The Impact of Information Technology On

Download as pdf or txt
Download as pdf or txt
You are on page 1of 17

African Journal of Business Management Vol. 5(9), pp.

3523-3539, 4 May, 2011


Available online at http://www.academicjournals.org/AJBM
DOI: 10.5897/AJBM10.1047
ISSN 1993-8233 ©2011 Academic Journals

Full Length Research Paper

The impact of information technology on internal


auditing
M. Krishna Moorthy1*, A. Seetharaman2 Zulkifflee Mohamed3, Meyyappan Gopalan4 and
Lee Har San5
1
Faculty of Business and Finance, Universiti Tunku Abdul Rahman, Perak Campus, 31900, Kampar,
Perak D.R., Malaysia.
2
S. P. Jain Center of Management, Singapore.
3
Faculty of Business Administration, Universiti Tun Abdul Razak, PINTAR Campus, 16-1,Jalan SS6/12, 47301 Petaling
Jaya, Selangor Darul Ehsan, Malaysia.
4
Faculty of Management, Multimedia University, Cyberjaya, Malaysia.
5
School of Accounting and Finance, Legenda Education Group, Negeri Sembilan, Malaysia.
Accepted 21 January, 2011

This paper evaluates the role of information technology and how it affects internal audit process in the
organization. The study also stresses on the global trend of adopting IT system (software/ hardware) in
producing a more controlled environment in delivering the auditing process. It also constitutes on how
IT affects internal control (control environment, risk assessment, control activities, information and
communication and monitoring) and provides guidelines and best practices in evaluating techniques
available to effectively perform auditing tasks internally. It also addresses how technology, Information
system (IS) and electronic data processing (EDP) have changed the way organizations conduct its
business, promoting operational efficiency and aid decision-making. It also spotlights many aspects of
IT risks and controls and highlights whether the right people are overseeing IT risks to the degree they
should. It demonstrates the impact of technology convergence on the internal control mechanism of an
enterprise. It emphasizes that the auditor also has a responsibility to assure that the governance level
of management (the audit committee and board of directors) understand risks accepted by
management and the liabilities potentially transferred to board members.

Key words: Internal audit, audit tools, IT audit, continuous auditing.

INTRODUCTION

Internal audits are designed to evaluate the effectiveness purposes for the systems, and understand the
of an operation's internal controls by first gathering infor- environment in which the systems operate. The other
mation about how a unit operates, identifying points at important uses for computers and networks by auditors
which errors or inefficiencies are possible, and identifying are in audit administration. By seeking new uses for
system controls designed to prevent or detect such computers and communications, auditors improve their
occurrences. Then, they test the application and perfor- ability to review systems and information and manage
mance of those controls to assess how well they work. their activities more effectively. Automated tools allow
Managers ought to routinely evaluate controls in their auditors to increase individual productivity and that of the
department's operations by following the same process. audit function.
Computers and networks provide most of the By recognizing the importance of emerging
information needed for auditing. In order to be effective, environment and requirement to perform audit task
auditors must use the computer as an auditing tool, audit effectively, auditors must recognize the key reasons to
automated systems and data, understand the business use audit tools and software, which will be further
explored, in later section. The key reasons include:

(i) On a personal level, learn a new skill.


*Corresponding author. E-mail: [email protected]. (ii) Improve company decision-making using improved data.
3524 Afr. J. Bus. Manage.

(iii) Increase the efficiency of an audit. to internal audit profession is somehow beyond an
(iv) Reduce routine tasks to provide more time for organizational control. Mismanagement and untested
creative and business analysis. presumption on this impact can be very much precious to
(v) Provide improved transparency governance of the the organization and may lead to conflict in achieving
organization. effective internal control mechanism. Proper handling of
(vi) Identify quantitative root causes for issues. resources, maintaining records, effective communication
(vii) Reduce fraud and abuse. through adopting technology offered by information
(viii) Identify savings in supplier, customer, human technology is critical to ensure completeness of audit
resource, computer, and enterprise management. process and benefited auditors. This paper focuses on
above critical basis and limiting the research scope within
This paper provides a brief analysis of the main areas functional audit task within an organization - mainly about
where software tools are used in auditing, technology the tools and techniques used by auditors in audit
impacts on the auditing profession, audit impacts on management and administration.
emerging business and technology issues, and an
example list of information technology products frequently
used by auditors. SURVEY OF LITERATURE

For a better understanding and revisit previous studies on


Research problem the information technology application to internal audit,
literature review is outline as a basis for defining research
From the literature reviews, it appears that the several problem and objective of this paper. The survey of
issues on IT and internal audit have to be addressed and literature covers the vigorous implication of technology
need to be answered. In essence, the research problems advancement towards internal audit profession and audit
are summarized as follows: management. The survey has been divided into a
categories such as changing role of auditors, continuous
1. No specific guidelines are available to ensure auditing, oversight IT risks and technology implication.
information technology impact can be softened through
audit best practices.
2. Absence of accounting standards to educate relevant Changing role of auditors
auditors in performing audit task and mitigate
organizational risk. David Yang and Liming Guan (2004) discussed on the
3. The role of internal auditor has not been specified evolution of auditing in the rapid escalation of technology,
thoroughly, and correctly to ensure necessary capability which openly contribute to information technology (IT)
and competencies being addressed and help auditor to auditing and internal control standards and guidelines.
perform auditing task effectively. Technology, information system (IS) and electronic data
4. To study on global trend of adopting IT system processing (EDP) have changed the way organizations
(software/ hardware) in implementation of continuous conduct its business, promoting operational efficiency
controlled environment (continuous auditing). and aid decision-making. In this essence, and in the case
of United States (US) as being explored by the authors,
various authoritative bodies, such as the American
Objectives of the research Institute of Certified Public Accountants (AICPA) and the
Information Systems Audit and Control Association
The objectives of the research are: (ISACA), have issued standards to facilitate and provide
sufficient guidance to auditors. According to AICPA’s
1. To identify reasons for lack of guidelines available to SAS No. 3, the objectives of accounting control are the
best practices. same in both a manual system and an IT system.
2. To address and suggest accounting standards to However, procedures used by an auditor may be
educate and help relevant auditors in performing audit affected. SAS No. 48, "the effects of computer processing
task and mitigate organizational risk. on the examination of financial statements," explained
3. To suggest a detailed role of internal auditor and and recommended auditors to evaluate the methods of
required skills and competencies in IT related audit. computer data processing and other significant factors
4. To address and detailed out IT system (software/ such as “planning and supervision, study and evaluation
hardware) for continuous auditing. of internal control, evidential matter, analytical review
procedures, and qualifications of the audit team”. It also
highlighted the distinguishing characteristics of IT
Scope of study systems that should be considered by the auditor when
conducting the evaluation process. Under SAS No. 94,
The application of information technology and its impact the AICPA specify factors auditors need to consider in
Moorthy et al. 3525

