Exploring the Key Risk Factors for Application of Cloud Computing in Auditing

Hu, Kuang-Hua; Chen, Fu-Hsiang; We, Wei-Jhou

doi:10.3390/e18080401

Open AccessArticle

Exploring the Key Risk Factors for Application of Cloud Computing in Auditing

by

Kuang-Hua Hu

¹,

Fu-Hsiang Chen

^2,* and

Wei-Jhou We

²

¹

Accounting School, Nanfang College of Sun Yat-sen University, Wenquan Town, Conghua, Guangzhou 510970, China

²

Department and Graduate School of Accounting, Chinese Culture University, No. 55 Hwa Kang Rd., Yang Ming Shan, Taipei 11114, Taiwan

^*

Author to whom correspondence should be addressed.

Entropy 2016, 18(8), 401; https://doi.org/10.3390/e18080401

Submission received: 21 April 2016 / Revised: 30 July 2016 / Accepted: 15 August 2016 / Published: 22 August 2016

Download

Browse Figures

Versions Notes

Abstract

:

In the cloud computing information technology environment, cloud computing has some advantages such as lower cost, immediate access to hardware resources, lower IT barriers to innovation, higher scalability, etc., but for the financial audit information flow and processing in the cloud system, CPA (Certified Public Accountant) firms need special considerations, for example: system problems, information security and other related issues. Auditing cloud computing applications is the future trend in the CPA firms, given this issue is an important factor for them and very few studies have been conducted to investigate this issue; hence this study seeks to explore the key risk factors for the cloud computing and audit considerations. The dimensions/perspectives of the application of cloud computing audit considerations are huge and cover many criteria/factors. These risk factors are becoming increasingly complex, and interdependent. If the dimensions could be established, the mutually influential relations of the dimensions and criteria determined, and the current execution performance established; a prioritized improvement strategy designed could be constructed to use as a reference for CPA firm management decision making; as well as provide CPA firms with a reference for build auditing cloud computing systems. Empirical results show that key risk factors to consider when using cloud computing in auditing are, in order of priority for improvement: Operations (D), Automating user provisioning (C), Technology Risk (B) and Protection system (A).

Keywords:

cloud computing; auditing; software-as-a-service (SaaS); CPA firms

1. Introduction

Cloud computing is becoming an important tool that professional CPA (Certified Public Accountant) firms and companies are using for their auditing and accounting information needs abroad. Cloud computing users plug into the cloud to fulfill their information technology needs. Specially, cloud computing should benefit small and medium size firms most, as the “ready-to-use” concept offers them the advantages of cost-savings, efficiency and flexibility. Audit services performed by CPA firms have moved from paper to cloud computing whereby client’s financial report information is stored in cloud, and this audit process is subjected to many risk factors, such as authentication, data security and privacy, system availability, business continuity, and other legal requirements [1]. Since the application of cloud computing technology in the auditing sector is more complicated than regular auditing work in the current system, effective and security audits are more detailed using information, and have become more difficult [2]. Under such circumstances, auditors should realize the risk sources of cloud computing and create a sound auditing framework, so cloud computing audit work can go smoothly [3].

Cloud computing in auditing is thus a future trend, and several risk factors should be considered. Given the few available studies, the importance of this issue and the need for relevant literature, this study examined key risk factors that should be considered when using cloud computing in auditing. CPA firms can reference the study results when constructing their cloud computing applications. Cloud computing applications in auditing involve a huge number of dimensions and sub-factors. Prior studies of the related issues when discussing the security risks of cloud computing auditing by influential analysis mostly adopt narrative presentations [3,4,5,6]. Fewer studies in the literature adopt qualitative data and some variables of the security risk of cloud computing auditing did not have quantitative data provided by experts. Furthermore, the related variables are not independent among them so there exists an influential interrelationship (dependence and feedback). However, conventional statistical methods have some restrictions in assumptions such as the linearity, normality, and independence of security risk variables of cloud computing auditing [7]. Given that the assumptions are often inconsistent with the security risks of cloud computing auditing, the methods have intrinsic limitations in terms of effectiveness and validity.

If the dimensions and sub-factors affecting cloud computing in auditing can be constructed into a framework to determine their mutual impact, strategies for improvement can be prioritized and recommended to relevant authorities. In practice, the abovementioned risk factors are usually not mutually independent, and the dimensions and sub-factors may also be mutually influencing. To resolve the problem of mutual influence between the factors and sub-factors, this study used Multiple Attribute Decision Making (MADM), which is a methodology that simultaneously weighs multiple decision-making attributes to help decision makers prioritize program attributes and make an optimal selection when given limited viable options [8,9,10,11,12,13]. The state-of-the-art survey methods of MADM can be applied to explore the key risk factors that conflict with each other when using cloud computing in auditing. MADM procedures focus on how to select the best one among specified finite alternatives/factors [13]. Another advantage of MADM methods is that they have the capacity to analyze qualitative evaluation criteria [14]. One disadvantage of MADM techniques is the high volume of calculations for finding pairwise comparison, and it is difficult to utilize them when there are a large number of criteria/factors. These techniques need arbitrary ideal levels; however they can’t match with the subjective features of the decision makers [15]. Liou [8] asserts that the Decision Making Trial and Evaluation Laboratory, (DEMATEL) can quantify complex problems and verify their direct and indirect relationship. Chen [16] recommends the DEMATEL-based Analytic Network Process (DANP) for solving dependence problem and feedback relationship since in practice, each dimension and its sub-factors may be mutually influencing and therefore a simple relationship construct should not be used. Peng and Tzeng [12] compromised by using the VlseKriterijumska Optimizacija I Kompromisno Resenje (VIKOR) to determine the dimensionality and sub-factor performance for future reference and development.

This MADM model proposed for solving real-world application of cloud computing in the auditing problems improves upon previous models in the following ways: (1) providing an interdependency model according to DANP concepts to overcome problems of dependence and feedback among risk factors; (2) incorporating VIKOR approaches to prioritize improvements according to the basic aspiration levels, allowing the proposed technique to avoid selecting the seemingly best solution from among alternatives. Instead, all alternatives were replaced by aspiration levels obtained from VIKOR; (3) offering strategic planning models that give decision-makers multiple solutions for improvement priorities. Hence, the MADM model shifts the focus from simple ranking and selection of the most preferable alternatives to performance improvements and methods.

Therefore this study used the MADM to explore cloud computing risk factors in auditing, and through literature review and interviews with industry experts, determined the dimensions and criteria that should be considered when using cloud computing in auditing. Using the DEMATEL approach, the mutual impact of the dimensions and criteria are first determined. Then using an integration of DEMATEL and DANP, the mutually influencing factors will been weighted. Finally, using the modified VIKOR, the performance of the dimensions and criteria for cloud computing in auditing are evaluated to determine key factors for consideration when using cloud computing in auditing and to prioritize strategies for improvement. The result can serve as reference and development basis for CPA firms constructing cloud computing application in auditing. According to the abovementioned observations, the main research questions this study aims to answer are as follows:

Which risk factors should be considered by CPA firms when cloud computing?
When are these risk factors in the mutual influence and conflict and which are those are the key factors?
When based on domain experts’ cognition, those risk factors affect the executive performance?

The remainder of this paper is organized as follows: Section 1 briefly introduces the assessed dimensions and criteria in related literature; Section 2 discusses the analytical framework and methods for constructing the key factors for application of cloud computing in the auditing; Section 3 proposes an empirical case of an improvement plan for application of cloud computing in the auditing; Section 4 offers conclusions.

2. Related Literature

Providing quality service is a very important concern. Especially with an increasing mobile social and business environment, the demand for immediate access has become the trend. Cloud computing is not limited by time or space, and as long as CPAs have Internet connections, information can be accessed for customer inquiries regardless of location and time. Moreover, cloud computing can quickly support a diversity of application software so that during economic boom, CPA firms can continue to expand their operations while during economic downturns, their expenses are reduced to fees needed for their services [2]. Hence CPA firms can flexibly adjust to their actual operation environment since their expansion is not limited by software, and their reduction will not create capital paralysis. In addition, flexible contracts allow CPA firms to pay fees based on different needed expenses, and hence easy control of cash flow. Cloud computing service models and application risk for CPA firms are described below.

Although cloud technology offers a set of low cost, high efficiency and high expandability advantages in cloud computing, there are still unresolved problems inherent in the processing of a large quantity of electronic data [17]. For example, cloud computing system failure could result in security problems such as data loss or theft. Hence before adopting cloud computing services (SaaS, PaaS, IaaS), cloud computing information security must be considered [18]. In terms of data security, CPA firms require very high information security because the consequences of stolen or damaged customer information would be disastrous and it must therefore be highly protected.

When considering cloud computing for its internal organization, CPA firms must evaluate the flexible distribution of their existing computing resources and especially information security [19]. For example, is the remote information center secure? Is the information vulnerable to leaks? If the information shares storage with other departments or shares servers with other corporations, will it be compromised? The efficiency and availability of services must also be evaluated. For example, how efficient is the cloud computing transmission, implementation and availability? Another factor to consider is accuracy and portability. For example, how do CPA firms transfer their existing software and services to cloud service providers? How do CPA firms integrate their software with the services provided by the cloud service providers? Currently, there are detailed management standards for information security technology and management, such as the ISO27001 which delineates key indicators and requirements for hardware, software, managers, users and those with access during auditing.

The use of cloud computing for CPA firms is an inevitable trend, but the new trend poses potential risks. For CPA firms, using cloud computing services requires specialized knowledge and training. Users storing and accessing information in the virtual environment through IT technology are confronted with many risks. Therefore users must clearly understand these risks before implementation, including the legal roles and responsibilities of users and service providers, compliance with local laws and regulations, data protection, tangible security, privacy, incident response and availability [6]. To effectively implement cloud computing, proactive measures must be taken to ensure security [20]. The US National Institute of Standards and Technology (NIST) proposed the Framework for Improving Critical Infrastructure Cybersecurity and Special Publications 800 Series, which states that a network security structure should identify, protect, detect, respond and reply. Based on literature review and interviews with CPA and CPA firm IT experts, this study summarized the four dimensions and criteria for using cloud computing in auditing, as shown below.

