Exploring the Key Risk Factors for Application of Cloud Computing in Auditing

Kuang-Hua Hu 1, Fu-Hsiang Chen 2,* and Wei-Jhou We 2
1 Accounting School, Nanfang College of Sun Yat-sen University, Wenquan Town, Conghua, Guangzhou 510970, China; 18320709916@163.com
2 Department and Graduate School of Accounting, Chinese Culture University, No. 55 Hwa Kang Rd., Yang Ming Shan, Taipei 11114, Taiwan; clark15152006@yahoo.com.tw
* Correspondence: chenfuhsiang1@gmail.com; Tel.: +886-2-2861-0511 (ext. 35525)


Introduction
Cloud computing is becoming an important tool that professional CPA (Certified Public Accountant) firms and companies are using for their auditing and accounting information needs abroad. Cloud computing users plug into the cloud to fulfill their information technology needs. In particular, cloud computing should benefit small and medium size firms most, as the "ready-to-use" concept offers them the advantages of cost savings, efficiency and flexibility. Audit services performed by CPA firms have moved from paper to cloud computing, whereby the client's financial report information is stored in the cloud, and this audit process is subject to many risk factors, such as authentication, data security and privacy, system availability, business continuity, and other legal requirements [1]. Since the application of cloud computing technology in the auditing sector is more complicated than regular auditing work in the current system, effective and secure audits use more detailed information and have become more difficult [2]. Under such circumstances, auditors should understand the risk sources of cloud computing and create a sound auditing framework, so that cloud computing audit work can go smoothly [3].
Cloud computing in auditing is thus a future trend, and several risk factors should be considered. Given the few available studies, the importance of this issue and the need for relevant literature, this study examined key risk factors that should be considered when using cloud computing in auditing. CPA firms can reference the study results when constructing their cloud computing applications. Cloud computing applications in auditing involve a huge number of dimensions and sub-factors. Prior studies that discuss the security risks of cloud computing auditing through influential analysis mostly adopt narrative presentations [3][4][5][6]. Fewer studies in the literature adopt qualitative data, and some variables of the security risk of cloud computing auditing did not have quantitative data provided by experts. Furthermore, the related variables are not independent of one another, so an influential interrelationship (dependence and feedback) exists among them. However, conventional statistical methods impose restrictive assumptions, such as the linearity, normality, and independence of the security risk variables of cloud computing auditing [7]. Given that these assumptions are often inconsistent with the security risks of cloud computing auditing, the methods have intrinsic limitations in terms of effectiveness and validity.
If the dimensions and sub-factors affecting cloud computing in auditing can be constructed into a framework to determine their mutual impact, strategies for improvement can be prioritized and recommended to relevant authorities. In practice, the abovementioned risk factors are usually not mutually independent, and the dimensions and sub-factors may also be mutually influencing. To resolve the problem of mutual influence between the factors and sub-factors, this study used Multiple Attribute Decision Making (MADM), which is a methodology that simultaneously weighs multiple decision-making attributes to help decision makers prioritize program attributes and make an optimal selection when given limited viable options [8][9][10][11][12][13]. The state-of-the-art survey methods of MADM can be applied to explore the key risk factors that conflict with each other when using cloud computing in auditing. MADM procedures focus on how to select the best one among specified finite alternatives/factors [13]. Another advantage of MADM methods is that they have the capacity to analyze qualitative evaluation criteria [14]. One disadvantage of MADM techniques is the high volume of calculations needed for pairwise comparison, which makes them difficult to use when there are a large number of criteria/factors. These techniques need arbitrary ideal levels; however, they cannot match the subjective features of the decision makers [15]. Liou [8] asserts that the Decision Making Trial and Evaluation Laboratory (DEMATEL) can quantify complex problems and verify their direct and indirect relationships. Chen [16] recommends the DEMATEL-based Analytic Network Process (DANP) for solving dependence problems and feedback relationships since, in practice, each dimension and its sub-factors may be mutually influencing and therefore a simple relationship construct should not be used. Peng and Tzeng [12] compromised by using the VlseKriterijumska Optimizacija I Kompromisno Resenje (VIKOR) to determine the dimensionality and sub-factor performance for future reference and development.
The MADM model proposed here for real-world problems in applying cloud computing to auditing improves upon previous models in the following ways: (1) providing an interdependency model according to DANP concepts to overcome problems of dependence and feedback among risk factors; (2) incorporating VIKOR approaches to prioritize improvements according to the basic aspiration levels, allowing the proposed technique to avoid selecting the seemingly best solution from among alternatives; instead, all alternatives are replaced by aspiration levels obtained from VIKOR; (3) offering strategic planning models that give decision-makers multiple solutions for improvement priorities. Hence, the MADM model shifts the focus from simple ranking and selection of the most preferable alternatives to performance improvements and methods.
Therefore this study used MADM to explore cloud computing risk factors in auditing and, through literature review and interviews with industry experts, determined the dimensions and criteria that should be considered when using cloud computing in auditing. Using the DEMATEL approach, the mutual impact of the dimensions and criteria is first determined. Then, using an integration of DEMATEL and DANP, the mutually influencing factors are weighted. Finally, using the modified VIKOR, the performance of the dimensions and criteria for cloud computing in auditing is evaluated to determine key factors for consideration when using cloud computing in auditing and to prioritize strategies for improvement. The result can serve as a reference and development basis for CPA firms constructing cloud computing applications in auditing. According to the abovementioned observations, the main research questions this study aims to answer are as follows:
1. Which risk factors should be considered by CPA firms when using cloud computing?
2. When these risk factors are in mutual influence and conflict, which of them are the key factors?
3. Based on domain experts' cognition, how do those risk factors affect the executive performance?
The remainder of this paper is organized as follows: Section 1 briefly introduces the assessed dimensions and criteria in related literature; Section 2 discusses the analytical framework and methods for constructing the key factors for application of cloud computing in the auditing; Section 3 proposes an empirical case of an improvement plan for application of cloud computing in the auditing; Section 4 offers conclusions.

Related Literature
Providing quality service is a very important concern. Especially with an increasingly mobile social and business environment, the demand for immediate access has become the trend. Cloud computing is not limited by time or space, and as long as CPAs have Internet connections, information can be accessed for customer inquiries regardless of location and time. Moreover, cloud computing can quickly support a diversity of application software so that during economic boom, CPA firms can continue to expand their operations while during economic downturns, their expenses are reduced to fees needed for their services [2]. Hence CPA firms can flexibly adjust to their actual operation environment since their expansion is not limited by software, and their reduction will not create capital paralysis. In addition, flexible contracts allow CPA firms to pay fees based on different needed expenses, and hence easy control of cash flow. Cloud computing service models and application risk for CPA firms are described below.
Although cloud technology offers a set of low cost, high efficiency and high expandability advantages in cloud computing, there are still unresolved problems inherent in the processing of a large quantity of electronic data [17]. For example, cloud computing system failure could result in security problems such as data loss or theft. Hence before adopting cloud computing services (SaaS, PaaS, IaaS), cloud computing information security must be considered [18]. In terms of data security, CPA firms require very high information security because the consequences of stolen or damaged customer information would be disastrous and it must therefore be highly protected.
When considering cloud computing for its internal organization, CPA firms must evaluate the flexible distribution of their existing computing resources and especially information security [19]. For example, is the remote information center secure? Is the information vulnerable to leaks? If the information shares storage with other departments or shares servers with other corporations, will it be compromised? The efficiency and availability of services must also be evaluated. For example, how efficient is the cloud computing transmission, implementation and availability? Another factor to consider is accuracy and portability. For example, how do CPA firms transfer their existing software and services to cloud service providers? How do CPA firms integrate their software with the services provided by the cloud service providers? Currently, there are detailed management standards for information security technology and management, such as the ISO27001 which delineates key indicators and requirements for hardware, software, managers, users and those with access during auditing.
The use of cloud computing for CPA firms is an inevitable trend, but the new trend poses potential risks. For CPA firms, using cloud computing services requires specialized knowledge and training. Users storing and accessing information in the virtual environment through IT technology are confronted with many risks. Therefore users must clearly understand these risks before implementation, including the legal roles and responsibilities of users and service providers, compliance with local laws and regulations, data protection, tangible security, privacy, incident response and availability [6]. To effectively implement cloud computing, proactive measures must be taken to ensure security [20]. The US National Institute of Standards and Technology (NIST) proposed the Framework for Improving Critical Infrastructure Cybersecurity and Special Publications 800 Series, which states that a network security structure should identify, protect, detect, respond and reply. Based on literature review and interviews with CPA and CPA firm IT experts, this study summarized the four dimensions and criteria for using cloud computing in auditing, as shown below.

Protection System
The cloud computing system of CPA firms should adopt established security systems for unified and complete analysis. By using various cloud computing security check systems and logs in its operations and maintenance, the detection and investigation of violations can be enhanced. To achieve data protection, a comprehensive mechanism for a cloud computing log and review system should be constructed. The logs should include information such as user ID, operation date and time, operation content, and operation success. Zissis and Lekkas [21] pointed out that the use of trusted subcontractors in the cloud environment and trusted encryption can ensure the confidentiality, integrity and reliability of information and communications [22]. At the same time, to protect data, attempts should also be made to resolve specific security vulnerabilities. Choudhury et al. [23] also indicated that a strong authentication structure can restrict access by illegal cloud servers and ensure the safety and efficiency of cloud computing. Since the distribution patterns and open structure of cloud computing render it a target of intrusion, an effective intrusion monitoring and defense system is required to satisfy user needs [24,25].

Technology Risks
To implement cloud computing, CPA firms should construct a cloud computing platform since it is important to the development of cloud computing. The cloud computing platform can comprehensively analyze the risks of the cloud computing services, and objectively evaluate the information security capability of the cloud computing service platform, business continuity capability and legality of the platform and services. Since security vulnerabilities are inherent in the infrastructure, service platforms and applications, Mansfield-Devine [26] believes that implementing a vulnerability management program to determine vulnerable areas, followed by a good repair mechanism [27] to eliminate the vulnerabilities, can safeguard against malware attacks [28].

Automating User Provisioning
Jincui and Liqun [29] indicate that in cloud computing applications, automating user provisioning is a complex issue, and CPA firms should adopt an appropriate mode of cloud computing control and effective measures to ensure the accuracy and completeness of user activity logs. The clocks and times for all major cloud computing systems should be synchronized, interviews and operations should be recorded onto a physical recording system, and cloud computing platform logs should be promptly backed up onto a designated log server or secured interface. In addition, monitoring software should be used to ensure the consistency and completeness of the user activity log. Chen et al. [30] noted that many enterprises implement automating user provisioning to enhance security, improve efficiency, reduce costs, maintain data quality and ensure regulation compliance. Cloud computing has changed the security landscape of enterprises from internal to external networks, with increased emphasis on identification, and message and data protection [31]. Liu et al. [32] assert that basic anonymous cloud computing server verification can ensure user identity confidentiality and effective customer management.
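One way to implement the log controls described in this section and under Protection System, as an added example that is not code from the paper: it checks that each entry carries the listed fields, that every platform entry reached the log server unchanged, and that timestamps are consistent with synchronized clocks and prompt backup. The JSON-lines layout, the key names, `event_id`, `received_at` and the five-minute bound are assumptions, and both logs are constructed samples.

```python
"""Completeness and consistency check for user activity logs (added example)."""
import json
from datetime import datetime, timedelta

# Fields the paper lists for each entry: user ID, operation date and time,
# operation content, operation success. The key names are assumptions.
REQUIRED = ("user_id", "timestamp", "operation", "success")
MAX_DELAY = timedelta(minutes=5)  # assumed bound for "promptly backed up"

# Constructed sample: log written by the cloud platform.
PLATFORM_LOG = """\
{"event_id": 1, "user_id": "auditor01", "timestamp": "2024-03-01T09:00:00+00:00", "operation": "open workpaper", "success": true}
{"event_id": 2, "user_id": "auditor02", "timestamp": "2024-03-01T09:01:10+00:00", "operation": "export ledger", "success": false}
{"event_id": 3, "timestamp": "2024-03-01T09:02:00+00:00", "operation": "change access rights", "success": true}
{"event_id": 4, "user_id": "auditor01", "timestamp": "2024-03-01T09:03:30+00:00", "operation": "delete draft report", "success": true}
{"event_id": 5, "user_id": "auditor03", "timestamp": "2024-03-01T09:20:00+00:00", "operation": "download client file", "success": true}
"""

# Constructed sample: copy held on the designated log server, which stamps
# each entry with its own clock in "received_at" (assumed field).
LOG_SERVER_COPY = """\
{"event_id": 1, "user_id": "auditor01", "timestamp": "2024-03-01T09:00:00+00:00", "operation": "open workpaper", "success": true, "received_at": "2024-03-01T09:00:02+00:00"}
{"event_id": 2, "user_id": "auditor02", "timestamp": "2024-03-01T09:01:10+00:00", "operation": "export ledger", "success": true, "received_at": "2024-03-01T09:01:12+00:00"}
{"event_id": 3, "timestamp": "2024-03-01T09:02:00+00:00", "operation": "change access rights", "success": true, "received_at": "2024-03-01T09:02:01+00:00"}
{"event_id": 5, "user_id": "auditor03", "timestamp": "2024-03-01T09:20:00+00:00", "operation": "download client file", "success": true, "received_at": "2024-03-01T09:10:00+00:00"}
"""


def parse(text):
    """Index JSON-lines records by event_id, skipping blank lines."""
    records = {}
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            records[rec["event_id"]] = rec
    return records


def check_logs(platform_text, backup_text):
    """Compare the platform log with the log-server copy and list findings."""
    platform, backup = parse(platform_text), parse(backup_text)
    findings = {"missing_fields": [], "not_backed_up": [],
                "mismatch": [], "clock_or_delay": []}
    for eid, rec in sorted(platform.items()):
        # Accuracy: every required field is present and non-empty.
        absent = [f for f in REQUIRED if f not in rec or rec[f] in ("", None)]
        if absent:
            findings["missing_fields"].append((eid, absent))
        # Completeness: the entry must exist on the log server.
        copy = backup.get(eid)
        if copy is None:
            findings["not_backed_up"].append(eid)
            continue
        # Consistency: the copy must agree on every required field.
        if any(rec.get(f) != copy.get(f) for f in REQUIRED):
            findings["mismatch"].append(eid)
        # Clock sync and prompt backup: receipt cannot precede the event
        # and should follow it within MAX_DELAY.
        if "timestamp" in rec and "received_at" in copy:
            lag = (datetime.fromisoformat(copy["received_at"])
                   - datetime.fromisoformat(rec["timestamp"]))
            if lag < timedelta(0) or lag > MAX_DELAY:
                findings["clock_or_delay"].append((eid, lag.total_seconds()))
    return findings


if __name__ == "__main__":
    for kind, items in check_logs(PLATFORM_LOG, LOG_SERVER_COPY).items():
        print(f"{kind}: {items}")
```

A negative lag, as for event 5 in the sample, means the platform clock runs ahead of the log server, which is the synchronization failure the paragraph warns about.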

Operations
Given the complexity and innovation in cloud services and cloud computing technology and increasing user concern with data privacy, CPA firms using cloud technology, data warehousing and data mining technology must confront the source, application, flow and protection of data, and find ways to fulfill their responsibilities and protect customer rights. Svantesson [33] indicates that the Swedish Data Protection Act dictates that data controllers must adopt appropriate technology and organization to protect personal data processing. In the cloud computing landscape for auditing, audit information is stored and accessed through Internet links, and audit evidence can only be obtained on the Internet link. Under normal circumstances, the audit information flows globally, and the data owner can neither control its flow nor control its storage location. When using cloud computing for auditing, auditors may not be able to ascertain where the audit evidence is hosted, and may not even know which country the audit information is stored in. On the other hand, audit evidence is often stored with the data of the cloud service providers and other customers in the same environment, and may result in completely unusable information or difficult information availability. Kikuchi and Hiraishi [34] propose an automatic synthesis technology for re-configuring the program to avoid undue changes. They also proposed a vulnerability recognition technology in the system configuration to increase service flexibility, reduce operator error and improve the reliability and availability of cloud services.
In this study, the dimensions and criteria of the risk factors for application of cloud computing in auditing are derived from a literature review, brainstorming, CPA expert opinions, and interviews with IT department senior supervisors of CPA firms and academicians that specialize in computer auditing, and serve as the basis of the pre-test questionnaire. The results are shown in Table 1, including the four dimensions and 21 criteria.

Building a New MADM Model to Identify the Key Risk Factors for Application of Cloud Computing in the Auditing
This study uses a MADM tool characterized by multiple conflicting criteria [13,35,36]. The MADM model is developed based on the abovementioned studies, and is selected as a fitting method for the assessment of the key factors for application of cloud computing in the auditing; decision-makers can use the outcome for improving and reducing the performance gaps in each criterion. This section includes four sub-sections: First, the DEMATEL method is used to construct an influential network relation map (INRM). Secondly, this study illustrates how to derive the influential weights of DANP, as based on the total influence matrix of DEMATEL. Thirdly, the modified VIKOR method is applied to transform the performance values into the amended gap. Finally, the data collection process is introduced. The analytical framework is illustrated in Figure 1.

Building an Influential Network Relation Map by DEMATEL
The DEMATEL technique is used to construct an INRM in order to understand specific societal problems [37,38]. The DEMATEL technique can be divided into five stages. In the first stage, it calculates a system with n elements/criteria, and launches the evaluation scale using pairwise comparison of the aspects/criteria, in order to determine the degree of influence using a five-point scale ranging from 0 (no effect) to 4 (extremely influential), for pairwise comparison of perceptions/feelings by domain experts. The second stage measures the initial matrix to directly obtain influential matrix G. The third stage finds the normalized matrix Z, where the sums of at least one column or row, but not all, equal one. In the fourth stage, the total influential matrix P can be derived, and the INRM can be illustrated [12,39]. Further explanation of the DEMATEL method may be found in Appendix A.1.
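The stages above carried through on a constructed 4 × 4 matrix, as an added example that is not the authors' code or survey data. Appendix A.1 is not reproduced on this page, so the normalization by the largest row or column sum, the closed form P = Z(I − Z)^-1, and the reading of d as row sums (influence given) and r as column sums (influence received) are the standard DEMATEL formulas, assumed here.

```python
"""DEMATEL stages on a constructed matrix (added example, not the paper's data)."""

# Constructed expert-average direct-influence matrix G on the 0-4 scale.
# G[i][j] is the influence of element i on element j. The labels reuse the
# paper's four dimension letters; the scores are illustrative only.
LABELS = ["A", "B", "C", "D"]
G = [
    [0.0, 2.0, 1.0, 1.0],
    [3.0, 0.0, 2.0, 1.0],
    [3.0, 2.0, 0.0, 1.0],
    [4.0, 3.0, 3.0, 0.0],
]


def normalize(g):
    """Normalized matrix Z: scale G so the largest row or column sum is 1."""
    largest = max(max(sum(row) for row in g),
                  max(sum(col) for col in zip(*g)))
    if largest == 0:
        raise ValueError("direct-influence matrix is all zeros")
    return [[v / largest for v in row] for row in g]


def matmul(a, b):
    """Plain matrix product of two square lists of lists."""
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)]
            for row in a]


def invert(m):
    """Gauss-Jordan inverse with partial pivoting."""
    n = len(m)
    aug = [list(row) + [1.0 if i == j else 0.0 for j in range(n)]
           for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("I - Z is singular; influence series diverges")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        scale = aug[col][col]
        aug[col] = [v / scale for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0.0:
                factor = aug[r][col]
                aug[r] = [v - factor * p for v, p in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def total_influence(z):
    """Total influence P = Z + Z^2 + ... = Z (I - Z)^-1."""
    n = len(z)
    i_minus_z = [[(1.0 if i == j else 0.0) - z[i][j] for j in range(n)]
                 for i in range(n)]
    return matmul(z, invert(i_minus_z))


def analyze(g, labels=LABELS):
    """Return d - r (relation), d + r (prominence) and the d - r ranking."""
    p = total_influence(normalize(g))
    d = [sum(row) for row in p]        # influence given (row sums)
    r = [sum(col) for col in zip(*p)]  # influence received (column sums)
    relation = {l: di - ri for l, di, ri in zip(labels, d, r)}
    prominence = {l: di + ri for l, di, ri in zip(labels, d, r)}
    ranking = sorted(labels, key=relation.get, reverse=True)
    return {"relation": relation, "prominence": prominence,
            "ranking": ranking}


if __name__ == "__main__":
    result = analyze(G)
    for label in result["ranking"]:
        print(f"{label}: d-r = {result['relation'][label]:+.3f}, "
              f"d+r = {result['prominence'][label]:.3f}")
```

Elements with positive d − r are net causes and are the natural place to start improvement; elements with negative d − r mostly absorb influence from the others.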

Identifying the Weights by DANP
The basic ANP concepts are applied in the DEMATEL method in order to confirm the influential relationship of the criteria of DANP, which shows the relative influential weights of criteria. The ANP method is considered suitable to treat complex network relationships, which is expanded from AHP (Analytic Hierarchy Process) method by Saaty [40]. In this paper, the DEMATEL method is adopted into the ANP method to generate the un-weighted super-matrix. Therefore, this research combined the advantages of ANP and DEMATEL to solve the problems of dependence and feedback associated with the interrelations between criteria [16,41,42]. The DANP process is as shown in Appendix A.2.

Measuring the Performance by Modified VIKOR
The VIKOR method, as introduced by Opricovic [43] and developed by Opricovic and Tzeng [44], uses the concept of compromise to solve MADM problems with conflicting criteria. The best one can be selected among the alternatives, as based on the concept of a compromise solution, when handling complex decision making problems in the MADM framework. The modified VIKOR is applied here to derive the optimal alternative/criteria; for detailed steps see Appendix A.3.

Data Collection
In order to ensure effective pair-wise comparisons and good consistency, Saaty [45] suggests that there should be a limited number of factors in a single construct. The relative importance criteria were found by asking experts (a total of eight senior supervisors of IT departments of CPA firms, two CPA experts, and two academicians that specialize in computer auditing) to answer the pre-test questionnaire, selecting the important criteria (based on triangular fuzzy numbers and with a mean of eight and above). Question responses ranged from 0 to 10, with a high score meaning high importance; the results are shown in Table 2. The pre-test questionnaire results were applied and the DEMATEL, DANP and modified VIKOR methods combined and incorporated into the questionnaire design. A total of 40 interviews (a total of 20 senior supervisors of IT departments of CPA firms, 15 CPA experts, and five professors of computer auditing) have been carried out mainly for the analysis of interactions between the application of cloud computing in the auditing dimensions and criteria as well as performance.

Dimensions/Criteria | Descriptions | References
Protection system (A)
Tangible and intangible security (a1) | Use information assets, systems and peripherals for infrastructure and set necessary restrictions for security purposes. | [46][47][48]
Network connection and data transmission (a2) | Use Internet connection and data transfer process to ensure data accuracy and authenticity. | [21,46]
Authentication method and authorization system (a3) | Before accessing data, users are required to verify personal password and authorized data. | [23,49]
Prevent intrusion (a4) | Centralized management model provides all-weather monitoring network and analyzes intrusions. | [24,25]
Technology risks (B)
Patchy response (b1) | Programs are repaired by software providers when attacked by malwares. | [26,28,48,50]
Supervisor (b2) | Top management or highly authorized users. | [29]
Segregation of duties (b3) | Avoid unauthorized access or excessive authorization to ensure that customer information are fully protected and not used by other customers. | [29]
Automating user provisioning (C)
Access rights administration (c1) | To read or write system files, or be read or written, permission must be granted to change and obtain authorization. | [46,48,50]
Removal of entrance (c2) | Remove access authorization of former employees and those in violation of level authorization. | [48]
Periodic inspection of access (c3) | Periodic testing of identity management system to detect damage and ensure access security. | [30,31]
Operations (D)
Private laws (d1) | Regulate customer data collection, processing and use to avoid infringement of personal rights and promote appropriate use of personal information. | [33,49]
Incident management (d2) | Information log for operational errors due to incomplete information and hacked important information. | [44,46,51]
Undesirable event management (d3) | Timely assistance by providers to resolve any information problems and failure. | [44,46,51]
Service resilience (d4) | Simple and succinct to avoid being burdened by excessive details when updating. | [46]
Reliability and availability (d5) | Authorized users can access needed information anytime and anywhere. | [34,52]

Empirical Analysis
This section explains the study, which proposed improvement priorities based on questionnaire results and assessment. The empirical analysis process is shown in Figure 2.

Background and Problem Description
Cloud computing is appropriate for corporations needing mobile services and IT outsourcing, and the business programs of CPA firms are consistent with these needs [51]. For accounting and auditing, cloud technology offers the advantage of revolutionary technological development, and cloud computing allows CPA firms to purchase less new software and hardware each year. At the same time, efficiency, seamless programs and quality service are becoming increasingly important for CPA firms, and cloud computing provides information access that is not limited by time or space, so that CPAs can access information as long as the Internet is available. The main advantages of using cloud computing are as described above, but before using cloud computing in auditing to manage clients' information, what issues should CPA firms consider and how would these issues affect client service?

DEMATEL Verification of the Analysis of Interactions between Dimensions and Criteria
According to the research method described in Section 3.1, the average initial direct-influence matrix G involving 15 criteria has been derived from expert interviews, and is a 15 × 15 matrix. The DEMATEL procedure was then utilized to obtain a normalized direct-influence matrix, and then carried out to obtain the total-influence matrix Z as shown in Table 3. From the understanding of the interviewed experts, there would be interactions between the 4 dimensions and 15 standards. The total-influence matrix TD for the dimensions and TC for the criteria are derived, as shown in Tables 3 and 4. The sum of influence given di − ri and received di − ri (please see Appendix A: DEMATEL step 3, Equations (3), (5) and (6)) for each dimension and criterion can be derived and shown in Tables 3 and 5. The influential network-relationship can be visualized by drawing an INRM of the four dimensions and their subsystems, as illustrated in Figure 3.
Entropy 2016, 18, 401
Results of Table 3 show that the four dimensions, namely Protection system (A), Technology risks (B), Automating user provisioning (C) and Operations (D), are mutually influential. According to the influential relation (di − ri), it can be found that "Operations (D)" (di − ri = 1.688, maximum) has the highest degree of an impact relationship that affects other dimensions directly. By contrast, "Protection system (A)" (di − ri = −0.242, minimum) is the most vulnerable to impact. This is further illustrated in Figure 3, indicating that influential priority can be sequenced as: "Operations (D)" > "Automating user provisioning (C)" > "Technology risks (B)" > "Protection system (A)". When considering the improvement, the panel experts all regard "operations" first and agree the first priority for improvement should be "Operations (D)", which can then produce an influential effect on the remaining dimensions.
For CPA firms, the most serious problem is incorrect information or cloud service system failure when using cloud computing in auditing, so when using cloud computing, information correctness and cloud service system support should be the foremost objectives for CPA firms, as the occurrence of any problem in these areas could result in auditing failure. Therefore signing a contract with cloud providers to require cloud computing system stability [53] can reduce system downtime and maintain high work efficiency and quality service [54].
In terms of criteria, Table 5 shows that the 15 criteria are mutually influencing. Compared to other criteria, Private Laws (d1) is the most influential (di − ri = 0.429); in contrast, Authentication method and authorization system (a3) is the least influential (di − ri = −0.185). When using cloud computing in auditing, client audit information is a critical concern for CPA firms. In compliance with the governmental Personal Information Protection Act, CPA firms must properly protect client audit information, and store the information in a secure, damage and leak proof facility [55]. At the same time, the Personal Information Protection Act has also ensured that cloud computing systems are more sophisticated and audit information less vulnerable to hackers. Furthermore, analysis of each dimension showed that in the Protection system (A) dimension, Tangible and intangible security (a1) is the most important criterion (di − ri = 0.160) whereas Authentication method and Authorization system (a3) is the least influential criterion (di − ri = −0.185). CPA firms must have hardware and software support to successfully implement cloud computing, and must ensure that their equipment is subjected to rigorous protection and monitoring to protect stored customer audit information [56]. Therefore, compared to other criteria in the Protection system dimension, the Tangible and intangible security (a1) criterion is more influential.
In the Technology risks (B) dimension, Supervisors (b 2 ) is the most important criterion (di − ri = 0.050) whereas Segregation of duties (b 3 ) is the least influential criterion (di − ri = −0.029).
In cloud computing, CPA firms depend on a primary user to centrally manage the cloud computing, and implement a set of strict segregation of duties to prevent unauthorized users from accessing customer audit information.Without such segregation, customer audit information may be subjected to unauthorized access or leakage, and result in lawsuits that may severely jeopardize the reputation of the CPA firms.Therefore, compared to other criteria in the Technology risks (B) dimension, the Supervisors (b 2 ) criterion is more influential.
In the Automating user provisioning (C) dimension, Periodic inspection of access (c 3 ) is the most important criterion (di − ri = 0.052) whereas Removal of entrance (c 2 ) is the least influential criterion (di − ri = −0.075).Cloud computing is an information technology, and when used in auditing, regular testing for damage or inadequacy is critical to ensure that the cloud computing system is updated with the latest version, secure and in compliance with SLA specification [51,57] to prevent information leak that may result in hacker damage.Therefore, compared to other criteria, the Periodic inspection of access (c 3 ) criterion is more influential.
In the Operations (D) dimension, Privacy laws (d 1 ) is the most important criterion (di − ri = 0.429) whereas Reliability and availability (d 5 ) is the least influential criterion (di − ri = −0.152)for the same reason as described above.Therefore, compared to other criteria, the Privacy laws (d 1 ) criterion is more influential.

Using the DANP to Determine Factor Weight
Using a combination of DEMATEL and DANP, the factor weight of each criterion is obtained. Using Equations (A10), (A11) and (A12), the DEMATEL total influence-relation matrix is used to construct the un-weighted super-matrix, as shown in Table 6. Using Equations (A8), (A14) and (A15), the weighted super-matrix for each dimension is obtained, as shown in Table 7. Finally, the limit super-matrix is used to obtain the global weights of the elements, as shown in Table 8. The results are applied to the modified VIKOR method to determine the performance of each criterion.

Implementation Performance of each Dimension and Standard
The modified VIKOR method is used to evaluate the overall performance gap of key factors in cloud computing in auditing. Based on the assessment of the 40 experts, this study ranked the criterion performance items in cloud computing auditing on a score of 1 to 10, with 1 being the lowest score and 10 the highest score, and a higher score representing better performance. Each criterion score and the total average gap ($S_k = \sum_{j=1}^{n} w_j r_{jk}$) is obtained using the DANP global weights multiplied by the gap ($r_{jk}$). As shown in Table 9, the average performance value is calculated from all the values of the criteria performance and their corresponding gaps ($r_{jk}$ = ). Based on these performance values, decision makers can identify the performance value of each dimension and criterion. The results showed that compared to other dimensions, Automating user provisioning (C) had the highest performance value of 7.899 and Technology risks (B) had the lowest value of 7.440. The overall average performance value is 7.607, which is 0.239 less than the expected optimal value (10), indicating a 23.9% gap from the optimal standard.

Management Implication
Figure 3 illustrates the causal relationship between the dimensions and criteria in this study. Through the INRM, the order of priority for improving key factors in cloud computing in auditing is: Operations (D), Automating user provisioning (C), Technology risks (B), and Protection system (A). The results indicate that compared to other dimensions, Operations (D) is the most influential. Unlike laptops, which are easily misplaced, cloud computing lets CPA firms store audit information in a way that reduces the risk of losing information and increases audit information security [58]. At the same time, CPA firms are obliged to ensure the security and confidentiality of customer information, and to fulfill their commitment to customer information security, they must exercise more caution when using cloud computing. Hence in the Operations (D) dimension, the most important element is compliance with the Personal Information Protection Act, followed by an information log of incorrect audit information, cloud service system errors or any other errors. The system is then updated according to prioritized log content to reduce time cost due to operating system delays. Therefore, in the abovementioned interview, experts perceived Operations as the most influential.
When considering only the single dimension of Operations (D) for improving cloud computing in auditing, the following criteria prioritization is recommended: (d1) ≻ (d3) ≻ (d2) ≻ (d4) ≻ (d5); when considering only criteria (d2), (d3), (d4), (d5) in this dimension, the recommended prioritization is (d3) ≻ (d2) ≻ (d4) ≻ (d5). For other dimensions, improvement prioritization for corresponding criteria is shown in Table 10. In addition, as shown in Table 9, the performance values overall have an average of 7.607, with 10 as the desired level. The average gap, indicating room for improvement, is 0.239 (this is the distance from 1.0).

Items
Strategy (Sequence of Improvement Priority)

Conclusions
This study used the application of cloud computing in auditing by Taiwan CPA firms as an empirical case to demonstrate that the MADM method could overcome the defects of the conventional MCDM method. First, the traditional model assumes that the criteria are independent and hierarchical in structure; however, real-world cloud computing in the auditing area frequently involves interdependent perspectives and criteria, and decision problems are frequently characterized by interdependent criteria and dimensions and may even exhibit feedback-like effects. This study presented a MADM method that applies the characteristics of influential weights of ANP and DEMATEL (DANP) to solve interdependence and feedback problems among the risk criteria of cloud computing in auditing. Second, the VIKOR method sets the aspired values as the aspiration level and the worst values as the tolerable level for all criterion functions; this enables a decision maker to reduce the gaps in alternatives to reach the aspiration levels. Third, the MADM method shifts the concept from the "ranking" or "selection" of the most preferable alternatives to the "improvement" of their performances to achieve the aspiration level based on the INRM using the DEMATEL method. The INRM identifies how and in which directions the cloud computing risk factors influence each other, which helps decision makers to understand the root causes of performance issues and devise strategies for improvement.
Cloud computing is a ready-to-use technology [2] that allows CPA firms to reduce costs and the inconvenience of paper audits and storage. It also offers the advantages of efficiency, mobility and flexibility. However, potential risks must be considered. Although cloud computing service providers have strengthened security controls to prevent hacking, CPA firms must take precautions to prevent damage to or loss of confidential information. Hence, based on a literature review and a summary of expert recommendations for CPA firms when using cloud computing in auditing, this study constructed an assessment framework for cloud computing in auditing. The DEMATEL is used to construct a network diagram showing the influential relationship between the dimensions and criteria of cloud computing in auditing. The DANP is then used to analyze the weightings. Last, the modified VIKOR is used to examine the performance of cloud computing in auditing, and the DEMATEL is used to prioritize improvement strategies. Key risk factors and improvement strategies are recommended for CPA firms when using cloud computing for auditing.
The sequence of influence priorities was as follows: Operations (D), Automating user provisioning (C), Technology risks (B) and Protection system (A). The average gap between the actual and desired levels of the application and implementation of cloud computing in auditing was 0.239, denoting the level that the current cloud computing implementation of Taiwan's CPA firms needs to reach. The implications of these results for management and improvement plans have been raised and formulated to help CPA firms effectively provide professional services and enjoy the advantages of cloud computing, thereby enhancing their reputation and the quality and quantity of economic benefits.
However, there are some limitations. First, this study was conducted with relatively expert sample groups. A larger sample that brought more explanatory power would have allowed more sophisticated evaluation analysis. Second, the criteria used in this research design are key criteria obtained through the integration of a literature review and a summary of expert interviews. Future studies can use other methods such as longitudinal studies and in-depth interviews to obtain the criteria, and examine the advantages and disadvantages compared to this study.
Step 1: Calculate the direct influence-relation average matrix G. Assume P experts and n criteria; the experts are asked to propose pairwise comparisons between any two criteria, which are denoted by, and are given, an integer score of 0, 1, 2, 3, or 4, expressing the range from "absolutely no influence (0)" to "very high influence (4)" by natural language in linguistics (e.g., semantics), and showing the degree to which each criterion i affects each criterion j. The answers by each expert form an n × n non-negative matrix where $X^1, \ldots, X^p, \ldots, X^P$ are the answer matrices by the P experts in practical experience, and the elements of $X^p$ are denoted by $x_{ij}^{p}$ from expert p. Thus, an n × n average matrix G of all experts can be built by Equation (A1): The average scores of the P experts are $g_{ij} = \frac{1}{P} \sum_{p=1}^{P} x_{ij}^{p}$. The average matrix is called the initial direct relation matrix G, and represents the degree of influence one criterion exerts on another, as well as the degree of influence it receives from other criteria.
Step 4: Find the normalized total influence relation matrix $P_C$. DEMATEL is used to build the total influence relation matrix from each perspective (dimension or cluster), with different degrees of influence relation for the criteria, as shown in Equation (A7), where $D_n$ is the nth cluster; $c_{nm}$ is the mth criterion in the nth dimension; and $P_C^{ij}$ is a submatrix of the influence relation by the criteria from a comparison of the ith dimension and the jth dimension. In addition, if the ith dimension has no influence on the jth dimension, then submatrix $P_C^{ij} = [0]$, which shows independence (no influence relation) in each other criterion.
Entropy 2016, 18, 401, 19 of 24
Step 5: Form an un-weighted super-matrix W. Normalize the total influence relation matrix $P_C$ as shown in Equation (A8), where $P_C^{\alpha}$ denotes the normalized total influence relation matrix, and $P_C^{\alpha 12}$ is derived from Equations (A9) and (A10). Similarly, $P_C^{\alpha nn}$ can be obtained. According to the pair-wise comparisons with the criteria, and based on the basic concept of ANP, the un-weighted super-matrix W can be obtained by transposing the normalized influence-relation matrix $P_C^{\alpha}$ by dimensions (clusters), i.e., $W = (P_C^{\alpha})'$, as shown in Equation (A11).
Using the normalized $P_D^{\alpha}$ and the un-weighted super-matrix W (shown as Equation (A11)), the weighted super-matrix $W^{\alpha}$ (normalized super-matrix) can be easily obtained by Equation (A14).
Step 7: Find the limit super-matrix $W^{\alpha}$. Limit the weighted super-matrix by raising it to the kth power, until the super-matrix has converged and become a stable super-matrix. The global priority vectors are obtained, which are called the influential weights of DANP (DEMATEL-based ANP), such as $\lim_{k \to \infty} (W^{\alpha})^{k}$, where k represents any number of power.
In brief, according to the above process, the INRM and the influence weights of DANP can be obtained. Both the above (INRM and DANP) can be used to cope with the problem of interdependence and feedback in order to innovate/create the best systematic improvement strategies to reduce the gaps of criteria performance, in order that all criteria can achieve the aspiration level.
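The chain summarised above (DEMATEL total influence, the di − ri ranking, the DANP limit weights, and the weighted gap $S_k$ from the performance section) can be traced end to end on a small case. The Python below is an added example, not the authors' code: it uses the standard DEMATEL normalisation and series form of the total matrix, the four-criterion matrix G and the scores are constructed, and only the labels a1, a3, d1, d5 come from the page. It assumes the dimension matrix is the block average of the criteria matrix and that the aspiration and worst levels are 10 and 0, which reproduces the page's 0.239 gap from the 7.607 average.

```python
# Added example, not the paper's code. All scores are constructed.
CRITERIA = ["a1", "a3", "d1", "d5"]      # labels borrowed from the page
CLUSTERS = {"A": [0, 1], "D": [2, 3]}    # dimension -> criterion indices
G = [[0, 3, 1, 2],                       # constructed average direct-influence
     [1, 0, 1, 1],                       # matrix, expert scores on the 0-4 scale
     [2, 4, 0, 3],
     [1, 2, 1, 0]]

def matmul(x, y):
    return [[sum(a * b for a, b in zip(r, c)) for c in zip(*y)] for r in x]

def total_relation(g, tol=1e-13):
    """T = D + D^2 + ... = D(I - D)^-1, D = G / max(row sum, column sum)."""
    s = max(max(map(sum, g)), max(map(sum, zip(*g))))
    d = [[v / s for v in row] for row in g]
    t = d
    for _ in range(10000):
        nxt = [[a + b for a, b in zip(p, q)] for p, q in zip(d, matmul(d, t))]
        if max(abs(a - b) for p, q in zip(nxt, t) for a, b in zip(p, q)) < tol:
            return nxt
        t = nxt
    raise ArithmeticError("series did not converge")

def net_influence(t):
    """d_i - r_i: influence given (row sum) minus received (column sum)."""
    return [sum(row) - sum(col) for row, col in zip(t, zip(*t))]

def danp_weights(t, clusters, tol=1e-13):
    """Return (weighted super-matrix, limit weights)."""
    groups, n = list(clusters.values()), len(t)
    # Dimension matrix = block averages of T (assumed), then row-normalised.
    td = [[sum(t[a][b] for a in ci for b in cj) / (len(ci) * len(cj))
           for cj in groups] for ci in groups]
    td = [[v / sum(row) for v in row] for row in td]
    w = [[0.0] * n for _ in range(n)]
    for i, ci in enumerate(groups):
        for j, cj in enumerate(groups):
            for a in ci:
                block = sum(t[a][b] for b in cj)
                for b in cj:   # normalise in block, transpose, weight by td
                    w[b][a] = td[i][j] * t[a][b] / block if block else 0.0
    v = [1.0 / n] * n
    for _ in range(10000):     # limit super-matrix by repeated multiplication
        nxt = [sum(w[r][c] * v[c] for c in range(n)) for r in range(n)]
        if max(abs(p - q) for p, q in zip(nxt, v)) < tol:
            return w, nxt
        v = nxt
    raise ArithmeticError("super-matrix did not converge")

def vikor_gap(weights, scores, aspired=10.0, worst=0.0):
    """S_k = sum_j w_j * r_jk, r_jk = |aspired - f_jk| / |aspired - worst|."""
    return sum(wj * abs(aspired - f) / abs(aspired - worst)
               for wj, f in zip(weights, scores))

if __name__ == "__main__":
    T = total_relation(G)
    print(dict(zip(CRITERIA, net_influence(T))))
    W, weights = danp_weights(T, CLUSTERS)
    print(weights, vikor_gap(weights, [8.1, 6.9, 7.4, 7.8]))  # constructed scores
```

With this constructed matrix, d1 is the strongest net cause and a3 the strongest net effect; every column of the weighted super-matrix sums to 1, so the limit weights sum to 1 as well.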

Appendix A.3. Measuring the Performance by Modified VIKOR
The VIKOR method, as developed by Opricovic and Tzeng [44], solves MADM problems with conflicting criteria. The concept of compromise is used for evaluation of the criteria for the different projects/alternatives in competition. It is based on the basic concept of the positive-ideal solution (or the aspiration level) and negative-ideal solution (or the worst level). The modified VIKOR method is as follows: Step 1: Determine the positive-ideal solution and negative-ideal solution replaced by the aspiration levels and the worst value to fit today's real world situation. Define the best value (aspiration

Figure 1. Model procedure for new multiple attribute decision making for the application of cloud computing in auditing.

Figure 2. Diagram of the process for the empirical case.

Figure 3. The INRM of total influence relationships for the application of cloud computing in the auditing.
significant confidence is 98.51%, where $g_{ij}^{p}$ and $g_{ij}^{p-1}$ denote the average scores of the samples for p and p − 1, and n denotes the number of criteria; here n = 15, giving an n × n matrix, and p = 40 indicates the number of experts.


Step 6: Obtain the weighted super-matrix $W^{\alpha}$. The total influence-relation matrix $P_D$ of dimensions is derived according to the DEMATEL technique, as given by Equation (A12). The normalized influence-relation matrix $P_D^{\alpha}$ of dimensions can be obtained through the total influence-relation matrix $P_D$ divided by $p_i = \sum_{j=1}^{n} p_{ij}$, $i = 1, 2, \ldots, n$, as shown in Equation (A13):

Table 1. The pre-test questionnaire risk factors for application of cloud computing in the auditing.

Table 2. The factors for application of cloud computing in the auditing.

Table 3. Total influence relation matrix $P_D$: four perspectives (or called dimensions).

Table 4. Total influence relation matrix $P_C$: fifteen criteria.

Table 5. The sum of the influences given and received on the perspectives and criteria.

Table 6. Unweighted super-matrix W based on DANP.

Table 8. Influential weights of DANP for each criterion obtained by $\lim_{k \to \infty} (W^{\alpha})^{k}$.

Table 9. Integrated index of dimensions and criteria.