This may be the author’s version of a work that was submitted/accepted

for publication in the following source:

Yigitbasioglu, Ogan
(2015)
External auditors’ perceptions of cloud computing adoption in Australia.
International Journal of Accounting Information Systems, 18, pp. 46-62.

This file was downloaded from: https://eprints.qut.edu.au/89236/

c Consult author(s) regarding copyright matters

This work is covered by copyright. Unless the document is being made available under a
Creative Commons Licence, you must assume that re-use is limited to personal use and
that permission from the copyright owner must be obtained for all other uses. If the docu-
ment is available under a Creative Commons License (or other specified license) then refer
to the Licence for details of permitted re-use. It is a condition of access that users recog-
nise and abide by the legal requirements associated with these rights. If you believe that
this work infringes copyright please provide details by email to qut.copyright@qut.edu.au

License: Creative Commons: Attribution-Noncommercial-No Derivative

Works 2.5

Notice: Please note that this document may not be the Version of Record
(i.e. published version) of the work. Author manuscript versions (as Sub-
mitted for peer review or as Accepted for publication after peer review) can
be identified by an absence of publisher branding and/or typeset appear-
ance. If there is any doubt, please refer to the published source.

https://doi.org/10.1016/j.accinf.2015.09.001
 External Auditors’ Perceptions of Cloud Computing Adoption in Australia

Ogan M. Yigitbasioglu
Queensland University of Technology

Abstract

Adopting a multi-theoretical approach, I examine external auditors’ perceptions of the reasons why
organizations do or do not adopt cloud computing. I interview forensic accountants and IT experts
about the adoption, acceptance, institutional motives, and risks of cloud computing. Although the
medium to large accounting firms where the external auditors worked almost exclusively used
private clouds, both private and public cloud services were gaining a foothold among many of their
clients. Despite the advantages of cloud computing, data confidentiality and the involvement of
foreign jurisdictions remain a concern, particularly if the data are moved outside Australia.
Additionally, some organizations seem to understand neither the technology itself nor their own
requirements, which may lead to poorly negotiated contracts and service agreements. To minimize
the risks associated with cloud computing, many organizations turn to hybrid solutions or private
clouds that include national or dedicated data centers. To the best of my knowledge, this is the first
empirical study that reports on cloud computing adoption from the perspectives of external auditors.

Keywords: cloud computing, information technology outsourcing, software as a service, forensic

accounting
1. Introduction

There is substantial evidence that 30-40% of information system (IS) projects experience cost
overruns and that 80-90% of IS investments fail to meet their performance objectives (Clegg et al.,
1997; Young, 2006). Additionally, according to a report by Standish Group International, 24% of IS
projects are either cancelled prior to completion or delivered but never used (SGI, 2009). Cloud
computing is an alternative to the in-house IT deployment model where computing resources are
purchased over the Internet on pay-per-use basis (Marston et al., 2011). Many organizations are
attracted to the perceived cost benefits of cloud computing and the innovative service capabilities it
provides (Marston et al., 2011; Sultan, 2011).

Although cloud computing adoption is predicted to grow at a rapid pace (Gartner, 2013; IBM,
2011), not all of the news about cloud computing is encouraging. For example, a report by the
Australian Communications and Media Authority revealed that 66% of small and medium-sized
enterprises (SME) did not utilize cloud computing services, and those that did used it mainly for
webmail (Francis, 2014). Furthermore, Harris Corporation, a US$6 billion US communications
company, closed down its cloud computing facility outside Washington DC because customers
preferred hosting mission-critical information on their own premises rather than on the cloud
(Garling, 2012).

Cloud computing is associated with a number of risks for its adopters (Grobauer et al., 2011). These
risks primarily arise because organizational data are stored outside the physical and legal
boundaries of the organization’s IT systems. Cloud computing raises critical legal and
accountability issues for both the organization opting to store data on the cloud and for the cloud
vendor providing the services. The risks are particularly concerning in relation to accounting and
customer-related data stored in the cloud and the ability to detect and prevent acts of fraudulent
activity or misconduct (Ryan and Loeffler, 2010).

Research on cloud computing is still nascent and can be classified into two broad groups: The first
group’s primarily focus is on the workings of cloud computing, i.e., the protocols, layers,
infrastructure, etc. (e.g. Foster et al., 2008; Pearson et al., 2009; Youseff et al., 2008). The second
stream of research adopts a business approach and discusses the implications of cloud computing
from an economic (e.g. Leimeister et al., 2010; Marston et al., 2011; Yigitbasioglu et al., 2013),

2
strategic (Ross and Blumenstein, 2013), or legal point of view (Hooper et al., 2013; Pollitt et al.,
2008; Ryan and Loeffler, 2010). A number of recent studies have contributed to the latter group by
providing empirical evidence in relation to the factors that influence the intention to adopt cloud
computing services in various regions such as Germany (Benlian and Hess, 2011), Taiwan (Hsu et
al., 2014; Lian et al., 2014; Lin and Chen, 2012; Low et al., 2011), England (Alshamaila et al.,
2013), South Korea (Lee et al., 2013), India (Gupta et al., 2013), and Australia (Yigitbasioglu,
2014). Most of these studies have used the survey method to focus on either SMEs (Alshamaila et
al., 2013; Gupta et al., 2013) or particular industries such as the high-tech (Low et al., 2011), retail
and manufacturing (Wu et al., 2013), or health sectors (Lian et al., 2014).

Despite a growing body of empirical evidence in this field, most studies adopt a quantitative
approach and therefore miss out on the opportunity to provide a more in-depth account of the issues
involved in the adoption and use of cloud computing. For example, why are certain types of cloud
configurations preferred over others, and what factors influence organizations’ adoption decisions?

The aim of this study is to provide qualitative evidence on cloud computing adoption from a new
perspective: those of external auditors in Australian accounting firms with forensic accounting
practices. External auditors in accounting firms were chosen in this study because many of the
medium to large accounting firms provide IT services to their clients, so they are expected to be
advanced users of IT. Interviews with both IT experts (ITE) and forensic accountants (FA) were
carried out to gain insight into the multifaceted issues involved in cloud computing adoption, which
are of technical, economic, and legal in nature. Additionally, these participants were chosen because
of their experience with cloud computing, both within but also across client firms as users,
implementers, and forensic investigators of such services. The participants in this study were not the
IT decision-makers and therefore did not represent the official position of their respective firms.
The study specifically addresses the following research question (RQ):

RQ: How do external auditors, employed by medium to large public accounting firms in Australia,
perceive the reasons why organizations do or do not adopt cloud computing services?

The paper takes a multi-theoretical approach and draws from theories such as institutional theory
and transaction costs economics to explore cloud computing adoption. The study sheds light on
various cloud issues such as institutional motives, cost management, security, and transaction risks.
This qualitative study contributes to the growing literature on cloud computing by presenting new

3
evidence from a new perspective in a much-speculated-upon area. This paper also addresses calls
for more empirical research on cloud computing by previous studies (Kshetri, 2013; Marston et al.,
2011).

The remainder of the paper is structured as follows. In Section 2, I briefly define cloud computing
and review the most frequent theories used to study IT outsourcing and cloud computing adoption.
This section also introduces the institutional theory, which has received little attention in the cloud
computing literature. Section 3 presents the data and research method, which is followed with the
findings in Section 4. Finally, Section 5 concludes the paper and suggests future avenues for
research.

2. Cloud Computing

Cloud computing enables information technology outsourcing (ITO) whereby computing resources
are purchased over the Internet using a pay-per-use model (Marston et al., 2011; Ross and
Blumenstein, 2013; Yigitbasioglu et al., 2013). The cloud computing delivery model is built upon
old and new computing technology paradigms such as grid computing, service-oriented architecture
and virtualization (Youseff et al., 2008). The cloud computing delivery model provides three
optional layers: the software layer, the platform layer, and the infrastructure layer. Organizations
can elect to outsource one or several of these layers, where platform as a service and infrastructure
as a service enable organizations to remotely access, develop, and deploy a variety of applications
and hardware (Youseff et al., 2008). In contrast to the public cloud, the private cloud may refer to
two settings: (i) it may correspond to the traditional IT model where computing resources are
retained within the corporate firewall, or (ii) it may be managed by a different party on a remote or
local site using dedicated infrastructure (Marston et al., 2011).

Cloud computing differs from traditional ITO in several ways. First, IT resources are exclusively
delivered over the Internet, which also allows their near-instant scalability, as IT resources are
managed through software (Marston et al., 2011). Cloud computing also introduces a number of
new actors such as service providers and brokers, which leads to more complex relationships that
were more restricted in the past (Leimeister et al., 2010). Finally, cloud computing contracts tend to
be shorter and therefore offer more flexibility and less commitment on the part of the customer
(Yigitbasioglu et al., 2013).

4
Cloud computing is of interest to accountants and accounting firms because they operate within a
knowledge-intensive business environment that relies heavily on the use of IT. For example, many
auditors and forensic accountants use computer-assisted audit technologies and audit support
systems (Braun and Davis, 2003; Dowling and Leech, 2014; Van Akkeren et al., 2013).
Additionally, extensive software exists for the accountant, ranging from small, off-the-shelf
packages to sophisticated enterprise systems that assist them with their daily tasks (Gelinas et al.,
2011; Hall, 2012). Therefore, in the accounting sector, it is expected that IT will continue to play an
important role. Furthermore, as with many other sectors, the accounting sector must continue to
invest in IT to boost productivity (Banker et al., 2002).

To understand the factors that might contribute to firms’ adoption of cloud computing, a review of
the relevant literature is useful. To date, researchers have used both organizational- and user- level
theories to study IT and cloud computing adoption. In the next sub-section, I provide a brief
overview of the relevant theories as well as the empirical papers on cloud computing that have
adopted the reviewed theories. This review should not be considered an exhaustive list of the
theories; rather, it is based on previous research in the ITO and cloud computing literature. Table 1
presents a summary of the findings in terms of the issues (variables) studied, the sign of the relation
to cloud adoption (for quantitative studies), as well as the theories used, the method, and the sample.

Insert Table 1 here: Empirical Studies on Cloud Computing Adoption

2.1. Transaction Cost Theory

Transaction Cost Theory (TCE) has been the most frequently used theoretical framework for the
study of ITO in general (Lacity et al., 2011). TCE suggests that when transaction costs are
significantly high, organizations are better off internalizing capabilities such as information and
communication technologies (ICT) (Williamson, 1985). Transaction costs refer to the cost of
searching, negotiating, and contracting with vendors as well as monitoring service-level agreements
(SLA). TCE highlights the problem of opportunism due to asset-specific investments and the notion
of incomplete contracts, which leads to behavioral uncertainty and transaction risk (Williamson,
1985). Cloud computing adopters are therefore likely to face three types of contracting risks that
relate to (i) shirking and intentional underperformance, (ii) theft of intellectual property, (iii) and
opportunistic repricing and vendor lock-in (Alchian and Demsetz, 1972; Aron et al., 2005; Chen
and Bharadwaj, 2009; Clemons and Hitt, 2004; Clemons and Row, 1992; Willcocks et al., 1999).

