1 / 48

Factors associated with IT audits by the internal audit function

Factors associated with IT audits by the internal audit function. Mohammad J. Abdolmohammadi Scott R. Boss Bentley University. Outline. Introduction Background and Research Questions Model Specification Research Method Results Discussion and implications Summary

qamra
Télécharger la présentation

Factors associated with IT audits by the internal audit function

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Factors associated with IT audits by the internal audit function Mohammad J. Abdolmohammadi Scott R. Boss Bentley University

  2. Outline • Introduction • Background and Research Questions • Model Specification • Research Method • Results • Discussion and implications • Summary • Conclusions/Future Research

  3. Having an Internal Audit Function is unavoidable • Internal Audit Function (IAF) is increasingly a part of corporate governance • NYSE requires an IAF for listed companies • Regulations outside the US (Australia, UK, etc.) strongly encourage existence of IAF Introduction

  4. Having an Internal Audit Function is unavoidable • Respondents in our data indicated that internal auditing was required: • 2006 – 56.4 percent • 2009 (estimated) – 66.1 percent Introduction

  5. Impact of SOX (2002) on the IAF • Enormous strain on the most resources • External auditors are no longer allowed to provide consulting services • Documenting and evaluating internal control systems largely fallen to the IAF • IAFs are looking to “re-balance” their efforts • Less documenting • More testing Introduction

  6. What are the costs? • Sufficient personnel • Personnel sufficiently trained • Personnel sufficiently trained in specialties that were previously handled by external auditors • IT Audits Introduction

  7. IT Audits • An audit of computer-based aspects of information systems • AU 319.30 requires IT audits when there is/are a: • Complex systems that rely on IT controls • Significant change in IT systems (replacement) • Extensive data sharing between systems • Involvement in e-commerce • Use emerging technology • Significant portions of potential audit evidence is electronic Introduction

  8. IT Audits • Typically auditors must possess specialized skills • Possibly specialized certifications • IT knowledge is essential for IT auditors to function effectively Introduction

  9. The IAF and IT audits? • Is the IAF involved? • To what degree is the IAF involved? • How is the involvement compared to the past? • The future? • Which variables are potentially associated with IT audits by the IAF? • RQ1 – What proportion of IAFs’ time is spent on IT audits? Research Questions

  10. Explanatory Variables • Do certifications have an effect on IT Audits? • Proxy for Skills/Technical knowledge • CISA certification • Other certifications? • RQ2a – CISA certification? • RQ2b – CIA certification? • RQ2c – CPA certification? • RQ2d – CMA certification? Research Questions

  11. Explanatory Variables • Professional certifications require continuous professional education (CPE) • CIA’s – 80 hours/24 months • Only a portion likely to be technical training • RQ3 – Is basic and/or advanced technology training positively related to IT audits by IAFs? Research Questions

  12. Explanatory Variables • Organizational knowledge • Experience within the firm • Longevity • RQ4 – Is the age of the IAF positively related to IT audits? Research Questions

  13. Control Variables • Chief Audit Executive (CAE) characteristics • Experience (years) • Academic degree (grad vs. undergrad) • Academic major (CS/IS vs. other) • IAF Group (Old Commonwealth vs Non-Commonwealth • US (Non) • Australia, Canada, New Zealand, UK/Ireland (Old) • Size of the organization (not the IAF size) Research Questions

  14. Model Specification • OLS Regression Model: ITAudit = α+ 1CISA + 2CIA + 3CPA + 4CMA + 5Training + 6IAFage + 7CAEexp + 8CAEDegree+ 9CAEMajor + 10Group + 11LnEmploy +ε Model Specification

  15. Model Specification Model Specification

  16. CBOK Database • Survey of internal auditors world-wide • Listing of issues of concern to the IAF • Populated by the Institute of Internal Auditors (IIA) • Utilized CAE responses (1,029) • Knowledge of the IAF • Knowledge about their staff Data

  17. Data Characterization • 1,029 responses • US – 760 (74%) • Australia – 72 (7%) • Canada – 116 (11%) • New Zealand – 13 (1%) • UK/Ireland – 68 (7%) Data

  18. Table 1Descriptive Statistics – RQ1 Results

  19. Table 1Descriptive Statistics – RQ1 Results

  20. Table 1Descriptive Statistics – RQ1 Results

  21. Table 1Descriptive Statistics – RQ1 Results

  22. Table 1 Descriptive Statistics – Explanatory Results

  23. Table 1 Descriptive Statistics – Explanatory Results

  24. Table 1 Descriptive Statistics – Explanatory Results

  25. Table 1 Descriptive Statistics – Explanatory Results

  26. Training • Never • Less frequently than annually • More frequently than annually Results

  27. Table 1 Descriptive Statistics – Explanatory Results

  28. Table 1 Descriptive Statistics – Explanatory Results

  29. Table 1Descriptive Statistics – Control Results

  30. Table 1Descriptive Statistics – Control Results

  31. Table 1Descriptive Statistics – Control Results

  32. Table 1Descriptive Statistics – Control Results

  33. Table 2Correlation Matrix Results

  34. Table 2Correlation Matrix Results

  35. Table 2Correlation Matrix Results

  36. Models • Model 1 – CISA Certification • Model 2 – CIA Certification • Model 3 – CPA Certification • Model 4 – CPA Certification Results

  37. Table 3OLS Regression (IT Audit as DV) Results

  38. Table 3OLS Regression (IT Audit as DV) Results

  39. Table 3OLS Regression (IT Audit as DV) Results

  40. Table 3OLS Regression (IT Audit as DV) Results

  41. Table 3OLS Regression (IT Audit as DV) Results

  42. Table 3OLS Regression (IT Audit as DV) Results

  43. Table 3OLS Regression (IT Audit as DV) Results

  44. Summary • RQ1 • IT audit comprised 7.97 percent of IAF time in 2003, 10.61 percent in 2006 • Estimated to increase to 13.4 percent in 2009 • RQ2 • CISA positively related to IT Audits • CIA & CMA not associated with IT Audits • CPA negatively associated with IT Audits • RQ3 • IT training is positively associated with IT Audits • RQ4 • IAF Age and Organization size are positively associated with IT Audits Discussion & Implications

  45. Conclusions • IAF involvement in IT audit is modest but increasing @ approximately one percent per year • IAFs should plan to increase their proportion of IT audits • IAF’s should consider hiring individuals with IT audit skills • IAF personnel should be provided with more extensive IT training Discussion & Implications

  46. Future Research Questions • Why is the percentage of time on IT Audits so low? • What percentage of IAF should be IT Audit? • Is there a theoretical reason why CPA certification is negatively associated with IT audits? • Does industry impact IT audit involvement? • More in technology companies? Discussion & Implications

  47. Future Research Questions • Other variables to include as IVs? • Should other responders (Audit managers, IA employees, etc) be included in future studies? • Examine culture • Examine professional rank differences • Does culture (a la Hofstede) play any role in IT audit involvement? Discussion & Implications

  48. Questions/comments?

More Related