Factors associated with IT audits by the internal audit function

1
Factors associated with IT audits by the internal
audit function

• Mohammad J. Abdolmohammadi
• Scott R. Boss
• Bentley University

2
Outline

• Introduction
• Background and Research Questions
• Model Specification
• Research Method
• Results
• Discussion and implications
• Summary
• Conclusions/Future Research

3
Having an Internal Audit Function is unavoidable

• Internal Audit Function (IAF) is increasingly a
  part of corporate governance
• NYSE requires an IAF for listed companies
• Regulations outside the US (Australia, UK, etc.)
  strongly encourage existence of IAF

Introduction
4
Having an Internal Audit Function is unavoidable

• Respondents in our data indicated that internal
  auditing was required
• 2006 56.4 percent
• 2009 (estimated) 66.1 percent

Introduction
5
Impact of SOX (2002) on the IAF

• Enormous strain on the most resources
• External auditors are no longer allowed to
  provide consulting services
• Documenting and evaluating internal control
  systems largely fallen to the IAF
• IAFs are looking to re-balance their efforts
• Less documenting
• More testing

Introduction
6
What are the costs?

• Sufficient personnel
• Personnel sufficiently trained
• Personnel sufficiently trained in specialties
  that were previously handled by external auditors
• IT Audits

Introduction
7
IT Audits

• An audit of computer-based aspects of information
  systems
• AU 319.30 requires IT audits when there is/are a
• Complex systems that rely on IT controls
• Significant change in IT systems (replacement)
• Extensive data sharing between systems
• Involvement in e-commerce
• Use emerging technology
• Significant portions of potential audit evidence
  is electronic

Introduction
8
IT Audits

• Typically auditors must possess specialized
  skills
• Possibly specialized certifications
• IT knowledge is essential for IT auditors to
  function effectively

Introduction
9
The IAF and IT audits?

• Is the IAF involved?
• To what degree is the IAF involved?
• How is the involvement compared to the past?
• The future?
• Which variables are potentially associated with
  IT audits by the IAF?
• RQ1 What proportion of IAFs time is spent on
  IT audits?

Research Questions
10
Explanatory Variables

• Do certifications have an effect on IT Audits?
• Proxy for Skills/Technical knowledge
• CISA certification
• Other certifications?
• RQ2a CISA certification?
• RQ2b CIA certification?
• RQ2c CPA certification?
• RQ2d CMA certification?

Research Questions
11
Explanatory Variables

• Professional certifications require continuous
  professional education (CPE)
• CIAs 80 hours/24 months
• Only a portion likely to be technical training
• RQ3 Is basic and/or advanced technology
  training positively related to IT audits by IAFs?

Research Questions
12
Explanatory Variables

• Organizational knowledge
• Experience within the firm
• Longevity
• RQ4 Is the age of the IAF positively related to
  IT audits?

Research Questions
13
Control Variables

• Chief Audit Executive (CAE) characteristics
• Experience (years)
• Academic degree (grad vs. undergrad)
• Academic major (CS/IS vs. other)
• IAF Group (Old Commonwealth vs Non-Commonwealth
• US (Non)
• Australia, Canada, New Zealand, UK/Ireland (Old)
• Size of the organization (not the IAF size)

Research Questions
14
Model Specification

• OLS Regression Model
• ITAudit a ?1CISA ?2CIA ?3CPA ?4CMA
  ?5Training ?6IAFage ?7CAEexp ?8CAEDegree
  ?9CAEMajor ?10Group ?11LnEmploy e

Model Specification
15
Model Specification
Variable Explanation
ITAudit Proportion of IAF time spent on IT audits
CISA Proportion of IAF that is certified as CISA
CIA Proportion of IAF that is certified as CA
CPA Proportion of IAF that is certified as CPA
CMA Proportion of IAF that is certified as CMA
Training Training of the IAF professional staff on basic/advanced technology.
IAFage Number of years that IAF has been in existence in the organization
CAEexp Years of experience as CAE
CAEDegree Graduate degree 1, undergraduate degree 0
CAEMajor Information systems or computer science 1, 0 otherwise
Group Binary (0/1) 0 if US, 1 if other
LnEmploy Natural logarithm of total number of employees (full-time equivalent)
e Error term
Model Specification
16
CBOK Database

• Survey of internal auditors world-wide
• Listing of issues of concern to the IAF
• Populated by the Institute of Internal Auditors
  (IIA)
• Utilized CAE responses (1,029)
• Knowledge of the IAF
• Knowledge about their staff

Data
17
Data Characterization

• 1,029 responses
• US 760 (74)
• Australia 72 (7)
• Canada 116 (11)
• New Zealand 13 (1)
• UK/Ireland 68 (7)

Data
18
Table 1Descriptive Statistics RQ1
Results
19
Table 1Descriptive Statistics RQ1
Results
20
Table 1Descriptive Statistics RQ1
Results
21
Table 1Descriptive Statistics RQ1
Results
22
Table 1 Descriptive Statistics Explanatory
Results
23
Table 1 Descriptive Statistics Explanatory
Results
24
Table 1 Descriptive Statistics Explanatory
Results
25
Table 1 Descriptive Statistics Explanatory
Results
26
Training

1. Never
3. Less frequently than annually
5. More frequently than annually

Results
27
Table 1 Descriptive Statistics Explanatory
Results
28
Table 1 Descriptive Statistics Explanatory
Results
29
Table 1Descriptive Statistics Control
Results
30
Table 1Descriptive Statistics Control
Results
31
Table 1Descriptive Statistics Control
Results
32
Table 1Descriptive Statistics Control
Results
33
Table 2Correlation Matrix
Results
34
Table 2Correlation Matrix
Results
35
Table 2Correlation Matrix
Results
36
Models

• Model 1 CISA Certification
• Model 2 CIA Certification
• Model 3 CPA Certification
• Model 4 CPA Certification

Results
37
Table 3OLS Regression (IT Audit as DV)
Results
38
Table 3OLS Regression (IT Audit as DV)
Results
39
Table 3OLS Regression (IT Audit as DV)
Results
40
Table 3OLS Regression (IT Audit as DV)
Results
41
Table 3OLS Regression (IT Audit as DV)
Results
42
Table 3OLS Regression (IT Audit as DV)
Results
43
Table 3OLS Regression (IT Audit as DV)
Results
44
Summary

• RQ1
• IT audit comprised 7.97 percent of IAF time in
  2003, 10.61 percent in 2006
• Estimated to increase to 13.4 percent in 2009
• RQ2
• CISA positively related to IT Audits
• CIA CMA not associated with IT Audits
• CPA negatively associated with IT Audits
• RQ3
• IT training is positively associated with IT
  Audits
• RQ4
• IAF Age and Organization size are positively
  associated with IT Audits

Discussion Implications
45
Conclusions

• IAF involvement in IT audit is modest but
  increasing _at_ approximately one percent per year
• IAFs should plan to increase their proportion of
  IT audits
• IAFs should consider hiring individuals with IT
  audit skills
• IAF personnel should be provided with more
  extensive IT training

Discussion Implications
46
Future Research Questions

• Why is the percentage of time on IT Audits so
  low?
• What percentage of IAF should be IT Audit?
• Is there a theoretical reason why CPA
  certification is negatively associated with IT
  audits?
• Does industry impact IT audit involvement?
• More in technology companies?

Discussion Implications
47
Future Research Questions

• Other variables to include as IVs?
• Should other responders (Audit managers, IA
  employees, etc) be included in future studies?
• Examine culture
• Examine professional rank differences
• Does culture (a la Hofstede) play any role in IT
  audit involvement?

Discussion Implications
48
Questions/comments?