5
Exogenous factors such as the uncertainty around new technologies and regulations also increase
transaction risk (Sutcliffe and Zaheer, 1998). With respect to the technology itself, the literature has
raised some concerns around the security and reliability of cloud computing (Benlian and Hess,
2011; Grobauer et al., 2011; Gupta et al., 2013). The confidentiality, integrity, and availability of a
system is very critical, as IT failure may lead to a loss in shareholder value (Cavusoglu et al., 2004;
Modi et al., 2014). There is also some uncertainty regarding cloud computing legislation. For
example, litigation may be difficult when the client, the vendor, the data center, and the Internet
service provider potentially reside in different nations (Clemons and Chen, 2011). Yigitbasioglu
(2014) applied TCE to study cloud computing adoption and found that perceived vendor
opportunism and perceived security risk had a negative effect on adoption intention. To limit cloud
computing risks, organizations can choose to keep firm-specific IT data or intellectual property that
is linked to a firm’s competitive advantage in house (Ross and Blumenstein, 2013). Such decisions
may lead organizations to opt for hybrid cloud computing models where low-level security data are
externalized and mission-critical applications and data are kept within the boundaries of the firm
(Goscinski and Brock, 2010; Marston et al., 2011; Ross and Blumenstein, 2013).

2.2. Resource-Based View

The resource-based view (RBV) of the firm focuses on the types of resources that a firm needs to
access to attain a competitive advantage. It is the internal capabilities and resources rather than
products or services that generate competitive advantage (Wernerfelt, 1984). Resources add value to
a company if they are rare, inimitable, and are not substitutable (Wright and McMahan, 1992).
Information technology as a resource can lead to competitive advantage if it is firm-specific and
difficult for competitors to copy. This is not the case with cloud computing, as services are
marketed to the masses in a generic, off-the-shelf fashion (Ryan and Loeffler, 2010). There is
therefore a view that an organization’s competitive advantage in a cloud computing environment
will depend on its ability to take a holistic and strategic approach toward the planning, coordination,
and integration of cloud-based services (Garrison et al., 2012; Ross and Blumenstein, 2013). This
line of reasoning is also consistent with the extensive literature on strategic IT alignment, which is a
predictor of IT investment profitability (Henderson and Venkatraman, 1993; Preston and
Karahanna, 2009; Tallon, 2007).

6
Specifically, organizations adopting cloud computing services are likely to benefit from developing
competencies in, for example, leadership, business-systems thinking, relationship building, and
contract facilitation and monitoring (Feeny and Willcocks, 1998). Effective managerial and
technical skills are required to successfully integrate new technologies into an existing IT
infrastructure ahead of the competition (Garrison et al., 2012). Specifically, aligned business and
information-systems thinking through the intellectual and social alignment of business and IT
(Reich and Benbasat, 1996) can lead to higher profits and competitive advantage (Henderson et al.,
1996). Together with leadership and architecture planning, systems thinking as a capability is also
important because it supports outsourcing contracts, specifically those with longer time horizons
(Willcocks and Feeny, 2006). Cloud adopters can build relational competence with vendors through
better communication and socialization (Cousins and Menguc, 2006). Over time, the effective use
of relational competencies can lead to trust. Trust contributes to competitive advantage because it
develops gradually and is therefore more difficult to substitute or imitate (Ibrahim and Ribbers,
2009). Finally, contract facilitation and monitoring are capabilities that cloud computing adopters
are required to improve upon because these capabilities are considered to be core in the ITO
literature (Feeny and Willcocks, 1998; Willcocks and Feeny, 2006).

2.3. Diffusion of Innovation and the TOE Framework

The diffusion of innovation theory (DOI) is one of the most popular research paradigms used to
examine IT adoption (Wu et al., 2013). According to this theory, the key elements in the diffusion
of innovations are communication channels, time, and the social system (Rogers, 2010). Potential
adopters assess innovations according to relative advantage, compatibility, complexity, trialability,
and observability (Rogers, 2010). The DOI theory has strong theoretical foundations, as
demonstrated by its evidence in various innovations such as Electronic Data Interchange
(Premkumar et al., 1994), e-commerce/e-business (Hong and Zhu, 2006; Zhu et al., 2006), and
ERPS adoption (Bradford and Florin, 2003). Applying the theory, adopters may perceive cloud
resources as relatively advantageous when compared to existing internal solutions because the cloud
makes a ‘clear’ case for itself. Compatibility in Roger’s DOI theory refers to the extent to which an
innovation is consistent with the values, experiences, and needs of potential adopters. In the IT
literature, compatibility may also refer to the modularity of the IT infrastructure, i.e., whether the
system comprises sharable and reusable components (Bush et al., 2010; Wu et al., 2013). Cloud
computing may be perceived as compatible if the existing IT infrastructure is modular, but it may
clash with the values of the firm due to agency issues such as managerial empire building (Jensen,

7
1986) and career concerns (Holmström, 1999; Holmstrom and Costa, 1986). Cloud services may
also be considered less complex, as they tend to be turnkey solutions (Yang and Tate, 2012). Thus,
adopters may expect them to be easily integrated into existing structures and processes. Cloud
computing solutions may also score high on trialability because cloud vendors readily provide
demos of their products to potential customers. There is also wide media coverage of firms’
announcements of cloud adoption, which significantly contributes to its observability. A study by
Wu et al. (2013) that combined the DOI theory with the information processing theory (March and
Simon, 1958; Van de Ven and Ferry, 1980) focused on a number of characteristics of businesses,
such as process complexity and information system compatibility, to explain the intention to adopt
cloud computing. Wu et al. (2013) reported that business process complexity and information
system compatibility were inversely associated with cloud computing adoption, although
entrepreneurial culture and application functionality were positively associated with adoption.

The Technology, Organization and Environment (TOE) framework (Depietro et al., 1990;
Tornatzky et al., 1990) has been used by many IT adoption researchers (e.g. Chau and Tam, 1997;
Chong and Ooi, 2008; Oliveira and Martins, 2011) and has also been very popular in the cloud
computing adoption literature (Alshamaila et al., 2013; Hsu et al., 2014; Lian et al., 2014; Lin and
Chen, 2012; Low et al., 2011). Although the TOE framework is similar to Roger’s diffusion of
innovation model, the former also includes the environmental context, which is better at explaining
intra-firm innovation adoption (Oliveira and Martins, 2011). A study by Alshamaila et al. (2013)
that adopted TOE found that factors such as relative advantage, uncertainty, geo-restrictions,
compatibility, trialability, and size played roles in the adoption of cloud computing in the northeast
England. These findings were also largely supported by Low et al. (2011), although complexity of
innovation, compatibility with values and needs, and technology readiness were determined to have
no association with adoption. Furthermore, a qualitative study in Taiwan reported that IT
professionals were concerned with cloud computing’s compatibility with IS policy, the
development environment, and the business’ needs and that they were not ready to adopt until
security- and standardization-related issues were resolved (Lin and Chen, 2012).

2.4. Theory of Reasoned Action and Technology Acceptance Model

The Theory of Reasoned Action (TRA) (Fishbein and Ajzen, 1975) originated with social
psychology, and it suggests that behavioral intention is a function of attitudes and subjective norms.
The TRA explains the decision process of individuals within the context of limited resources and

8
social expectations. Although not specifically developed for the information systems field, much of
the earlier research has used the TRA to explore the underlying factors driving information systems’
adoption and use. The findings from the information system studies have been consistent with the
findings of studies that employed TRA in other contexts (Venkatesh et al., 2003). Benlian and Hess
(2011) used TRA to study the intention to adopt software as service by German companies. Benlian
and Hess (2011) found that the intention to adopt cloud computing was driven by an appraisal of the
perceived risks and opportunities associated with software outsourcing. Their results suggested that
security risks and the risks associated with performance, costs, and strategy significantly
contributed to the overall perceived risk of cloud computing adoption, which was consistent with
the ITO literature (Lacity et al., 2009). With respect to opportunities, cost advantages, information
system quality improvements, and strategic flexibility in terms of implementation speed and vendor
flexibility were identified as significant factors for the intention to adopt cloud computing (Benlian
and Hess, 2011). However, the desire to focus on core competencies and access to specific
resources were not associated with cloud computing opportunities (Benlian and Hess, 2011).

The Technology Acceptance Model (TAM) is based on TRA and predicts the acceptance and use of
technology by its users (Davis et al., 1989). The TRA was specifically developed for the
information systems field, and it explains information system adoption through perceived
usefulness and perceived ease of use. TAM and its variants, namely, TAM2 and TAM3, have been
applied to a diverse set of technologies and users, thus shedding light on the adoption and utilization
of IT (Venkatesh and Bala, 2008). TAM is not only useful for understanding the factors that drive
users’ intention to use IT, but it also provides a set of interventions that management can use to
increase its utilization (Venkatesh and Bala, 2008). While IT managers within firms will find the
model valuable, cloud vendors are also likely to find it useful, as they may be able to increase
adoption by manipulating the various factors that drive acceptance. Within the context of cloud
computing, Wu (2011) employed TAM with Rough Set Theory to mine for factors influencing
cloud computing adoption. Wu (2011) found that expert opinions, speed, and security of back-ups
were three key factors that influenced cloud computing adoption.

2.5. Institutional Theory

While the reviewed theories above have different foci, many of the theories, such as TCE and RBV,
explain structural changes in organizations as a result of competitive forces and the desire for

9
efficiency (Liang et al., 2007). Such motives rely on the efficient-choice perspective, which is based
on two assumptions: (i) organizations can freely and independently choose a technology, (ii) and
organizations are relatively certain about their goals and their assessments of how efficient
technologies will be in attaining those goals (Malmi, 1999; March, 1978). The second assumption is
contentious because some uncertainty is involved with new technologies, and therefore
organizations might chose to imitate others, as suggested by institutional theory (DiMaggio and
Powell, 1983). Furthermore, institutional theory argues that in addition to efficiency concerns,
organizations are driven by legitimacy concerns, which often lead to mimetic behavior and
institutional isomorphism (DiMaggio and Powell, 1983). Some evidence for institutional
isomorphism exists in the ITO literature (Loh and Venkatraman, 1992; Willcocks et al., 1995). In
this respect, the typology provided by Abrahamson (1991) is useful in explaining how innovations
are diffused, i.e., through forced selection, fashion, fad, or efficient choice (Abrahamson, 1991).
Forced-selection theories assume that organizations have no choice but to adopt innovations due to
the substantial power of organizations such as government bodies (Carroll et al., 1986; DiMaggio,
1988; Scott, 1987). This situation is unlikely to be the case in the Australian private sector. The
fashion perspective also assumes the influence and power of other organizations (fashion setters),
such as consulting firms, business schools, the mass media, and government agencies. However,
their influence is weaker than in forced selection. In Australia as elsewhere, cloud computing has
been somewhat encouraged by the government through the Australian Government Cloud
Implementation Initiative, so this motive might be relevant for the Australian context. Finally, from
the fad perspective, organizations imitate adopters due to the high level of uncertainty associated
with the technology in question. As mentioned previously, organizations might also imitate to
appear legitimate (DiMaggio and Powell, 1983) or to limit the risk of competitors gaining a
competitive advantage (Katz and Shapiro, 1985). A study by Malmi (1999) found that more than
half of the companies using a Balanced Scorecard in Finland had motives related to managerial
fashions or fads. A significant role was played by consultants as well as numerous seminars and
workshops that tried to sell the idea (Malmi, 1999). The uncertainty around cloud computing in
terms of risks and benefits continues to be large (Lin and Chen, 2012), so similar motives may be
relevant.

