An analysis of attributes that impact information technology audit quality: A study of IT and financial audit practitioners
Introduction
The purpose of this study is to analyze attributes identified in prior research that are thought to impact the quality of the information technology (IT) audit process. Prior research has identified several attributes that are argued to impact IT audit quality, both positively and negatively. These attributes include various characteristics of the process or system being audited, the procedures or techniques used to perform the audit, traits of the audit personnel themselves, organizational and environmental conditions, as well as many others. The natural extension of this work is to develop a structural model of IT audit quality and its antecedents; however, to date, there has not been an examination of these attributes to identify the underlying measurable components of IT audit quality. Additionally, the financial audit literature suggests other audit quality attributes which may also provide insight into IT audit quality. Therefore, the purpose of this research is to rationalize the potential constructs and develop potential instruments that allow for measurement of these constructs.
Recent research has identified the importance of IT audit to organizations and has called for additional research in this area (Weidenmier and Ramamoorti, 2006, Curtis et al., 2009). This attention to IT audit has been driven by two primary reasons, 1) increased spending and dependence on IT for business operations, and 2) new legislation and professional requirements related to the audit of these operations. Demand for IT services to support key business activities has driven the level of global IT spending to over $3.6 trillion for 2011 (Gartner Group, 2011). This reliance on IT and the investment it entails require an increased level of assurance that these systems deliver what they promise. IT audits are widely used internally to examine the operations, effectiveness, controls, and security of critical systems to identify opportunities for improvement and areas of weakness.
Discussions by the Public Company Accounting Oversight Board (PCAOB) Standing Advisory Group (SAG) regarding auditor's knowledge of information systems (IS) have emphasized the importance of information technology (IT) in general, and IT auditing specifically, to the external financial audits of public companies. In addition to the United States' Sarbanes–Oxley Act (SOX), a plethora of other laws, regulations, and standards have all necessitated additional IT assurance related to information security and privacy. These include, but are not limited to, the Health Insurance Portability and Accountability Act (HIPAA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the Payment Card Industry Data Security Standard (PCI DSS) and the European Union's Data Privacy Directive. In addition to these regulatory compliance requirements, auditors of public companies in the U.S. are bound by auditing standards that require adequate IT expertise to assess controls; for an insightful discussion of these standards please see Curtis et al. (2009).
IT audits may serve various objectives and multiple parties within an organization, and therefore there may be different definitions of IT audit quality. These definitions may include ideas such as impact or effectiveness, completeness as related to different standards, and efficiency or cost. One purpose of IT audits is to provide management with assurance that a system or automated process is meeting its objectives. Specifically, the focus may be on managements' control responsibilities over computer-based information assets and processes. In these cases, specific standards developed by groups such as ISO, PCAOB, or AICPA may assist in defining certain IT audit quality. For internal operational audits, the focus is usually on performance, i.e. cost reduction or improvements in productivity. Therefore the focus may be on the overall impact of the audit findings and the cost of performing the audit. Regardless, to perform an IT audit efficiently and effectively, firms must make appropriate decisions regarding the scope, resources (e.g., personnel or computer-automated audit tools), tasks or activities to be performed, methods, techniques, and other “inputs” to the IT audit process. Management's decisions regarding specific resources to deploy for a specific IT audit should attempt to maximize the overall audit quality and minimize the cost as related to their specific IT audit objectives. This also requires a consideration of other attributes that might impact the performance and outcome of the IT audit, but over which they have no or little control. These attributes might include the availability of key auditee personnel, the infrastructure or architecture on which a system is running, or the organizational structure of a business unit being audited.
One objective of this research is to assist these decision-makers by providing additional information regarding the relative importance of the attributes previously identified in the research and the underlying components that these attributes comprise. We believe that these could be used to help guide audit management's planning by making tradeoffs among the attributes. We also analyze whether differences exist with regard to perceptions of these components between key constituents.