2.1. Protection System

The cloud computing system of CPA firms should adopt established security systems for unified and complete analysis. By using various cloud computing security check systems and logs in its operations and maintenance, the detection and investigation of violations can be enhanced. To achieve data protection, a comprehensive mechanism for cloud computing log and review system should be constructed. The logs should include information such as user ID, operation date and time, operation content, and operation success. Zissis and Lekkas [21] pointed out the use of trusted subcontractors in the cloud environment and trusted encryption can ensure the confidentiality, integrity and reliability of information and communications [22]. At the same time, to protect data, attempts should also be made to resolve specific security vulnerability. Choudhury et al. [23] also indicated that a strong authentication structure can restrict access by illegal cloud servers and ensure the safety and efficiency of cloud computing. Since the distribution patterns and open structure of cloud computing render it a target of intrusion, an effective intrusion monitor and defense system are required to satisfy user needs [24,25].

2.2. Technology Risks

To implement cloud computing, CPA firms should construct a cloud computing platform since it is important to the development of cloud computing. The cloud computing platform can comprehensively analyze the risks of the cloud computing services, and objectively evaluate the information security capability of the cloud computing service platform, business continuity capability and legality of the platform and services. Since security vulnerabilities are inherent in the infrastructure, service platforms and applications, Mansfield-Devine [26] believe that implementing a vulnerability management program to determine vulnerable areas followed by a good repair mechanism [27] to eliminate the vulnerabilities can safeguard against malware attacks [28].

2.3. Automating User Provisioning

Jincui and Liqun [29] indicate that in cloud computing applications, automating user provisioning is a complex issue, and CPA firms should adopt an appropriate mode of cloud computing control and effective measures to ensure the accuracy and completeness of user activity logs. The clocks and times for all major cloud computing systems should be synchronized, interviews and operations should be recorded onto a physical recording system, and cloud computing platform logs should be promptly backed up onto designated log server or secured interface. In addition, a monitoring software should be used to ensure the consistency and completeness of the user activity log. Chen et al. [30] noted that many enterprises implement automating user provisioning to enhance security, improve efficiency, reduce costs, maintain data quality and ensure regulation compliance. Cloud computing has changed the security landscape of enterprises from internal to external networks, with increased emphasis on identification, and message and data protection [31]. Liu et al. [32] assert that basic anonymous cloud computing server verification can ensure user identity confidentiality and effective customer management.

2.4. Operations

Given the complexity and innovation in cloud services and cloud computing technology and increasing user concern with data privacy, CPA firms using cloud technology, data warehousing and data mining technology must confront the source, application, flow and protection of data, and find ways to fulfill their responsibilities and protect customer rights. Svantesson [33] indicates that the Swedish Data Protection Act dictates that data controllers must adopt appropriate technology and organization to protect personal data processing. In the cloud computing landscape for auditing, audit information is stored and accessed through Internet links, and audit evidence can only be obtained on the Internet link. Under normal circumstances, the audit information flows globally, and the data owner can neither control its flow nor control its storage location. When using cloud computing for auditing, auditors may not be able to ascertain where the audit evidence is hosted, and may not even know which country the audit information is stored in. On the other hand, audit evidence is often stored with the data of the cloud service providers and other customers in the same environment, and may result in completely unusable information or difficult information availability. Kikuchi and Hiraishi [34] propose an automatic synthesis technology for re-configuring the program to avoid undue changes. They also proposed a vulnerability recognition technology in the system configuration to increase service flexibility, reduce operator error and improve the reliability and availability of cloud services.

In this study, the risk factors for application of cloud computing in the auditing dimensions and criteria are derived from a literature review, brainstorming, CPA expert opinions, and interviews with IT department senior supervisors of CPA firms and academicians that specialize in computer auditing; and as the basis of the pre-test questionnaire. The results are shown in Table 1, including the four dimensions and 21 criteria.

3. Building a New MADM Model to Identify the Key Risk Factors for Application of Cloud Computing in the Auditing

This study uses a MADM tool characterized by multiple conflicting criteria [13,35,36]. The MADM model is developed based on the abovementioned studies, and is selected as a fitting method for the assessment of the key factors for application of cloud computing in the auditing; decision-makers can use the outcome for improving and reducing the performance gaps in each criterion. This section includes four sub-sections: First, the DEMATEL method is used to construct an influential network relation map (INRM). Secondly, this study illustrates how to derive the influential weights of DANP, as based on the total influence matrix of DEMATEL. Thirdly, the modified VIKOR method is applied to transform the performance values into the amended gap. Finally, the data collection process is introduced. The analytical framework is illustrated in Figure 1.

3.1. Building an Influential Network Relation Map by DEMATEL

The DEMATEL technique is used to construct an INRM in order to understand specific societal problems [37,38]. The DEMATEL technique can be divided into five stages. In the first stage, it calculates a system with n elements/criteria, and launches the evaluation scale using pairwise comparison of the aspects/criteria, in order to determine the degree of influence using a five-point scale ranging from 0 (no effect) to 4 (extremely influential), for pairwise comparison of perceptions/feelings by domain experts. The second stage measures the initial matrix to directly obtain influential matrix G. The third stage finds the normalized matrix Z, where the sums of at least one column or row, but not all, equal one. In the fourth stage, the total influential matrix P can be derived, and the INRM can be illustrated [12,39]. Further explanation of the DEMATEL method may be found in Appendix A.1.

3.2. Identifying the Weights by DANP

The basic ANP concepts are applied in the DEMATEL method in order to confirm the influential relationship of the criteria of DANP, which shows the relative influential weights of criteria. The ANP method is considered suitable to treat complex network relationships, which is expanded from AHP (Analytic Hierarchy Process) method by Saaty [40]. In this paper, the DEMATEL method is adopted into the ANP method to generate the un-weighted super-matrix. Therefore, this research combined the advantages of ANP and DEMATEL to solve the problems of dependence and feedback associated with the interrelations between criteria [16,41,42]. The DANP process is as shown in Appendix A.2.

3.3. Measuring the Performance by Modified VIKOR

The VIKOR method, as introduced by Opricovic [43] and developed by Opricovic and Tzeng [44], uses the concept of compromise to solve MADM problems with conflicting criteria. The best one can be selected among the alternatives, as based on the concept of a compromise solution, when handling complex decision making problems in the MADM framework. The modified VIKOR is applied here to derive the optimal alternative/criteria; for detailed steps see Appendix A.3.

3.4. Data Collection

In order to ensure effective pair-wise comparisons and good consistency, Saaty [45] suggests that there should be a limited number of factors in a single construct. The relative importance criteria were found by asking experts (a total of eight senior supervisors of IT departments of CPA firms, two CPA experts, and two academicians that specialize in computer auditing) to answer the pre-test questionnaire, selecting the important criteria (based on triangular fuzzy numbers and with a mean of eight and above). Question responses ranged from 0 to 10 with a high score meaning high importance, the results are shown in Table 2. The pre-test questionnaire results were applied and the DEMATEL, DANP and modified VIKOR methods combined and incorporated into the questionnaire design. A total of 40 interviews (a total of 20 senior supervisors of IT departments of CPA firms, 15 CPA experts, and five professors of computer auditing) have been carried out mainly for the analysis of interactions between the application of cloud computing in the auditing dimensions and criteria as well as performance.

4. Empirical Analysis

This section explains the study, which proposed improvement priorities based on questionnaire results and assessment. The empirical analysis process is shown in Figure 2.

4.1. Background and Problem Description

Cloud computing is appropriate for corporations needing mobile services and IT outsourcing, and the business programs of CPA firms are consistent with these needs [51]. For accounting and auditing, cloud technology offers the advantage of revolutionary technological development, and cloud computing allows CPA firms to purchase less new software and hardware each year. At the same time, efficiency, seamless programs and quality service are becoming increasing important for CPA firms, and cloud computing provides information access that is limited by time or space so that CPAs can access information as long as the Internet is available. The main advantages of using cloud computing are as described above, but before using cloud computing in auditing to manage client’s information, what issues should CPA firms consider and how would these issues affect client service?

4.2. Analysis of Empirical Result

4.2.1. DEMATEL Verification of the Analysis of Interactions between Dimensions and Criteria

According to the research method described in Section 3.1, the average initial direct-influence matrix G involving 15 criteria has been derived from expert interviews, and is a 15 × 15 matrix. The DEMATEL procedure were then utilized to obtain a normalized direct-influence matrix, and then carried out to obtain the total-influence matrix Z as shown in Table 3. From the understanding of the interviewed experts, there would be interactions between the 4 dimensions and 15 standards. The total-influence matrix T_D for the dimension and T_C for the criteria is derived, as shown in Table 3 and Table 4. The sum of influence given di − ri and received di − ri (please see Appendix A: DEMATEL step 3, Equations (3), (5) and (6)) for each dimension and criterion can be derived and shown in Table 3 and Table 5. The influential network-relationship can be visualized by drawing an INRM four dimensions and their subsystem as illustrated in Figure 3.

According to the influential relation (d_i − r_i), it can be found that a “Operations (D)” (di − ri = 1.688 maximum) has the highest degree of an impact relationship that affects other dimensions directly. Otherwise, “Protection system (A)” (di − ri = −0.242 minimum) is the most vulnerable to impact.

Results of Table 3 show that the four dimensions, namely Protection system (A), Technology risks (B), Automating user provisioning (C) and Operations (D) are mutually influential. According to the influential relation (di − ri), it can be found that a “Operations (D)” (di − ri = 1.688 maximum) has the highest degree of an impact relationship that affects other dimensions directly. Otherwise, “Protection system (A)” (di − ri = −0.242 minimum) is the most vulnerable to impact.

This is further illustrated in Figure 3, indicating that influential priority can be sequenced as: “Operations (D)”_”Automating user provisioning (C)”_”Technology risks (B)”_”Protection system (A)”. When considering the improvement, the panel experts all regard “operations” first and agree the first priority for improvement should be a “Operations (D)”which can then produce an influential effect on the remaining dimensions.

For CPA firms, the most serious problem is incorrect information or cloud service system failure when using cloud computing in auditing, so when using cloud computing, information correctness and cloud service system support should be the foremost objectives for CPA firms, as the occurrence of any problem in these areas could result in auditing failure. Therefore signing a contract with cloud providers to require cloud computing system stability [53] can reduce system downtime and maintain high work efficiency and quality service [54].

In terms of criteria, Table 5 shows that 15 of the criteria are mutually influencing. Compared to other criteria, Private Laws (d₁) is the most influential (di − ri = 0.429); in contrast, Authentication method and authorization system (a₃) is the least influential (di − ri = −0.185). When using cloud computing in auditing, client audit information is a critical concern for CPA firms. In compliance with the governmental Personal Information Protection Act, CPA firms must properly protect client audit information, and store the information in a secure, damage and leak proof facility [55]. At the same time, the Personal Information Protection Act has also ensured that cloud computing systems are more sophisticated and audit information less vulnerable to hackers.