2.6. Other Studies

Other studies have used no particular theory or adopted frameworks from the business domain. For
example, a study by Gupta et al. (2013) suggested that cost reduction, security and privacy, and ease

10
of use positively affected cloud computing adoption in SMEs. Lee et al. (2013) used Political,
Economic, Social, and Technological (PEST) analysis and reported that reduced costs and
economies of scale were the most important drivers of cloud computing adoption, whereas distrust
in its security, possessiveness of IT resources, and legal issues were among the main inhibitors.
Similar conclusions can be found in other studies (Brender and Markov, 2013; Sultan, 2011).

A review of the literature suggests that there is little knowledge about how cloud computing
adoption choices are made by firms. For example, we do not know what types of institutional
motives drive cloud computing adoption or the types of applications that are moved into the cloud,
e.g., core (critical) or non-core (non-critical). The ITO literature suggests a selective approach to
outsourcing where only the mundane (non-core/non-critical) aspects of the IT function are
outsourced (Beaumont and Costa, 2002). This approach may or may not be applicable to the cloud
computing era. It is also not clear how companies with significant investments in legacy
applications such as enterprise resource planning systems (ERPS) approach cloud computing. It is
questionable to what extent cloud computing providers can match the capabilities of in-house IT
experts with regard to customized software.

3. Research Method and Data

3.1. Method

A qualitative approach was chosen to explore the perceptions of external auditors working in
medium to large Australian accounting firms regarding the adoption of cloud computing in
Australia. This approach was similar to that of Wright and Wright (2002), where semi-structured
interviews were carried out to study external (IT) auditors’ perceptions of the risks of ERPS. The
method was also consistent with much of the explorative research in information systems (Myers
and Newman, 2007). The use of semi-structured interviews allowed the participants to freely
express their views while permitting the opportunity to follow topical trajectories when appropriate
(Crabtree, 1999). Semi-structured interviews were also carried out to enable in-depth exploration of
the research questions from the perspectives of a range of experts. An interview guide was
generated to permit exploration of the issues pertaining to the adoption of cloud computing services
(see Appendix 1).

11
 3.2. Research Context

The sample consisted of external auditors working in medium to large public accounting firms with
forensic accounting practices in Australia. The target participants’ organizations included the Big 4
accounting firms (PWC, Deloitte, EY, and KPMG) as well as mid-tier accounting firms in
Australia. Despite significant differences in employee size and turnover, all of the target firms had
offices across a number of locations in Australia (and in many cases abroad) that offered a variety
of professional services including forensic accounting. They were also all large enough (more than
100 employees), especially vis-a-vis small accounting firms, to have reasonably “sophisticated IT
systems”, which permitted a grouping of the firms on the basis of their structural properties, which
did not seem to differ substantially. External auditors from medium to large accounting firms with
forensic accounting practices were chosen for several reasons. First, professional service firms such
as accounting firms rely on their image in the marketplace to reassure their clients that they will
receive high quality service (Empson, 2004). Thus, these accounting firms are expected to be
innovative, given that many also provide technology-related services. Additionally, because the
sample included individuals in accounting firms that provided advisory services in various areas
such as risk, IT, and forensic accounting, the participants were considered to be very experienced
and knowledgeable regarding the issues surrounding cloud computing. Moreover, the individuals in
the accounting firms were not only in a position to provide insight on their own firms but also on
the trends and developments in the local economy through their client engagements. This approach
was similar to studies that reported on accounting firm specialists and auditors’ experiences with
clients on issues such as ERPS risks (Wright and Wright, 2002) and corporate governance (Cohen
et al., 2010; Cohen et al., 2002). Finally, individuals in accounting firms with forensic accounting
practices were chosen so I could interview FAs in addition to ITEs. FAs were interviewed because
of their potential contribution and expertise regarding the legal issues involved in cloud computing.

3.3. Data Collection

A combination of convenience and snowball sampling was used to collect data for this study
(Neuman, 2005). Individuals were identified as potential interviewees at various forensic-
accounting-related events at Queensland University of Technology in 2013. These individuals were
interviewed and/or referred the researcher to other people in their organizations. Data were
collected through face-to-face semi-structured and exploratory interviews. The participants had

12
first-hand experience with cloud computing solutions as users, consultants or forensic accountants.
The majority of the interviews were carried out at the participants’ offices. The interviews lasted
approximately 45-60 minutes and were recorded with the permission of the interviewees and then
transcribed. The transcripts were then sent back to the interviewees for factual accuracy and were
amended if necessary. A total of 16 interviews were conducted in eight different organizations. All
of the organizations had over 100 employees and had a number of offices across Australia. Three of
the participant firms were from the Big 4. Six of the participants had a “forensic accountant” role
within the organization, although many of them were also experts in IT because of their technical
background and the high IT involvement in their tasks (Gray, 2011). A list of the interviewees with
their position descriptions and years of experience is provided in Appendix 2.

The first part of the interview focused on the motives and benefits of cloud computing, whereas the
second section asked questions regarding its risks, including from a legal and forensic accounting
perspective. The interviewees reflected on their perceptions based on their actual experiences with
cloud computing solutions throughout the interviews. The interview guide with the questions is
presented in Appendix 1.

3.4. Data Analysis

The interview data were analyzed based on the Corbin and Strauss (2008) coding techniques used
for thematic analysis. Because of the literature review prior to data collection, the approach was
based on a looser application of the grounded theory (Urquhart, 2007) rather than the traditional
method (Glaser, 1998). The purpose of the initial analysis was to label the raw data according to
different concepts and categories. The initial analysis identified 38 concepts. After open coding,
axial coding was carried out to explore the relationships between the concepts and categories. This
procedure was followed by selective coding, where the concepts and categories were integrated to
build a structure for the theory. The analysis was repeated to compare and contrast the labels, which
led to further abstractions and a reduction in the original categories (Corbin and Strauss, 2008). The
analysis resulted in six themes (4.1-4.6) and a number of sub-themes that are presented in the next
section.

13
4. Findings and Discussion

4.1. Cloud computing adoption and acceptance

“Eventually, in 5 to 10 years’ time, everyone will be using it [cloud computing], no matter

whether you like it or not.” (FA6, mid-tier)

Whereas the above statement provides a sobering snapshot of what to expect in terms of the
diffusion of cloud computing in Australia and possibly abroad in the near future, the current
adoption rates of public cloud computing by the medium to large accounting firms were very low.
None of the interviewed external auditors utilized public cloud computing services substantially,
i.e., public cloud computing was not used for managing the day-to-day operations of the firm or for
storing critical data. Instead, the interviewees indicated that their firms used private clouds or leased
dedicated data centers from cloud providers either abroad or locally. According to the interviews,
some of the non-Big 4 accounting firms developed their own internal private clouds, whereas some
of the Big 4 used cloud solutions that were linked to private (or leased and dedicated) data centers
abroad. This result was somewhat surprising given that many of the firms interviewed were helping
clients to migrate to the public (but also private) cloud. Some of the interviewees mentioned that it
was a matter of information confidentiality that prevented them from migrating to the public cloud,
particularly if the data are moved across different countries/legislations, which is an issue that has
been widely addressed in the literature (e.g. Clemons and Chen, 2011; Egwutuoha et al., 2013;
Marston et al., 2011). For the interviewees, information security was the top priority. Thus, it
seemed that the accounting firms’ choices and actions were determined (Fishbein and Ajzen, 1975)
with this in mind to minimize the various security and transaction risks (Williamson, 1985)
associated with cloud computing that are explored later in the paper. This finding was similar to that
from a survey by Wolters Kluwer, a global information services and publishing firm, which
reported that only 27% of Australian accountants servicing SMEs used cloud-based software
(Kluwer, 2013).

Given that many of the interviewees’ clients were already in the process of adopting cloud
computing solutions and the interviewees were involved with these solutions, some observations
from the clients and therefore the local industry are provided next. The interviewees reported that
many of their clients from various sectors, including small accounting firms and the public sector,
were adopting cloud-based solutions. Cloud-based software adopted by client organizations

14
included e-mail and productivity software (e.g., Enterprise 365), storage & backup (e.g., Google
Drive, CloudAlly), accounting (e.g., Xero, MYOB Accounts Live, Quicken), various
fleet/marine/hotel management solutions, customer relationship management (e.g., Salesforce.com),
point of sale, event management (e.g., Eventbrite), collaboration (e.g., Yammer, Enterprise Social
Networks), and enterprise resource planning (e.g., NetSuite). The services mentioned were in line
with the results of an Australian survey by Yigitbasioglu (2014).

As with the accounting firms themselves, not all of the above-mentioned cloud computing services
adopted by the client organizations fell under the definition of the public cloud, as the data were
often kept within Australia or on the client’s premises, even if it was managed by a cloud vendor.
This approach was partly attributable to data export protection laws applicable to certain sectors
such as banking or government but also because of organizational preferences and concerns with
respect to security, which is an issue that has been widely discussed in the literature (Benlian and
Hess, 2011; Marston et al., 2011). These findings also highlighted the variety of cloud computing
configurations that exist in terms of how (or by whom) the applications/data are managed, where
they are located, and where they are stored. For example, the vendor may manage a client’s IT
resources on the client’s premises or at a remote site onshore/offshore. If the data are stored at a
remote site, the server where the data are kept may be virtualized, or the data may reside on a
dedicated server. The different cloud computing configurations offer different levels of risk, which
are further discussed under “IT security”.

It was reported that the clients utilized some of the services for only a short period of time, i.e.,
when additional data storage capabilities were required for file sharing or for managing events
(event management systems), which are temporary by nature. This approach was expected given
that one of the main benefits of cloud computing is its near-instant scalability and speed of
deployment without any of the “red tape” associated with in-house software development life cycles
(Leimeister et al., 2010; Marston et al., 2011). Similarly, the interviewees mentioned that
organizations sometimes used cloud services until their internal capabilities were sufficiently
developed to manage their own internal IT infrastructure. This approach enabled the organizations
to focus on core competencies (Wüllenweber et al., 2008) and provided them time to accumulate
the required financial capital and/or capabilities to manage IT in house. This approach would
particularly benefit start-ups or organizations with limited capital and technical expertise, such as
SMEs.

15
The interviewees mentioned that organizations often consider switching to cloud computing when it
is time to renew their licenses and hardware, which normally require large investments. As for more
complex software such as enterprise resource planning software or legacy software, the switch is
likely to take several years:

“…. if they go cloud, the provider can for a period of time, until they migrate from the
legacy system to the new system, offer some sort of virtualized environment in the cloud,
they create a virtual machine of the physical machine that they have right now because they
spent millions of dollars customizing the software, they can’t just migrate it in two days so
they virtualize that machine, and that will be part of their cloud computing contract they will
sign and that would be available to them for the next 2-3 years in the cloud until they
migrate their data into the new system. That would be the way of going ahead.” (ITE9, mid-
tier)

The adoption of technologies is of little use without their acceptance by their users. According to
the TAM, perceived ease of use and usability is a good predictor of technology use (Davis et al.,
1989). Some of the interviewees praised the usability of the solutions on the market. The following
quote from one of the interviews illustrates the case for Xero, a cloud-based accounting software
program that is very popular among small business owners in Australia.