financial statement auditing process and its implication to level and did not conclude the real effect of internet’s
audits of all size of businesses. The authors has also corporate reporting to auditors.
reviewed and discussed the five most significant aspects Jenny Goodwin (2004) has compared features of the
of No. 94, and this supported by Tucker (2001). In internal audit function between organizations in the
addition, SAS No. 94 recognized the types of systems, private and public sector. Several aspects has been
controls and evidence auditors encountered. The author carefully examined in which include organizational status,
has touched briefly on the Statement Of Information using internal audit as a "tour of duty" function, outsour-
System Auditing (SISA), which defined mandatory cing of audit function, risk management, and interactions
requirements for IS auditing and reporting. This is with external auditors. The study is based on a survey
reviewed through SISA 010 to SISA 080. The authors done in Australia and New Zealand organizations. Survey
have provided thorough explanation on auditing standard was done to indicate the length of time spent by
and guideline available in US, and suggest on how this respondents in internal audit process and it has appeared
standards and guidelines can assist auditors funda- that internal audit has a higher status in the public sector
mentally in IT auditing. However, the authors have not rather than in private sector entities. On outsourcing,
specified type of IT auditing application and how it directly survey indicated that both sectors engaged in some
affects auditing profession. The authors also failed to outsourcing of internal audit activities particularly in
prove significance impact of technology to the auditor’s information technology and system. The percentage
roles and responsibility. outsourced is quite similar between these two sectors.
Iqbal Khadaroo (2005) has explored on the widespread Author has also discussed on the major activities
of corporate reporting on the Internet and its implication affiliated with internal audit, specified as financial audit
to auditing profession. The phenomenal growth of and internal controls, risk management operations and
Internet ultimately contributes to electronic, web-based systems audits. The author has explored internal audit
Internet reporting information. The author first had interaction with external auditors from the perspective of
revised several literature and accounting standards to the chief internal auditor and results indicated there are
understand the nature of best practice and code of no significant differences between public and private
conduct for web-based business reporting. The author sector responses. Further, in both sectors, external
later had examined Internet reporting practices in auditors have a high level of access to internal audit
Malaysia and set the limit of the study to 100’s Kuala reports. This may reflect the greater level of competition
Lumpur Stock Exchange Composite Indexed (KLSE CI) in the private sector audit market compared to public
companies in Malaysia for year 2003 and 2004. The sector. In conclusion, the author suggested that there are
author found out that there was a significant increase of differences in status between internal audit functions in
companies using the internet to supply information to the the two sectors but that internal audit activities and
public. The core activities of disclosing information are interactions with external auditors are similar. The author
mainly on general web page attributes (line of product, only discussed on the comparison of internal auditing
business function and product promotional activities), activities and features on structural basis without further
Investor relations, and financial information; including elaborate on the functionality of internal audit process in
audit reports. The author has suggested that although the organization.
usage of Internet can benefits the company, reliability Jayalakshmy et al. (2005) has highlighted the
and verification of information disclosed has to be pressures auditors would face in the era of globalisation
guarded. Based on his survey, a large number of the and challenges in order to maintain trust and integrity.
KSLE listed companies (14%) are hyper-linking audited The authors have reviewed a wide range of articles and
financial statements to unaudited information. This may journals published and covered areas of audit fraud, true
contributed to a potential manipulation by the company and fair view interpretation, auditor independence and
and influence users in accessing valid and reliable role of internal auditors. This is analysed by many
information. The accounting profession has to play an authors such as Hillison et al. (1999), where the authors
important role in improving the quality of information have discussed the role and responsibility of internal
provided and assuring users about their reliability. The auditors in the detection and prevention of fraud. In
author suggested that specific audit procedures to be addition, Roufaiel and Dorweiler (1994) expressed that
taken, for instance as recommended by auditing computer fraud is easy to commit but difficult to prevent
guidance issued in Australia and New Zealand (AASB, and therefore, the auditors should define their responsi-
2002; PPB, 2003). The author also suggested several bility for computer fraud. The authors have defined the
security measures, for example the hosting of audited lack of independence, integrity and credibility of the
information on an auditor's web site, may provide auditors auditing profession on the role and responsibility to detect
with better control, reducing audit risks and further and prevent audit fraud. They also discussed on the
improve the credibility and reliability of information to accounting uncertainty and changes in standards over
users. Nevertheless, the author has only discussed and time have affected auditors in forming a true and fair view
analyzed implication of auditing profession on the surface (TFV) opinion. The concept of "true and fair view" (TFV)
3526 Afr. J. Bus. Manage.

(TFV) is well known to accountants as well as auditors. It organization. However, several issue on reliability and
has been the fundamental basis of audited accounts for consistency arised when those software are not meeting
many years. The recent audit failure cases have revealed auditors expectation. The author also discussed on the
the issue on the concept of TFV and whether this concept availibility of open-source software available in the web
certify by auditors or not, needs an overhaul to format. Using open-source software has distinct opera-
strengthen the audit process. This should be supported tional advantages. Auditors with very specific software
by taking account the judgments from stakeholders of the needs may have to look beyond the built-in capabilities of
company and the auditors. The authors have provided available products and consider crafting their own audit
acceptable awareness to the auditors, corporations and tools. The author also observed customazation in develo-
general public on the necessity to revamp the existing ping fraud-auditing techniques. The article does not
auditing practices. This can help the auditors not only to provide any detailed analysis on impact of technology
be professionals, but also to be seen as professionals. It advancement and availability of complex audit software
is noted that internal auditors, rather than external could promote to efficient and effective audit
auditors, will be more helpful in detecting and reporting performance.
fraud, since internal auditors work with the management. Romas Staciokas and Rolandas Rupsys (2005) has
This automatically brings into consideration that the aimed to understand internal audit functions, explore
internal auditors should possess the same level of implication of information technology (IT) and analyze
independence, integrity and professionalism as the advantages of internal audit in the organizational
external auditors. The authors have suggested that apart governance. The author has explored the origin and
from defining the role of the auditors, it is also necessary acceptable definition of internal audit by reviewing litera-
to consider whether an overhaul in the concept of TFV ture, comparative analyses, and review latest research.
will help the auditors in performing their duties sincerely. The definition of Internal audit has continually changed
Unfortunately, the authors have not thoroughly provides and revised decade by decade, and still we are still facing
field and statistical data on study, and the argument is certain issues understanding of internal audit function
purely based on secondary data. The authors have also and it position within the organization. At present, the
not defined each role and responsibility taken by the function of internal audit includes not only of internal
auditors to detect and prevent audit fraud. No analysis control effectiveness, fraud investigations or assistance
was done on the possibility of actual application. to external auditors, but also identification of organiza-
Russel Jackson (2004) explored the auditors tional risks, consultations to the senior management with
approaches in utilising the audit tools, softwares and how regard to risk management, process improvement or
technology evalution affecting their practises. The author global operations. It is vital for all members of organi-
has illustrated the Internal Auditor's 10th annual software zation (management, accountants, audit committee, etc.)
survey in discussing the issues interconnected with audit to have same and adequate understanding of what
software in United States. The author observed that the internal audit is all about. According to author and
limitation of implementing audit software particularly supported by Ruud and Bodenmann (2001), it is
concerned with cost implication, failure of software to important to understand needs and expectations of
meet audit departments needs, and resistance in training internal and external decision makers towards internal
to auditors. The author has cited the key note presented audit function. The author has also explained that there is
by several experts in the audit-related software who had some independency problem faced by internal audit
various experience in implementing and maintaining the being as an integral part of organization. In exploring the
software inside the organization. Richard Lanza (2004), implication of IT, the author has defined the significant
as one of them, an audit manager, and founder of benefits of IT in auditing process. Auditors aided by IT
AuditSoftware.net has shared his extensive experience in based application; Computer Assisted Audit Tools
the fields by suggesting several method in ensuring the (CAATs) increased effectiveness of internal audit in the
successful implementation of audit software in the organization. On the other hand, IT development for
organization. Richard Lanza noted that, although audit example, automation and computerization had increased
programs in general are simple to open, they can be risk of discontinuing organizations activity, data loss, net-
complex to run. This can be achiever through interactive work breakdown and influence business monitoring and
training, and continuously monitor the learning process. control process. The author has reemphasized the aim of
Lanza (2004) has noted that the business sponsor internal audit function is to monitor, evaluate and improve
(management) might reluctant to accommodate and risk management, controls, and governance process.
approved the training since they perceived the training- Unfortunately, the author has not provided enough analy-
time might led to un-productivity. The author also dis- sis on how different corporate governance’s approaches
closed much information on the type of software adopted can influence internal audit process in the organization.
in the organization, its popularity, reliability and overall Harrison and Datta (2007) compared the user
satisfaction. Many audit related software enable an perceptions of feature level usages and application level
organization to subsribe to and implement them in the usages and found that users perceive a software
Moorthy et al. 3527

