difficult to justify the investment of controls in order to reduce computer abuse when computer abuse and disputes between partners rarely occur. This is a reflection of Korean culture that does not place much importance on formal contracts and agreements in anticipation of possible disputes from errors and system failures. The partners believe such problems will not arise in their own network. However, as EDI is rapidly spreading in Korea, system failures or abuses will lead to an increased recognition of external formal controls. References Aggarwal G, Rezaee Z. Introduction to EDI internal control. IS Audit Control J 1994;2:64 ± 8. Ahituv N, Lee D. Control concepts and evaluation techniques for use in auditing of advanced EDP systems. EDP Auditor J 1984;4:45 ± 53 (Fall). Aiken M, Hage J. The organic organization and innovation. Sociology 1971;5:63 ± 82. Andaleeb SS. Dependence relations and the moderating role of trust: implications for behavioral intentions in marketing channels. Int J Res Mark 1995;12:157 ± 72. Banerjee S, Golhar DY. Electronic data interchange: characteristics of users and nonusers. Inf Manage 1994;26:65 ± 74.

176

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

Blau P, Scott WR. Formal organizations. San Francisco: Chandler Publishing, 1972. Bromiley P, Cummings LL. Transaction costs in organizations with trust. Working Paper, Department of Strategic Management and Organization, Carlson School of Management, University of Minnesota, 1991. Burns T, Stalker GM. The management innovation. London: Tavistock, 1966. Cash JL, McFarlan FW, McKenney JL, Vitale MR. Corporate information systems management: text and cases 3rd ed. Homewood, IL: Irwin, 1988. Chan S, Govindan M, Picard JY, Leschiutta E. EDI for managers and auditors. Toronto, Ontario: Electronic Data Interchange Council of Canada, 1993. Cheney PH, Dickson GW. Organizational characteristics and information systems: an exploratory investigation. Acad Manage J 1982;25(1):170 ± 84 (March). Corwin RG. Innovation in organizations: the case of schools. Sociol Educ 1975;4:1 ± 37 (Winter). Daft LR, Becker SW. The innovative organization. New York: Elsevier, 1978. Daft LR, Steers RM. Organizations: a micro/macro approach. Glenview, IL: Scott, Foresman and Company, 1986. Dalton GW. Motivation and control in organizations. In: Dalton GW, Lawrence PR, editors. Motivation and control in organizations. Homewood, IL: Richard D. Irvin, 1971. pp. 1 ± 35. Emmelhainz MA. Electronic data interchange: a total management guide. New York: Van Nostrand-Reinhold, 1990. Fullerton KH, Evens MD. EDI and auditing: opportunity and threat. EDI Forum: J EDI 1989;2:74 ± 7. Gaski JF, Nevin JR. The differential effects of exercised and unexercised power sources in a marketing channel. J Mark Res 1985;22:130 ± 42 (May). Goodhue LD, Thompson RL. Task-technology fit and individual performance. MIS Q 1995;19(2):213 ± 36. Grover V. An empirically derived model for the adoption of customer-based interorganizational systems. Decis Sci 1993;24(3):603 ± 39. Hansen JV, Hill NC. Control and audit of electronic data interchange. MIS Q 1989;13:403 ± 13 (December). ISACA, EDI Control Guide. EDI Council of Australia, Information Systems Audit and Control Association, Sydney Chapter, 1990. Ives B, Olsen M, Baroudi IJ. The measurement of user information satisfaction. Commun ACM 1983; 26(10):785 ± 93. Jamieson R. EDI: an audit approach. Rolling Meadows, IL: EDP Auditors Foundation, 1994. Jaworski JB. Toward a theory of marketing control: environmental context, control types, and consequences. J Mark 1988;52:23 ± 39 (July). Jaworski JB, Stathakopoulos V, Krishnan HS. Control combinations in marketing: conceptual framework and empirical evidence. J Mark 1993;57:57 ± 69 (January). Lawrence CM. Usage of concurrent EDP audit tools. EDP Auditor J 1988;3:49 ± 54 (Fall). Lee S, Han I, Kym H. The impact of EDI controls on EDI implementation. Int J Electron Commer 1998;2(4):71 ± 98. Marcella JA, Chan S. EDI security, control, and audit. Norwood, MA: Artech House, 1993. McFarlan FW, McKenney JL, Pyburn P. Information archipelago Ð plotting a course. Harv Bus Rev 1983; 61(1):145 ± 56 (January ± February). Merchant KA. The design of the corporate budgeting system: influences on managerial behavior and performance. Account Rev 1981;56:813 ± 29 (October). Merchant KA. Influences on departmental budgeting: an empirical examination of a contingent model. Account Organ Soc 1984;9:291 ± 307. Mohr J, Spekman R. Characteristics of partnership success: partnership attributes, communication behavior, and conflict resolution. Strategic Manage J 1994;15:135 ± 52. Otley TD. The contingent theory of management accounting: achievement and prognosis. Account Organ Soc 1980;5(4):413 ± 28. Ouchi WG, Maguire MA. Organizational control: two functions. Adm Sci Q 1975;20:559 ± 69 (December). Premkumar G, King RK. Organizational characteristics and information systems planning: an empirical study. Inf Syst Res 1994;5(2):75 ± 108. Raghunathan TS, Raghunathan B. Planning implications of information systems strategic grid: an empirical investigation. Decis Sci 1990;21(2):287 ± 300.