“Most of the accounting systems are installed models and are designed by accountants for
other accountants, not really for business people. When you speak to somebody who uses
Xero, they say finally I understand what’s going on in my business so that’s better design,
more usable. Whatever screen it brings up, it tends to have a visual component in there.”
(ITE3, Big 4)

Software usability is also desirable, as it is associated with usefulness and user satisfaction (Calisir
and Calisir, 2004), which in turn may lead to higher productivity (Donahue, 2001; Juristo et al.,
2007). Cloud computing applications were also considered to be very useful and acceptable due to
the pricing model, which was reflected in the following comment:

“...it is a consumption model, and if you think of the way software vendors have typically
worked historically, they pop the champagne cork when you sign the contract, and you
know you pay them lots of money and they say good luck with making it work, whereas
with cloud, you turn it on and the incentive for the cloud software provider is, you know, I
get paid by how much they use, you have much more alignment towards the same goal as
opposed to the other model, where they say we have done the sale, you work out how to use
it, we are going to find another sale.” (ITE1, Big 4)

16
 4.2. Institutional factors

In terms of what institutional motives drove cloud computing adoption, the findings suggest that
there were many: As exemplified below, some of the interviewees stated that the adoption of cloud
computing by public companies served as a model for many of the companies, which was consistent
with the institutional theory and the fad perspective:

“I think QLD or the federal government is really trying to push cloud computing and show
people look, we are providing it and that it is safe and that’s a motivation for small
companies, they say if the government is doing it, maybe we can do it as well.” (FA1, mid-
tier)

It was notable that the statement above specifically referred to small companies, which again agrees
with the predictions in the literature, i.e., that cloud computing particularly appeals to SMEs
(Marston et al., 2011). Wu (2011) investigated the role of social influence and found that expert
opinion was a key factor in cloud computing adoption. Thus, companies might view the government
as a role model or expert. As a result of mimetic behavior and the pro-innovation bias (Rogers and
Shoemaker, 1983), some firms run the risk of following the fad without necessarily understanding
the implications of the technology:

“Everybody is doing it, so they feel like they should be doing this. It’s the new thing, even
though they don’t understand what it is.” (FA2, Big 4)

There is a high level of media coverage and numerous local events organized by consultants and
vendors around cloud computing that promote the technology. This exposure undoubtedly helps to
influence the belief systems and subjective norms of IT decision makers in organizations (Fishbein
and Ajzen, 1975; Rogers, 2010). However, the fashion setters did not seem to force fashions onto
gullible managers, as firms’ decisions to favor private over public cloud computing services
appeared to be rational because the perceived risks outweighed the opportunities (Abrahamson,
1996).

Old institutional theory commonly defines institutions as “a way of thought or action of some
prevalence and permanence, which is embedded in the habits of a group or customs of a people”
(Hamilton, 1932, p. 84). The interviews revealed that authority-based decisions were made to adopt
or reject cloud computing by a few individuals with power, status, or expertise (Rogers, 2010).

17
 “What tends to happen with cloud computing is that it doesn’t just reduce the overall costs
but also the size of the team. I have had a lot of executives say to me, CIO’s just trying to
protect the empire of their status… often times this sort of change in adopting cloud has
really nothing to do with strategy, costs; its politics, its political, it is like, ‘no, we don’t do
that.’” (ITE3, Big 4)

This approach contrasted with the view of new institutional theory, which argues that executives
have little influence because they are swept along by external forces and constrained by many
conventions and norms (Hambrick, 2007). The literature suggests that outsourcing may affect IT
managers’ reputation and career and the way they are viewed by peers, clients, and staff due to the
loss of power over the control of resources (Gonzalez et al., 2006). However, the evidence to date is
not very strong in support of this premise. Known also as psychosocial risk (Gewald and Dibbern,
2009), for example, Benlian and Hess (2011) did not find a significant association between
managerial risk and the perceived risk of software as a service (SAAS) adoption. Conversely, Lee et
al. (2013) did find some support for the IT possessiveness of managers and SAAS adoption. Thus,
as with every innovation, this finding points to the critical role of top management in supporting the
adoption of new technologies through resource provision and commitment (Lee and Kim, 2007).
Consistent with the TOE framework, this finding corroborates that of Low et al. (2011), who
identified a significant relation between top management support and cloud computing adoption.

4.3. Cloud computing as a potential competitive resource

As discussed earlier, although cloud computing can hardly be considered a competitive resource by
itself, the interviews revealed that it may provide some advantages when it is successfully managed
and integrated with an organization’s internal capabilities. These advantages relate to cost
management, agility, and the deployment of IT resources.

4.3.1. Cost management

A number of cost issues were identified through the interviews. Reduced IT costs was one of the
most frequently mentioned benefits associated with cloud computing, which was consistent with
previous studies (Benlian and Hess, 2011; Gupta et al., 2013; Lee et al., 2013).

“It does save costs because you don’t need to renew your hardware, and you don’t have to
worry about the computer room and the air conditioning; we have so many problems in this

18
 building with air conditioning, for example, it suddenly turns off and the temperature is
going up, and we have to bring in the portable coolers.” (FA1, mid-tier)

Most organizations that adopted cloud computing services did not experience any cost overruns,
which is considered to be a significant issue in the ITO literature and is referred to as hidden costs
(Barthelemy, 2001). Hidden costs relate to (i) search and contracting, (ii) transition, (iii) managing
the effort, and (iv) switching or re-internalizing IT resources should the contract be terminated
(Barthelemy, 2001). Although the Internet may reduce some types of hidden costs such as search
costs, there is a danger if “standard” contracts are adopted because they may prove to be costly in
the long run. Specifically, poorly negotiated contracts or SLAs can lead to cost overruns and
diminish the benefits of cloud computing, as discussed in the ITO literature (Barthelemy, 2001) and
evidenced in the following interview:

“If you adopt a cloud e-mail solution, you need to pay a service provider to actually extract
or go through the archives; it’s not part of your actual contract that you can get access to the
archive. So the commercial model wasn’t properly understood by the adopter. In extreme
cases, it became for some organizations more and more expensive to operate their business
in the cloud than what they expected, and that turned into them migrating back into their
own infrastructure” (ITE10, Big 4)

Interviewees also mentioned that the cost benefits may not necessarily come in the form of lower
overall IT costs but through improved IT budgeting accuracy. This difference is significant because
the idiosyncratic characteristics of IT, such as rapid changes in design, high levels of uncertainty,
and short product life cycles, often lead to budgeting difficulties (Chandra et al., 2007). Thus, the
adoption of cloud computing may improve planning and cash flow. As a service, switching costs
associated with cloud computing were also perceived to be lower compared with traditionally
sourced IT. When switching costs and asset-specific investments are lower (Williamson, 1985), IT
agility may be improved, as organizations can more easily switch to better technologies.

19
 4.3.2. IT agility

The interviewees emphasized the flexibility of cloud computing in terms of allowing organizations
to better adapt to the changing landscape of technology, which can help the alignment of IT with the
company strategy, which is significant because of the short product life cycle of software and the
ever-increasing types of devices and associated platforms.

“IT departments are overloaded with demands; they need to improve the tempo with which
they operate, in my view, that’s the strategic part of cloud, it allows you to maintain a faster
tempo of adaptation and absorption of change and pursue the opportunity, as opposed to
being on the slow lane, building and getting infrastructure and having to manage a whole lot
of things.” (ITE8, Big 4)

Through the increased speed of deployment of cloud services, organizations can improve their
agility and develop capabilities that can lead to competitive advantage (Wernerfelt, 1984). This
finding confirmed and expanded on that of Benlian and Hess (2011), who suggested that cloud
computing would lead to strategic flexibility in terms of faster value to market and lower vendor
lock-ins. Agility can also be improved by eliminating (internal) IT project failures by outsourcing
IT development through cloud computing:

“Cloud actually reduces massive amounts of risk in terms of project failures and long cycle
times and getting to the end of things that don’t work, which we often see; to me, that’s a
massive risk [reduction].” (ITE3, Big 4)

Given the statistics mentioned in the introduction on IT failures, agility may be a major advantage,
although it comes at the expense of other risks, which are explored later.

4.4. IT Governance and risks

The conventional IT risks in terms of availability, integrity, confidentiality, and performance still
apply in the cloud computing environment, but these risks are addressed through contracts as
opposed to internal IT governance mechanisms. In any case, IT risks need to be managed
effectively because IT failure is often associated with significant impacts on shareholder value, as
demonstrated by cases such as Sobeys Inc., Sydney Water, and TJX Companies (Parent and Reich,
2009).

20
Various IT governance frameworks such as COBIT, COSO, and AS 8015 have been developed by
professional bodies to provide security guidelines for companies. The frameworks cover three risk
areas: the security of data and information, the integrity of hardware and software, and IT
implementation projects (Parent and Reich, 2009). More recently, these frameworks have started to
address the specific risks within the cloud computing environment, such as COSO: Enterprise Risk
Management for Cloud Computing and COBIT: IT Control Objective for Cloud Computing. It is
important for cloud computing clients to develop IT governance procedures to address and mitigate
the risks. The identification and mitigation of risks will limit damage and improve IT governance in
the cloud computing era.

4.4.1. Internal vs. external security capabilities

Some of the characteristics that are often associated with cloud computing risks (e.g., having data at
a remote site) have also been perceived as some of its strengths. Interviewees mentioned that in
most cases, cloud computing is more secure than in-house IT capabilities, especially if the
organization uses a reputable cloud provider such as Microsoft or Amazon that holds certified third-
party-assurance audits.

“From the physical point of view, it is much better because normally a data center has
different types of security; they have CCTV’s and everything, this building doesn’t have
CCTV……. but again, it comes down to the online security, and it comes down to where
they are sitting; are they using the proper equipment and hardware to protect your data?”
(ITE7, mid-tier)

“You are not worrying if there is an earthquake here, what happens to the data, or if there is
a fire, we have backups, but how many hours we need to work on those backups to bring it
back up, how many hours we are losing, how much money we are losing?” (FA1, mid-tier)

In some cases, organizations saw cloud computing as a way to secure their IT systems due to a lack
of internal capabilities and the ever-increasing number of reported security incidents (Chai et al.,
2011).

“Some organizations are adopting it as a risk mitigation strategy because they don’t have the
internal capability. They see engaging in cloud is a way to get secure environments, best of
breed.” (ITE1, Big 4)

21
Although cloud computing may provide a more secure IT environment, weaknesses in internal
control can still leave an organization vulnerable to attacks from the inside. This vulnerability is
particularly significant given the increase in fraud committed by internal parties, from 33% in 2009
to 54% in 2011 (PWC, 2012). However, cloud computing can expose the adopting organization to
further risk because of the involvement of third parties in managing the IT infrastructure.