application as a sum of features. DeWayne Searcy and Jon Woodroof (2003) have
According to Kim et al., (2009), Technology features assessed the continuous auditing advantages over tra-
have a large impact on technology acceptance in the ditional auditing, and also present significant hurdles in its
internal audit profession as influencing system usage, implementation. According to the CICA/AICPA research
perceived usefulness, and perceived ease of use. Sys- report, CA is “a methodology that enables independent
tem usage, perceived usefulness, and perceived ease of auditors to provide written assurance on a subject matter
use are high in basic features and low in advanced using a series of auditors’ reports issued simultaneously
features. Technology features will have a large influence with, or a short period of time after, the occurrence of
on technology acceptance in other professions. events underlying the subject matter.” A CA relies heavily
on information technology. A CA leverages technology
and opens database architecture to enable auditors to
Continuous auditing monitor a company’s systems over the Internet using
sensors and digital agents.
Zabihollah Rezaee et al. (2001) have discussed on the The entire audit routines described above is done
technological advances in which will change the audit electronically and automatically, in real time basis. The
process in near future. The focus of the study is on author has defined the only constraints of CA are the
continuous auditing (CA) and its implications to inde- performance limitations of the client’s system and the
pendent auditors; analyzing internal control in the ever- update frequency of the client’s records. The author also
changing IT world; and examine key auditing aspects. suggested the more frequent audit to ensure the integrity
The audit process has evolved from the traditional of the data. Implementing CAs can facilitate the elimina-
manual audit of an accounting system to the methods of tion of audit wastes possible in the current audit area. In
auditing with and through computers. The paperless, general, there are several types of wastes that can occur
electronically, on-line, and real-time application had which are over-auditing, waiting for the data to complete
contributed to continuous auditing methodologies. The the audit task, a significant delay between the reporting
authors have explored several auditing application, in period and the issuance of the audit report to investors
which would allow real-time preparation, publication, and creditors, inefficiencies in the audit process itself and
examination, and extraction of financial information. Real- audit errors and mistakes. Furthermore, by leveraging
time accounting (RTA) systems, financial information and technology, a CA allows firms to produce audited finan-
audit evidence are available in electronic form and create cial statements immediately as demanded by interested
a new procedure in conducting financial audit. Technolo- parties. CAs will require initial increases in investments
gical advancements have also increased the importance for technology and different skill sets for auditors. CAs
of internal controls. This has been supported by the also, in the long run allows the firms to redeploy their
Committee of Sponsoring Organizations (COSO) report audit staff and resources to other services, while
where indicated that components of the internal control maintaining high levels of reliability and quality. The
structure are control environment, risk assessment, author stressed that CPA firms must be ready for the time
information and communication, control activities, and when more companies realize the financial incentives for
monitoring. If adequate control procedures exist in the moving to the CA. The author has clearly discussed on
organization, then the auditor should perform tests of the challenges to implementing CA but do not provide
controls to determine the effectiveness of internal control critical suggestion on what is immediate action to be
structure, policies and procedures. The authors have also taken by an organization to ensure reliability and quality
suggested that Independent Auditors to anticipate of audit work is maintained by adopting CA.
thoroughly in scrutinize electronic evidences and Junaid Shaikh (2004) discussed on the impact of e-
evaluate its implication to the organization. This can be commerce to the auditing process and methodologies.
monitored through a substantive test, which designed to The author aimed to explore the application of technolo-
test for conformity of accounting procedures in validating gies, in which may assist auditors in improving the quality
financial statements. The major benefit of utilizing CA can of their auditing process and how to use computer-
reduce time and costs auditors traditionally spent on ma- assisted auditing techniques (CAATs) more effectively
nual examination of transactions and account balances. It with the emerging information technologies. The author
may also enable auditors to focus more on understanding has disclosed a concept of electronic auditing (EA) where
a client's business and industry, and its internal control some of the audit tasks conducted electronically over the
structure. The authors had profoundly explored and internet with the support of information technologies. The
defined Continuous Auditing, highlight its importance, dis- author has identified three emerging information tech-
cussed conceptual framework, and examined significant nologies to constitute a software framework to facilitate
audit issues of performing CA. However, the authors EA. These technologies include object-oriented distri-
have not provided sufficient suggestion on how auditors buted middleware, internet security technologies, and
should react in adapting continuous auditing process and intelligent agents. The author has also proposed a new
technology advancement as a whole. CAAT called GASI based on the EA framework. GASI
3528 Afr. J. Bus. Manage.

