Title: Factors associated with IT audits by the internal audit function
1Factors associated with IT audits by the internal
audit function
- Mohammad J. Abdolmohammadi
- Scott R. Boss
- Bentley University
2Outline
- Introduction
- Background and Research Questions
- Model Specification
- Research Method
- Results
- Discussion and implications
- Summary
- Conclusions/Future Research
3Having an Internal Audit Function is unavoidable
- Internal Audit Function (IAF) is increasingly a
part of corporate governance - NYSE requires an IAF for listed companies
- Regulations outside the US (Australia, UK, etc.)
strongly encourage existence of IAF
Introduction
4Having an Internal Audit Function is unavoidable
- Respondents in our data indicated that internal
auditing was required - 2006 56.4 percent
- 2009 (estimated) 66.1 percent
Introduction
5Impact of SOX (2002) on the IAF
- Enormous strain on the most resources
- External auditors are no longer allowed to
provide consulting services - Documenting and evaluating internal control
systems largely fallen to the IAF - IAFs are looking to re-balance their efforts
- Less documenting
- More testing
Introduction
6What are the costs?
- Sufficient personnel
- Personnel sufficiently trained
- Personnel sufficiently trained in specialties
that were previously handled by external auditors - IT Audits
Introduction
7IT Audits
- An audit of computer-based aspects of information
systems - AU 319.30 requires IT audits when there is/are a
- Complex systems that rely on IT controls
- Significant change in IT systems (replacement)
- Extensive data sharing between systems
- Involvement in e-commerce
- Use emerging technology
- Significant portions of potential audit evidence
is electronic
Introduction
8IT Audits
- Typically auditors must possess specialized
skills - Possibly specialized certifications
- IT knowledge is essential for IT auditors to
function effectively
Introduction
9The IAF and IT audits?
- Is the IAF involved?
- To what degree is the IAF involved?
- How is the involvement compared to the past?
- The future?
- Which variables are potentially associated with
IT audits by the IAF? - RQ1 What proportion of IAFs time is spent on
IT audits?
Research Questions
10Explanatory Variables
- Do certifications have an effect on IT Audits?
- Proxy for Skills/Technical knowledge
- CISA certification
- Other certifications?
- RQ2a CISA certification?
- RQ2b CIA certification?
- RQ2c CPA certification?
- RQ2d CMA certification?
Research Questions
11Explanatory Variables
- Professional certifications require continuous
professional education (CPE) - CIAs 80 hours/24 months
- Only a portion likely to be technical training
- RQ3 Is basic and/or advanced technology
training positively related to IT audits by IAFs?
Research Questions
12Explanatory Variables
- Organizational knowledge
- Experience within the firm
- Longevity
- RQ4 Is the age of the IAF positively related to
IT audits?
Research Questions
13Control Variables
- Chief Audit Executive (CAE) characteristics
- Experience (years)
- Academic degree (grad vs. undergrad)
- Academic major (CS/IS vs. other)
- IAF Group (Old Commonwealth vs Non-Commonwealth
- US (Non)
- Australia, Canada, New Zealand, UK/Ireland (Old)
- Size of the organization (not the IAF size)
Research Questions
14Model Specification
- OLS Regression Model
- ITAudit a ?1CISA ?2CIA ?3CPA ?4CMA
?5Training ?6IAFage ?7CAEexp ?8CAEDegree
?9CAEMajor ?10Group ?11LnEmploy e
Model Specification
15Model Specification
Variable Explanation
ITAudit Proportion of IAF time spent on IT audits
CISA Proportion of IAF that is certified as CISA
CIA Proportion of IAF that is certified as CA
CPA Proportion of IAF that is certified as CPA
CMA Proportion of IAF that is certified as CMA
Training Training of the IAF professional staff on basic/advanced technology.
IAFage Number of years that IAF has been in existence in the organization
CAEexp Years of experience as CAE
CAEDegree Graduate degree 1, undergraduate degree 0
CAEMajor Information systems or computer science 1, 0 otherwise
Group Binary (0/1) 0 if US, 1 if other
LnEmploy Natural logarithm of total number of employees (full-time equivalent)
e Error term
Model Specification
16CBOK Database
- Survey of internal auditors world-wide
- Listing of issues of concern to the IAF
- Populated by the Institute of Internal Auditors
(IIA) - Utilized CAE responses (1,029)
- Knowledge of the IAF
- Knowledge about their staff
Data
17Data Characterization
- 1,029 responses
- US 760 (74)
- Australia 72 (7)
- Canada 116 (11)
- New Zealand 13 (1)
- UK/Ireland 68 (7)
Data
18Table 1Descriptive Statistics RQ1
Results
19Table 1Descriptive Statistics RQ1
Results
20Table 1Descriptive Statistics RQ1
Results
21Table 1Descriptive Statistics RQ1
Results
22Table 1 Descriptive Statistics Explanatory
Results
23Table 1 Descriptive Statistics Explanatory
Results
24Table 1 Descriptive Statistics Explanatory
Results
25Table 1 Descriptive Statistics Explanatory
Results
26Training
- Never
-
- Less frequently than annually
-
- More frequently than annually
Results
27Table 1 Descriptive Statistics Explanatory
Results
28Table 1 Descriptive Statistics Explanatory
Results
29Table 1Descriptive Statistics Control
Results
30Table 1Descriptive Statistics Control
Results
31Table 1Descriptive Statistics Control
Results
32Table 1Descriptive Statistics Control
Results
33Table 2Correlation Matrix
Results
34Table 2Correlation Matrix
Results
35Table 2Correlation Matrix
Results
36Models
- Model 1 CISA Certification
- Model 2 CIA Certification
- Model 3 CPA Certification
- Model 4 CPA Certification
Results
37Table 3OLS Regression (IT Audit as DV)
Results
38Table 3OLS Regression (IT Audit as DV)
Results
39Table 3OLS Regression (IT Audit as DV)
Results
40Table 3OLS Regression (IT Audit as DV)
Results
41Table 3OLS Regression (IT Audit as DV)
Results
42Table 3OLS Regression (IT Audit as DV)
Results
43Table 3OLS Regression (IT Audit as DV)
Results
44Summary
- RQ1
- IT audit comprised 7.97 percent of IAF time in
2003, 10.61 percent in 2006 - Estimated to increase to 13.4 percent in 2009
- RQ2
- CISA positively related to IT Audits
- CIA CMA not associated with IT Audits
- CPA negatively associated with IT Audits
- RQ3
- IT training is positively associated with IT
Audits - RQ4
- IAF Age and Organization size are positively
associated with IT Audits
Discussion Implications
45Conclusions
- IAF involvement in IT audit is modest but
increasing _at_ approximately one percent per year - IAFs should plan to increase their proportion of
IT audits - IAFs should consider hiring individuals with IT
audit skills - IAF personnel should be provided with more
extensive IT training
Discussion Implications
46Future Research Questions
- Why is the percentage of time on IT Audits so
low? - What percentage of IAF should be IT Audit?
- Is there a theoretical reason why CPA
certification is negatively associated with IT
audits? - Does industry impact IT audit involvement?
- More in technology companies?
Discussion Implications
47Future Research Questions
- Other variables to include as IVs?
- Should other responders (Audit managers, IA
employees, etc) be included in future studies? - Examine culture
- Examine professional rank differences
- Does culture (a la Hofstede) play any role in IT
audit involvement?
Discussion Implications
48Questions/comments?