Furthermore, analysis of each dimension showed that in the Protection system (A) dimension, Tangible and intangible security (a₁) is the most important criterion (di − ri = 0.160) whereas Authentication method and Authorization system (a₃) is the least influential criterion (di − ri = −0.185). CPA firms must have hardware and software support to successfully implement cloud computing, and must ensure that their equipment are subjected to rigorous protection and monitoring to protect stored customer audit information [56]. Therefore, compared to other criteria in the Protection system dimension, the Tangible and intangible security (a₁) criterion is more influential.

In the Technology risks (B) dimension, Supervisors (b₂) is the most important criterion (di − ri = 0.050) whereas Segregation of duties (b₃) is the least influential criterion (di − ri = −0.029). In cloud computing, CPA firms depend on a primary user to centrally manage the cloud computing, and implement a set of strict segregation of duties to prevent unauthorized users from accessing customer audit information. Without such segregation, customer audit information may be subjected to unauthorized access or leakage, and result in lawsuits that may severely jeopardize the reputation of the CPA firms. Therefore, compared to other criteria in the Technology risks (B) dimension, the Supervisors (b₂) criterion is more influential.

In the Automating user provisioning (C) dimension, Periodic inspection of access (c₃) is the most important criterion (di − ri = 0.052) whereas Removal of entrance (c₂) is the least influential criterion (di − ri = −0.075). Cloud computing is an information technology, and when used in auditing, regular testing for damage or inadequacy is critical to ensure that the cloud computing system is updated with the latest version, secure and in compliance with SLA specification [51,57] to prevent information leak that may result in hacker damage. Therefore, compared to other criteria, the Periodic inspection of access (c₃) criterion is more influential.

In the Operations (D) dimension, Privacy laws (d₁) is the most important criterion (di − ri = 0.429) whereas Reliability and availability (d₅) is the least influential criterion (di − ri = −0.152) for the same reason as described above. Therefore, compared to other criteria, the Privacy laws (d₁) criterion is more influential.

4.2.2. Using the DANP to Determine Factor Weight

Using a combination of DEMATEL and DANP, the factor weight of each criterion is obtained. Using Equations (A10), (A11) and (A12), the DEMATEL Total influence-relation matrix is used to construct the un-weighted super-matrix, as shown in Table 6. Using Equations (A8), (A14) and (A15), and the weighted super-matrix for each dimension is obtained, as shown in Table 7. Finally, the limit super-matrix is used to obtain the global weights of the elements, as shown in Table 8. The results are applied to the modified VIKOR method to determine each criterion performance.

4.2.3. Implementation Performance of each Dimension and Standard

The modified VIKOR method is used to evaluate the overall performance gap of key factors in cloud computing in auditing. Based on the 40 experts assessment, this study ranked the criterion performance items in the cloud computing auditing on a score of 1 to 10, with 1 being the lowest score and 10 the highest score, and a higher score representing better performance. Each criterion score and the total average gap (

S_{k} = \sum_{j = 1}^{n} w_{j} r_{j k}

) is obtained using the DANP global weights multiplied by the gap (r_jk). As shown in Table 9, the average performance value is calculated from all the values of the criteria performance and their corresponding gaps (

r_{j k} = \frac{| f_{j}^{a s p i r e} - f_{j k} |}{| f_{j}^{a s p i r e} - f_{j k} |}) .

Based on these performance values, decision makers can identify the performance value of each dimension and criterion. The results showed that compared to other dimensions, Automating user provisioning (C) had a highest performance value of 7.899 and Technology risks (B) had a lowest value of 7.440. The overall average performance value is 7.607, which is 0.239 less than the expected optimal value (10), indicating a 23.9% gap from the optimal standard.

4.3. Management Implication

Figure 3 illustrates the causal relationship between the dimensions and criteria in this study. Through the INRM, the order of priority for improving key factors in cloud computing in auditing is: Operations (D), Automating user provisioning (C), Technology Risks (B), and Protection system (A). The results indicate that compared to other dimensions, Operations (D) is the most influential. Unlike laptops which are easily misplaced, CPA firms using cloud computing to store audit information can reduce the risk of losing information and increase audit information security [58]. At the same time, CPA firms are obliged to ensure the security and confidentiality of customer information, and to fulfill their commitment to customer information security, they must exercise more caution when using cloud computing. Hence in the Operations (D) dimension, the most important element is compliance with Personal Information Protection Act, followed by information log of incorrect audit information, cloud service system error or any other errors. The system is then updated according to prioritized log content to reduce time cost due to operating system delays. Therefore, in the abovementioned interview, experts perceived Operation as the most influential.

When considering only the single dimension of Operations (D) for improving cloud computing in auditing, the following criteria prioritization is recommended: (d₁) _ (d₃) _ (d₂) _ (d₄) _ (d₅); when considering only criteria (d₂), (d₃), (d₄), (d₅) in this dimension, recommended prioritization is (d₃) _ (d₂) _ (d₄) _ (d₅). For other dimensions, improvement prioritization for corresponding criteria is shown in Table 10. In addition, as shown in Table 9, the performance values overall have an average of 7.607, with 10 as the desired level. The average gap, indicating room for improvement, is 0.239 (this is the distance from 1.0).

5. Conclusions

This study proposed Taiwan CPA firms for application of cloud computing in auditing as an empirical case to demonstrate that the MADM method could overcome the defects of the conventional MCDM method. First, the traditional model assumes that the criteria are independent and hierarchical in structure; however, real-world cloud computing in the auditing area frequently involves interdependent perspectives and criteria, decision problems are frequently characterized by interdependence criteria and dimensions and may even exhibit feedback-like effects. This study presented a MADM method that applies the characteristics of influential weights ANP and DEMATEL (DANP) to solve interdependence and feedback problems of cloud computing in the auditing risk criteria. Second, the VIKOR method set the aspired values as the aspiration level and the worst values as the tolerable level for all criterion functions, this enables a decision maker to reduce the gaps in alternatives to reach the aspiration levels. Third, the MADM method shifts the concept from the “ranking” or “selection” of the most preferable alternatives to the “improvement” of their performances to achieve the aspiration level based on INRM using the DEMATEL method. The INRM identifies how and in which directions the cloud computing risk factors influence each other, which helps decision maker to understand the root causes of performance issues and devise strategies for improvement.

Cloud computing is a ready-to-use technology [2] that allows CPA firms to reduce costs and the inconvenience of paper audits and storage. It also offers the advantages of efficiency, mobility and flexibility. However, potential risks must be considered. Although cloud computing service providers have strengthened security controls to prevent hacking, CPA firms must exercise precaution to prevent confidential information damage or loss. Hence based on literature review and a summary of expert recommendations for CPA firms when using cloud computing in auditing, this study constructed an assessment framework for cloud computing in auditing. The DEMATEL is used to construct a network diagram showing the influential relationship between the dimensions and criteria of cloud computing in auditing. The DANP is then used to analyze the weightings. Last, the modified VIKOR is used to examine the performance of cloud computing in auditing, and the DEMATEL is used to prioritize improvement strategies. Risk key factors and improvement strategies are recommended for CPA firms when using cloud computing for auditing.

The sequence of influence priorities was as follows: Operations (D), Automating user provisioning (C), Technology risks (B) and Protection system (A). The average gap between the actual and desired levels of the application and implementation of cloud computing in the auditing was 0.239, denoting the level that current Taiwan’s CPA firms cloud computing implementation needs to reach. The implications of these results for management and improvement plans have been raised and formulated to help CPA firms effectively provide professional services and enjoy the advantages of cloud computing, thereby enhancing their reputation and quality and quantity of economic benefits.

However, there are some limitations. First, this study was conducted with relatively expert sample groups. A larger sample that brought more explanatory power would have allowed more sophisticated evaluation analysis. Second, the criteria used in this research design are key criteria obtained through the integration of literature review and summary of expert interviews. Future studies can use other methods such as longitudinal studies and in-depth interviews to obtain the criteria, and examine the advantages and disadvantages compared to this study.

Acknowledgments

The authors thank the financial support from the Ministry of Science and Technology, Taiwan, under the Project No. NSC- 104-2410-H-034-004.

Author Contributions

Kuang-Hua Hu and Fu-Hsiang Chen drafted the manuscript. Wei-Jhou We performed the experiments, Kuang-Hua Hu and Fu-Hsiang Chen participated in the design of the study and performed the statistical analysis. Fu-Hsiang Chen coordination and helped to draft the manuscript. All authors read and approved the final manuscript.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A. A novel hybrid MADM model combined with DEMATEL, ANP, and modified VIKOR

Appendix A.1. Building an Influential Network Relation Map by DEMATEL

The DEMATEL technique was developed for the purpose of showing a network relation diagram, and a structural model for understanding specific societal problems. These basic concepts were used to create a series of new hybrid MADM models for solving complex and dynamic real world problems [32,33,59,60]. The DEMATEL technique involves three steps, detailed as follows:

Step 1:: Calculate the direct influence-relation average matrix G. Assume the number of experts F and the number of criteria n are asked to propose that the pairwise comparisons between any two criteria are denoted by, and are given, an integer score of 0, 1, 2, 3, or 4, expressing the range from “absolutely no influence (0)” to “very high influence (4)” by natural language in linguistics (e.g., semantics), and showing the degree that each criterion i affects each criterion j. The answers by each expert form a n × n non-negative matrix $X^{p} = {[x_{i j}^{p}]}_{n \times n},$ $p = 1, 2, ..., P,$ where $X^{1}, ..., X^{p}, ..., X^{P}$ are the answer matrices by the P experts in practical experience, and the elements of $X^{p}$ are denoted by $x_{i j}^{p}$ from expert p. Thus, an n × n average matrix P of all experts given can be built by Equation (A1):

$G = [\begin{matrix} g_{11} & g_{12} & \dots & g_{1 n} \\ g_{21} & g_{22} & \dots & g_{2 n} \\ ⋮ & ⋮ & ⋱ & ⋮ \\ g_{n 1} & g_{n 2} & \dots & g_{n n} \end{matrix}]$

(A1)

The average scores of the P experts are $g_{i j} = \frac{1}{P} \sum_{f = 1}^{P} x_{i j}^{p}$ . The average matrix is called the initial direct relation matrix G, and represents the degree of influence one criterion exerts on another, as well as the degree of influence it receives from other criteria.
Step 2:: Normalize the initial direct-influence relation matrix. The normalized initial direct influence relation matrix Z is acquired by normalizing the average matrix G. The matrix Z is easily derived from Equations (A2) and (A3), whereby all principal diagonal criteria are equal to zero:

$Z = s \cdot G$

(A2)