“IT governance [in many companies] is pretty poor anyway; when you introduce another
factor like cloud computing, they think it goes away, but you are adding another facet to the
IT governance; not only you have business using their own software, having proper approval
processes and administrative access to finance packages, but you also have other people in
another country with administrative access as well because they need it.” (FA4, Big 4)

However, the use of trusted, reputable, and third-party-audited vendors can limit this risk.
Additionally, in Australia, cloud vendor employees go through rigorous screening, although this
may not be true in other countries.

4.4.2. Confidentiality, integrity, and availability

According to the interviewees, the main concern was not security (e.g., hacking) but data privacy
and the involvement of foreign jurisdictions. Australia has strong privacy laws with heavy fines for
violations. The recently introduced Australian Information Privacy Act requires that organizations
keep a log of customer information disclosures to third parties so that such disclosures can be
provided to the authorities if necessary. Consistent with the previous literature (Alshamaila et al.,
2013; Benlian and Hess, 2011; Gupta et al., 2013; Lee et al., 2013; Marston et al., 2011) and the
TRA and TCE perspectives, the interviews reflected such concerns through decisions against using
the public cloud.

“We decided not to use cloud computing at this stage, mainly because we would have to
store our clients’ information in the cloud based on the products out there…….that’s one of
the main reasons because the legislation out of Australia is different from inside Australia,
and we are keeping our clients’ data, and we are guaranteeing that it’s safe and private; if it
is not in Australia, how can we guarantee it?” (ITE9, mid-tier)

“The Information Privacy Act requires you to be able to get information regarding when
and to whom it was disclosed. By going to the public cloud, you lose control over that in a
way. So the issue is not about security, but if you can by law access and provide that
information. Also, the other country may have to disclose that information to their own
government, and you won’t have the opportunity to say no.” (ITE2, Big 4)

22
One security risk that was identified from the interviews is related to virtualization, which allows a
single server to behave as multiple servers. This issue is well-known and to some extent has been
discussed in the literature (Karadsheh, 2012; Subashini and Kavitha, 2011). Virtualization is
beneficial because it increases the usage of CPU, which can be as low as 5% in a traditional server
(Armbrust et al., 2010). However, virtualization creates interdependency among the computing
resources of the hosted organizations, both physically and virtually.

“If there is a legal issue and they grab the computer, essentially 20 companies are gone, not
only one. Of course, there are back-ups, but it might take a couple of hours to bring them up
to speed and make them live.” (ITE9, mid-tier)

“They [another company] might be under attack, and it will affect you and you haven’t done
anything wrong and they have.” (FA6, mid-tier)

When malware or a virus compromises a virtual machine (VM) and gains access to the hypervisor,
it is very likely that other VMs may be compromised as well. Cloud computing and IT vendors such
as IBM have been developing solutions for the guest hopping problem despite a lack of agreed-
upon guidelines or standards (Bizarro and Garcia, 2013). To limit this type of risk, organizations
may choose to use a dedicated server, although they have to bear additional costs.

The slow speed of the Internet was also a concern for some of the interviewees and their clients,
which especially in rural areas prohibited the adoption of the cloud. This problem was also
highlighted by Yigitbasioglu (2014) because it affected the intention to adopt cloud computing as
per the TCE. In 2012, Australia started a $40 billion project to gradually replace the copper network
for telephony with fiber optic technology. This change will address the current problems with the
speed of the Internet. However, because cloud computing is an online service, there is a single point
of failure in the event of the Internet going down. In case of Internet Service Provider failure, even
if a 3G or 4G network is available as a fallback option, supporting an entire organization on such a
network could quickly become prohibitive from a cost point of view.

23
 4.5. Contracting and transaction risks

The importance of formal controls through contracting has long been recognized in the outsourcing
literature (Kern and Willcocks, 2002; Saunders et al., 1997). As discussed by Karadsheh (2012), the
SLA is critical to the successful utilization of cloud computing services, which was emphasized in
one of the interviews.

“You need to mention in your contract where your data is to be stored in Australia; if your
company is big enough, you can put in the agreement that they use dedicated servers for
your business, that way you are not sitting on the same server as someone else. What sort of
security and uptime do they guarantee that the information will be available 99.99%? I think
it all comes down to the contract that you have with the provider because it is totally out of
your hand.” (FA5, Big 4)

Managing IT resources through a provider requires a different set of skills. Interviewees mentioned
that some organizations found it difficult to manage their providers.

“Organizations did not appreciate the actual effort required or the internal requirement and
the skill set to be able to support the journey to the cloud. They thought that somebody who
is good at looking at network and infrastructure, that manager can easily take on the role of
managing a cloud provider. They need to make sure they have the right capacity and
capability in their teams to be able to go to the cloud, it’s more of a contract management
role than a technology role.” (ITE1, Big 4)

Furthermore, cloud service providers may have an incentive to cheat on the SLA by providing a
user with less processing power than specified in the SLA. Zhang et al. (2013) proposed algorithms
that can act as third-party auditors (TPA) to detect SLA violations. Other authors have developed
automated TPA tools to verify the integrity of data on the cloud (Wang et al., 2013).

4.6. Cloud computing and forensics

Interviewees also referred to the “advantages” of cloud computing-based solutions for e-mail or file
back-up, which can help to prevent accidental or purposeful deletion of data by employees. This
capability was seen as an advantage in the case of forensic investigations, although the same could
be enforced using in-house IT systems.

24
 “If there is a litigation hold on your organization where you are not allowed to delete any e-
mail, this [cloud computing] service will stop that; you can enforce through your cloud
litigation hold and have access to archives for several years.” (ITE4, mid-tier)

A disadvantage attributable to cloud computing is its potential to complicate forensic investigations,

as suggested by Pollitt et al. (2008) and Taylor et al. (2010). Of particular concern is data that are
not retrievable because of a remote location. In such cases, valuable forensic evidence can be
missed. Many organizations in Australia therefore use cloud computing providers that partner with
local ICT firms such as Telstra to comply with local regulations and requirements. Additionally, the
use of multiple devices and interfaces coupled with pervasive encryption are factors that increase
the time and cost of forensic accounting (Garfinkel, 2010).

“For the theft of intellectual property cases we are dealing with right now, we have a lot of
cases at the moment that involve SkyDrive, Google Drive, basically the employees installing
the software on the machine or even using a web interface and transfer the company data to
the server, then they resign, go to another company, they download that data and give it to
the next employer. So it is theft of intellectual property, and it is difficult for us to do this
investigation in some cases because we don’t have access to that server, it is a Google server
sitting somewhere in America, and we don’t have the jurisdiction to go there and get the
data, Google is not going to give you the data, which we have tried and they said no.” (FA1,
mid-tier)

“If you want to go to the new employer and check their files to see if you can find an exact
copy of the previous company’s file on the second company’s server, you need to convince
the judge to give you permission to go to that company, and for that we need enough
evidence to prove that this person did actually upload some files to the Internet. In some
cases we do…..but in some cases, we can’t provide enough evidence because the use of
cloud is against us sometimes.” (FA1, mid-tier)

Overall, the interviews provided a rich account of the factors affecting the adoption decision of
organizations as perceived by external auditors. The evidence brings to the fore the role of political,
economic, and technological factors in adoption as demonstrated by the applicability of a range of
theories such as TAM, institutional theory, RBV, and TCE. The interviews highlight the rapid
growth of cloud computing, although the medium to large accounting firms and many of their
clients were increasingly adopting private (as opposed to public) cloud solutions for applications
associated with core capabilities. This was due to their desire to minimize compliance and security
risks. While a well-negotiated cloud contract is expected to provide financial benefits and agility to
organizations, the ultimate decision to adopt will rest with top management and their institutional
belief systems. These issues are further discussed under ‘Conclusions’ in the next section.

25
5. Conclusions

The purpose of this study was to explore external auditors’ perceptions of the reasons why
organizations do or do not adopt cloud computing in Australia. The contribution of this paper is the
qualitative evidence that it provides and the application of theoretical triangulation (Gioia and Pitre,
1990) to improve our understanding of cloud computing adoption. Additionally, to the best of my
knowledge, this is the first study that reports on cloud computing adoption from the perspective of
external auditors in accounting firms. Given the diversity of the literature and the relevant theories,
the paper adopts a multi-theoretical (Eisenhardt, 1989; Hesterly et al., 1990) and qualitative
approach to study the complex issues around the adoption of cloud computing services. This
approach helps to capture both the efficient-choice perspective associated with most of the theories
as well as the complementary institutional view of new technology adoption.

Interviews were conducted with ITEs and FAs working at three of the Big 4 accounting firms as
well as at five mid-tier accounting firms in Australia. As expected, the FAs were very
knowledgeable on the legal issues. The FAs were also familiar with the technical issues involved
with cloud computing because most of them had an IT background. However, the reverse was not
necessarily true i.e. some of the ITEs did not refer to the legal aspects of the cloud. There were no
notable differences between the perceptions of the participants from the Big 4 and the mid-tier
accounting firms. This was likely to be attributable to the similarities between the firms in terms of
the services they provided, their ‘IT sophistication’, and the high level of education and experience
of the participants.

The findings from the interviews reveal that, although cloud computing is gaining a strong foothold
in many Australian organizations, firms often opt for private or hybrid solutions instead of the
public cloud. Such a decision was the case for the accounting firms but was also true for many of
their clients. This approach seemed to be a deliberate and calculated action (Fishbein and Ajzen,
1975), as many medium to large (accounting) firms, as reported by the participants, placed
significant weight on the information security and confidentiality aspects of their data (Fishbein and
Ajzen, 1975). Often, applications that contained critical data were retained in house or were kept on
a dedicated leased server, whereas non-critical public data were moved offshore. Some firms also
chose a vendor such as AWS that partnered with a local provider such as Telstra to keep the data
onshore and therefore within the local jurisdiction. By using hybrid clouds, organizations could also
ensure that they complied with the recently introduced Australian Information Privacy Act. These

26
findings were consistent with the sentiment in the literature regarding the potential preference for
hybrid systems over the public cloud (Goscinski and Brock, 2010; Marston et al., 2011; Ross and
Blumenstein, 2013). These findings were also in agreement with some of the recent media
announcements by Australian firms with respect to their migration strategy to the cloud (e.g. Foo,
2013).

According to the interviewees, several institutional factors emerged. The interviewees

acknowledged the role of the government in promoting the technology in a normative manner
(Swanson and Ramiller, 1997). Some organizations also chose to mimic others by following the
“fad” and by potentially drawing on the common competence (Abrahamson, 1991; Swanson and
Ramiller, 2004). Additionally, adoption decisions were subject to the institutionalized beliefs of a
few executives in firms, which was consistent with the old institutional as well as the DOI theory
(Hamilton, 1932; Rogers, 2010).