We believe that there are four primary contributions attributable to this research activity. First, we identify and rationalize specific attributes associated with the IT audit quality domain, including attributes from the general audit quality domain that are relevant to IT audit quality. Specifically, we begin with the general framework proposed by Merhout and Havelka (2008) and expand this work by integrating other attributes from the IT audit domain and then relevant items identified in the financial audit quality domain.
Second, we evaluate the relative importance of these attributes to IT audit quality. By evaluating the individual attributes, we can compare our results to the work of prior researchers that have done similar work in the general audit quality domain to determine if IT audits have different requirements or peculiarities. Our results indicate that there is a different priority in the skills and knowledge required for IT audit quality as compared to attributes identified in prior financial audit quality literature.
Third, we perform a factor analysis to determine the underlying components of the attributes identified. In general, factor analysis allows us to reduce a large set of items into a smaller set of composite components that are more easily manageable. The long-term goal of this stream of research related to IT audit quality is to develop a testable model of constructs that may impact IT audit quality. The research presented in this paper is a critical, initial step in rationalizing and developing measurable constructs related to IT audit quality. This paper is similar to Carcello et al. (1992) who focus on identifying the critical factors related to financial audit quality.
Fourth, we analyze differences in perceived importance of the IT audit quality factors generated by the factor analysis between distinct groups involved in the IT audit process. We identify differences in perceptions between IT and financial auditing participants. This may aid in developing a better understanding of expectations and perceptions of the IT audit process and quality for these groups, and, hopefully allow management to improve audit planning and execution so all parties perceive similar (higher) quality.
The remainder of this paper proceeds as follows. Section 2 provides a review of the existing IT and financial audit quality literature and identifies potential IT audit quality attributes. Section 3 describes the research method and approach for analyzing the IT audit quality attributes. In Section 4, we describe the results of the analysis including explanation and interpretation of supported factors, perceived importance of each factor, and differences in evaluation of the factors between IT audit participants. Section 5 discusses specific observations from our data, limitations of our study, and implications for future research and for practitioners.
Section snippets
Background
This work was directly motivated by the call for additional research in IT audit (Weidenmier and Ramamoorti, 2006) which suggests the need for greater understanding of IT and the related audit process. Additionally, a recent survey of more than 450 internal auditor professionals conducted by Protiviti identified IT auditing as one of the top two areas that requires improvement (Filipek, 2007). Potential reasons for this result include: a) advances in information technology and increases in IT
Research methodology
The purpose of our research is to refine and validate attributes suggested by prior research that would impact IT audit quality. Additionally, understanding the relative perceived importance of the attributes, and the factors resulting from our analysis, provides an opportunity to focus on critical concerns. Lastly, we also explore differences in perception about the perceived importance between key IT audit groups. We believe that understanding these differences in perception may be critical
Analysis
Our analysis of the survey responses includes examination of individual survey items to determine which attributes individually might be most important to IT audit quality, a factor analysis to determine if underlying components exist that might be useful for further study, and an analysis of differences in respondent groups.
Discussion
The importance of IT audit quality has increased with additional spending on IT and a variety of new legislation. The purpose of this study is to refine the factors related to IT audit quality and evaluate their relative importance. Our research supports 13 factors associated with IT audit quality, and Independence and Business Process Knowledge are among the highest rated factors for impact on IT audit quality and among the factors which explain the greatest variance in the factor analysis. We
References (75)
- et al.
Factors associated with IT audits by the internal audit function
Int J Acc Inf Syst
(2010) Discussion of IT assurance competencies
Int J Acc Info Syst
(2004)- et al.
An examination of contextual factors and individual characteristics affecting technology implementation decisions in auditing
Int J Acc Inf Syst
(2008) Discussion of “An examination of contextual factors and individual characteristics affecting technology implementation decisions in auditing”
Int J Acc Info Syst
(2008)- et al.
Audit support systems and decision aids: current practice and opportunities for future research
Int J Acc Info Syst
(2007) - et al.