S. Lee, I. Han / International Journal of Accounting Information Systems 1 (2000) 153±177

177

Raymond L. Organizational context and information systems success: a contingent approach. J Manage Inf Syst 1990;6(4):5 ± 20 (Spring). Ring PS, Van de Ven AH. Developmental processes of cooperative interorganizational relationships. Acad Manage Rev 1994;19(1):90 ± 118. Runge DA. Using telecommunications for competitive advantage. Unpublished PhD Dissertation, Oxford University, 1985. Russel DR, Russel CJ. An examination of the effects of organizational norms, organizational structure, and environmental uncertainty on entrepreneurial strategy. J Manage 1992;18(4):639 ± 56. Straub DW. Organizational structuring of the computer security function. Comput Secur 1988;7:185 ± 95. Sullivan C. Systems planning in information age. Sloan Manage Rev 1985;26(2):3 ± 12 (Winter). Tait P, Vessey I. Effect of user involvement on system success: a contingency perspective. MIS Q 1988;12(1): 91 ± 109. Ward JPG, Whitmore P. Strategic planning for information systems. New York: Wiley, 1990. Weber R. EDP auditing: conceptual foundations and practice. 2nd ed. McGraw-Hill, 1988. Yap CM, Souder WE. A filter system for technology evaluation and selection. Technovation 1993;13(7):449 ± 69. Zaheer A, Venkatraman N. Relational governance as an empirical test of the role of trust in economic exchange. Strategic Manage J 1995;16:373 ± 92. Sangjae Lee is a professor at the College of Business & Economics at Hanyang University. He received his PhD in Management Information Systems from the Graduate School of Management, Korea Advanced Institute of Science and Technology. He is a certified information systems auditor (CISA). His research interests include electronic data interchange, information systems control and audit. Ingoo Han is an associate professor at the Graduate School of Management, Korea Advanced Institute of Science and Technology. He received his PhD from the University of Illinois at Urbana-Champaign. His research interests are information systems audit and security, information system evaluation, and AI applications in accounting and finance. The recent research issues include the audit and control under EC, prediction of stock price using neural network, and integration of AI techniques. Dr. Han has published in Decision Support Systems, Information and Management, International Journal of Electronic Commerce, Contemporary Accounting Research, International Journal of Intelligent Systems in Accounting Finance and Management, Expert Systems with Applications, Engineering Economists, etc.