Consistent with the literature, various advantages of cloud computing were identified that affect
firms’ intention to adopt cloud services, for example, in terms of IT cost management and
improvements in IT agility. Some cloud computing solutions were also perceived to have a higher
level of usability, which suggests that they are more likely to be accepted by users (Davis et al.,
1989). Such acceptance is important because usability is associated with usefulness and user
satisfaction and may lead to higher productivity (Calisir and Calisir, 2004; Donahue, 2001; Juristo
et al., 2007). Thus, when effectively integrated with an organization’s internal capabilities, cloud
computing could potentially contribute to the development of competitive resources (Garrison et al.,
2012; Ross and Blumenstein, 2013; Wernerfelt, 1984). However, it may also be subject to how well
the transaction costs and risks are managed (Williamson, 1985). If contract negotiation is poorly
executed, it might become more costly to use cloud services. Additionally, some organizations do
not seem to sufficiently understand the SLAs, or they have difficulty identifying their needs in
advance. These problems may increase the cost of using the service above what was initially
anticipated, thus diminishing the benefit of the cloud. Such firms may not be ready to outsource
their IT capabilities yet.

Contrary to the general belief about cloud computing, physical or network security was often not a
main concern for the interviewees, and even less so when onshore data centers were used.
Additionally, many of the interviewees indicated that security in the cloud is often better than in in-
house IT systems, especially in the case of reputable and third-party-audited vendors. Furthermore,

27
cloud computing should not be viewed as a quick fix to secure the organizational IT environment,
and even less so when appropriate internal controls are absent. While migrating to the cloud can
protect servers from external attacks, the service does not make up for poor internal controls.
Therefore, the risk of fraud and accidental/intentional damage will persist if internal controls are not
addressed during the migration process.

After all, cloud computing is a form of outsourcing, and the traditional ITO literature identifies
more than 40 risks in relation to moving computing resources to an external provider (Lacity et al.,
2009). Whereas some of those risks, such as cost overruns and vendor lock-ins, may be better
managed in the cloud era through better planning, contracting, and cloud standards, other risks may
become more profound due to virtualization (in the case of the public cloud) and the Internet. Cloud
computing may also create new opportunities for employees to commit fraud, e.g., through illegal
document uploads. Such actions may complicate forensic investigations, and in some cases,
forensic evidence may be lost, especially when foreign jurisdictions are involved. Traditionally, the
ITO literature suggests a phased and selective approach to outsourcing that can minimize the risks
associated with new technologies and new vendor relationships (Earl, 1989; Willcocks et al., 1995).
This approach may be an option as well, or alternatively, organizations can adopt private or hybrid
solutions that provide higher levels of control but at a higher cost, which was a strategy followed by
many of the firms mentioned in the interviews.

As evident from the study, there does not seem to be an equally large incentive for large
organizations to migrate to the public cloud as there is for SMEs. Although many of the benefits of
using the cloud accrue from the public cloud setting, large organizations such as the Big 4
accounting firms or multinationals may have the internal economies of scale to run their own
private clouds or to lease dedicated data centers. Additionally, according to a controversial
McKinsey Consulting survey, a best of breed data center of a large organization can operate with
higher efficiencies and at lower costs than cloud providers can achieve (as cited in Marston et al.,
2011). It is therefore logical to conclude that public cloud computing services are better suited for
SMEs, whereas hybrid clouds are a better fit for larger firms. Additionally, some industries are less
likely to move into the public cloud, partly due to data export limitations as in the banking sector
but also when security/data privacy is a top priority. It was therefore perhaps not surprising that
none of the accounting firms in the sample used public cloud services to store critical data. In any
case, cloud computing is envisioned to grow at a rapid pace, which will shift the focus from IT

28
resources as a source for competitive advantage to the way they are deployed, managed, and aligned
with an organization’s strategy in a continuous fashion.

5.1. Limitations and future research

The first limitation relates to the interviewees, who were not the IT decision makers within their
accounting firms. Although the external auditors’ perceptions provided valuable insights, their
statements do not represent the official position of the accounting firms but their personal views.
This limitation opens up an opportunity for future research, i.e., studies in the future would benefit
from interviewing the IT decision makers (or board members) within (accounting) firms. Another
limitation of the study relates to the interviewees’ perceptions of cloud computing by drawing on
their engagements with client firms, which inevitably led to some generalizations. Although similar
approaches exist in the literature (Cohen et al., 2010; Cohen et al., 2002; Wright and Wright, 2002),
data collected directly from clients might have offered additional insight. Furthermore, the sample
did not include any small accounting firms. Their situation might be quite different from those of
larger accounting firms, as public cloud computing services appear to be a better fit for smaller
firms who lack economies of scale (Marston et al., 2011). Therefore, future studies might want to
focus on small accounting firms to see whether the findings are comparable. In terms of what
methods to pursue in the future, both quantitative and qualitative studies would be welcome.
Studies in the future could test hypotheses drawing on institutional theory to confirm the findings of
the study. For example, which institutional pressures (mimetic, coercive, normative) are more
salient in cloud computing adoption and are they likely to differ across industries? Additionally,
future studies could combine institutional theory with, for example, the TRA or TAM to test for
moderation effects. Furthermore, research is needed to measure the actual benefits of cloud
computing rather than the expected benefits using cross-sectional data from organizations that
actually use cloud services. However, case study research reporting on the use of specific cloud
computing solutions such as cloud-based enterprise resource planning systems might also be
beneficial. This approach would help to identify issues that may not be immediately apparent.
Finally, more research is welcome that focuses on technology adoption and use by accounting
firms, which is currently very limited or dated.

Overall, the findings from this study confirm some of the speculation presented in the literature but
also provide additional insight from the perspective of external auditors. The findings are expected

29
to be transferable to other countries such as the United States, Canada, and the United Kingdom due
to cultural and organizational similarities across these nations (Hofstede, 2001). Researchers and
practitioners will find this study valuable because of its empirical depth and theoretical scope, as
well as the new perspective it provides, that of external auditors.

30
References
Abrahamson, E. Managerial fads and fashions: The diffusion and rejection of innovations.
Academy of management review, 1991 16(3): 586-612.
Abrahamson, E. Management fashion. Academy of management review, 1996 21(1): 254-285.
Alchian, A. A., and Demsetz, H. Production, information costs, and economic organization. The
American Economic Review, 1972: 777-795.
Alshamaila, Y., Papagiannidis, S., and Li, F. Cloud computing adoption by SMEs in the north east
of England: A multi-perspective framework. Journal of Enterprise Information
Management, 2013 26(3): 250-275.
Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., et al. A view of cloud
computing. Communications of the ACM, 2010 53(4): 50-58.
Aron, R., Clemons, E. K., and Reddi, S. Just right outsourcing: understanding and managing risk.
Journal of Management Information Systems, 2005 22(2): 37-55.
Banker, R. D., Chang, H., and Kao, Y.-c. Impact of information technology on public accounting
firm productivity. Journal of Information Systems, 2002 16(2): 209-222.
Barthelemy, J. The hidden costs of IT outsourcing. Mit Sloan Management Review, 2001 42(3): 60-
69.
Beaumont, N., and Costa, C. Information technology outsourcing in Australia. Information
Resources Management Journal (IRMJ), 2002 15(3): 14-31.
Benlian, A., and Hess, T. Opportunities and risks of software-as-a-service: Findings from a survey
of IT executives. Decision Support Systems, 2011 52(1): 232-246.
Bizarro, P. A., and Garcia, A. VIRTUALIZATION: BENEFITS, RISKS, AND CONTROL.
Internal Auditing, 2013 28(4): 11-18.
Bradford, M., and Florin, J. Examining the role of innovation diffusion factors on the
implementation success of enterprise resource planning systems. International Journal of
Accounting Information Systems, 2003 4(3): 205-225.
Braun, R. L., and Davis, H. E. Computer-assisted audit tools and techniques: Analysis and
perspectives. Managerial Auditing Journal, 2003 18(9): 725-731.
Brender, N., and Markov, I. Risk perception and risk management in cloud computing: Results
from a case study of Swiss companies. International Journal of Information Management,
2013 33(5): 726-733.
Bush, A. A., Tiwana, A., and Rai, A. Complementarities between product design modularity and IT
infrastructure flexibility in IT-enabled supply chains. Engineering Management, IEEE
Transactions on, 2010 57(2): 240-254.
Calisir, F., and Calisir, F. The relation of interface usability characteristics, perceived usefulness,
and perceived ease of use to end-user satisfaction with enterprise resource planning (ERP)
systems. Computers in Human Behavior, 2004 20(4): 505-515.
Carroll, G., Goodstein, J., and Delacroix, J. (1986). The political environments of organizations: An
ecological view: Produced and distributed by Center for Research in Management,
University of California, Berkeley Business School.
Cavusoglu, H., Mishra, B., and Raghunathan, S. The effect of internet security breach
announcements on market value: Capital market reactions for breached firms and internet
security developers. International Journal of electronic commerce, 2004 9(1): 70-104.
Chai, S., Kim, M., and Rao, H. R. Firms' information security investment decisions: Stock market
evidence of investors' behavior. Decision Support Systems, 2011 50(4): 651-661.
Chandra, A., Menon, N. M., and Mishra, B. K. Budgeting for information technology. International
Journal of Accounting Information Systems, 2007 8(4): 264-282.
Chau, P. Y., and Tam, K. Y. Factors Affecting the Adoption of Open Systems: An Exploratory
Study. MIS quarterly, 1997 21(1).

31
Chen, Y., and Bharadwaj, A. An empirical analysis of contract structures in IT outsourcing.
Information Systems Research, 2009 20(4): 484-506.
Chong, A. Y.-L., and Ooi, K.-B. Adoption of interorganizational system standards in supply chains:
an empirical analysis of RosettaNet standards. Industrial Management & Data Systems,
2008 108(4): 529-547.
Clegg, C., Axtell, C., Damodaran, L., Farbey, B., Hull, R., Lloyd-Jones, R., Nicholls, J., Sell, R.,
and Tomlinson, C. Information technology: a study of performance and the role of human
and organizational factors. Ergonomics, 1997 40(9): 851-871.
Clemons, E. K., and Chen, Y. (2011). Making the decision to contract for cloud services: managing
the risk of an extreme form of IT outsourcing. Paper presented at the System Sciences
(HICSS), 2011 44th Hawaii International Conference on.
Clemons, E. K., and Hitt, L. M. Poaching and the misappropriation of information: Transaction
risks of information exchange. Journal of Management Information Systems, 2004 21(2):
87-107.
Clemons, E. K., and Row, M. C. Information technology and industrial cooperation: the changing
economics of coordination and ownership. Journal of Management Information Systems,
1992 9(2): 9-28.
Cohen, J., Krishnamoorthy, G., and Wright, A. Corporate Governance in the Post‐Sarbanes‐Oxley
Era: Auditors’ Experiences*. Contemporary Accounting Research, 2010 27(3): 751-786.
Cohen, J., Krishnamoorthy, G., and Wright, A. M. Corporate governance and the audit process*.
Contemporary Accounting Research, 2002 19(4): 573-594.
Corbin, J., and Strauss, A. (2008). Basics of qualitative research: Techniques and procedures for
developing grounded theory. US: Sage.
Cousins, P. D., and Menguc, B. The implications of socialization and integration in supply chain
management. Journal of Operations Management, 2006 24(5): 604-620.
Crabtree, B. F. (1999). Doing qualitative research: Sage Publications.
Davis, F. D., Bagozzi, R. P., and Warshaw, P. R. User acceptance of computer technology: a
comparison of two theoretical models. Management science, 1989 35(8): 982-1003.
Depietro, R., Wiarda, E., and Fleischer, M. (1990). The context for change: Organization,
technology and environment. In L. G. Tornatzy & F. Mitchell (Eds.), The processes of
technological innovation (pp. 151-175). Lexington, Mass.: Lexington Books.
DiMaggio, P. J. Interest and agency in institutional theory. Institutional patterns and organizations:
Culture and environment, 1988 1: 3-22.
DiMaggio, P. J., and Powell, W. W. The iron cage revisited: Institutional isomorphism and
collective rationality in organizational fields. American sociological review, 1983 48(April):
147-160.
Donahue, G. M. Usability and the bottom line. IEEE software, 2001 18(1): 31-37.
Dowling, C., and Leech, S. A. A Big 4 Firm's Use of Information Technology to Control the Audit
Process: How an Audit Support System is Changing Auditor Behavior. Contemporary
Accounting Research, 2014 31(1): 230-252.
Earl, M. J. (1989). Management Strategies for Information Technology: Prentice-Hall. Edwards.
Egwutuoha, I. P., Schragl, D., and Calvo, R. A Brief Review of Cloud Computing, Challenges and
Potential Solutions. Parallel & Cloud Computing, 2013 2(1).
Eisenhardt, K. M. Making fast strategic decisions in high-velocity environments. Academy of
Management journal, 1989 32(3): 543-576.
Empson, L. Organizational identity change: managerial regulation and member identification in an
accounting firm acquisition. Accounting, Organizations and Society, 2004 29(8): 759-781.
Feeny, D. F., and Willcocks, L. P. Core IS capabilities for exploiting information technology. Sloan
Management Review, 1998 39(3): 9-21.