$s = \min {\frac{1}{\max_{1 \leq i \leq n} \sum_{j = 1}^{n} g_{i j}}, \frac{1}{\max_{1 \leq j \leq n} \sum_{i = 1}^{n} g_{i j}}}$

(A3)
Step 3:: Derive the total influence-relation matrix. A continuous decrease of the indirect effects of problems moves with the powers of the matrix Z, e.g., $Z^{2}, Z^{3}, \dots, Z^{\infty},$ and $\lim_{k \to \infty} Z^{k} = {[0]}_{n \times n},$ for $\lim_{k \to \infty} (I + Z + Z^{2} + \dots + Z^{k}) = {(I - Z)}^{- 1}$ , where $I$ is a $n \times n$ unit matrix. The total influence relation matrix P is a $n \times n$ matrix, and is defined by $P = {[t_{i j}]}_{n \times n}, i, j = 1, 2, \dots, n$ as shown in Equation (A4):

$\begin{array}{l} P = Z + Z^{2} + ... + Z^{k} \\ = Z (I + Z^{2} + ... + Z^{k - 1}) \\ = Z (I + Z^{2} + ... + Z^{k - 1}) (I - Z) {(I - Z)}^{- 1} \\ = Z {(I - Z)}^{- 1}, when \lim_{k \to \infty} Z^{k} = {[0]}_{n \times n} \end{array}$

(A4)

The total influence relation matrix P of INRM can be acquired by Equation (A4). Equations (A5) and (A6) are used to generate each row sum and column sum in the matrix P, respectively:

$d = {(d_{i})}_{n \times 1} = {[\sum_{j = 1}^{n} t_{i j}]}_{n \times 1} = (d_{1}, ..., d_{i}, ..., d_{n})^{'}$

(A5)

$r = {(r_{j})}_{n \times 1} = {(r_{j})^{'}}_{1 \times n} = {[\sum_{i = 1}^{n} t_{i j}]}^{'}_{1 \times n} = (r_{1}, ..., r_{j}, ..., r_{n})^{'}$

(A6)

where d_i is the sum of a row in the total influence relation matrix P, which represents the total effects (both direct and indirect) of criterion/perspective i on the all other criteria/perspectives ${[\sum_{j = 1}^{n} t_{i j}]}_{n \times 1}$ . Similarly, r_j is the column sum in the total influence relation matrix P, which represents the total effects (both direct and indirect) of criterion/perspective j received from the all other criteria/perspectives ${[\sum_{i = 1}^{n} t_{i j}]}^{'}_{1 \times n}$ . Thus, when i = j, $(d_{i} + r_{i})$ offers an index of the strength of the total influences given and received, that is $(d_{i} + r_{i})$ indicates the degree of importance that criterion/perspective i plays in the system. In addition, $(d_{i} - r_{i})$ provides an index of the degree of the cause of total influence. If $(d_{i} - r_{i})$ is positive, then criterion/perspective i is a net causer, and if $(d_{i} - r_{i})$ is negative, then criterion/perspective i is a net receiver.

Appendix A.2. Based on the DEMATEL Technique to Find the Influential Weights of DANP

The traditional ANP solved problems with interdependence and feedback only on perspectives (dimensions) and criteria until becoming/assuming independence. Therefore, these basic ANP concepts [35] are used as a base, and are combined with DEMATEL to solve these issues. Thus, the influential weights of DANP (DEMATEL–based ANP) contain the following steps:

Step 4:: Find the normalized total influence relation matrix P_c. DEMATEL is used to build total influence relation matrix from each perspective (dimension or cluster), with different degrees of influence relation for the criteria, as shown in Equation (A7):

$P_{C} = \begin{matrix} \begin{array}{l} D_{1} \\ ⋮ \end{array} \\ \begin{array}{l} D_{i} \end{array} \\ \begin{array}{l} ⋮ \end{array} \\ D_{n} \end{matrix} \begin{matrix} \begin{array}{l} c_{11} \\ c_{\begin{array}{l} 12 \\ ⋮ \end{array}} \\ c_{1 m_{\begin{array}{l} 1 \end{array}}} \\ c_{i 1} \\ c_{\begin{array}{l} i 2 \\ ⋮ \end{array}} \end{array} \\ \begin{array}{l} c_{\begin{array}{l} i m i \\ ⋮ \end{array}} \\ c {}_{n 1} \\ c_{\begin{array}{l} n 2 \\ ⋮ \end{array}} \\ c_{n m_{n}} \end{array} \end{matrix} \overset{\begin{matrix} \begin{matrix} \begin{matrix} \begin{matrix} D_{1} & \dots & D_{i} \end{matrix} & \dots \end{matrix} \end{matrix} & D_{n} \end{matrix}}{\overset{\begin{matrix} c_{11 \dots} c_{1 m_{1}} \dots & c_{i 1 \dots} c_{i m_{i}} \end{matrix} \dots c_{n 1 \dots} c_{n m_{n}}}{[\begin{matrix} P_{{}_{C}}^{11} & \dots & P_{{}_{C}}^{1 j} & \dots & P_{{}_{C}}^{1 n} \\ ⋮ & ⋮ & ⋮ \\ P_{{}_{C}}^{i 1} & \dots & P_{{}_{C}}^{i j} & \dots & P_{{}_{C}}^{i n} \\ ⋮ & ⋮ & ⋱ & ⋮ \\ P_{{}_{C}}^{n 1} & \dots & P_{{}_{C}}^{n j} & \dots & P_{{}_{C}}^{n n} \end{matrix}]}}$

(A7)

where $D_{n}$ is the nth cluster; $c_{n m}$ is the mth criterion in the nth dimension; and $P_{C}^{i j}$ is a submatrix of the influence relation by the criteria from a comparison of the ith dimension and the jth dimension. In addition, if the ith dimension has no influence on the jth dimension, then submatrix $P_{C}^{i j} = [0]$ , shows independence (no influence relation) in each other criterion.
Step 5:: Form an un-weighted super-matrix $W$ . Normalize the total influence relation matrix $P_{C}$ as shown in Equation (A8):

$P_{C}^{α} = \begin{matrix} \begin{array}{l} D_{1} \\ ⋮ \end{array} \\ \begin{array}{l} D_{i} \\ ⋮ \end{array} \\ \begin{array}{l} \end{array} \\ D_{n} \end{matrix} \begin{matrix} \begin{array}{l} c_{11} \\ c_{\begin{array}{l} 12 \\ ⋮ \end{array}} \\ c_{\begin{array}{l} 1 m_{1} \\ ⋮ \end{array}} \\ c_{i 1} \\ c_{\begin{array}{l} i 2 \\ ⋮ \end{array}} \end{array} \\ \begin{array}{l} c_{\begin{array}{l} i m_{i} \\ ⋮ \end{array}} \\ c {}_{n 1} \\ c_{\begin{array}{l} n 2 \\ ⋮ \end{array}} \\ c_{n m_{n}} \end{array} \end{matrix} \overset{\begin{matrix} D_{1} & D_{j} & D_{n} \\ c_{11 \dots} c_{1 m_{1}} & c_{j 1 \dots} c_{j m_{j}} & \dots & c_{n 1 \dots} c_{n m_{n}} \end{matrix}}{[\begin{matrix} P_{C}^{α 11} & \dots & P_{C}^{α 1 j} & \dots & P_{C}^{α 1 n} \\ ⋮ & ⋮ & ⋮ \\ P_{C}^{α i 1} & \dots & P_{C}^{α i j} & \dots & P_{C}^{α i n} \\ ⋮ & ⋮ & ⋮ \\ P_{C}^{α n 1} & \dots & P_{C}^{α n j} & \dots & P_{C}^{α n n} \end{matrix}]}$

(A8)

where $P_{C}^{α}$ denotes the normalizing total influence relation matrix, and $P_{c}^{α 12}$ is derived from Equations (A9) and (A10). Similarly, $P_{c}^{α n n}$ can be obtained:

$P_{i}^{12} = \sum_{j = 1}^{m_{2}} P_{\overset{i j}{c}}^{12}, i = 1, 2, \dots, m_{1}$

(A9)

$P_{c}^{α 12} = \begin{matrix} [\begin{matrix} p_{11}^{12} / p_{1}^{12} & \dots & p_{1 j}^{12} / p_{1}^{12} & \dots & p_{1 m_{2}}^{12} / p_{1}^{12} \\ ⋮ & ⋮ & ⋮ \\ p_{i 1}^{12} / p_{i}^{12} & \dots & p_{i j}^{12} / p_{i}^{12} & \dots & p_{i m_{2}}^{12} / p_{i}^{12} \\ ⋮ & ⋮ & ⋮ \\ p_{m_{1} 1}^{12} / p_{m_{1}}^{12} & \dots & p_{m_{1} j}^{12} / p_{m_{1}}^{12} & \dots & p_{m_{1} m_{2}}^{12} / p_{m_{1}}^{12} \end{matrix}] \end{matrix} = \begin{matrix} [\begin{matrix} p_{11}^{α 12} & \dots & p_{1 j}^{α 12} & \dots & p_{1 m_{2}}^{α 12} \\ ⋮ & ⋮ & ⋮ \\ p_{i 1}^{α 12} & \dots & p_{i j}^{α 12} & \dots & p_{i m_{2}}^{α 12} \\ ⋮ & ⋮ & ⋮ \\ p_{m_{1} 1}^{α 12} & \dots & p_{m_{1} j}^{α 12} & \dots & p_{m_{1} m_{2}}^{α 12} \end{matrix}] \end{matrix}$

(A10)

According to the pair-wise comparisons with the criteria, and based on the basic concept of ANP, the un-weighted super-matrix W can be obtained by transposing the normalized influence-relation matrix $P_{C}^{α}$ by dimensions (clusters), i.e., $W = (P_{C}^{α})^{'}$ , as shown in Equation (A11):