Assurance practitioners' and educators' self-perceived IT knowledge level: an empirical assessment
Int J Acc Info Syst
(2004) Discussion of IT assurance competencies
Int J Acc Info Syst
(2004)- et al.
Audit specialization, perceived audit quality, and audit fees in the local government audit market
J Acc Publ Policy
(2007) - et al.
Assurance on XBRL instance documents: a conceptual framework of assertions
Int J Acc Info Syst
(2010) - et al.
The evolving role of IS audit: a field study comparing the perceptions of IS and financial auditors
Adv Acc
(2003)
The CICA's IT competency model
Int J Acc Info Syst
Identifying organizational drivers of internal audit effectiveness
Int J Aud
The changing role of IS audit among the big five US-based accounting firms
Info Syst Cont J
Audit groups and group support systems: a framework and propositions for future research
J Info Syst
The determinants of audit client satisfaction among clients of big 6 firms
Acc Horiz
The impact of information technology of the audit process: an assessment of the state of the art and implications for the future
Managerial Aud J
Assurance on XBRL-related documents: the case of United Technologies Corporation
J Info Syst
A measure of perceived auditor ERP systems expertise
Managerial Aud J
IT audit approaches for enterprise resource planning systems
ICFAI J Aud Pract
Discussion of information technology-related activities of internal auditors
J Info Syst
Audit quality attributes: the perceptions of audit partners, preparers, and financial statement users
Aud J Pract Theory
Audit partner tenure and audit quality
Acc Rev
Discussion of an analysis of the group dynamics surrounding internal control assessment in information systems audit and assurance domains
J Info Syst
How is audit quality perceived by big 5 and local auditors in China? A preliminary investigation
Int J Aud
Auditors' training and proficiency in information systems: a research synthesis
Int J Acc Info Syst
Systems controls reliability and assessment effort
Int J Aud
As assessment of accounting information security
CPA J
Factors affecting auditors' utilization of evidential cues: taxonomy and future research directions
Managerial Aud J
IT audit skills found lacking
Research methods in the social sciences
Gartner says worldwide IT spending to grow 5.1 percent in 2011
Auditor tenure and perceptions of audit quality
Acc Rev
Relation of sample size to the stability of component patterns
Psychol Bull
Information technology auditing and assurance
Control and audit of electronic data interchange
MIS Quart
Development of an information technology audit process quality framework
Am Confer Info Syst
Grounded theory of the information technology audit process by external auditors: using group data for grounded theory development. 1st Annual Pre-ICIS Workshop on Accounting Information Systems. Phoenix, AZ
Cited by (57)
Assessing the effectiveness of advisory boards in accounting programs
2023, Journal of Accounting EducationThe impact of the input level of information system audit on the audit quality: Korean evidence
2021, International Journal of Accounting Information SystemsCitation Excerpt :Most business processes today are performed under the information system environment, and the reliance on business insights from this system is rapidly increasing. Accordingly, the importance of IT-based IS audit is also increasing in external auditing (Curtis et al., 2009; Stoel et al., 2012). Especially in the area of accounting, unimaginable risks such as database and system hacking and network breaches (Hunton et al., 2004) may heighten financial crime and serious distrust in accounting data.
The influence of a good relationship between the internal audit and information security functions on information security outcomes
2018, Accounting, Organizations and SocietyCitation Excerpt :In addition, IT and security managers perceive that effective dialogue with auditors aids in the discovery of security vulnerabilities and in the design of recommendations for security improvements (Werlinger, Hawkey, Botta, & Beznosov, 2009). Furthermore, IT audit professionals believe that audits can potentially provide useful insights and recommendations for improving the effectiveness and efficiency of an organization's information security efforts (Khan, 2016; Merhout & Havelka, 2008; Stoel et al., 2012). They also believe that the relationship between IT auditors and IT professionals is important to the success of the IAF in providing these insights (Havelka & Merhout, 2013; Merhout & Havelka, 2008; Stoel et al., 2012).
The important role of information technology and internal auditing in risk management: evidence from Greece
2024, Journal of Operational Risk