inherits most of the existing GAS features and is able to internal auditors to develop and implement continuous
achieve the same objectives as other concurrent CAATs. auditing, despite the fact that it was originally proposed
Moreover, GASI can be designed and deployed indepen- for external auditors performing financial audits. In fact,
dently from the auditee’s EDP systems. The author has internal auditors may find advantages over external
demonstrated on how a CPA may conveniently audit the auditors in adopting the strategic-systems approach in
loan account of a bank with EA framework. The author continuous auditing. The author has clearly defined the
also implicated that this system emulates EDP applica- framework on how strategic system approach can
tions in the banking industry and is based on the CORBA separates the traditional continuous auditing with recent
architecture industrial standard. However, the EA has IT development. However, the author has not defined the
some limitations. This approach depends on distributed skill required by auditors in performing this theoretical
middleware standard that is CORBA, DCOM, or Java approach of continuous auditing process.
RMI, to enable the interconnections of the auditor's GASI,
auditee’s EDP systems, and the internet. All of these
middleware technologies are in their infantry stage and Oversight IT risks
this implies that they are evolving standards.
The author has successfully defines the implication and Linda Hadden et al. (2003) had explored the role of the
suggested practical approach in enabling auditors to audit committee and internal auditors in the IT area and
improve audit tasks within the emerging information have called for greater audit committee and internal audit
technolo-gies available. However, the author has not involvement in IT risk oversight. The authors have sug-
provide example of how auditors need to design gested that an organization may be able to achieve more
specialized audit software for each auditee's electronic effective IT oversight by tapping into the resources of the
data processing (EDP) system if the EDP system uses audit committee and external auditors to a greater extent.
proprietary file formats or different operating systems. In this essence, audit committee members should take a
Yining Chen (2004) has explored the strategic systems more active role in overseeing this area. Many compa-
approach in performing continuous auditing. With rapid nies rely heavily on information technology (IT) and
emergence of information technology (IT) and the constitute increases in organizational risk. In addressing
demand for timelier assurance of financial information, these risks, three key questions must be answered:
auditors required to invent new approaches to
continuously monitor, gather, and analyze audit evidence. 1. Who is qualified to address IT risks?
Historically, continuous auditing meant using programs or 2. Who is trying to address IT risks?
software to detect auditor-specified exceptions from 3. Does there appear to be a good match in terms of who
transactions that are processed either in a real-time or a is most qualified to oversee IT risks and who is actually
near real-time environment. The recent development of overseeing such risks?
extensible business reporting language (XBRL) will also
enhance the availability, exchangeability, and relevance The first question is important because many aspects of
of financial statements. With all this progress, information IT risks and controls are technical in nature. In many
is made available to decision-makers on a real-time and organizations, it is unclear who has the technical
electronic financial reporting basis. Continuous auditing expertise to address IT risks. The second question is
depends on a continuous flow of transaction data and relevant because a number of governance participants,
analysis. Continuous auditing using a strategic-systems beyond management, could be involved in IT risk
approach will allow the auditor to continuously monitor oversight, including the audit committee, internal auditors,
and analyze the transactions processed in a real-time and external auditors. Coordinating efforts across these
accounting system. The strategic-systems approach can groups is an important part of effective and efficient
also provide a greater ability to detect material control of IT risks. Finally, the third question is important
misstatements in financial auditing. Auditors need to work because it addresses whether the right people are
through the seven components of the strategic-systems overseeing IT risks to the degree they should. During the
Knowledge Acquisition Framework, including: considering survey, the audit committee members were asked to and
the company's strategic advantages; determine and the authors have derived several justification and sum-
analyzing risks; understanding key processes and mary on which, audit committee members are perceived
competencies required to realize strategic goals and to have moderate IT qualifications, while internal and
objectives; measuring and benchmarking process external auditors are perceived to have "above moderate"
performance; preparing the entity-level business model to qualifications. The audit committee members also rated
serve as a strategic-systems lens; using the model to the activity level or commitment of the audit committee,
create expectations about key assertions in the financial internal auditors, and external auditors with respect to IT
statements; and comparing reported financial results to risk oversight. In this age of reliance on IT and multiple
expectations, using professional judgment. The strategic- participants in governance, internal auditors are urged to
systems approach offers a framework and guidance for assist management and the audit committee in assessing
Moorthy et al. 3529

the organization's IT skill set, promote greater IT risk accessing in depth on how IT risk can affect the audit
involvement on the part of the audit committee and exter- scope of work.
nal auditors, assist management and the audit committee
in identifying gaps or overlaps in IT risk coverage and
encourage the organization to explore enterprise risk Technology implication
management (ERM) techniques to address IT and other
risks at an enterprise level. The authors through this Jagdish Pathak (2005) has demonstrates the impact of
study and survey results suggested all corporate gover- technology convergence on the internal control
nance players; management, audit committee, internal mechanism of an enterprise. It is important for an auditor
auditors, and external auditors to increase their IT-related to be aware of the security hazards faced by financial or
efforts in minimizing the chances of an IT-related control the entire organizational information system. The author
failure. specified the modern auditor as a complex, trained and
John Siltow (2003) has explored the interconnection of eclectically educated person since most of the profess-
internal audit practice and exposure to IT risks in general sional audit organizations expect auditors to possess
way and almost every path of the auditors in performing skills not only in the conventional aspects of financial
their job. Due to fast magnitude of IT ever-changing systems but also in the eclectic sphere of knowledge
environment, the author has suggested the internal related to the information technology and management,
auditors to ensure organization to form a scenario security and forensics, sociology, and professional judg-
planning in verifying the integrity of data and its sources. ment. International information technology (IT) security
Auditors also need to be aware of the risks associated standards are identified and used to select the best
with these areas to help their organizations review vital technical solution for an organization's risk and security
systems and ensure the enterprise runs smoothly. problems. Despite the technological benefits brought to
Outside threat such as intruders, or hackers, may also security, the technology also directly impacting risk
target companies for illicit gain or other malicious management functions throughout the organization. At
purposes. Recent security surveys have shown that a this point of the convergence trend, technology can bring
large number of information security breaches originate new capabilities and vulnerabilities to physical security
from inside the organization. Employees can inadverten- and risk management. A number of factors are causing a
tly harm the organization's systems by deleting important paradigm shift in risk and security philosophy. This shift is
files, opening e-mail attachments that contain viruses, or being driven by the "convergence" of IT security methods
attempting to fix malfunctioning devices without adequate with those of the more traditional physical security me-
knowledge or training. To help mitigate the risk of both thods. The impact is being felt throughout the community,
deliberate and unintentional damage, organizations need but is perhaps currently most evident at the risk manage-
to establish effective access-control measures. The ment or governance level. To understand the impact
author has also suggested internal auditors to pay more technology has on risk, it is important to understand the
attention towards authorization processes. In this dynamics involved when technology is added into the
essence, access control represents as the "front door" to physical security paradigm. The author offered brief
the organization. On network security risks, auditor needs description on the difference between static and dynamic
to consider exploitation of social engineering, where security systems and take into consideration the inherent
penetration into the organization’s system can be done weaknesses in security system. The author also
without any technical know-how. This threat can be suggested the risk management components of physical
mitigated through training and educating employees. security and technology to be treated as financial assets,
Apart from internal and external threat, the auditor has and auditors to perform due diligence in locating the
also need to deal with hardware and software risks, as vulnerabilities of new technological components before
well as threats stemming from the employees who use they are fully implemented. The author has only provided
these assets. Discovery of illegal software can lead to a conceptual analysis of the current state of affairs and
reputation harm, and unnecessary damages to the there are no specific findings presented and lack of data
organization. In this essence, the author suggested an analysis to support the relationship of risk management,
effective software management helps optimize the internal control and organizational vulnerabilities.
organization's IT systems and reduce the total cost of Charles Le Grand (2001) has discussed on the basis of
ownership. Addressing potential technology risks can be information technology usage in audit management in an
extremely difficult, as the process requires organizations organization. Audit management is charged with provi-
to predict problems within a complex, ever-changing en- ding an effective audit force, directing audit resources for
vironment. However, sufficient internal audit awareness maximum benefit to the organization, and complying with
can help deter attackers, ensure decisions are made laws, regulations, and policies regarding auditing. The
based on accurate and timely information, and keep definition of internal auditing, as approved by The IIA in
overall IT risks to a minimum. The author has only briefly June 1999, indicates “Internal auditing is an independent,
explained the impact of IT risk to auditor without objective assurance and consulting activity designed to
3530 Afr. J. Bus. Manage.