$W = (P_{C}^{α})^{'} = \begin{matrix} \begin{array}{l} D_{1} \\ ⋮ \end{array} \\ \begin{array}{l} D_{j} \\ ⋮ \end{array} \\ \begin{array}{l} \end{array} \\ D_{n} \end{matrix} \begin{matrix} \begin{array}{l} c_{11} \\ c_{\begin{array}{l} 12 \\ ⋮ \end{array}} \\ c_{\begin{array}{l} 1 m_{1} \\ ⋮ \end{array}} \\ c_{j 1} \\ c_{\begin{array}{l} j 2 \\ ⋮ \end{array}} \end{array} \\ \begin{array}{l} c_{\begin{array}{l} j m_{j} \\ ⋮ \end{array}} \\ c {}_{n 1} \\ c_{\begin{array}{l} n 2 \\ ⋮ \end{array}} \\ c_{n m_{n}} \end{array} \end{matrix} \overset{\begin{matrix} D_{1} & D_{i} & D_{n} \\ c_{11 \dots} c_{1 m_{1}} & \dots & c_{i 1 \dots} c_{i m_{i}} & \dots & c_{n 1 \dots} c_{n m_{n}} \end{matrix}}{[\begin{matrix} W^{11} & \dots & W^{i 1} & \dots & W^{n 1} \\ ⋮ & ⋮ & ⋮ \\ W^{1 j} & \dots & W^{i j} & \dots & W^{n j} \\ ⋮ & ⋮ & ⋮ \\ W^{1 n} & \dots & W^{i n} & \dots & W^{n n} \end{matrix}]}$

(A11)
Step 6:: Obtain the weighted super-matrix $W^{α}$ . The total influence-relation matrix $P_{D}$ of dimensions is derived according to the DEMATEL technique, as given by Equation (A12):

$P_{D} = [\begin{matrix} p_{D}^{11} & \dots & p_{D}^{1 j} & \dots & p_{D}^{1 n} \\ ⋮ & ⋮ & ⋮ \\ p_{D}^{i 1} & \dots & p_{D}^{i j} & \dots & p_{D}^{i n} \\ ⋮ & ⋮ & ⋮ \\ p_{D}^{n 1} & \dots & p_{D}^{n j} & \dots & p_{D}^{n n} \end{matrix}]$

(A12)

The normalized total influence-relation matrix $P_{D}^{α}$ of dimensions can be obtained through the total influence-relation matrix $P_{D}$ divided by $\sum_{j = 1}^{n} p^{i j} = p^{i}, i = 1, 2, \dots, n .$ , as shown in Equation (A13):

$P_{D}^{α} = [\begin{matrix} p_{D}^{11} / p_{1} & \dots & p_{D}^{1 j} / p_{1} & \dots & p_{D}^{1 n} / p_{1} \\ ⋮ & ⋮ & ⋮ \\ p_{D}^{i 1} / p_{i} & \dots & p_{D}^{i j} / p_{i} & \dots & p_{D}^{i n} / p_{i} \\ ⋮ & ⋮ & ⋮ \\ p_{D}^{n 1} / p_{n} & \dots & p_{D}^{n j} / p_{n} & \dots & p_{D}^{n m} / p_{n} \end{matrix}] = [\begin{matrix} p_{D}^{α 11} & \dots & p_{D}^{α 1 j} & \dots & p_{D}^{α 1 n} \\ ⋮ & ⋮ & ⋮ \\ p_{D}^{α i 1} & \dots & p_{D}^{α i j} & \dots & p_{D}^{α i n} \\ ⋮ & ⋮ & ⋮ \\ p_{D}^{α n 1} & \dots & p_{D}^{α n j} & \dots & p_{D}^{α n n} \end{matrix}]$

(A13)

The normalized $P_{D}^{α}$ and the un-weighted super-matrix W (shown as Equation (A11)), and the weighted super-matrix $W^{α}$ (normalized super-matrix) can be easily obtained by Equation (A14):

$W^{α} = P_{D}^{α} \times W = [\begin{matrix} p_{D}^{α 11} \times W^{11} & \dots & p_{D}^{α i 1} \times W^{i 1} & \dots & p_{D}^{α n 1} \times W^{n 1} \\ ⋮ & ⋮ & ⋮ \\ p_{D}^{α 1 j} \times W^{1 j} & \dots & p_{D}^{α i j} \times W^{i j} & \dots & p_{D}^{α n j} \times W^{n j} \\ ⋮ & ⋮ & ⋮ \\ p_{D}^{α 1 n} \times W^{1 n} & \dots & p_{D}^{α i n} \times W^{i n} & \dots & p_{D}^{α n n} \times W^{n n} \end{matrix}]$

(A14)
Step 7:: Find the limit super-matrix $W^{α}$ . Limit the weighted super-matrix by raising it to the kth power, until the super-matrix has converged and become a stable super-matrix. The global priority vectors are obtained, which are called the influential weights of DANP (DEMATEL-based ANP), such as $\lim_{k \to \infty} {(W^{α})}^{k}$ , where z represents any number of power.

In brief, according to the above process, the INRM and the influence weights of DANP can be obtained. Both the above (INRM and DANP) can be used to cope with the problem of interdependence and feedback in order to innovate/create the best systematic improvement strategies to reduce the gaps of criteria performance, in order that all criteria can achieve the aspiration level.

Appendix A.3. Measuring the Performance by Modified VIKOR

The VIKOR method, as developed by Opricovic and Tzeng [44], solves MADM problems with conflicting criteria. The concept of compromise is used for evaluation of the criteria for the different projects/alternatives in competition. It is based on the basic concept of the positive-ideal solution (or the aspiration level) and negative-ideal solution (or the worst level). The modified VIKOR method is, as follows:

Step 1:

Determine the positive-ideal solution and negative-ideal solution replaced by the aspiration levels and the worst value to fit today’s real world situation. Define the best value (aspiration level) shown as

f_{j}^{a s p i r e}

in j criterion and the worst value

f_{j}^{w o r s t}

for all criteria, which can be acquired from the traditional form to the modified form.

(1): Traditional approach for deriving the positive-ideal solution and negative-ideal solution as follows:
The positive-ideal solution: $f^{*} = (f_{1}^{*}, ..., f_{j}^{*}, ..., f_{n}^{*}),$ where $f_{j}^{*} = \max_{k} {f_{k j} | k = 1, 2, ..., m}$ ;
The negative-ideal solution: $f^{-} = (f_{1}^{-}, ..., f_{j}^{-}, ..., f_{n}^{-}),$ where $f_{j}^{-} = \min_{k} {f_{k j} | k = 1, 2, ..., m} .$
(2): The modified approach for replacement by the aspiration level and the worst value, as follows:
The aspiration level: $f^{a s p i r e} = (f_{1}^{a s p i r e}, ..., f_{j}^{a s p i r e}, ..., f_{n}^{a s p i r e})$ , where $f_{j}^{a s p i r e}$ is an aspiration level; The worst values: $f^{w o r s t} = (f_{1}^{w o r s t}, ..., f_{j}^{w o r s t}, ..., f_{n}^{w o r s t})$ , where $f_{j}^{w o r s t}$ is a worst value.
In this study, the performance range-scores from 0 to 10 (very bad ← 0,1,2,..,9,10 → very good) are used with natural language in the linguistic/semantic questionnaire, thus, the aspiration level takes the highest score of 10 and the worst value takes the value of 0. Hence, $f_{j}^{a s p i r e} = 10$ is defined as the aspiration level and $f_{j}^{w o r s t} = 0$ as the worst value, it can avoid choosing the best among inferior choices/options/alternatives. In other words, it avoids “picking the best apple from a barrel of rotten apples”.

Step 2:

Calculate the mean group utility

S_{k}

for the gap and maximal gap

Q_{k}

for prioritizing improvement. These values can be calculated using Equations (A15) and (A16), respectively:

S_{k} = \sum_{j = 1}^{n} w_{j} r_{k j} = \sum_{j = 1}^{n} w_{j} (| f_{j}^{a s p i r e} - f_{k j} |) / (| f_{j}^{a s p i r e} - f_{j}^{w o r s t} |)

(A15)

Q_{k} = \max_{j} {(| f_{j}^{a s p i r e} - f_{k j} |) / (| f_{j}^{a s p i r e} - f_{j}^{w o r s t} |) | j = 1, 2, ..., n}

(A16)

where

S_{k}

is defined as the normalized ratio of distance to the aspiration level, which implies the synthesized gap for the criteria. On the other hand,

Q_{k}

is defined as the normalized ratio of distance to the worst value, which implies the maximal gap in j criteria for priority improvement. Here,

w_{j}

indicates the influential weights for the criteria obtained from DANP, and

r_{k j}

indicates the normalized gap of the distance to the aspiration level.

Step 3:

Obtain the comprehensive indicator

R_{k}

for ranking and selection in the traditional VIKOR approach. The values are given by:

R_{k} = v (S_{k} - S^{*}) / (S^{-} - S^{*}) + (1 - v) (Q_{k} - Q^{*}) / (Q^{-} - Q^{*})

(A17)

where

S^{*} = \min_{k} S_{k}

,

S^{-} = \max_{k} S_{k}

,

Q^{*} = \min_{k} Q_{k}

,

Q^{-} = \max_{k} Q_{k}

and

0 \leq ν \leq 1

, where v denotes the weight on the strategy of the maximum group utility, and 1-v is the weight on the individual regret (maximal gap for priority improvement). Therefore, Equation (A17) can be rewritten as

R_{k} = v S_{k} + (1 - v) Q_{k}

in the modified VIKOR to replace the traditional VIKOR approach, when

S^{*} = S^{a s p i r e} = 0

and

Q^{*} = Q^{a s p i r e} = 0

as well as

S^{-} = S^{w o r s t} = 1

and

Q^{-} = Q^{w o r s t} = 1

are set. If

v = 1

represents only the consideration of the average gap weighting integration, then

v = 0

can be regarded as the maximum gap regarding the improvement priority. Generally speaking,

v = 0.5

can be set, but can be adjusted depending on expert opinion in the value integration.

