Sustainability in Information Systems Auditing: Alifah Aida Binti Lope Abdul Rahman A.Al-Nemrat D.S. Preston


European Scientific Journal September 2014 /SPECIAL/ edition Vol.3 ISSN: 1857 – 7881 (Print) e - ISSN 1857- 7431

SUSTAINABILITY IN INFORMATION SYSTEMS AUDITING

Alifah Aida Binti Lope Abdul Rahman


A.Al-Nemrat
D.S. Preston

Abstract
Auditing is a systematic process of obtaining and evaluating evidence of activities,
events or transactions. Currently, audit practices have been revolutionized by the
development of information technology, and information systems auditing focuses
on assessing the proper implementation, operation and control of information systems resources
within an organisation. Several frameworks have been formulated for information systems
auditing implementation to achieve improvement in auditing performance related to
compliance requirements, internal controls evaluation and information systems success.
However, sustainability dimensions in information systems auditing practices and the
development of an appropriate framework are not sufficiently discussed in the literature, although
sustainability is becoming significant in achieving certain organisational objectives. Therefore,
this study intends to analyse the relevant requirements of auditors and the sustainability factors
and use them to formulate an IS audit that integrates sustainability into the auditing process,
thereby improving audit performance and enhancing the accountability and integrity of auditors.

Keywords: Sustainability, Continuous Auditing, Information Systems Auditing

Introduction
The main purpose of IS auditing is to provide assurance that the information systems
are functioning in an efficient and effective manner to achieve the organisation's objective. As IS
are interrelated, Sayana (2002, p. 2) suggested that information systems assessment should
be carried out by implementing an integrated evaluation of all IS components. In general, the
major elements consist of physical and environmental, systems and administration,
application software, network security, business continuity and data integrity. Each element
may have a different priority; therefore the most significant elements may be selected for
auditing.
Hall and Singleton (2005, cited in Abdolmohammadi & Boss, 2011, p. 141) indicated
that IS audits include the assessment of controls, computer resources, operation and IS
implementation. In addition, a number of audit techniques are used for gathering evidence,
such as reviewing documents, interviewing and data analysis using automated programs.
According to AICPA (2007, AU319.30), an IS audit must be performed when:
a) The client utilizes complex business systems and relies extensively on IT
controls
b) The client has replaced or made any significant changes to its IT systems
c) The client extensively shares data between systems internal organizational
systems
d) The client is involved in electronic commerce
e) The client uses emerging technology


f) Significant amounts of required audit evidence are electronic.


Another IS audit framework is proposed by the IIA Global
Technology Auditing Guide. Juergens (2006, cited in Majdalawieh and Zaghloul, 2009,
p. 355) stated four aspects of the IS audit universe from the Guide: a) IT Management, b)
Technical Infrastructure, c) Applications and d) External connections. In this context, IT
Management refers to the assessment of IT governance and process, and technical infrastructure
is the evaluation of supporting systems such as network, database management systems and
security. The IS auditor is also required to evaluate the application systems that are related to
business processes, such as processing controls, access controls and input and output controls.
Under this framework, external connections relate to audit activities within a virtual
business environment, such as e-commerce and online transactions.
Prior work on IS auditing has focused on the evaluation of controls and risk
assessment. Wulandari (2003, cited in Majdalawieh & Zaghloul, 2009, p. 353) stated that
an information systems audit is an assessment of system compliance with applicable policies,
procedures, rules and regulations, and gives assurance of data integrity, suitable system
controls and value for money. Similarly, Mahzan & Veerankutty (2010, p. 1557)
highlighted that the IT auditing activities of the public sector in Malaysia focus on
evaluating the effectiveness of controls to ensure that policies, procedures, practices and
organisational structures comply with the rules and regulations. Amancei and Surcel
(2010, p. 55) proposed systematic procedures for carrying out risk assessment in organisations by
focusing on key IT audit activities, namely the IT strategic plan, the organisation and operation
of the IT department, IT systems and IT security. As the significant role of public sector
auditors is to provide assurance of the safeguarding of public assets, value for money for the
government's investment, and integrity, the nature of the IS audit conducted is to evaluate the
effectiveness of controls and whether systems are secured and function as intended (Petterson,
2005, cited in Mahzan and Veerankutty, 2011, p. 1552).
According to ISACA, evaluation of the information systems covers a wide range of IT
areas that would have significant impact on the electronic service delivery; it comprises
controls assessment, IT investment, system reliability, software capability maturity model,
managing information system, project management and information security management. In
relation to information systems evaluation, COBIT specified a number of approaches for
performing IT audit, such as the balanced scorecard for IT/business alignment, maturity models
for benchmarking, key goal indicators (KGI) for measuring the outcome and key
performance indicators (KPI) for performance measurement.
To date, the issue of sustainability has gained a significant amount of attention from several
disciplines. The introduction of sustainability into business operations, including government
agendas, has been studied by many researchers. In response to this issue, a number of
studies have examined sustainability, its definition, research framework, concept, approach,
and its implementation (Afgan and Andre, 2006; Searcy et al. 2007; Fuchs, 2008 and Erek et
al. 2009). The most widely recognised definition is given by the Brundtland Commission
(World Commission on Environment and Development, 1987, p.24), which mentioned that
sustainability is the progress that meets the needs of the present without compromising the
ability of future generations to meet their own needs. To date, the term sustainability refers to an
integration of social, environmental and economic dimensions. Under this consideration,
Shrivastava (1995a, cited in Carter and Rogers, 2008, p. 363) claimed that sustainability has
the potential to minimise long term risks associated with resource depletion,
fluctuations in energy cost, product liabilities, pollution and waste management.
Recent research has shown that achieving sustainability values and competitive
advantages needs an integration of strategy plans and goals that bring benefit and greater
value to the organisation. Business continuity, resiliency and business endurance are also an
effort for sustainability in order to maintain competitiveness (Smith and Sharicz, 2011 cited
in Smith, 2012, p.5 and Asif et al., 2008, p.423).
Previous literature has also identified influences on the process associated with
sustainability to improve organisational performance while simultaneously preserving
the environmental system and safeguarding social benefit. Smith & Sharicz (2011, p.81) denoted
that a systematic governance structure and effective leadership are the key components to
adopt TBL sustainability. Millar et al. (2012, p.493) enhanced the views of Smith & Sharicz
(2011) by investigating and analysing organisational change for sustainability.
Sustainability involves transformation in business structures and therefore effective
communication and collaboration at every level of the hierarchy are essential to implement new
strategies.
Sustainability is also perceived as a strategy for continuous improvement. In this
context, Prajogo and Sohal (2004, cited in Jaca et al., 2012, p.143) indicated that
sustainability is the ability of organisations to meet changing requirements in business
processes, apply contemporary best practice methods and remain competitive in the market.
Concerning continuous improvement, Jaca et al. (2012) analysed and measured several
factors for achieving systematic management of improvement activities.

Sustainability in information systems


A wide review of studies has indicated that information systems play a role as a key
element for sustainable development in health practices, supply chains, IS projects and
information security governance (Kimaro and Nhampossa, 2007; Silvius and Nedeski, 2011;
Piotrowicz and Cuthbertson, 2009). Korte et al. (2012) and Silvius (2009) proposed that
sustainability be incorporated into information systems evaluation and ICT projects.
Misund and Hoiberg (2003, quoted in Nurdin et al. 2012, p. 70) viewed sustainability in the
context of information systems as a technology that is capable of being maintained over a long
period of time. Kiggundu (1989, cited in Ali and Bailur, 2007) emphasised that sustainability
is operational simplicity, flexibility, maintainability, robustness, availability and capability
of technical and managerial personnel. Similarly, Braa, Monteiro and Sahay (2004, cited in
Nurdin et al., 2012) claimed that sustainability is about making information systems work
over time. In conjunction with technology advancement, Oyomno (1996, quoted in Kimaro
and Nhampossa, 2007, p.3) noted that the sustainability of IT is actually dependent upon
technology, as the main role of IT is to support system utilization. Sustainability also
encompasses a set of processes including design, development and implementation, as well as
the associated risks to the achievement of objectives.
A review by Silvius et al. (2009, p.43) proposed a framework of performance
indicators or criteria for sustainability in ICT projects by considering the triple P concept and
the project life cycle. Indicators were categorised as people, planet and profit, and the effect
depends on certain constraints such as cost, time and quality. Silvius and Nedeski
(2011, p. 6) extended the sustainability principles into project management by developing a
maturity model to monitor project performance.
Bagheri and Hjorth (2007, quoted in Esquer et al., 2008, p. 1028) claimed that the
concept of sustainability has been very challenging for many practitioners as it varies
according to the interests, needs and values of different communities. In this sense,
sustainability needs to consider the integration of both conceptual and practical
dimensions, which include the principles or values, specific actions, processes and strategies to
achieve objectives.
The term 'sustainability' is a universal or macro concept that is used to describe an
entire system or infrastructure such as a health system (Kimaro, 2006; Kimaro and Nhampossa,
2007), information system (Marcel et al., 2012), information (Todorov and Marinova, 2010)
and economy (Majdalawieh et al., 2009). From the information systems viewpoint, it can be
observed that most sustainability research pertaining to this area has extensively
discussed environmental issues such as green information technology (green IT), green
information systems (green IS) or green IT investment, which focus on the reduction of energy
consumption or address sustainability efforts on green supply (Erek et al., 2009;
Harmon et al., 2010).
Another strand of the sustainability literature is sustainability for ICT
development, for which five (5) main dimensions have been identified, namely financial, social,
institutional, technological and environmental. These five dimensions are crucial
in planning and implementing ICT projects. Proenza (2001, cited in Ali and
Bailur, 2007) indicated that financial sustainability refers to the long term ability of ICT
projects to generate monetary benefit for maintaining the obligations of the organisation.
Technological sustainability is the ability of a technology to last and remain continuously
available for a long period of time (Misund and Hoiberg, 2003, quoted in Ali and Bailur,
2007). Social sustainability refers to user satisfaction by considering cultural differences,
empowering marginalised groups, sharing and aligning goals with local people and adapting
to evolving community needs (Gómez and Casadiego, 2002; Harris et al., 2003; Stoll and
Menou, 2003; Delgadillo, 2004 quoted in Ali and Bailur, 2007). Institutional sustainability
refers to the long term ability of the processes and structures of an organisation to perform their
functions (Batchelor and Norrish, 2003, cited in Ahmad Nawi et al., 2013, p. 696).
In addition to the sustainability dimensions of environment, society and economy, recent
literature has introduced sustainability from the hybrid systems perspective, or systems of
systems. Hessami et al. (2009, p. 84) applied the Weighted Factor Analysis methodology (WeFA)
to examine the context, components, topology and scope of sustainability from micro
systems to macro systems. A systems sustainability framework was formulated from the WeFA
schema, consisting of economy, environmental, social, technology, resource, uncertainty,
rapid change in the domain of deployment and complexity.

Sustainability measurement
Having defined sustainability and the issues to be considered, it is important to explore
how to assess sustainability. Piotrowicz (2009, p.492) claimed that sustainability cannot be
assessed by traditional performance measurement. As sustainability is a holistic concept
which involves integration and interdependence among systems, sustainability
measurement has to be connected to economic, environmental and social aspects.
Sustainability can be measured by using a set of indicators or indexes. In addition to
the business guidelines, standards and regulations to be complied with, many organisations have
developed their own mechanisms, such as sustainability performance indicators or sustainability
metrics, for assessing their sustainability performance. Previous studies have introduced
several initiatives to measure sustainability. Delai and Takahashi (2011, p.440) denoted that
sustainability measurement implementation needs to consider four (4) situations: 1) the
sustainability measurement criteria, 2) the themes and sub-themes to be applied, 3) the selection
of groups in the measurement process and 4) the sphere of the company's impacts to be taken into
account.
The United Nations (2002) reported that sustainability refers to the effort of
minimising negative impacts on economic, environmental and social activity. The current
practices of laws, policies and regulations may also have an impact on the development of good
sustainability performance.
According to Nicho and Cusack (2007), IT auditing is able to develop quality
assurance, benchmarking and measurement. Prior sustainability literature in information
systems evaluation mainly discussed the effective use of computing resources to meet
business demands and to achieve sustainability objectives. However, less research
has examined the importance of information systems in the area of sustainable information
systems auditing to collect audit evidence, analyse, execute audit work and report IS audit
findings. Therefore, there is a need to construct the dimension of sustainability from the IS
auditing perspective.
In this study, the author proposes a continuous auditing methodology to be adapted to
measure sustainability in information systems. The important aspects of
sustainability in conducting information systems auditing will be identified from the current
literature. The author engaged three phases to achieve the objective of this study: 1)
current IS audit, 2) developing IS audit criteria and objective, 3) IS audit method (continuous
auditing).

New requirements for improving the current audit practice


Auditors are required to investigate, collect and evaluate evidence to ensure that the
processes of compliance and controls are effective for the organisation to achieve its goal. To
date, the current IS audit process is compliance oriented; as a result, the majority of IS audit
findings are compliance based rather than value for money audit assessments. The main role of
auditing is to provide facts and reliable information; therefore the audit conclusion needs to be
comprehensive, value added and reliable in producing facts and supporting audit evidence. In
order to achieve this purpose, IS auditing activities need to be improved, with a well defined
and consistent process. The development of the sustainable IS auditing process will take
into consideration the IT Audit Management framework (Rosário et al., 2012, p. 2), the
sustainability objective, CA methodology and IS audit management processes to integrate
compliance and value for money audit assessment.

Current IS audit processes


Generally, IS auditing is performed in four phases: planning, executing,
reporting and follow up. Audit standards require audit work to be properly planned to ensure
the effectiveness and efficiency of audit performance. Planning audit work begins with
establishing the audit objective, determining the audit scope and defining the audit criteria.
ISACA (1998) defined an IT audit objective as a statement of the desired result or purpose to be
achieved by implementing control procedures in a particular IT activity. Innovation in
technology has affected the way auditing is conducted; however, the overall audit objectives have
not changed (Yang & Guan, 2004, p.554). Audit criteria are described in a measurable way
and include the policies, procedures and standards with which the organisation should
comply. The execution phase consists of the assessment or evaluation of the IS
process by following specific procedures and applying audit techniques and methodology to
gather audit evidence. IS auditing also includes the use of CAATTs to support audit work in
analysing the efficiency and effectiveness of controls. At the end of the process, audit
findings are documented in a formal report for distribution. A follow up audit will be
performed on all audit issues subsequent to the issuance of audit reports by the Auditor
General.

Continuous auditing as IS audit method


The concept of continuous auditing (CA) has been discussed for several years and
has been studied by many researchers, for example in real time
assessment of financial statements (Rezaee et al., 2001) and investors' perceptions of firm risk
(El-Masry and Reck, 2008); later, Majdalawieh et al. (2012) studied the integration of
continuous auditing within an enterprise system environment.
Rezaee et al. (2001, p. 151) defined CA as a systematic process of gathering
electronic audit evidence as a reasonable basis to render an opinion on fair presentation of
financial statements prepared under paperless, real-time accounting systems. They
introduced CA as a concurrent audit technique to be used in extracting evidence as the
application systems processing occurs. The emergence of technology has changed the audit
approach from a traditional manual process to a paperless one. Under this consideration, Rezaee
et al. (2002, p.160) defined CA as a comprehensive electronic audit process that enables
auditors to provide some degree of assurance on continuous information simultaneously with,
or shortly after, the disclosure of information. They proposed that data warehouses and data
marts be created for separating audit evidence on a real time basis. Data captured by the CA
application are held in data marts for testing and analysis. In relation to secure transmission,
Onion (2003, cited in Majdalawieh et al., 2012, p. 310) proposed keystroke level data
examination to monitor the integrity of the data by introducing the Extensible Continuous
Auditing Language.
According to ISACA (2011), continuous auditing is a methodology or framework that
enables auditors to provide written results on the subject matter. The ability to report on
events in a real time or near real time environment can provide significant benefits to the
users of audit reports. The main difference between traditional audits and continuous
auditing is the shortened time to release reports. The majority of the literature assumes that
continuous audits are conducted online; however, it is important to note that continuous
auditing may be performed either online or offline, subject to internal or external audit
requirements (El-Masry and L. Reck, 2008, p.782).
The most accepted CA definition is given by the CICA/AICPA research report
(CICA/AICPA, 1999, cited in Majdalawieh and Zaghloul, 2009, p. 360), which defined CA as a
methodology that enables auditors to provide written assurance on a subject matter using a
series of auditor's reports issued simultaneously with, or a short period of time after, the
occurrence of events underlying the subject matter. In this context, CA may have to rely on
current technology such as broad bandwidth, web application server technology, web
scripting solutions and ubiquitous database management systems with standard connectivity
(Sarva, 2006).
Many studies address the feasibility of CA to reduce firm risks and increase
investors' confidence (El-Masry and Reck, 2008), its capability to deliver the results of audit
procedures almost immediately after their occurrence (Rezaee et al., 2001, p. 151), and its
capability to test key controls on a recurring basis by applying embedded audit module software,
e.g. ACL (Daigle et al., 2008). In terms of red flag detection, Debreceny et al. (2003, cited in
Davidson et al., 2013, p. 45) suggested that sufficient understanding of business processes
and control risks is required to implement CA systems in order to ensure that appropriate
red flags are generated.
As processing systems become more complex due to the expansion of business and
networks, the security of the system and of the system's internal controls becomes more
critical. Therefore, continuous assessment of the accuracy and reliability of the
systems is crucial, and CA allows auditors to examine the internal control structure as a whole,
provides the capability to perform audits more frequently and offers the ability to expand the
scope and magnitude within critical areas of the organisation (ACL, 2006, cited in Majdalawieh
et al., 2012, p. 307). In this context, Chen (2004, cited in Moorthy et al., 2011, p. 3528)
explored the use of a strategic systems approach in CA implementation, as it offers continuous
monitoring in a real time environment and is capable of detecting material errors in financial
transactions.
CA is also perceived to enhance corporate governance effectiveness (Warren and
Parker, 2003 cited in Davidson et al., 2013, p. 45). With the implementation of the
Sarbanes-Oxley (SOX) Act 2002, many companies are now concerned about the adequacy of
internal controls over the systems that produce financial information. Vasarhelyi et
al. (2004, cited in Brown et al., 2007, p. 3) claimed that CA and analytic monitoring
techniques are capable of supporting the implementation of SOX (section 404), and Harrison
(2005, cited in Brown et al., 2007, p. 3) believed that CA techniques are the only way to
achieve the compliance requirements of Federal regulations. With regard to SOX implementation,
El-Masry and Reck (2008) confirmed that CA has a significant impact on investors' perception
of firm risk and the value of a firm. The result of their study confirms that CA has positive
impacts on investors' perceptions of firm risk and investor confidence in their investing
decisions. In addition to investors' concerns, CA is also able to satisfy external parties of the
organisation, such as suppliers and customers, with real time information (Hao and Zhang,
2010, p.445).
One of the greatest advantages of CA is continuous assessment and the ability to
provide frequent reports to decision makers (Hunton et al., 2002 cited in Brown et al., 2007,
p.1), timely detection of abnormalities, thus allowing the management to adapt the strategic
planning process in order to deal with risks (Ramaswamy & Leavins, 2007 cited in Charlton
and Marx, 2009, p. 50), and improved audit quality, as CA is able to examine financial and
non-financial information (Hao and Zhang, 2010, p.445). In addition, CA allows
auditors to use advanced network technology and therefore test larger samples, or even
complete samples, more efficiently and effectively than a traditional audit. Under this
consideration, Groomer (2006, cited in Davidson et al., 2013, p. 45) claimed that CA can
eliminate statistical inferences.
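The following is an added example, not code from the paper or from any tool it cites. It runs recurring control tests that raise red flags over a complete population of payments, batch by batch, and compares the result with a one-off audit sample. The ledger, field names, control rules and approval limit are all constructed assumptions.

```python
"""Added example: recurring full-population control tests vs. a one-off audit sample.
All data, field names, rules and limits below are constructed for illustration."""
import random
from dataclasses import dataclass, replace
from math import comb
from typing import Dict, List, Optional, Tuple

APPROVAL_LIMIT_CENTS = 1_000_000  # assumed policy: payments above this need an approver


@dataclass(frozen=True)
class Payment:
    txn_id: int
    vendor: str
    invoice_ref: str
    amount_cents: int
    created_by: str
    approved_by: Optional[str]


class ContinuousAuditor:
    """Applies every control test to every record and keeps state between batches."""

    def __init__(self, approval_limit: int = APPROVAL_LIMIT_CENTS) -> None:
        self.approval_limit = approval_limit
        self._seen: Dict[Tuple[str, str, int], int] = {}  # invoice key -> first txn_id

    def test(self, p: Payment) -> List[str]:
        flags = []
        # Segregation of duties: the creator must not approve their own payment.
        if p.approved_by is not None and p.approved_by == p.created_by:
            flags.append("SELF_APPROVAL")
        # Authorisation: payments over the limit need a recorded approver.
        if p.amount_cents > self.approval_limit and p.approved_by is None:
            flags.append("UNAPPROVED_OVER_LIMIT")
        # Duplicate payment: same vendor, invoice and amount seen in any earlier batch.
        key = (p.vendor, p.invoice_ref, p.amount_cents)
        if key in self._seen:
            flags.append("DUPLICATE_OF_%d" % self._seen[key])
        else:
            self._seen[key] = p.txn_id
        return flags

    def ingest(self, batch: List[Payment]) -> Dict[int, List[str]]:
        """Test one batch; return {txn_id: flags} for the exceptions only."""
        found = {}
        for p in batch:
            flags = self.test(p)
            if flags:
                found[p.txn_id] = flags
        return found


def build_population(n: int = 1000) -> List[Payment]:
    """Constructed ledger: n clean payments, then three planted exceptions."""
    clerks, managers = ["clerk_a", "clerk_b", "clerk_c"], ["mgr_x", "mgr_y"]
    pop = [Payment(i, "V%02d" % (i % 20), "INV-%05d" % i,
                   10_000 + (i * 3_700) % 500_000, clerks[i % 3], managers[i % 2])
           for i in range(1, n + 1)]
    pop[136] = replace(pop[136], approved_by=pop[136].created_by)            # txn 137
    pop[511] = replace(pop[511], amount_cents=2_500_000, approved_by=None)   # txn 512
    first = pop[454]                                                         # txn 455
    pop[889] = replace(pop[889], vendor=first.vendor,                        # txn 890
                       invoice_ref=first.invoice_ref, amount_cents=first.amount_cents)
    return pop


def run_continuous(pop: List[Payment], batch_size: int = 100) -> Dict[int, List[str]]:
    """Feed the ledger to one auditor in arrival-order batches, as a recurring job would."""
    auditor, red_flags = ContinuousAuditor(), {}
    for start in range(0, len(pop), batch_size):
        red_flags.update(auditor.ingest(pop[start:start + batch_size]))
    return red_flags


def sample_audit(pop: List[Payment], n: int, seed: int) -> Dict[int, List[str]]:
    """Traditional approach: the same tests, applied to a random sample of n records."""
    sample = sorted(random.Random(seed).sample(pop, n), key=lambda p: p.txn_id)
    return ContinuousAuditor().ingest(sample)


def miss_probability(population: int, exceptions: int, sample_size: int) -> float:
    """Chance that a simple random sample contains none of the exception records."""
    return comb(population - exceptions, sample_size) / comb(population, sample_size)


if __name__ == "__main__":
    ledger = build_population()
    print("continuous:", run_continuous(ledger))
    print("sample of 25:", sample_audit(ledger, 25, seed=7))
    print("P(sample misses all 3): %.3f" % miss_probability(len(ledger), 3, 25))
```

The duplicate at transaction 890 is only caught because the auditor keeps its invoice index across batches; a sample catches it only if both the original and the duplicate are drawn.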
The automation of the evidence gathering process enables the auditor to reduce the
amount of time and cost in conducting examinations of transactions, and thus provides sufficient
time for auditors to understand business processes and evaluate internal control structures.
In this sense, CA contributes to reducing audit risks (Rezaee et al., 2002, p. 151; Hao and
Zhang, 2010, p. 445). Under CA, the auditor needs to employ a control risk oriented audit plan
which focuses on the effectiveness and sufficiency of internal control activities, assesses
inherent and control risks and sets out a detailed set of audit tests to be performed (Rezaee et
al., 2002, p. 151).

Limitation of continuous auditing


Despite early evidence that CA improves audit practices by implementing real-time
assessment, real-time auditing is not always efficient in terms of cost benefit (Shin et al.,
2013, p. 596). According to Chan and Vasarhelyi (2011, p. 154), the level of risk will
determine the work of CA: if business processes are high risk, then CA is the most
effective method. If the level of risk is lower, it will be more effective to conduct regular
auditing.
Chan and Vasarhelyi (2011, p.155) claimed that the implementation of CA needs
automated auditing procedures to test automated business processes; however, it is
impossible to automate all traditional audit procedures. Similarly, Shin et al. (2013, p.597)
argued that some business processes may require manual auditing practices and
professional judgment by the auditors.
CA may be implemented by internal and external auditors; therefore there is a
tendency for duplication of work. To be effective, Chan and Vasarhelyi (2011, p. 597)
suggested that internal auditors focus on supervision and testing a large volume of data, while
external auditors perform high dimensional analyses, implement audit trail monitoring in the CA
systems and check for fraud among managers.

From continuous auditing to continuous monitoring


According to Alles et al. (2006, p.138), continuous monitoring is the subset of
continuous auditing known as continuous monitoring of business process controls (CMBPC),
which is most relevant to Section 404 of the Sarbanes-Oxley Act, which requires the
participation of managers and auditors to ensure the effectiveness and efficiency of
controls over the firm's financial reporting processes. In this sense, Kogan et al. (1999, cited
in Alles et al., 2006, p. 138) highlighted the problem of whether CA implementation is
control oriented or data oriented, as there are instances where process controls are not automated
or their settings are not readily accessible. In such an environment, CA is perceived to be data
oriented, where it works on automated substantive procedures and analytical procedures, and
involves manual procedures for testing controls.
Shin et al. (2013, p. 621) studied the implementation of CA in an ERP-based
environment, in which CM plays a significant role in enhancing the effectiveness and
efficiency of auditing. They argued that CA system implementation can be divided into two
stages: 1) extraction of CM scenarios and 2) the implementation of risk monitoring systems.

Framework: Integrating CA in the IS audit process


In achieving the sustainability values of information systems auditing and using CA as a
tool, a systematic and conceptual framework of information systems auditing needs to be
established. It is important to consider the element of public sector auditing in developing the
framework; therefore it was created based on the International Standards of Supreme Audit
Institutions (ISSAI, 2007). In light of sustainability developments, this paper includes the
concept of sustainability from the information systems perspective in conducting IS audit
work. In this context, the proposed framework is designed based on literature from
continuous auditing, sustainability and auditing related to information systems auditing. The
framework consists of three essential factors: audit plan, audit execution and audit
reporting/follow up. A follow-up audit will be conducted on all audit issues subsequent to the
issuance of audit reports.
Basically, the audit processes are divided into 3 phases: 1) audit plan, 2) audit
execution and 3) audit reporting/follow up. The audit plan phase starts with the determination
of the audit approach, either compliance oriented or performance oriented. This identification
requires the sustainability mechanism, where auditors need to take into account the concept
and factors contributing to sustainability development. At the planning phase, the
requirements of sustainability mechanisms need to be addressed in the establishment of
audit objectives, audit criteria and audit scope, which are usually defined according to decision
making level, specifically strategic, tactical and operational.
The strategic level involves top management in formulating audit objectives and
identifying strategies to accomplish those objectives. Setting the audit plan comprises several
activities such as understanding the entity, determining business objectives, understanding the
information systems of the entity, understanding the IT projects invested in (if any), conducting
risk assessment to determine IT risk factors and business risk factors, isolating the significant
information systems that support the business processes, selecting the audit topic,
establishing the audit schedule from conducting fieldwork to the preparation of the audit report
and lastly confirming the plan with management.
The tactical level refers to the implementation of strategic decisions. In this regard,
the sustainability initiative needs to be embedded in the audit objectives in terms of
structuring work flow, establishing audit criteria, defining audit techniques and procedures, and
acquisition of resources. The operational level refers to routine activities, decisions and
responsibilities in managing resources and delivering services. At the planning phase, the IS
audit team needs to consider strategic and tactical design for embedding sustainability into the
IS audit work.


IS AUDIT PLANNING

SUSTAINABILITY STRATEGIC OBJECTIVE
- Continuity of operation
- Flexibility
- Availability
- Maintainability
- Continuous improvement
- Capability of the systems to provide reliable and accurate information
- Ability of the systems to provide effective service to users
- System endurance
- Business continuity
- Resiliency

IS AUDIT PROCESSES (ISACA)
- Setting audit objective, scope and methodology
- Conducting risks assessment
- Defining audit materiality
- Gathering audit evidence
- Using of CAATs
- Outsourcing IS activities
- Audit sampling
- Internal controls review
- Application systems review
- SDLC review
- Post implementation review
- Security management review
- Assessment on IT project
- Change management

Figure 1: IS Audit Planning Phase
In addition to common audit practices, sustainable strategic objectives may be
developed at the planning phase. Compliance auditing and performance auditing have
different audit objectives; however, the scope of audit work for both approaches, such as risk
assessment and assessment of the requirements of laws, regulations and policies, is similar, as is
the evaluation of internal controls. In this sense, the researcher highlighted audit quality and
efficiency in achieving sustainability objectives through CA implementation.
In general, at the audit execution phase, the audit team begins to integrate the
sustainability strategic plan in performing the audit work, whether for a compliance
audit or a performance audit. These activities involve evaluating the
effectiveness of controls, the reliability of information systems and the integrity of information.
These assessments must be aligned and correspond to the audit objectives and audit criteria
Many business processes are dominated by IT/IS applications; CA is therefore able to
provide timely, reliable information and to reduce the audit cycle, which results in cost savings
and promotes positive social impacts. In this regard, CA is perceived as a technical solution
to address the needs of sustainability in information systems auditing. The features of CA
The integration of sustainability into the audit work may be accomplished through a
continuous auditing approach cum continuous monitoring, in which the features of CA are tied
to sustainability goals and targets.

IS Auditing Methodology
- Continuous auditing and continuous monitoring

IS Auditing Implementation/Audit Procedures
- Assessment on the IT/IS project
- Evaluation of application systems
- Review on the IT Governance
- Selection of samples
- Risk assessment analysis
- Assessment on service level

IS Reporting/Follow-up
- Internal and external communication on sustainability of the IS implementation

Figure 2: IS audit execution and reporting phase

The final stage of integrating sustainability into the IS auditing process is the follow-up
activities. The purpose of follow-up is to ensure that the implementation of sustainability in IS
projects, application system development or IT Governance is satisfactory.
Figure 3: Use of the CA/CM concept in defining and generating IS audit questions based on the
sustainability objectives

(FOR COMPLIANCE AUDIT)

IS Procedures
- Personnel activated the application systems and input data
- The application systems process transactions/input
- The application systems reconcile transactions/input
- The application systems generates output

Audit objective: To ensure appropriate controls are in place for input, process and output.
Sustainability strategic objective: To ensure the continuity of IS operations
CA objective: Transactions are generated timely and accurately.
Potential CA methods: Audit hooks, Continuous and intermittent simulation (CIS)

Figure 3: Procedures flow diagrams by using CA/CM

(FOR PERFORMANCE AUDIT)

IS Procedures
- The establishment of audit objectives for IS project: economy, efficiency and effectiveness
- Implementation of the IS project.
- The assessment of the 3e by auditors: economy, efficiency and effectiveness

Audit objective: To ensure the IS project implementation are value for money
Sustainability strategic objective: The IS project are planned and implemented according to
5 dimensions - financial, social, institutional, technological and environmental.
CA objective: Continuous monitoring on the internal controls and the implementation of projects.
Potential CA methods: Continuous monitoring - Shin et al. (2013)

Figure 4: Procedures flow diagrams by using CA/CM

Implication of study for the audit profession


From the discussion and analysis, CA is an appropriate audit method for performing
compliance audit and performance audit work. From the compliance audit perspective, CA
is capable of detecting unauthorised activity, reducing errors and producing timely reports. In
conjunction with the sustainability requirement, CA has a technology that provides an opportunity
for the auditors to examine the ability of the system to provide service to users, the capability of
the systems to provide accurate and reliable information to users and stakeholders, and
the resiliency of the systems.
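The compliance-audit use of CA described above (controls over input, process and output, with audit hooks and continuous and intermittent simulation as candidate methods) can be sketched in code. The following Python is an added illustration, not part of the original paper; the transaction fields, the 24-hour posting window, the approval limit, the tax rate and the sample records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Optional

# Assumed audit criteria; a real engagement sets these at the planning phase.
MAX_POSTING_DELAY = timedelta(hours=24)
APPROVAL_LIMIT = Decimal("10000.00")

@dataclass(frozen=True)
class Txn:
    txn_id: str
    entered_at: datetime      # personnel input the data
    posted_at: datetime       # application system processed it
    amount: Decimal
    tax_rate: Decimal
    system_total: Decimal     # output generated by the application system
    approver: Optional[str] = None

def audit_hook(txn):
    """Audit hook: tag a transaction that meets predefined criteria."""
    flags = []
    if txn.posted_at < txn.entered_at:
        flags.append("POSTED_BEFORE_ENTRY")
    elif txn.posted_at - txn.entered_at > MAX_POSTING_DELAY:
        flags.append("LATE_POSTING")
    if txn.amount > APPROVAL_LIMIT and not txn.approver:
        flags.append("MISSING_APPROVAL")
    return flags

def simulate_total(txn):
    """CIS-style check: the auditor's independent recomputation of the output."""
    return (txn.amount * (1 + txn.tax_rate)).quantize(Decimal("0.01"))

def continuous_audit(txns):
    """Apply both checks to each transaction and reconcile the batch totals."""
    exceptions, expected_sum, reported_sum = {}, Decimal("0"), Decimal("0")
    for txn in txns:
        flags = audit_hook(txn)
        expected = simulate_total(txn)
        if expected != txn.system_total:
            flags.append("OUTPUT_MISMATCH")
        expected_sum += expected
        reported_sum += txn.system_total
        if flags:
            exceptions[txn.txn_id] = flags
    variance = reported_sum - expected_sum
    return {"exceptions": exceptions, "reconciled": variance == 0,
            "variance": variance}

def make_txn(txn_id, entered, posted, amount, total, approver=None):
    """Build a sample record from strings (helper for the constructed data)."""
    fmt = "%Y-%m-%d %H:%M"
    return Txn(txn_id, datetime.strptime(entered, fmt),
               datetime.strptime(posted, fmt), Decimal(amount),
               Decimal("0.06"), Decimal(total), approver)

# Constructed sample records, not data from the paper.
SAMPLE = [
    make_txn("T1", "2014-09-01 09:00", "2014-09-01 09:05", "100.00", "106.00"),
    make_txn("T2", "2014-09-01 09:00", "2014-09-03 10:00", "250.00", "265.00"),
    make_txn("T3", "2014-09-02 11:00", "2014-09-02 11:10", "15000.00", "15900.00"),
    make_txn("T4", "2014-09-02 12:00", "2014-09-02 12:01", "80.00", "84.08"),
]

if __name__ == "__main__":
    report = continuous_audit(SAMPLE)
    for txn_id, flags in report["exceptions"].items():
        print(txn_id, ", ".join(flags))
    print("reconciled:", report["reconciled"], "variance:", report["variance"])
```

The exception list is what would feed the timely reporting the paragraph describes, and a non-zero variance shows that the output totals no longer reconcile with the independently simulated ones.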
From the performance audit viewpoint, CA allows manual procedures that require
professional judgment by the auditor, for example the evaluation of management estimates
(Chan and Vasarhelyi, 2011, p. 155). The objective of a performance audit is to assess whether the
government’s activities/programmes/projects have been carried out in an effective, efficient and
economical manner to achieve their desired objectives. In relation to the sustainability strategic
objective, previous literature has identified five (5) dimensions that need to be considered in
planning and implementing ICT projects, namely financial, social, institutional, technological
and environmental. In this context, the continuous auditing cum continuous monitoring
procedures provide the opportunity for auditors to fulfil sustainability requirements such
as reducing the potential for IS project failure, cost overrun and project delay. The adoption
of CA and its techniques could enhance audit work by providing objective information to the
public.

Conclusion
This study has attempted to explore the use of CA techniques to provide an advantage for
IS auditing implementation. As sustainability is becoming an important issue in many
organisations, the integration of sustainability into IS audit work is crucial to producing reliable
and objective reports to the public. The application of CA to achieve the sustainability strategic
objective in IS auditing is perceived to be advantageous to auditors and to have a great impact
upon the process of IS auditing, the implementation of audit procedures and audit assurance as a
whole.
The current study has provided a brief view from the initial investigation. Further
studies are necessary to explore how important the sustainability dimension is in information
systems evaluation, and what views and perceptions are expressed on applying CA as part of the audit
methods in compliance and performance auditing.

References:
Abdolmohammadi, M.J. and Boss, S.R. (2011) ‘Factors associated with IT audits by the
internal function’, International Journal of Accounting Information Systems, 11, pp. 140-151
Afgan, H.N., Andre, P. and Carralho, G.M. (2006) ‘Sustainability: the management system
property’, PICMET Proceedings, Istanbul, Turkey, 9 to 13 July 2006.
Alles, M.G., Kogan, A. and Vasarhelyi, M.A. (2008) ‘Putting Continuous Auditing theory
into practice: lesson from two pilot implementations’, Journal of Information Systems, 22(2),
pp. 195-214
Ali, M. and Bailur, S. (2007) ‘The challenge of sustainability In ICT4D – Is bricolage The
Answer?’, Proceedings of the 9th International Conference on Social Implications of
Computers in Developing Countries, Sao Paulo, Brazil, May 2007
Amancei, C. and Surcel, T. (2010) ‘Increasing the efficiency of IT audit methodology
by using the organizations tolerance to IT systems availability’, Informatica Economică, 14(1),
pp. 49-56
Bierstaker, J.L., Burnaby, P. and Thibodeau, J. (2001) ‘The impact of information technology
on the audit process: an assessment of the state of the art and implications for the future’,
Managerial Auditing Journal, 16(3), pp. 159-164
Brown, C.E., Wong, J.A. and Baldwin, A.A. (2007) ‘Research streams in continuous audit: a
review and analysis of the existing literature’, Journal of Emerging Technologies in
Accounting, pp. 1-28
Burrowes, A. and Persson, M. (2000) ‘The Swedish management audit: a precedent for
performance and value for money audits’, Managerial Auditing Journal, 15(3), pp. 85-96
Carter, C.R. and Rogers, D.S. (2008) ‘A framework of sustainable supply chain
management: moving toward new theory’, International Journal of Physical Distribution &
Logistics Management, 38(5), pp. 360-387
Charlton, G. and Marx, B. (2009) ‘An investigation into the impact of continuous auditing on
the external auditors of the four largest banks in South Africa’, South Africa Journal of
Accounting Research, 23(1), pp. 45-65
Chen, D.Q., Mocker, M., Preston, D.S. and Teubner, A. (2010) ‘Information system strategy:
reconceptualization, measurement and implication’, MIS Quarterly, 34(2), pp. 233-259


Daujotaitė, D. and Mačerinskienė, I. (2008) ‘Development of performance audit in public
sector’, 5th International Conference Business and Management, Vilnius, Lithuania, 16 to 17
May 2008.
Delone, W.H. and McLean, E.R. (2003) ‘The DeLone and McLean Model of information
systems success: a ten-year update’, Journal of Information System, 19(4), pp. 9-30.
De Búrca, S., Fynes, B. and Brannick, T. (2006) ‘The moderating effects of information
technology sophistication on services practice and performance’, International Journal of
Operation & Production Management, 26(11), pp. 1240-1254
Davidson, I.B., Desai, N.K. and Gerard, G.J. (2013) ‘The effect of continuous auditing on the
relationship between internal audit sourcing and the external auditor’s reliance on the internal
audit function’, Journal Of Information Systems American Accounting Association, 27(1),
pp. 41-59
Delai, I. and Takahashi, S. (2011) ‘Sustainability measurement system: A reference model
proposal’, Social Responsibility Journal, 7(3), pp. 438-471
Dittenhofer, M. (2001) ‘Performance auditing in government’, Managerial Auditing
Journal, 16(8), pp. 438-442.
Ebrahim, Z., Irani, Z. and Al Shawi, S. (2004) ‘A Strategic Framework for E-government
Adoption in Public Sector Organisations’, Proceeding of the Tenth Americas Conference on
Information Systems, New York, August 2004.
El-Masry, EHE. and L. Reck, J. (2008) ‘Continuous online auditing as a response to the
Sarbanes Oxley Act’, Managerial Auditing Journal, 23(8), pp. 779-802.
Erek, K., Schmidi, N-H., Zarnekow, R. and Kolbe, M.L. (2009) ‘Sustainability in
information system assessment of current practices in information systems organisations’,
Proceeding of the 15th American Conference on Information System, San Francisco,
California, 6 to 9 August 2009.
Esquer-Peralta, J., Velasquez, L. and Munguia, N. (2008) ‘Perceptions of core elements for
sustainability management system (SMS)’, Management Decision, 46(7), pp. 1027-1038
Fuchs, C. (2006) ‘The implication of new information and communication technologies for
sustainability’, Springer Science + Business Media B.V., pp. 291-309
Gauld, R. (2007) ‘Public sector information system project failures: lessons from a New
Zealand hospital organization’, Government Information Quarterly, 24 (2007), pp. 102-114.
Goldfinch, S. (2007) ‘Pessimism, computer failures and information system development in
the public sector’, Public Administration Review, Sept/Oct. 2007, pp. 917-929.
Goolsarran, S.A. (2007) ‘The evolving role of supreme audit institutions’, Journal of
Government Financial Management, pp. 28-32
Griffiths, A. and Petrick, A.P. (2001) ‘Corporate architecture for sustainability’, International
Journal of Operations & Production Management, 21(12), pp. 1573-1585
Grönlund, A., Svärdsten, F. and Öhman, P. (2011) ‘Value for money and the rule of law: the
(new) performance audit in Sweden’, International Journal of Public Sector Management,
24(2), pp. 107-121
Guan, Y. (2010) ‘A study on the internal control of accounting information system’,
IEEE International Conference on Computer and Communication Technologies in
Agriculture Engineering, 2010, pp. 203-206
Hao, Y. and Zhang, Y. (2010) ‘Innovation and value added’, IEEE Third International
Symposium on Information Processing, 2010, pp. 442-446
Harmon, R., Demirkan, H., Auseklis, N. and Reinoso, M. (2010) ‘From green computing to
sustainable IT: developing a sustainable service orientation’, IEEE, Proceedings of the 43rd
Hawaii International Conference on System Sciences, 2010, pp. 1-10


Heine, M.L., Grover, and Malhotra, M.K. (2003) ‘The relationship between technology and
performance: a meta-analysis of technology models’, The International Journal of
Management Science, 31(3), pp. 189-204.
ISACA Standards Board (2002) ‘Continuous Auditing: Is It Fantasy or Reality?’,
Information Systems Control Journal, 5, pp. 1-4
ISACA White Paper (2011) ‘Sustainability’, Information Systems Control Journal, pp. 1-13
Jin’e, Y. and Dunjia, L. (1997) ‘Performance audit in the service of internal audit’,
Managerial Auditing Journal, (12) 4, pp. 192-195
Jaca, C., Viles, E., Mateo, R. and Santos, J. (2012) ‘Component of sustainable improvement
systems: theory and practice’, The TQM Journal, 24(2), pp. 142-154
Kimaro, H.C. and Nhampossa, J.L. (2007) ‘The challenges of sustainability of Health
Information Systems in developing countries: comparative case studies of Mozambique and
Tanzania’, Journal of Health Informatics in Developing Countries, 1(1), pp. 1-10
Kogan, A., Sudit, E.F. and Vasarhelyi, M.A. (1999) ‘Continuous online auditing: a program
of research’, Journal of Information Systems, (13) 2, pp. 87-103
Korte, M., Lee, K. and Fung, C.C. (2012) ‘Sustainability in Information Systems:
requirements and emerging technologies’, IEEE, 2012 International Conference on
Innovation, Management and Technology Research (ICIMTR2012), Malacca, Malaysia, 21
to 22 May 2012, pp. 481-485
Leidner, D.E., Lo, J. and Preston, D. (2011) ‘An empirical investigation of the relationship of
IS strategy with firm performance’, Journal of Strategic Information Systems, 20(9), pp.
419-437
Lagsten, J. and Goldkuhl, G. (2008) ‘Interpretative IS evaluation: results and uses’, The
Electronic Journal Information Systems Evaluation, 11(2), pp. 97-108
Mahzan, N. and Veerankutty, F. (2011) ‘IT auditing activities of public auditors in Malaysia’,
African Journal of Business Management, 5(5), pp. 1551-1563.
Marks, N. (2010) ‘Continuous auditing reexamined’, ISACA Journal, 1, pp. 1-5
Majdalawieh, M. and Zaghloul, I. (2008) ‘Paradigm shift in information systems auditing’,
Managerial Auditing Journal, 24(4), pp. 352-367.
Majdalawiedh, M., Sahraoui, S. and Barkhi, R. (2012) ‘Intra/inter Process Continuous Auditing
(IIPCA), Integrating CA Within an Enterprise System Environment’, Business Process
Management Journal, 18(2), pp. 304-327.
Mat Nayan, M., Badioze, Z.H. and Tengku Sembuk, T.M. (2010) ‘Defining information
system failure in Malaysia: results from Delphi technique’, 7(10), IEEE, pp. 1616-1621
Mc Manus, J. and Harper, T.W. (Autumn 2007) ‘Understanding the sources of information
systems project failure’, Management Services, 51(3), pp. 38-43
Melville, N.P. and Ross, S.M. (2010) ‘Information system innovation for environmental
sustainability’, MIS Quarterly, 34(1), pp. 1-21.
Millar, C., Hind, P. and Magala, S. (2012) ‘Sustainability and need for change: organisational
change and transformational vision’, Journal of Organizational Change Management,
25(4), pp. 489-500
Moorthy, M.K., Seetharaman, A., Mohamed, Z., Gopalan, M. and San, L.H. (2011) ‘The
impact of information technology on internal auditing’, African Journal of Business
Management, 5(9), pp. 3523-3539
Nicho, M. and Cusack, B. (2007) ‘A metrics generation model for measuring the control
objectives of information systems audit’, IEEE Proceeding of the 40th Hawaii International
Conference on System Science, 2007


Nurdin, N., Stockdale, R. and Scheepers, H. (2012) ‘Organizational adaptation to sustain
information technology: the case of e-government in developing countries’, Electronic
Journal of e-Government, 10(1), pp. 70-83
Omoteso, K., Patel, A. and Scott, P. (2010) ‘Information communications technology &
auditing: current implications and future directions’, International Journal of Auditing, 14,
pp. 147-162
Petter, S., DeLone, W. and McLean, R.E. (2012) ‘The past, present and future of information
system success’, Journal of the Association for Information System, 13 (Special Issue), pp.
341-362
Piotrowicz, W. and Cuthbertson, R. (2008) ‘Sustainability - A new dimension in information
system evaluation’, Journal of Enterprise Information Management, 22(5), pp. 492-503
Plepys, A. (2002) ‘The grey side of ICT’, Environmental Impact Assessment Review, 509-523
Malaysian Administration Modernization Planning Unit (2010), Public Sector ICT Strategic
Directions, Available at www.mampu.gov.my (Accessed: 10 September 2012)
Rahman, N. and Akhter, S. (2010) ‘Incorporating sustainability into information technology
management’, International Journal of Technology Management & Sustainable
Development, 9(2), pp. 95-111
Raymond, H.A. (1995) ‘Compliance auditing’, The Internal Auditor, 52(6), pp. 42
Rezaee, Z., Elam, R. and Sharbatoghlieet, A. (2001) ‘Continuous auditing: the audit of the
future’, Managerial Auditing Journal, 16(3), pp. 150-158
Rezaee, Z., Sharbatoghlieet, A., Elam, R. and McMickle, P.L. (2001) ‘Continuous auditing:
building automated auditing capability’, Auditing: A Journal of Practice and Theory, 21(1),
pp. 147-163
Sarva, S. (2006) ‘Continuous auditing through leveraging technology’, Information Systems
Control Journal, 1, pp. 1-4
Sayana, A.S. (2002) ‘IS audit process’, Information Systems Control Journal, 1, pp. 1-4
Scheirer, M.A. and Dearing, J.W. (2011) ‘An agenda for research on the sustainability of
public health programs’, American Journal of Public Health, 101(11), pp. 2059-2067
Searcy, C., Karapetrovic, S. and McCartney, D. (2007) ‘Application of a systems approach to
sustainable development performance measurement’, International Journal of Productivity
and Performance Management, 57(2), pp. 182-197
Shaikh, J.M. (2005) ‘E-commerce impact: emerging technology – electronic auditing’,
Managerial Auditing Journal, 20(4), pp. 408-421
Shin, Il, Lee, M. and Park, W. (2013) ‘Implementation of the continuous auditing system in
the ERP-based environment’, Managerial Auditing Journal, 28(7), pp. 592-627
Silvius, A.J.G., van den Brink, J. and Smit, J. (2009) ‘Sustainability in information and
communication technology project’, Communication of the IIMA, 9(2), pp. 33-44
Silvius, A.J.G. and Nedeski, S. (2011) ‘Sustainability in IS project: a case study’,
Communication of the IIMA, 11(4), pp. 1-12
Swanson, L.A. and Zhang, D.D. (2012) ‘Perspective on corporate responsibility and
sustainable development’, Management of Environment Quality, An International Journal,
23(6), pp. 630-639.
Smith, P.A.C. (2012) ‘The importance of organizational learning for organizational
sustainability’, The Learning Organization, 19(1), pp. 4-10.
Smith, P.A.C. and Scharicz, C. (2012) ‘The shift needed for sustainability’, The Learning
Organisation, 18(1), pp. 73-86
The International Standards of Supreme Audit Institutions (1997) ISSAI 1: The Lima
Declaration. Available at: http/www.issai.org/media(622,1033)/ISSAI_1 (Accessed: 11 Jan
2013)


The International Standards of Supreme Audit Institutions (1997) ISSAI 3000: Standards
and Guidelines for performance audit based on INTOSAI’s auditing standards and practical
experience. Available at: http/www.intosai.org (Accessed: 20 Jan 2013)
Todorov, V. and Marinova, D. (2010) ‘Information Theory Perspective on Modelling
Sustainability’, IEEE Proceedings of the 43rd Hawaii International Conference on System
Sciences, 2010, pp. 1-10
Wanyama, I. (2011) ‘Stakeholder perception of information systems development success in
the public sector’, Management Science and Engineering, 5(2), pp. 31-41
Yang, D.C. and Guan, L. (2004) ‘The evolution of IT auditing and internal control standards
in financial management audit’, Managerial Auditing Journal, 19(4), pp. 544-555
Zheng, H., Chanaron, J.J., You, J. and Chen, X. (2009) ‘Designing a key performance
indicator system for technological innovation audit at firm’s level: a framework and an
empirical study’, IEEE, 8(9), pp. 1-5