add value and improve an organization's operations. It interrogation, automated risk analysis, decision support,
helps an organization accomplish its objectives by and neural networks are not as heavily used. It is also
bringing a systematic, disciplined approach to evaluate noted that technologies had put information systems to a
and improve the effectiveness of risk management, new and different use: communication, rather than
control, and governance processes.” The authors has computation. On the other hand, rapid development of
described the tools used by auditors and classified it information technologies causes continued worry about
accordingly. On risk analysis and risk management, the new auditing risks. The major concern to internal auditors
auditor must assess risk and risk management and find is the methodologies available to tackle modern
ways to communicate with management to assure con- information systems and technologies. The author also
sistent views on risk. The auditor also has a responsibility discussed on the differentiating factor for leaders in
to assure that the governance level of management (the defining what technologies are used and how extensively
audit committee and board of directors) understands risks they should involve. Auditing leaders also rely
accepted by management and the liabilities potentially significantly on formal training rather than on-the-job
transferred to board members. The author has stressed training. Author revealed and identified level of
the auditor to establish the priorities in performing audit information technologies used and examined variances of
tasks monitor the changing environment and examine the implementation of different sizes and types of
organizational and operational controls surrounding organizations. The concerns of auditing professional had
information privacy. This would provide assurance that about their profession and methodology are also explored
the organization not only have appropriate privacy where respondents are dissatisfied with their ability to
policies, but remain in compliance with them. The author audit new technology. The author had proposed how best
also defined the control self assessment (CSA) as a po- to leverage technology in auditing practice and achieved
pular methodology for identifying and evaluating internal auditing efficiencies through the new means of
controls. CSA allows business owners and operators to technology. The author did not explored and elaborated
focus on risk exposures and the means to mitigate, or more on the aspect of competencies and methodology
better manage, those risks. The author also suggested acquired to leverage and absorbed the challenges faced
auditors to make use their websites to provide a conti- by the auditors.
nuously available executive information system. Auditors David Coderee (1993) has explained how computer
may use the Internet to send secure communications assisted audit tools and techniques (CAATT) based
over an unsecured medium. Internet use also changes programs can automate certain audit function in the
rapidly and experience in this area will provide knowledge organization. Firstly, the author has presented numerous
and skills that are valuable in audits and audit planning. benefits of CAATT for audit planning and reporting. It can
The author has provide a better understanding on how IT be used to increase audit coverage, improve the integra-
application used in the audit management process but, tion of audit skills, strengthen independence of auditing
somehow has not producing any empirical suggestion to from information system functions, and foster greater
help an auditors to accomplish the audit objectives, by credibility and increase cost-effectiveness through the
improving the effectiveness of risk management, control, development of reusable computerized techniques. The
and governance processes. author demonstrates and suggests how automated tools
Deloitte and Touche (1996) discussed the current and techniques have improved the value, efficiency, and
impact of information technology on Internal Audit depart- effectiveness of audit. Example of several aspects was
ment. The survey on “Internal Auditing Self-Assessment included in supporting author’s argument. This has been
Tool” helps the author to determine the proficiency of defined in “internal control over hazardous material”
internal auditing process, which level of technology used where the ultimate audit’s objective was to review
in organizations and the impact of technology to the controls over the procurement, distribution, storage, and
organization. Survey shows that information systems disposal of hazardous materials. With the help of CAATT-
have become tools to assist auditors in their day-to-day based application, the auditors were able to identify the
activities and most organizations perceived themselves high-risk, high-materiality sites and generated transaction
as equally exposed to any technology and their obligation lists for the on-site manual review. This is resulting in
to audit proficiently. minimization of risks associated with hazardous material
Coinciding with this trend, information systems are and benefited the internal control process. From another
increasingly able to support remote workers and facilities. perspective, the author has given an example of
Network technology, groupware, and on-line services workforce reduction program where CAATT used to
such as the Internet had shrink distances. However, review the efficiency and effectiveness of this program.
survey showed that the heaviest use of technology is With programs such as workforce reduction system,
focused on workflow-related tools such as computer personnel information system, and payroll system, the
networks, e-mail, electronic working papers, and presen- audit was successfully provides senior management with
tation graphics. By comparison, newer technologies that an assessment of the effectiveness of the program. The
directly support the auditing process, such as file author also observed on how auditor examined the
Moorthy et al. 3531

controls over the closure process of a production plant. In phase of the audit process. Unfortunately, the authors
this scenario, the audit team helps the organization to have not implied which level of technology adopted
determine whether equipment and inventory items were ultimately can revamp and incriminate the current
sold at an appropriate price, and properly safeguarded to auditing procedures and profession.
prevent theft or loss. The CAATT developed for this
closure were successfully used and reduced timing of the
planning phase generally by more than 50%. The article Financial reporting
has profoundly demonstrate the benefits and effective-
ness of CAATT in automating audit functions in the Zezhong Xiao et al. (1997) had explored the relationship
organization and allowed improvement of efficiency and between Information Technology and Corporate Financial
effectiveness of auditing process be established. How- reporting. The authors had put an effort to investigate of
ever, the author has not provided any research survey whether contingent factors can explain the degree and
and reports to support and justify his statements. The pattern of IT impact on CFR. The authors had described
analysis of how CAATT automating of audit function is the contingency perspective, the hypotheses formulated
merely based on survey and suggestion of unverifiable on the basis of this perspective and the results of the
sources. tests of those hypotheses. It segmented the sample into
James et al. (2001) have explored the current impact of sub-samples according to the specified contingent factors
technology on the audit process, and discussed the and examined the contingent relationships in sub-
future implications of technological trends to the audit samples. The authors suggested that the effect of IT use
profession. The author briefly provides information on in accounting is not confined to accountants and indivi-
current usage of technology by audit firms. In future dual organizations, but it requires monitoring and control
years, paperless audits will become common where audit at the communal level. In the discussion to prevent
clients tend to shift towards paperless systems, and will further increase in the information asymmetry between
be depending on audit software for enhancing related managers and external users, the authors suggested the
auditing procedures. Technologies such as electronic financial reporting regulators to encourage companies to
data interchange (EDI), image processing, and electronic make greater use of IT to improve external reporting. The
file transfer (EFT) will make traditional audit trails authors noted on the effect of IT on the information
disappear. The authors have taken an interview approach asymmetry, and its implications to managers in which led
to analyse and investigate which audit technologies being to moral hazard and adverse selection. It would be
used and any future planning within the organization. interesting to investigate further how the enlarged
Observations on how technology has impacted audit information asymmetry has been exploited, and whether
planning, testing, and documentation are discussed. The it is more likely for companies to experience moral hazard
author noted that as clients become more technically and adverse selection problems. While support for an
sophisticated, auditing processes from beginning to end agency theory perspective was identified in relation to the
becomes a requirement. The new-age process audit level of gearing, it was not consistent across all levels of
should address and guide client's business process and gearing, suggesting that other unidentified factors were
capable in measure performances. Many firms have affecting the relationship. Overall, the findings show that
adopted a risk-based audit approach to evaluate on how the impact of IT on CFR is not unconditional and that the
external and internal risks affect the audit process. For contingency perspective is a useful framework for
example, risk control workbench investigating this impact. However, further contingent
(PricewaterhouseCoopers LLP) used to advise clients on factors need to be explored by the authors before
which internal control process needs to be improved to conclude any statement on correlation and relationships
address certain risks. On audit testing in control environ- between IT and corporate financial reporting. The authors
ment, auditors must obtain an in-depth understanding of also failed to bring IT-related issues into perspective and
such systems to be able to audit through the client's possibly suggest raising awareness of opportunities and
enterprise system. In this new audit environment, threats especially in term of corporate financial reporting
software packages (for example, ACL and IDEA) are (CFR).
capable to improve audit efficiency by performing a Roger Debreceny et al. (2005) has reviewed audit
variety of audit tasks that previously were completed software used in facilitating auditing process in financial
manually. It would also be used for fraud detection. The services sectors, in particular, the extent and nature of
author has noted that continuous monitoring will become use of computer assisted audit tools (CAATs) by local
increasingly important in the future as audit paper trails and international commercial banks in Singapore. Inter-
slowly disappeared. In lieu with the globalization, remote views were conducted with internal auditors and found
access software and client/server technology are out that CAATs are frequently being used in special
essential to keep pace with businesses in the information investigation audits. One of the most widely deployed
age. The author has concluded that technology will CAATs is GAS. Examples of GAS include the audit
continue to have a dramatic impact on virtually every command language ( ACL), interactive data extraction
3532 Afr. J. Bus. Manage.