References

Raval, V. Risk landscape of cloud computing. ISACA J. 2010, 1, 26. [Google Scholar]
Du, H.; Cong, Y. Cloud computing, accounting, auditing, and beyond. CPA J. 2010, 80, 66–70. [Google Scholar]
Fraser, S. The Risk Based Audit Process. Available online: http://www.charteredaccountants.com.au/ News-Media/Charter/Charter-articles/Audit-and-assurance/2011–07-The-Risk-Based-Audit-Approach.aspx2012 (accessed on 19 August 2016).
Robson, K.; Humphrey, C.; Khalifa, R.; Jones, J. Transforming audit technologies: Business risk and the audit field. Account. Organ. Soc. 2007, 32, 409–438. [Google Scholar] [CrossRef]
ISACA, ISACA Issues Four New Audit Programs on Cloud Computing, Crisis Management, Security and Active Directory. Available online: http://www.isaca.org/About-ISACA/Press-room/News-Releases/2010/Pages/ISACA-Issues-Four-New-Audit-Programson-Cloud-Computing-Crisis-Management-Security-and-Active-Directory.aspx2010 (accessed on 18 August 2015).
Chou, D.C. Cloud computing risk and audit issues. Comput. Stand. Interfaces 2015, 42, 137–142. [Google Scholar] [CrossRef]
Sookhak, M.; Talebian, H.; Ahmed, E.; Gani, A.; Khan, M.K. A review on remote data auditing in single cloud server: Taxonomy and open issues. J. Netw. Comput. Appl. 2014, 43, 121–141. [Google Scholar] [CrossRef]
Liou, J.J.H. New concepts and trends of MCDM for tomorrow-in honor of Professor Gwo-Hshiung Tzeng on the occasion of his 70th birthday. Technol. Econ. Dev. Econ. 2013, 19, 367–375. [Google Scholar] [CrossRef]
Liou, J.J.H.; Tzeng, G.H. Comments on “Multiple criteria decision making (MCDM) methods in economics: An overview”. Technol. Econ. Dev. Econ. 2012, 18, 672–695. [Google Scholar] [CrossRef]
Liou, J.J.H.; Tamošaitienė, J.; Zavadskas, E.K.; Tzeng, G.H. New hybrid COPRAS-G MADM model for improving and selecting suppliers in green supply chain management. Int. J. Prod. Res. 2016, 54, 114–134. [Google Scholar] [CrossRef]
Ondrus, J.; Pigneur, Y. Near field communication: An assessment for future payment systems. Inf. Syst. E-Bus. Manag. 2009, 7, 347–361. [Google Scholar] [CrossRef]
Peng, K.H.; Tzeng, G.H. A hybrid dynamic MADM model for problems-improvement in economics and business. Technol. Econ. Dev. Econ. 2013, 19, 638–660. [Google Scholar] [CrossRef]
Hwang, C.L.; Yoon, K. Multiple Attribute Decision Making: Methods and Applications a State-of-the-Art Survey; Springer Science & Business Media: New York, NY, USA, 2012. [Google Scholar]
Bozbura, F.T.; Beskese, A.; Kahraman, C. Prioritization of human capital measurement indicators using fuzzy AHP. Expert Syst. Appl. 2007, 32, 1100–1112. [Google Scholar] [CrossRef]
Asgari, M.; Abbasi, A. Comparing MADM and artificial neural network methods for evaluating suppliers in multiple sourcing decision. Decis. Sci. Lett. 2015, 4, 193–202. [Google Scholar] [CrossRef]
Chen, F.H. Application of a hybrid dynamic MCDM to explore the key factors for the internal control of procurement circulation. Int. J. Prod. Res. 2015, 53, 2951–2969. [Google Scholar] [CrossRef]
Li, X.; Wang, Y.; Chen, X. Cold chain logistics system based on cloud computing. Concurr. Comput. Pract Exp. 2012, 24, 2138–2150. [Google Scholar] [CrossRef]
Chen, Z.; Yoon, J. IT Auditing to assure a secure cloud computing. In Proceedings of the 2010 IEEE 6th World Congress on Services, Miami, FL, USA, 5–10 July 2010.
Zhu, Y.; Hu, H.; Ahn, G.J.; Yau, S.S. Efficient audit service outsourcing for data integrity in clouds. J. Syst. Softw. 2012, 85, 1083–1095. [Google Scholar] [CrossRef]
Lori, M. Data security in the world of cloud computing. IEEE Secur. Priv. 2009, 7, 61–64. [Google Scholar]
Zissis, D.; Lekkas, D. Addressing cloud computing security issues. Future Gener. Comput. Syst. 2012, 28, 583–592. [Google Scholar] [CrossRef]
Kim, S.H.; Lee, I.Y. Block access token renewal scheme based on secret sharing in apache hadoop. Entropy 2014, 16, 4185–4198. [Google Scholar] [CrossRef]
Choudhury, A.J.; Kumar, P.; Sain, M.; Lim, H.; Jae-Lee, H. A strong user authentication framework for cloud computing. In Proceedings of the 2011 IEEE Asia-Pacific Services Computing Conference (APSCC), Jeju, Korea, 12–15 December 2011; pp. 110–115.
Khorshed, M.T.; Ali, A.B.M.S.; Wasimi, S.A. A survey on gaps, threat remediation challenges and some thoughts for proactive attack detection in cloud computing. Future Gener. Comput. Syst. 2012, 28, 833–851. [Google Scholar] [CrossRef]
Patel, A.; Taghavi, M.; Bakhtiyari, K.; Júnior, J.C. An intrusion detection and prevention system in cloud computing: A systematic review. J. Netw. Comput. Appl. 2013, 36, 25–41. [Google Scholar] [CrossRef]
Mansfield-Devine, S. A patchy response: The dangers of not keeping our systems secure. Comput. Fraud Secur. 2015, 2015, 15–20. [Google Scholar] [CrossRef]
Rasheed, H. Auditing for standards compliance in the cloud: Challenges and directions. In Proceedings of the 2011 international Arab conference on information technology (ACIT 2011), Riyadh, Saudi Arabia, 10–13 December 2011.
Albanese, M.; Jajodia, S.; Jhawar, R.; Piuri, V. Securing mission-centric operations in the cloud. In Secure Cloud Computing; Springer: New York, NY, USA, 2014; pp. 239–259. [Google Scholar]
Jincui, C.; Liqun, J. Role-based access control model of cloud computing. Energy Procedia 2011, 13, 1056–1061. [Google Scholar]
Chen, J.; Wu, G.; Shen, L.; Ji, Z. Differentiated security levels for personal identifiable information in identity management system. Expert Syst. Appl. 2011, 38, 14156–14162. [Google Scholar] [CrossRef]
Goode, J. The importance of identity security. Comput. Fraud Secur. 2012, 2012, 5–7. [Google Scholar] [CrossRef]
Liu, Z.; Yan, H.; Li, Z. Server-aided anonymous attribute-based authentication in cloud computing. Future Gener. Comput. Syst. 2015, 52, 61–66. [Google Scholar] [CrossRef]
Svantesson, D.J.B. Data protection in cloud computing—The Swedish perspective. Comput. Law Secur. Rev. 2012, 28, 476–480. [Google Scholar] [CrossRef]
Kikuchi, S.; Hiraishi, K. Improving reliability in management of cloud computing infrastructure by formal methods. In Proceedings of the 2014 IEEE Network Operations and Management Symposium (NOMS), Krakow, Poland, 5–9 May 2014.
Hwang, C.L.; Yoon, K.S. Multiple Attribute Decision Making: Method and Applications; Springer-Verlag: New York, NY, USA, 1981. [Google Scholar]
Yoon, K.P.; Hwang, C.L. Multiple Attribute Decision Making: An Introduction; Sage Publications: Thousand Oaks, CA, USA, 1995. [Google Scholar]
Cebi, S. A quality evaluation model for the design quality of online shopping websites. Electron. Commer. Res. Appl. 2013, 12, 124–135. [Google Scholar] [CrossRef]
Keramati, A.; Shapouri, F. Multidimensional appraisal of customer relationship management: Integrating balanced scorecard and multi criteria decision making approaches. Inf. Syst. E-Bus. Manag. 2016, 14, 217–251. [Google Scholar] [CrossRef]
Chen, F.H.; Chi, D.J. Application of a new DEMATEL to explore key factors of China’s corporate social responsibility: Evidence from accounting experts. Qual. Quant. 2015, 49, 135–154. [Google Scholar] [CrossRef]
Saaty, T.L. Decision Making with Dependence and Feedback: The Analytic Network Process: The Organization and Prioritization of Complexity; RWS Publications: Pittsburgh, PA, USA, 1996. [Google Scholar]
Chen, F.H.; Tzeng, G.H.; Chang, C.C. Evaluating the enhancement of corporate social responsibility websites quality based on a new hybrid MADM model. Int. J. Inf. Technol. Decis. Mak. 2015, 14, 697–724. [Google Scholar] [CrossRef]
Lee, W.H.; Hwang, K.P.; Lin, W.J.; Shieh, J.L. An analysis of trusted service manager development modes by mobile operating system designers in Taiwan. Electron. Commer. Res. Appl. 2015, 14, 592–602. [Google Scholar] [CrossRef]
Opricovic, S. Multicriteria Optimization of Civil Engineering Systems. Fac. Civ. Eng. Belgrade 1998, 2, 5–21. [Google Scholar]
Opricovic, S.; Tzeng, G.H. Extended VIKOR method in comparison with outranking methods. Eur. J. Oper. Res. 2007, 178, 514–529. [Google Scholar] [CrossRef]
Saaty, T.L. The Analytic Hierarchy Process; McGraw-Hill: New York, NY, USA, 1980. [Google Scholar]
Li, H.; King, G.; Ross, M.; Staples, G. BS7799: A suitable model for information security management. In Proceedings of the Americas Conference on Information Systems (AMCIS), California, CA, USA, 13–15 August 2000.
Calder, A. ISO27001/ISO27002: A Pocket Guide; IT Governance: Cambridgeshire, UK, 2013. [Google Scholar]
Ruan, K.; Carthy, J. Cloud computing reference architecture and its forensic implications: A preliminary analysis. In Digital Forensics and Cyber Crime; Springer: Berlin/Heidelberg, Germany, 2013; pp. 1–21. [Google Scholar]
Pearson, S. Taking account of privacy when designing cloud computing services. In Proceedings of the 2009 ICSE Workshop on Software Engineering Challenges of Cloud Computing; IEEE Computer Society: Washington, DC, USA, 2009; pp. 44–52. [Google Scholar]
Scarfone, K. Guide to Security for Full Virtualization Technologies; DIANE Publishing: Collingdale, PA, USA, 2011. [Google Scholar]
Kepczyk, R.H. Remote access cloud hosting options for CPA firms. CPA Pract. Manag. Forum 2011, 7, 10–13. [Google Scholar]
Wu, L.; Buyya, R. Service Level Agreement (SLA) in Utility Computing Systems; IGI Global: Hershey, PA, USA, 2010. [Google Scholar]
Cloud computing security considerations, Intelligence and security. Australian Government Department of Defence. Available online: http://www.asd.gov.au/publications/protect/cloud_computing_security_considerations.htm (accessed on 18 August 2016).
Allen, M.J. Cloud computing heavenly solution or pie in the sky? Pa. CPA J. 2011, 82, 1–4. [Google Scholar]
Badger, L.; Grance, T.; Patt-Corner, R.; Voas, J. Draft Cloud Computing Synopsis and Recommendations; NIST special publication: Washington, DC, USA, 2011. [Google Scholar]
Hogan, M.; Liu, F.; Sokol, A.; Tong, J. Nist Cloud Computing Standards Roadmap; NIST Special Publication: Gaithersburg, MD, USA, 2011. [Google Scholar]
Pan, L.; Wang, D. A cross-entropy-based admission control optimization approach for heterogeneous virtual machine placement in public clouds. Entropy 2016, 18, 95. [Google Scholar] [CrossRef]
Duffy, H. How “cloud-ready” is your firm? CPA Pract. Manag. Forum 2012, 8, 5–6. [Google Scholar]
Lu, M.T.; Hu, S.K.; Huang, L.H.; Tzeng, G.H. Evaluating the implementation of business-to-business m-commerce by SMEs based on a new hybrid MADM model. Manag. Decis. 2015, 3, 290–317. [Google Scholar] [CrossRef]
Liou, J.J.H.; Chuang, Y.H.; Tzeng, G.H. A fuzzy integral-based model for supplier evaluation and improvement. Inf. Sci. 2014, 266, 199–217. [Google Scholar] [CrossRef]

Figure 1. Model procedure for new multiple attribute decision making for the application of cloud computing in auditing.