32
Fishbein, M., and Ajzen, I. (1975). Belief, attitude, intention and behavior: An introduction to
theory and research.
Foo, F. (2013, 6/08/2014). NAB eyes big gains with cloud provider. The Australian. Retrieved,
from http://www.theaustralian.com.au/technology/nab-eyes-big-gains-with-cloud-
provider/story-e6frganx-1226730224064, last access: 08/06.2015
Foster, I., Zhao, Y., Raicu, I., and Lu, S. (2008). Cloud computing and grid computing 360-degree
compared. Paper presented at the Grid Computing Environments Workshop, 2008. GCE'08,
Austin Tx.
Francis, H. (2014). SMEs still scared of the cloud: ACMA. Retrieved, from
http://www.theaustralian.com.au/business/latest/eighty-per-cent-of-aussies-using-the-cloud-
acma/story-e6frg90f-1226865028456, last access: 08/06/2015
Garfinkel, S. L. Digital forensics research: The next 10 years. Digital Investigation, 2010 7: S64-
S73.
Garling, C. (2012). Cloud’ Data Center Closes Because Federal Agencies Prefer Earth. Retrieved,
from http://www.wired.com/wiredenterprise/2012/02/harris/, last access: 09/06/2015
Garrison, G., Kim, S., and Wakefield, R. L. Success factors for deploying cloud computing.
Communications of the ACM, 2012 55(9): 62-68.
Gartner. (2013). Gartner Says Worldwide Public Cloud Services Market to Total $131 Billion.
Retrieved, from http://www.gartner.com/newsroom/id/2352816, last access: 09/06/2015
Gelinas, U., Dull, R., and Wheeler, P. (2011). Accounting information systems: Cengage Learning.
Gewald, H., and Dibbern, J. Risks and benefits of business process outsourcing: A study of
transaction services in the German banking industry. Information & Management, 2009
46(4): 249-257.
Gioia, D. A., and Pitre, E. Multiparadigm perspectives on theory building. Academy of
management review, 1990 15(4): 584-602.
Glaser, B. G. (1998). Doing grounded theory: Issues and discussions: Sociology Press.
Gonzalez, R., Gasco, J., and Llopis, J. Information systems outsourcing: A literature analysis.
Information & Management, 2006 43(7): 821-834.
Goscinski, A., and Brock, M. Toward dynamic and attribute based publication, discovery and
selection for cloud computing. Future Generation Computer Systems, 2010 26(7): 947-970.
Gray, D. Forensic accounting and auditing: compared and contrasted to traditional accounting and
auditing. American Journal of Business Education (AJBE), 2011 1(2): 115-126.
Grobauer, B., Walloschek, T., and Stocker, E. Understanding cloud computing vulnerabilities.
Security & privacy, IEEE, 2011 9(2): 50-57.
Gupta, P., Seetharaman, A., and Raj, J. R. The usage and adoption of cloud computing by small and
medium businesses. International Journal of Information Management, 2013 33(5): 861-
874.
Hall, J. (2012). Accounting information systems: Cengage Learning.
Hambrick, D. C. Upper echelons theory: An update. Academy of management review, 2007 32(2):
334-343.
Hamilton, W. H. Institution. Encyclopaedia of the social sciences, 1932 8: 84-89.
Henderson, J. C., and Venkatraman, N. Strategic alignment: Leveraging information technology for
transforming organizations. IBM systems journal, 1993 32(1): 4-16.
Henderson, J. C., Venkatraman, N., and Oldach, S. Aligning business and IT strategies. Competing
in the information age: Strategic alignment in practice, 1996: 21-42.
Hesterly, W. S., Liebeskind, J., and Zenger, T. R. Organizational economics: an impending
revolution in organization theory? Academy of management review, 1990 15(3): 402-420.
Hofstede, G. H. (2001). Culture's consequences: Comparing values, behaviors, institutions and
organizations across nations: Sage.

33
Holmström, B. Managerial incentive problems: A dynamic perspective. The Review of Economic
Studies, 1999 66(1): 169-182.
Holmstrom, B., and Costa, J. R. I. Managerial incentives and capital management. The Quarterly
Journal of Economics, 1986 101(4): 835-860.
Hong, W., and Zhu, K. Migrating to internet-based e-commerce: Factors affecting e-commerce
adoption and migration at the firm level. Information & Management, 2006 43(2): 204-221.
Hooper, C., Martini, B., and Choo, K.-K. R. Cloud computing and its implications for cybercrime
investigations in Australia. Computer Law & Security Review, 2013 29(2): 152-163.
Hsu, P.-F., Ray, S., and Li-Hsieh, Y.-Y. Examining cloud computing adoption intention, pricing
mechanism, and deployment model. International Journal of Information Management, 2014
34(4): 474-488.
IBM. (2011). New Global IBM Study Confirms Cloud Computing Poised to Take Off at
Companies. Retrieved, from http://www-03.ibm.com/press/us/en/pressrelease/34530.wss,
last access: 8/06/2015
Ibrahim, M., and Ribbers, P. M. The impacts of competence-trust and openness-trust on
interorganizational systems. European Journal of Information Systems, 2009 18(3): 223-
234.
Jensen, M. C. Agency cost of free cash flow, corporate finance, and takeovers. Corporate Finance,
and Takeovers. American Economic Review, 1986 76(2).
Juristo, N., Moreno, A. M., and Sanchez-Segura, M.-I. Analysing the impact of usability on
software design. Journal of Systems and Software, 2007 80(9): 1506-1516.
Karadsheh, L. Applying security policies and service level agreement to IaaS service model to
enhance security and transition. Computers & Security, 2012 31(3): 315-326.
Katz, M. L., and Shapiro, C. Network externalities, competition, and compatibility. The American
Economic Review, 1985: 424-440.
Kern, T., and Willcocks, L. Exploring relationships in information technology outsourcing: the
interaction approach. European Journal of Information Systems, 2002 11(1): 3-19.
Kluwer, W. (2013). Survey.
Kshetri, N. Privacy and security issues in cloud computing: The role of institutions and institutional
evolution. Telecommunications Policy, 2013 37(4): 372-386.
Lacity, M. C., Khan, S. A., and Willcocks, L. P. A review of the IT outsourcing literature: Insights
for practice. Journal of Strategic Information Systems, 2009 18(3): 130-146.
Lacity, M. C., Willcocks, L. P., and Khan, S. Beyond transaction cost economics: towards an
endogenous theory of information technology outsourcing. The Journal of Strategic
Information Systems, 2011 20(2): 139-157.
Lee, S., and Kim, K.-j. Factors affecting the implementation success of Internet-based information
systems. Computers in Human Behavior, 2007 23(4): 1853-1880.
Lee, S.-G., Chae, S. H., and Cho, K. M. Drivers and inhibitors of SaaS adoption in Korea.
International Journal of Information Management, 2013 33(3): 429-440.
Leimeister, S., Böhm, M., Riedl, C., and Krcmar, H. (2010). The Business Perspective of Cloud
Computing: Actors, Roles and Value Networks. Paper presented at the ECIS 2010, South
Africa.
Lian, J.-W., Yen, D. C., and Wang, Y.-T. An exploratory study to understand the critical factors
affecting the decision to adopt cloud computing in Taiwan hospital. International Journal of
Information Management, 2014 34(1): 28-36.
Liang, H., Saraf, N., Hu, Q., and Xue, Y. Assimilation of enterprise systems: the effect of
institutional pressures and the mediating role of top management. MIS quarterly, 2007
31(1): 59-87.
Lin, A., and Chen, N.-C. Cloud computing as an innovation: Percepetion, attitude, and adoption.
International Journal of Information Management, 2012 32(6): 533-540.

34
Loh, L., and Venkatraman, N. Diffusion of information technology outsourcing: influence sources
and the Kodak effect. Information Systems Research, 1992 3(4): 334-358.
Low, C., Chen, Y., and Wu, M. Understanding the determinants of cloud computing adoption.
Industrial Management & Data Systems, 2011 111(7): 1006-1023.
Malmi, T. Activity-based costing diffusion across organizations: an exploratory empirical analysis
of Finnish firms. Accounting, Organizations and Society, 1999 24(8): 649-672.
March, J. G. Bounded rationality, ambiguity, and the engineering of choice. The Bell Journal of
Economics, 1978: 587-608.
March, J. G., and Simon, H. A. Organizations. 1958.
Marston, S., Li, Z., Bandyopadhyay, S., Zhang, J., and Ghalsasi, A. Cloud computing - The
business perspective. Decision Support Systems, 2011 51(1): 176-189.
Modi, S. B., Wiles, M. A., and Mishra, S. Shareholder value implications of service failures in
triads: The case of customer information security breaches. Journal of Operations
Management, 2014.
Myers, M. D., and Newman, M. The qualitative interview in IS research: Examining the craft.
Information and Organization, 2007 17(1): 2-26.
Neuman, W. L. (2005). Social research methods: Quantitative and qualitative approaches: Allyn
and Bacon.
Oliveira, T., and Martins, M. F. Literature Review of Information Technology Adoption Models at
Firm Level. Electronic Journal of Information Systems Evaluation, 2011 14(1).
Parent, M., and Reich, B. H. Governing information technology risk. California Management
Review, 2009 51(3): 134-152.
Pearson, S., Shen, Y., and Mowbray, M. (2009). A privacy manager for cloud computing Cloud
Computing (Vol. 5931, pp. 90-106). Berlin Heidelberg: Springer.
Pollitt, M., Nance, K., Hay, B., Dodge, R. C., Craiger, P., Burke, P., Marberry, C., and Brubaker, B.
Virtualization and digital forensics: a research and education agenda. Journal of Digital
Forensic Practice, 2008 2(2): 62-73.
Premkumar, G., Ramamurthy, K., and Nilakanta, S. Implementation of electronic data interchange:
an innovation diffusion perspective. Journal of Management Information Systems, 1994:
157-186.
Preston, D. S., and Karahanna, E. Antecedents of IS strategic alignment: a nomological network.
Information Systems Research, 2009 20(2): 159-179.
PWC. (2012). Cybercrime: Out of obscurity and into reality.
Reich, B. H., and Benbasat, I. Measuring the linkage between business and information technology
objectives. MIS quarterly, 1996: 55-81.
Rogers, E. M. (2010). Diffusion of innovations: Simon and Schuster.
Rogers, E. M., and Shoemaker, F. F. Diffusion of innovation: A cross-cultural approach. New York,
1983.
Ross, P., and Blumenstein, M. Cloud computing: the nexus of strategy and technology. Journal of
Business Strategy, 2013 34(4): 39-47.
Ryan, W. M., and Loeffler, C. M. Insights into cloud computing. Intellectual Property &
Technology Law Journal, 2010 22(11): 22-28.
Saunders, C., Gebelt, M., and Hu, Q. Achieving success in information systems outsourcing.
California Management Review, 1997 39(2): 63-79.
Scott, W. R. The adolescence of institutional theory. Administrative science quarterly, 1987: 493-
511.
SGI. (2009). CHAOS Summary 2009. Retrieved, from
http://www.google.com.au/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CB0QFj
AA&url=http%3A%2F%2Fwww.portal.state.pa.us%2Fportal%2Fserver.pt%2Fdocument%