and analysis (IDEA) and Panaudit Plus. These softwares (Ajzen, 1991) indicates that intentions can combine with
assist auditor for data investigation. The auditor must perceived behavioral control to affect behavior. The
understand the application of technology in order to construct of auditor intent with respect to ERP systems
identify the risk factors, which have a direct impact on was excluded from this study in an attempt to achieve a
audit procedures. Auditors have to focus their attention parsimonious measure. Given that auditors are part of a
on the computerized internal control systems and test profession and thus abide by a code of conduct, inten-
these systems for accuracy and completeness (Coderre, tions toward auditing may be a perception that lacks the
1996, 1998). GAS in this assertion can aid in performing variation present in perceived behavioral control, which is
substantive tests in banks to obtain audit evidence. GAS affected by personal training/experience. Notwithstan-
is also used to help detect material misstatements in the ding, future research could evaluate whether the mea-
financial statements. Given the wide range of risks faced sure can be improved (that is better explain about auditor
by banks and their highly computerized state coupled behavior) by adding questions to capture the construct of
with the functionality that GAS provides, it can be intent. Third, more research is needed to evaluate the
expected that bank auditors will use GAS. There is little predictive and concurrent validity (that is criterion validity)
evidence on the usage of GAS in substantive testing in of the measure and its stability over time. Fourth, the
audits of banks. The study found that external auditors measure relates to a specific form of system: ERP
from the major professional accounting firms make no systems. While this form of system may be the dominant
use of GAS, either in the conduct of the information type encountered by auditors of public companies
systems component of the external audit or in the testing (Cerullo and Cerullo, 2000), there are variety of systems
of financial statement assertions. One finding on why in use and this measure may not properly measure
GAS is not usually used by bank internal auditors is that auditor perceptions of expertise with respect to other IT.
they perceive GAS as interrogation tools to perform fraud Lastly, the audit expertise literature has clearly shown
investigations rather than as general audit tools. From that experience and training combine to create expertise
these findings, it can be concluded that bank auditors do in auditors. Still, other dimensions of ERP sys-tems
use GAS, but only to a limited extent. The authors have expertise not included in the measure (for example ERP
also contributed to better understanding and provide implementation knowledge) may be relevant to determi-
guidance on the role that CAATs play in the audit process ning perceived auditor ERP systems expertise. The
of financial institutions. Unfortunately, the guidelines and author suggested auditors on how self-perception with a
suggestion provided is limited and the authors had tool to examine how auditor self-perceptions of ERP sys-
generalized the CAAT’s impact to financial institutions as tems expertise can affect auditor behavior and the quality
a whole. of contemporary audit services. The author has not
Joseph Brazel (2005) is trying to develop, assess, and explained further on ERP system type and its usage in
provide uses for a measure of perceived enterprise the organization in estimating how ERP would impact
resource planning (ERP) systems expertise for financial Auditors.
statement auditors. ERP systems are the dominant
system used by the public company clients of audit firms.
In such settings, the theory of planned behavior suggests METHODOLOGY
that auditor perceptions of their own ERP systems
The topic gave a preliminary understanding to further understand-
expertise should influence their perceived behavioral ding the role, impact and IT risk toward auditors. The information
control and, in turn, explain auditor behavior. The author and data of the research project were gathered from various
has reviewed this theory and suggested that auditors who sources of secondary data. Sources of secondary data include
have higher levels of ERP systems expertise should journal articles published in magazines and downloaded from the
perceive they have more behavioral control in ERP Internet Websites including Emerald and EBSCO Host Research
settings. Recent accounting research has shown that, in Databases. The Internet search engine like Google, Lycos and
Yahoo also offered excellent search for locating on-line articles.
ERP system settings, auditors are not apt to recognize Other references were also made on the research topic from va-
heightened inherent and control risks; and auditors with rious chapters of relevant accounting and textbooks. The research
higher perceived ERP systems expertise are better able framework is developed as shown in Figure 1.
to use IT audit specialists and plan the scope of
substantive procedures to mitigate ERP system related
risks. Possible future uses of the measure include RESULTS AND DISCUSSION
examining its effects on the performance of ERP system
related audit tasks and customizing the measure to Use of information technology in audit management
determine the systems expertise levels of other types of
auditors. There are several limitations to this study and Audit management is charged with providing an effective
the measure it has developed. First, the measure audit force, directing audit resources for maximum benefit
captures auditors' perceptions or self-assessments of to the organization, and complying with laws, regulations,
ERP systems expertise, not their actual experience, and policies regarding auditing. This involves reviewing
training, etc. Second, the theory of planned behavior processes, activities, and information that represent the
Moorthy et al. 3533

Identify Software and


guidelines hardware to assist
available to best auditing process
practices

Application of IT to
Internal Audit

Accounting Roles of Internal


standards – audit Auditor –
task and mitigate necessary skills
organizational risk and competencies

Figure 1. Research framework.

greatest risks, planning and managing individual audit controls exist for the purpose of managing risks. Auditors,
engagements, maintaining records of prior and current also, may pursue risk reduction rather than perceiving the
audits, directing and scheduling personnel, and commu- greater scope and importance of risk management.
nicating effectively with audit clients, senior management, Managers outside of auditing typically do not think of
and the board of directors. Audit management includes a management responsibilities in terms of controls. They
lot more that just using the right tools, but this paper is think of the processes and activities they manage, and
mainly about the tools and techniques. how they manage risks. So an important communication
tool for auditors is a clear and understood identification
and assessment of risks. Managers understand risks and
Understanding risk analysis and risk management can probably describe the most significant risks they
manage. An auditor can supplement the manager’s list of
The scope and direction for auditing objectives should be risks by asking questions about the types of things
determined by assessing those areas representing auditors know can typically go wrong. It is generally more
greatest risks to the organization. There are many effective to proceed from a discussion of threats and risks
approaches to risk analysis and management. Ideally risk to an assessment of controls than to start by talking
analysis will be performed as a risk management process about controls.
within the organization – with or without direct The list of risks provided by management and
involvement from internal auditing. If risk management is supplemented by the auditor is the first element of the
not a formal management process, then the auditor must auditor’s risk analysis. The next steps involve assessing
assess risks and risk management and find ways to the probabilities of exposures resulting from risks and the
communicate with management to assure consistent potential costs. For this, an auditor can use tools as
views on risks. simple as spreadsheets or databases, or can opt for
Risk assessment is an iterative process and the results more complex systems possibly tied into an integrated
of risk assessments should be maintained in a manner to audit management system. Whatever the approach and
facilitate reference and updating by auditors during tools used, the auditor’s risk assessment should be
subsequent audit projects. The definition of internal shared with management, and a general consensus
auditing, approved June 1999, indicates an active role for should be sought to assure effective communication of
internal auditors in risk management for their objectives, priority, and scope of the audits.
organizations: Internal auditing is an independent, The auditor also has a responsibility to assure that the
objective assurance and consulting activity designed to governance level of management (the audit committee
add value and improve an organization's operations. It and board of directors) understand risks accepted by
helps an organization accomplish its objectives by management and the liabilities potentially transferred to
bringing a systematic, disciplined approach to evaluate board members. If governance and executive
and improve the effectiveness of risk management, management do not have a clear understanding of risk
control, and governance processes. Sometimes auditors management within the organization three results are
may focus on business controls and bypass the fact that likely:
3534 Afr. J. Bus. Manage.