Figure 2. Diagram of the process for the empirical case.

Figure 3. The INRM of total influence relationships for the application of cloud computing in the auditing.

Table 1. The pre-test questionnaire risk factors for application of cloud computing in the auditing.

**Table 1.** The pre-test questionnaire risk factors for application of cloud computing in the auditing.
Perspectives (Dimensions)
Protection system	Technology risks	Automating user provisioning	Operations
Approval layers and controls Tangible and intangible security Network connection and data transmission Authentication method and authorization system Prevent intrusion Chain of custody process	Patchy response Supervisor Segregation of duties Software monitoring technology	Access rights administration Removal of entrance Periodic inspection of access Data backup Data recovery	Private laws Incident management Undesirable event management Service resilience Reliability and availability Supervision and management function

Table 2. The factors for application of cloud computing in the auditing.

**Table 2.** The factors for application of cloud computing in the auditing.
Dimensions/Criteria	Descriptions	References
Protection system (A)
Tangible and intangible security ( $a_{1}$ )	Use information assets, systems and peripherals for infrastructure and set necessary restrictions for security purposes.	[46,47,48]
Network connection and data transmission ( $a_{2}$ )	Use Internet connection and data transfer process to ensure data accuracy and authenticity	[21,46]
Authentication method and authorization system ( $a_{3}$ )	Before accessing data, users are required to verify personal password and authorized data.	[23,49]
Prevent intrusion ( $a_{4}$ )	Centralized management model provides all-weather monitoring network and analyzes intrusions.	[24,25]
Technology risks (B)
Patchy response ( $b_{1}$ )	Programs are repaired by software providers when attacked by malwares.	[26,28,48,50]
Supervisor ( $b_{2}$ )	Top management or highly authorized users.	[29]
Segregation of duties ( $b_{3}$ )	Avoid unauthorized access or excessive authorization to ensure that customer information are fully protected and not used by other customers.	[29]
Automating user provisioning (C)
Access rights administration ( $c_{1}$ )	To read or write system files, or be read or written, permission must be granted to change and obtain authorization.	[46,48,50]
Removal of entrance ( $c_{2}$ )	Remove access authorization of former employees and those in violation of level authorization.	[48]
Periodic inspection of access ( $c_{3}$ )	Periodic testing of identity management system to detect damage and ensure access security.	[30,31]
Operations (D)
Private laws ( $d_{1}$ )	Regulate customer data collection, processing and use to avoid infringement of personal rights and promote appropriate use of personal information.	[33,49]
Incident management ( $d_{2}$ )	Information log for operational errors due to incomplete information and hacked important information.	[44,46,51]
Undesirable event management ( $d_{3}$ )	Timely assistance by providers to resolve any information problems and failure.	[44,46,51]
Service resilience ( $d_{4}$ )	Simple and succinct to avoid being burdened by excessive details when updating.	[46]
Reliability and availability ( $d_{5}$ )	Authorized users can access needed information anytime and anywhere.	[34,52]

Table 3. Total influence relation matrix

P_{D}

: four perspectives (or called dimensions).

**Table 3.** Total influence relation matrix $P_{D}$ : four perspectives (or called dimensions).
Perspectives	A	B	C	D	Row Sum ( $d_{i}$ )	Column Sum ( $r_{i}$ )	$d_{i} + r_{i}$	$d_{i} - r_{i}$
A	0.8241	0.8330	0.8257	0.8210	3.064	3.306	6.370	−0.242
B	0.7595	0.7650	0.7537	0.7542	2.979	3.316	6.114	−0.157
C	0.8247	0.8314	0.8244	0.8042	3.067	3.215	6.282	−0.148
D	0.7541	0.8312	0.8227	0.8070	2.995	1.307	4.302	1.688

Table 4. Total influence relation matrix

P_{C}

: fifteen criteria.

**Table 4.** Total influence relation matrix $P_{C}$ : fifteen criteria.
Criteria	$a_{1}$	$a_{2}$	$a_{3}$	$a_{4}$	$b_{1}$	$b_{2}$	$b_{3}$	$c_{1}$	$c_{2}$	$c_{3}$	$d_{1}$	$d_{2}$	$d_{3}$	$d_{4}$	$d_{5}$
$a_{1}$	0.714	0.830	0.861	0.845	0.759	0.787	0.808	0.808	0.802	0.793	0.712	0.796	0.783	0.771	0.726
$a_{2}$	0.805	0.799	0.894	0.883	0.807	0.820	0.840	0.845	0.837	0.831	0.727	0.824	0.813	0.803	0.754
$a_{3}$	0.774	0.827	0.788	0.846	0.768	0.795	0.816	0.814	0.808	0.790	0.703	0.795	0.776	0.767	0.723
$a_{4}$	0.798	0.861	0.877	0.799	0.788	0.804	0.824	0.833	0.826	0.821	0.716	0.824	0.806	0.794	0.748
$b_{1}$	0.734	0.796	0.807	0.796	0.667	0.740	0.759	0.765	0.754	0.754	0.662	0.757	0.744	0.736	0.695
$b_{2}$	0.786	0.846	0.865	0.847	0.764	0.732	0.825	0.831	0.824	0.804	0.709	0.803	0.785	0.782	0.727
$b_{3}$	0.789	0.843	0.871	0.851	0.756	0.799	0.754	0.831	0.823	0.807	0.712	0.805	0.792	0.785	0.733
$c_{1}$	0.804	0.866	0.891	0.876	0.782	0.813	0.837	0.777	0.841	0.827	0.737	0.818	0.801	0.805	0.766
$c_{2}$	0.763	0.820	0.848	0.833	0.748	0.778	0.798	0.806	0.731	0.792	0.697	0.775	0.761	0.758	0.711
$c_{3}$	0.799	0.864	0.886	0.879	0.793	0.816	0.836	0.839	0.833	0.762	0.734	0.822	0.811	0.806	0.760
$d_{1}$	0.816	0.863	0.887	0.874	0.796	0.816	0.841	0.853	0.842	0.829	0.679	0.831	0.812	0.809	0.760
$d_{2}$	0.784	0.846	0.871	0.859	0.786	0.793	0.817	0.821	0.812	0.807	0.720	0.748	0.805	0.798	0.752
$d_{3}$	0.769	0.826	0.857	0.847	0.772	0.782	0.805	0.811	0.804	0.800	0.713	0.807	0.723	0.782	0.733
$d_{4}$	0.762	0.821	0.843	0.838	0.759	0.777	0.801	0.805	0.797	0.789	0.700	0.794	0.778	0.709	0.727
$d_{5}$	0.706	0.759	0.768	0.764	0.697	0.714	0.731	0.735	0.727	0.727	0.649	0.737	0.723	0.711	0.613

Note:

\frac{1}{n (n - 1)} \sum_{i = 1}^{n} \sum_{j = 1}^{n} \frac{| g_{i j}^{p} - g_{i j}^{p - 1} |}{g {}_{i j}^{p}} \times 100 % = 1.49 % < 5 %

, significant confidence is 98.51%, where

g_{i j}^{p}

and

g_{i j}^{p - 1}

denote the average scores of the samples for p − 1 and p and n denotes number of criteria, here n = 15 and n × n matrix. Where p = 40 indicates the number of experts.

Table 5. The sum of the influences given and received on the perspectives and criteria.

**Table 5.** The sum of the influences given and received on the perspectives and criteria.
Perspectives/Criteria	Row Sum (d_i)	Column Sum (r_i)	d_i + r_i	d_i – r_i	Order
Protection system (A)	3.064	3.306	6.370	−0.242
Tangible and intangible security (a₁)	3.250	3.090	6.340	0.160	1
Network connection and data transmission (a₂)	3.380	3.317	6.697	0.063	2
Authentication method and authorization system (a₃)	3.235	3.420	6.655	−0.185	4
Prevent intrusion (a₄)	3.334	3.372	6.706	−0.038	3
Technology risks (B)	2.979	3.136	6.114	−0.157
Patchy response (b₁)	2.166	2.187	4.353	−0.021	2
Supervisor (b₂)	2.321	2.271	4.592	0.050	1
Segregation of duties (b₃)	2.309	2.338	4.647	−0.029	3
Automating user provisioning (C)	3.067	3.215	6.282	−0.148
Access rights administration (c₁)	2.445	2.423	4.868	0.022	2
Removal of entrance (c₂)	2.330	2.405	4.735	−0.075	3
Periodic inspection of access (c₃)	2.434	2.382	4.816	0.052	1
Operations (D)	2.995	1.307	4.302	1.688
Privacy laws (d₁)	3.890	3.461	7.351	0.429	1
Incident Management (d₂)	3.822	3.917	7.739	−0.095	3
Undesirable event management (d₃)	3.758	3.840	7.598	−0.082	2
Service resilience (d₄)	3.707	3.809	7.516	−0.102	4
Reliability and availability (d₅)	3.433	3.585	7.018	−0.152	5

Table 6. Unweighted super-matrix W based on DANP.