35
 2Fstandish_group_chaos_summary_2009_pdf&ei=SiyqVKuLJsbQmAWosICoCg&usg=AF
QjCNGV1XYLFw7JKByfJCytjS5f9wUXXw, last access: 5/1/2015
Subashini, S., and Kavitha, V. A survey on security issues in service delivery models of cloud
computing. Journal of Network and Computer Applications, 2011 34(1): 1-11.
Sultan, N. A. Reaching for the “cloud”: How SMEs can manage. International Journal of
Information Management, 2011 31(3): 272-278.
Sutcliffe, K. M., and Zaheer, A. Uncertainty in the transaction environment: an empirical test.
Strategic Management Journal, 1998 19: 1-23.
Swanson, E. B., and Ramiller, N. C. The organizing vision in information systems innovation.
Organization Science, 1997 8(5): 458-474.
Swanson, E. B., and Ramiller, N. C. Innovating mindfully with information technology. MIS
quarterly, 2004 28(4): 553-583.
Tallon, P. P. A process-oriented perspective on the alignment of information technology and
business strategy. Journal of Management Information Systems, 2007 24(3): 227-268.
Taylor, M., Haggerty, J., Gresty, D., and Hegarty, R. Digital evidence in cloud computing systems.
Computer Law & Security Review, 2010 26(3): 304-308.
Tornatzky, L. G., Fleischer, M., and Chakrabarti, A. K. Processes of technological innovation.
1990.
Urquhart, C. The evolving nature of grounded theory method: The case of the information systems
discipline. The Sage handbook of grounded theory, 2007: 339-359.
Van Akkeren, J., Buckby, S., and MacKenzie, K. A metamorphosis of the traditional accountant:
An insight into forensic accounting services in Australia. Pacific Accounting Review, 2013
25(2): 188-216.
Van de Ven, A. H., and Ferry, D. L. (1980). Measuring and assessing organizations: Wiley New
York.
Venkatesh, V., and Bala, H. Technology acceptance model 3 and a research agenda on
interventions. Decision sciences, 2008 39(2): 273-315.
Venkatesh, V., Morris, M. G., Davis, G. B., and Davis, F. D. User acceptance of information
technology: Toward a unified view. MIS quarterly, 2003 27(3).
Wang, C., Chow, S. S., Wang, Q., Ren, K., and Lou, W. Privacy-preserving public auditing for
secure cloud storage. Computers, IEEE Transactions on, 2013 62(2): 362-375.
Wernerfelt, B. A resource‐based view of the firm. Strategic Management Journal, 1984 5(2): 171-
180.
Willcocks, L., Fitzgerald, G., and Feeny, D. Outsourcing IT: The strategic implications. Long
Range Planning, 1995 28(5): 59-70.
Willcocks, L. P., and Feeny, D. IT outsourcing and core IS capabilities: challenges and lessons at
Dupont. Information Systems Management, 2006 23(1): 49.
Willcocks, L. P., Lacity, M. C., and Kern, T. Risk mitigation in IT outsourcing strategy revisited:
longitudinal case research at LISA. The Journal of Strategic Information Systems, 1999
8(3): 285-314.
Williamson, O. (1985). The economic institutions of capitalism. New York: The Free Press.
Wright, P. M., and McMahan, G. C. Theoretical perspectives for strategic human resource
management. Journal of management, 1992 18(2): 295-320.
Wright, S., and Wright, A. M. Information system assurance for enterprise resource planning
systems: unique risk considerations. Journal of Information Systems, 2002 16(s-1): 99-113.
Wu, W.-W. Mining significant factors affecting the adoption of SaaS using the rough set approach.
Journal of Systems and Software, 2011 84(3): 435-441.
Wu, Y., Cegielski, C. G., Hazen, B. T., and Hall, D. J. Cloud Computing in Support of Supply
Chain Information System Infrastructure: Understanding When to go to the Cloud. Journal
of Supply Chain Management, 2013 49(3): 25-41.

36
Wüllenweber, K., Beimborn, D., Weitzel, T., and König, W. The impact of process standardization
on business process outsourcing success. Information Systems Frontiers, 2008 10(2): 211-
224.
Yang, H., and Tate, M. A descriptive literature review and classification of cloud computing
research. Communications of the Association for Information Systems, 2012 31(2): 35-60.
Yigitbasioglu, O. Modelling the Intention to Adopt Cloud Computing Services: A Transaction Cost
Theory Perspective. Australasian Journal of Information Systems, 2014 18(3).
Yigitbasioglu, O., Mackenzie, K., and Low, R. Cloud Computing: How does it differ from IT
outsourcing and what are the implications for practice and research? The International
Journal of Digital Accounting Research, 2013 13(1): 99-121.
Young, R. (2006). HB280-2006: Case Studies–How Boards and Senior Management Have
Governed ICT Projects to Succeed (or Fail): Sydney: Standards Australia.
Youseff, L., Butrico, M., and Da Silva, D. (2008). Toward a Unified Ontology of Cloud Computing.
Paper presented at the Gce: 2008 Grid Computing Environments Workshop, Austin TX.
<Go to ISI>://000265406000006
Zhang, H., Ye, L., Shi, J., Du, X., and Guizani, M. Verifying cloud service‐level agreement by a
third‐party auditor. Security and Communication Networks, 2013.
Zhu, K., Kraemer, K. L., and Xu, S. The process of innovation assimilation by firms in different
countries: a technology diffusion perspective on e-business. Management science, 2006
52(10): 1557-1576.

37
Study Variable and relation to adoption if Theory, Method, Sample
applicable
Benlian and Hess Security risks (-), performance risks (-), TRA,
(2011) hidden costs (-) strategic risks (-), cost Survey
advantages (+), quality improvements German companies
(+), strategic flexibility (+)

Sultan (2011) Scalability, cost structure, security No particular theory

Small Case Study

Low et al. (2011) Relative advantage (-), top management TOE,

support (+), firm size (+), competitive Survey
pressure (+), and trading partner power High-tech industry in
(+) Taiwan

Wu (2011) Expert opinions, speed, security of back- TAM (Rough Set Theory)
ups Survey
Taiwan

Lin and Chen (2012) Compatibility with IS policy, TOE

development environment, business Interviews
needs, security and standardisation Taiwan

Alshamaila et al. Relative advantage, uncertainty, geo- TOE

(2013) restriction, compatibility, trialability, Interviews
size, top management support, England
innovativeness, prior experience, etc.

Brender and Markov Various risks No particular theory

(2013) Case study
Switzerland

38
Lee et al. (2013) Various drivers (cost reduction, PEST Analysis,
economies of scale, ease of maintenance, Analytical Hierarchy
access to new software etc.) and Process
inhibitors (distrust in security, South Korea
possessiveness of IT resources, legal
issues, lack of understanding etc.)

Wu et al. (2013) Business process complexity (-), IPV and DOI

information system compatibility (-), Survey
entrepreneurial culture (+) and US manufacturing and
application functionality (+) retail

Gupta et al. (2013) Cost reduction (+), security and privacy No particular theory
(+), and ease of use (+) Survey
SME’s in India,
Singapore, Malaysia,
USA

Hsu et al. (2014) Perceived benefits (+), business concerns TOE

(-), IT capability (+) Survey
Taiwan

Lian et al. (2014) Data security, perceived technical TOE and HOT-fit model
competence, cost, top manager support, Survey
complexity Hospitals in Taiwan

Yigitbasioglu (2014) Perceived vendor opportunism (-), TCE

perceived security risk (-) Survey
Australia
Table 1: Empirical Studies on Cloud Computing Adoption

39
Appendix 1: Interview Guide

1. Is your firm or any of your clients using cloud computing?

2. If not, are you planning to use cloud computing services in the future?
3. What factors played a role in opting for cloud computing?
4. What factors played a role in deciding against cloud computing?
5. What motives drive cloud computing adoption in your opinion?
6. What is the role of external factors such as competitors’ actions, media and/or government
statements in opting for or deciding against cloud computing?
7. What are the benefits of cloud computing?
8. What types of applications are moved to the cloud, core or non-core?
9. Will this change in the future?
10. What new capabilities does cloud computing offer to your firm or clients?
11. What types of risks do you see with cloud computing?
12. How can those risks be addressed?
13. What types of IT governance procedures have to be in place to address the risks?
14. Have you or any of your clients had any problems with cloud computing services?
15. Can you please comment on the benefits obtained so far from using cloud computing services?
16. Have the benefits met your expectations? If not, why?
17. What are the implications of cloud computing from a forensic accounting point of view?
18. How does cloud computing affect forensic investigations?

40
Appendix 2: Interviewee demographics

Code Job Title Service Experience Firm Size

Area (years)
ITE1 Director IT 19 Big 4
ITE2 Senior Data IT 7 Big 4
Analyst
ITE3 Director IT 20 Big 4
ITE4 Senior Manager IT 15 Mid-tier
ITE5 Senior Manager IT 16 Mid-tier
ITE7 Senior Data IT 11 Mid-tier
Analyst
ITE8 Senior Manager IT 13 Big 4
ITE9 Senior Manager IT 12 Mid-tier
ITE10 Senior Manager IT 9 Big 4
FA1 Senior Digital Digital 8 Mid-tier
Forensic Analyst Forensics
FA2 Senior Consultant Fraud 10 Big 4
FA3 Partner Forensic 25 Mid-tier
FA4 Senior Consultant Fraud 12 Big 4
FA5 Senior Forensic Fraud 9 Big 4
Analyst
FA6 Forensic Analyst Forensic 6 Mid-tier

41