1) Risk decisions will be made at levels of the availability of audit resources provide input to the
organization that are too low to adequately understand strategic audit schedule. Tactical planning is performed
and assume responsibility for the potential consequences for each audit project.
for risks accepted.
2) Risk decisions will not be adequately communicated to
Strategic audit planning
governance and executive management and they will be
unaware of some risks accepted on behalf of the
Strategic scheduling factors are both logical and
organization and individuals.
logistical. For example, known problems with systems
3) Inadequate resources may be provided for risk
development methods, system and program change
management in critical areas (for example, information
control, or access controls should be addressed before
security) because senior management is not aware of the
auditors consider getting involved in individual systems
potential consequences.
development projects or application system reviews.
Weak-nesses in key control areas such as access
management and change control can also impact the
Understanding and monitoring the changing
reliability of any information used by auditors and may
environment
impact the scope and time required to assess and test
controls.
The audit universe can also be subject to change –
In conducting audits of systems, information, or busi-
sometimes significant change. For example, five years
ness processes in areas where auditors know or suspect
ago Internet electronic commerce was a small item on
key control weaknesses, the audit approach may be
the audit universe inventory – if it was listed at all. Today
improved by initially targeting information for retrieval and
it is a major item on most audit inventories but is still not
analysis that will provide evidence of the consequences
listed on some. Issues related to information security,
of control weaknesses. This approach can generate
privacy, and secure electronic commerce, especially over
evidence of the consequences of weak controls and may
the unsecured medium of the Internet, are items of major
be a more effective use of the auditor’s time than
importance to many organizations. In many cases
conducting extensive analyses of the systems and control
internal auditors will soon be required to demonstrate
environments to identify and assess controls.
expertise in subjects they cannot currently explain.

Tactical audit planning


Understanding internal control evaluation
Software tools can assist in assessing available auditor
Control self assessment (CSA) is a popular methodology skills and assigning the appropriate people to audit
for identifying and evaluating internal controls. CSA project teams. Audit scheduling software should support
allows business owners and operators to focus on risk assignment of auditors with critical skills as needed within
exposures and the means to mitigate, or better manage, an audit project, and allow such auditors to proceed to
those risks. Often an internal auditor will become familiar other projects once their tasks are completed, even if the
with CSA and may act as a facilitator for group discus- audit is not finished. Such software should also assess
sions to identify and assess internal controls, address the impacts of schedule and priority changes, compen-
their strengths and weaknesses, and discuss opportu- sate for special assignments, and extend the impacts of
nities for improvements. Popular technology for CSA schedule overruns to other projects remaining in the
involves hardware and software with interactive devices schedule.
for group communications in face-to-face meetings. A
facilitator poses questions or statements to participants,
with a set of response choices – typically projected on a Changing role of auditors: The use of computer
large screen. The software produces a graph of the assisted audit tools and techniques (CAATTs)
results of keypad responses, and projects it for the group
to see. Some systems provide for unstructured text As audit tools are growing more powerful and
responses. Responses are typically anonymous to sophisticated, they are also becoming easier to learn and
encourage frankness and openness. Immediate feedback use. But they also must fit into a complex and ever
is a key feature of CSA systems. changing environment. Features of audit software can
easily conflict with features of other software on the
computer or network, and must be carefully managed. As
Understanding audit planning and scheduling tools become more powerful, auditors may use features
or services provided in the software that command large
Audit planning is both strategic and tactical. The amounts of system resources (memory, processing
inventory of the audit universe, priority for audits, and cycles, communication bandwidth, and storage) and
Moorthy et al. 3535

compete with other users of those resources. For rule rather than the exception in the near future.
example, an auditor may request access to a file with a
program that will examine each record in the file and may
lock other users out until the process is complete. The Understanding electronic audit reporting
processing could also require large amounts of network
storage space at a time when it is in short supply and Some audit tools today provide automatic linking between
could cause a server to “crash.” It is important to work performed, information gathered, auditor
schedule such processing at times when other system assessments, and information used in or supporting audit
users will not be delayed or prevented from performing reports. Intelligent work papers may note answers in
their work. Alternatively, many audit organizations Internal Control Questionnaires (ICQ) that indicate actual
perform their audit analyses using files copied or archived or potential weaknesses and automatically prepare a
from the live production files. section in the audit report to document the weakness
CAATTs may also be large, powerful, or specialized and/or resolution of the problem.
enough to require a dedicated server for audit purposes. Audit reporting too, can automatically provide infor-
A server may be needed to support the audit Web site, or mation about sections of audits performed by individual
just to assure the independence and security required by auditors as they are completed so the audit supervisor
audit functions. And, as evidenced by the list of software will know the ongoing status of audit projects. Such
tools attached to this document, there are more tools reporting will also allow the supervisor to concentrate on
available than the amount of time an auditor may have to audit processes that indicate problems and/or provide
learn to use those tools. So the need for software additional resources in areas falling behind schedule.
specialists to support internal auditing is increasing even The audit report can easily contain links to work paper
as the software is getting easier to use. documents, worksheets, graphs or other information that
will be automatically updated as data changes. Report
files can be shared by audit team members and manage-
Understanding continuous internal control ment by implementing simple controls over access such
monitoring as read-only access to those not authorized to change
the files. Audit reports can be distributed in electronic
Continuous monitoring in systems and networks will be a format via email, file transfer, or audit web site. In such
byproduct of the increasing demand for immediate and cases auditors must assure appropriate security,
continuous access to reliable information by manage- confidentiality and access controls for such reports.
ment, owners, investors, and regulators of organizations Encryption technology is rapidly developing and will
of all types and sizes. The pervasive availability of become the standard mechanism for electronic message
electronic communications drives the demand for reliable integrity, sender and receiver authentication, and access
information and related assurance services. control.
Integrated accounting systems are rapidly becoming
commonplace, and will soon be the established basis for
the expectation of timeliness in availability of financial Virtual office and its implication to audit profession
information. Immediate financial reporting and availability
of information for comparison and analysis are becoming A search on the World Wide Web identifies hundreds of
byproducts of integrated applications across all areas of companies promoting virtual office equipment, software,
businesses and industries – combining operational and and services, but little on the subject of security, controls
financial information in integrated databases and and auditing. A search through the literature and
management reporting. The emergence of standards reference works familiar to IT security, control and audi-
such as Extensible Markup Language (XML) and the ting professionals provides plenty of information about
related Extensible Business Reporting Language (XBRL) controlling the familiar components used to facilitate the
will also help to accelerate the pace of increasing virtual office, but little in terms of the combination of risk
expectations for the availability of information and the factors inherent in virtual office environments.
related assurance of its integrity. The professionals responsible for implementing IT
As previously indicated, advancements in information security and controls must constantly adapt their stan-
monitoring and analysis are being accelerated both by dards, practices and techniques to meet the demands of
increasing demands for timely and accurate information, not only virtual offices, but the myriad other applications
and by advances in technology that contribute to the that can be accommodated and enhanced with today's
intelligence, capabilities, and timeliness of monitoring and burgeoning technologies. Since many new IT environ-
analysis systems. Continuous monitoring systems are not ments, including virtual office, are implemented primarily
new, but they also cannot be considered widespread at by people who are not IT security, control or audit
this time. But the advances in systems and the increasing specialists, the study can expect a number of installations
expectations of information availability will ensure that to create environments with unacceptable levels of risks.
continuous monitoring and auditing systems will be the This will create opportunities for the malefactors to exploit
3536 Afr. J. Bus. Manage.