**Table 6.** Unweighted super-matrix W based on DANP.
Criteria	$a_{1}$	$a_{2}$	$a_{3}$	$a_{4}$	$b_{1}$	$b_{2}$	$b_{3}$	$c_{1}$	$c_{2}$	$c_{3}$	$d_{1}$	$d_{2}$	$d_{3}$	$d_{4}$	$d_{5}$
$a_{1}$	0.220	0.238	0.239	0.239	0.234	0.235	0.235	0.234	0.234	0.233	0.237	0.233	0.233	0.234	0.236
$a_{2}$	0.255	0.236	0.256	0.258	0.254	0.253	0.251	0.252	0.251	0.252	0.251	0.252	0.250	0.252	0.253
$a_{3}$	0.265	0.264	0.244	0.263	0.258	0.259	0.260	0.259	0.260	0.259	0.258	0.259	0.260	0.258	0.256
$b_{1}$	0.260	0.261	0.261	0.240	0.254	0.253	0.254	0.255	0.255	0.256	0.254	0.256	0.257	0.257	0.255
$b_{2}$	0.323	0.327	0.323	0.326	0.308	0.329	0.327	0.322	0.322	0.325	0.324	0.328	0.327	0.325	0.325
$b_{3}$	0.334	0.332	0.334	0.333	0.342	0.316	0.346	0.334	0.335	0.334	0.333	0.331	0.331	0.332	0.333
$b_{4}$	0.343	0.340	0.343	0.341	0.351	0.355	0.327	0.344	0.344	0.342	0.343	0.341	0.341	0.343	0.341
$c_{1}$	0.336	0.336	0.338	0.336	0.337	0.338	0.338	0.318	0.346	0.345	0.338	0.337	0.336	0.337	0.336
$c_{2}$	0.334	0.333	0.335	0.333	0.332	0.335	0.334	0.344	0.314	0.342	0.334	0.333	0.333	0.333	0.332
$c_{3}$	0.330	0.331	0.328	0.331	0.332	0.327	0.328	0.338	0.340	0.313	0.328	0.331	0.331	0.330	0.332
$d_{1}$	0.188	0.185	0.187	0.184	0.184	0.186	0.186	0.188	0.188	0.187	0.174	0.188	0.190	0.189	0.189
$d_{2}$	0.210	0.210	0.211	0.212	0.211	0.211	0.210	0.208	0.209	0.209	0.214	0.196	0.215	0.214	0.215
$d_{3}$	0.207	0.207	0.206	0.207	0.207	0.206	0.207	0.204	0.206	0.206	0.209	0.211	0.192	0.210	0.211
$d_{4}$	0.204	0.205	0.204	0.204	0.205	0.205	0.205	0.205	0.205	0.205	0.208	0.209	0.208	0.191	0.207
$d_{5}$	0.192	0.192	0.204	0.192	0.193	0.191	0.191	0.195	0.192	0.193	0.195	0.197	0.195	0.196	0.179

Table 7. Weighted super-matrix

W^{α}

based on DANP.

**Table 7.** Weighted super-matrix $W^{α}$ based on DANP.
Criteria	$a_{1}$	$a_{2}$	$a_{3}$	$a_{4}$	$b_{1}$	$b_{2}$	$b_{3}$	$c_{1}$	$c_{2}$	$c_{3}$	$d_{1}$	$d_{2}$	$d_{3}$	$d_{4}$	$d_{5}$
$a_{1}$	0.060	0.066	0.066	0.066	0.066	0.066	0.066	0.066	0.066	0.065	0.066	0.065	0.065	0.065	0.066
$a_{2}$	0.070	0.065	0.070	0.071	0.071	0.071	0.070	0.071	0.070	0.071	0.070	0.070	0.070	0.070	0.071
$a_{3}$	0.073	0.073	0.067	0.072	0.072	0.073	0.073	0.073	0.073	0.073	0.072	0.072	0.073	0.072	0.072
$a_{4}$	0.072	0.072	0.071	0.066	0.071	0.071	0.071	0.072	0.072	0.072	0.071	0.071	0.072	0.072	0.071
$b_{1}$	0.065	0.066	0.065	0.065	0.060	0.064	0.064	0.064	0.064	0.065	0.065	0.065	0.065	0.065	0.065
$b_{2}$	0.067	0.067	0.066	0.067	0.066	0.061	0.067	0.067	0.067	0.067	0.066	0.066	0.066	0.066	0.066
$b_{3}$	0.069	0.068	0.069	0.068	0.068	0.069	0.063	0.069	0.069	0.068	0.068	0.068	0.068	0.068	0.068
$c_{1}$	0.069	0.069	0.068	0.069	0.069	0.069	0.069	0.063	0.069	0.069	0.069	0.069	0.069	0.069	0.068
$c_{2}$	0.068	0.068	0.068	0.068	0.068	0.069	0.069	0.069	0.063	0.068	0.068	0.068	0.068	0.068	0.068
$c_{3}$	0.067	0.068	0.067	0.068	0.068	0.067	0.067	0.068	0.068	0.063	0.067	0.067	0.068	0.067	0.068
$d_{1}$	0.060	0.059	0.060	0.059	0.059	0.060	0.060	0.060	0.060	0.060	0.055	0.060	0.060	0.060	0.060
$d_{2}$	0.067	0.067	0.067	0.068	0.067	0.068	0.067	0.067	0.067	0.067	0.068	0.062	0.068	0.068	0.068
$d_{3}$	0.066	0.066	0.066	0.066	0.066	0.066	0.066	0.065	0.066	0.066	0.066	0.067	0.061	0.067	0.067
$d_{4}$	0.065	0.066	0.065	0.065	0.066	0.066	0.066	0.066	0.066	0.066	0.066	0.066	0.066	0.061	0.066
$d_{5}$	0.061	0.062	0.065	0.062	0.062	0.061	0.061	0.062	0.061	0.062	0.062	0.062	0.062	0.062	0.057

Table 8. Influential weights of DANP for each criterion obtained by

\lim_{k \to \infty} {(W_{α})}^{k}

.

**Table 8.** Influential weights of DANP for each criterion obtained by $\lim_{k \to \infty} {(W_{α})}^{k}$ .
Criteria	$a_{1}$	$a_{2}$	$a_{3}$	$a_{4}$	$b_{1}$	$b_{2}$	$b_{3}$	$c_{1}$	$c_{2}$	$c_{3}$	$d_{1}$	$d_{2}$	$d_{3}$	$d_{4}$	$d_{5}$
Weights (DANP)	0.0653	0.0701	0.0721	0.0710	0.0643	0.0661	0.0680	0.0685	0.0678	0.0672	0.0595	0.0671	0.0659	0.0653	0.0617

Table 9. Integrated index of dimensions and criteria.

**Table 9.** Integrated index of dimensions and criteria.
Dimensions/Criteria	Local Weights	Global Weights (by DANP)	Performance	Relative Gaps
Protection system (A)	0.279	0.123	7.471	0.253
Tangible and intangible security (a₁)	0.234	0.065	6.967	0.303
Network connection and data transmission (a₂)	0.252	0.070	7.133	0.287
Authentication method and authorization system (a₃)	0.259	0.072	7.800	0.220
Prevent intrusion (a₄)	0.255	0.071	7.933	0.207
Technology risks (B)	0.199	0.123	7.440	0.256
Patchy response (b₁)	0.324	0.064	7.800	0.220
Supervisor (b₂)	0.333	0.066	7.233	0.277
Segregation of duties (b₃)	0.343	0.068	7.300	0.270
Automating user provisioning (C)	0.203	0.123	7.899	0.210
Access rights administration (c₁)	0.337	0.069	7.767	0.223
Removal of entrance (c₂)	0.333	0.068	7.800	0.220
Periodic inspection of access (c₃)	0.330	0.067	8.133	0.187
Operations (D)	0.320	0.123	7.644	0.236
Privacy laws (d₁)	0.186	0.060	8.333	0.167
Incident Management (d₂)	0.210	0.067	7.433	0.257
Undesirable event management (d₃)	0.206	0.066	7.367	0.263
Service resilience (d₄)	0.205	0.065	7.367	0.263
Reliability and availability (d₅)	0.193	0.062	7.800	0.220
Total performances	-	-	7.607	-
Total gap (S_k)	-	-	-	0.239

Table 10. The implementation improvement plan.

**Table 10.** The implementation improvement plan.
Items	Strategy (Sequence of Improvement Priority)
F1: Influential network of dimensions of DEMATEL	D _ C _ B _ A
F2: Influential network of criteria within individual dimensions	D: (d₁) _ (d₃) _ (d₂) _ (d₄) _ (d₅) (d₃) _ (d₂) _ (d₄) _ (d₅) (d₂) _ (d₄) _ (d₅) (d₄) _ (d₅) C: (c₃) _ (c₁) _ (c₂) (c₁) _ (c₂) B: (b₂) _ (b₁) _ (b₃) (b₁) _ (b₃) A: (a₁) _ (a₂) _ (a₄) _ (a₃) (a₂) _ (a₄) _ (a₃) (a₄) _ (a₃)

© 2016 by the authors; licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC-BY) license (http://creativecommons.org/licenses/by/4.0/).

Share and Cite

MDPI and ACS Style

Hu, K.-H.; Chen, F.-H.; We, W.-J. Exploring the Key Risk Factors for Application of Cloud Computing in Auditing. Entropy 2016, 18, 401. https://doi.org/10.3390/e18080401

AMA Style

Hu K-H, Chen F-H, We W-J. Exploring the Key Risk Factors for Application of Cloud Computing in Auditing. Entropy. 2016; 18(8):401. https://doi.org/10.3390/e18080401

Chicago/Turabian Style

Hu, Kuang-Hua, Fu-Hsiang Chen, and Wei-Jhou We. 2016. "Exploring the Key Risk Factors for Application of Cloud Computing in Auditing" Entropy 18, no. 8: 401. https://doi.org/10.3390/e18080401

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Menu

Exploring the Key Risk Factors for Application of Cloud Computing in Auditing

Abstract

1. Introduction

2. Related Literature

2.1. Protection System

2.2. Technology Risks

2.3. Automating User Provisioning

2.4. Operations

3. Building a New MADM Model to Identify the Key Risk Factors for Application of Cloud Computing in the Auditing

3.1. Building an Influential Network Relation Map by DEMATEL

3.2. Identifying the Weights by DANP

3.3. Measuring the Performance by Modified VIKOR

3.4. Data Collection

4. Empirical Analysis

4.1. Background and Problem Description

4.2. Analysis of Empirical Result

4.2.1. DEMATEL Verification of the Analysis of Interactions between Dimensions and Criteria

4.2.2. Using the DANP to Determine Factor Weight

4.2.3. Implementation Performance of each Dimension and Standard

4.3. Management Implication

5. Conclusions

Acknowledgments

Author Contributions

Conflicts of Interest

Appendix A. A novel hybrid MADM model combined with DEMATEL, ANP, and modified VIKOR

Appendix A.1. Building an Influential Network Relation Map by DEMATEL

Appendix A.2. Based on the DEMATEL Technique to Find the Influential Weights of DANP

Appendix A.3. Measuring the Performance by Modified VIKOR

References

Share and Cite

Article Metrics

Article Access Statistics

Further Information

Guidelines

MDPI Initiatives

Follow MDPI