security and control weaknesses which the study can computers distributed mini computers, local area network
hope will be sufficiently publicized to allow others to learn servers, desktop personal computers, notebook
from their mistakes. computers, and hand held computers.
The IIA research foundation's systems auditability and Virtual office audits include general reviews of the
control (SAC) reports identify business and technology overall security and control environment, information
risks in greater detail and relate them to associated manage-ment, individual application and support
controls and auditing. The structure of SAC modules is systems, and business processes. Whatever the scope
based on specific areas and applications of technology. or approach of individual virtual office audits, the auditors
In order to locate descriptions of virtual office risks, will have to be knowledgeable of the business, technical,
controls and auditing check the modules covering the and human risk factors involved. And they will have to
related technologies. ISACA's control objectives for know where to look for specific guidance on assessing
information and related technology (COBIT) identify risk risks, understanding relevant control objectives, identify-
assessment as an IT management process subject to ing and testing the controls in place, evaluating test
auditing. COBIT also provides a checklist format for results, and making appropriate recommenda-
control objectives and audit guidelines under the tions. Sources for the knowledge and guidance needed in
categories of planning and organization, acquisition and virtual office audits include:
implementation, delivery and support, and monitoring.
Descriptions of the related technologies and risk 1. Current business and technical publications.
elements are not included. 2. Reference materials and guides such as those
Some postulate that IT security, controls, and auditing published by professional associations.
consistently lag behind technology innovation and 3. Vendors' system and auditing technical guides.
implementation. But as long as the studies have had 4. Professional and technical standards.
computers, there have been those who predicted doom 5. Numerous Internet resources.
and spectacular losses from uncontrolled application of
technology. Indeed there have been some spectacular
losses, frauds and thefts. But overall the security, control Oversight IT risk: Risks associated with software
and auditing communities have adapted well to new tools and techniques
technologies using effective combinations of old and new
security, control and auditing techniques. Auditing Software ease of use may also result in the implement-
professionals routinely adopt and adapt the tools needed tation of features that unintentionally weaken information
to assess the extent of risks in any environment, select security provisions. While software vendors may not be
the controls and data to be tested, conduct tests, evalu- particularly open about their potential weaknesses, a
ate the results, and provide meaningful recommendations growing body of web sites document software weakness
to management at all levels in dealing with such issues and available corrections. This provides both positive and
as virtual offices. negative opportunities.
The virtual office/workplace presents a new level of risk As weaknesses in software are discovered and
and exposure for corporations. This emerging concept documented, the vendors of those software products
will have significant impacts on the internal auditing develop corrections, or “patches” that may be applied
profession. Virtual office increases the complexity in the until the weakness is corrected in the next formal
tasks of assessing internal controls and security requiring “release” version of the software. However, many
new auditing procedures, tools and skills. organizations do not apply such patches, for a variety of
Traditional internal audits tend to rely extensively on reasons. Hackers know software frequently goes
face-to-face interviews and reviewing various data and unmatched, so they search for particular versions of
reports. However, in a virtual office the employees or software with known weaknesses. They may then launch
contract workers supporting a function or project may be an attack against that system using software developed
located in numerous locations around the world. Some to exploit known weakness. Such software, called a
data and reports too may exist only in distributed or “script,” may require little or no knowledge to use. The
virtual office locations. Auditing the virtual office or the successful attack using a script may give the attacker
related processes and projects will be a function of both unlimited, or “root” access to the target system. Normally
how well auditability is planned and provided in the new root privileges are reserved for system administrators and
environments and how effectively the auditor can apply are closely monitored. Once an attacker has root access
"virtual audit" techniques. In traditional office environ- they have virtually unlimited access to the system, and
ments most information used to support various business may also obtain access privileges to other systems with
functions and decisions is processed and stored at a an established trust relationship.
central location or at specific offices. In the virtual Another element contributing to risk in information
environment critical and confidential information is systems and networks is the configuration of systems as
processed and stored on many platforms: Central host they are provided by vendors. Frequently systems are
Moorthy et al. 3537

initially installed with the security and control features systems administrators, information security
turned off. System and network engineers and professionals, and even hackers. An organization con-
administrators must select the appropriate mix of control cerned about their security may employ auditors or others
features they need and turn them on when the system is to assess system security using “tiger team” tactics –
installed. Sometimes security and control features will authorized attempts to break into their systems. In many,
conflict with features of other system components or may if not most, cases such attacks are successful and
add considerable overhead to system processing, such provide management with information about various ways
as through the use of system logging. When security outsiders can break into systems or insiders can exploit
components conflict with operations, the typical response system security weaknesses. Non-invasive tools are also
is to turn those components off. Unless the organization used to probe networks for security flaws that might be
provides strong security policy administration and/or exploited. New tools are also being introduced that will
auditing, management may be unaware security features evaluate the configuration of security features in key
are not being used. Therefore, frequent assessment and network components such as the operating system,
monitoring are important elements of information security firewalls, intrusion detection systems, virus protection
management. systems, and more.
Ecommerce tools also include encryption, Public Key
Infrastructures (PKI) and the Related Certification
Auditor’s task: Electronic commerce and internet Authorities (CA) that facilitate the distribution and
security validation of encryption keys and related services. A key
feature of being able to conduct business over the
Electronic commerce via the Internet has increased at an Internet while being assured of a valid agreement and
explosive pace in recent years. Most organizations have protecting privacy is obtaining the services of third-party
implemented business to business (B2B) and business to trusted agents. Assessment of PKI, CA, and third-party
consumer (B2C) ecommerce systems using Internet trust features built into systems, networks, and business
tools. Competition and opportunity are driving forces for operations is beyond the capabilities of most auditors
this growth. But rapid growth in an area of new today. Notable exceptions – auditors who must be fully
technological developments sets a stage for introduction capable of addressing ecommerce systems, security,
of new problems and escalation of the significance of controls, and assurance auditing – include those auditors
some older problems. working with organizations who are the leaders in
The Internet facilitates communications via email. implementing Internet ecommerce systems. Such
Today, email is the standard for the rate of progress and organizations include major banks and related financial
responsiveness for virtually every organization. Similarly, institutions, credit card providers and processing entities,
browsers and Web sites set the standard for providing large manufacturing organizations engaged in B2B
information about an organization and its products and and/or B2C commerce, leading technology providers, and
services. And in many cases the Web site is the vehicle similarly advanced organizations.
for delivery of information, products, and services. To be But, as previously noted, advancements in ecommerce
useful, information must be available, but this availability are occurring at an accelerating pace. E-business is
puts it at risk. Connectivity makes information available becoming synonymous with business. The automated
when and where it is needed and is the nature of doing tools and techniques being developed and deployed by
business today. Because organizations are linked the leaders today will become standard assurance and
through the Internet and other public networks to sup- auditing techniques used by auditors at all levels in the
pliers, customers, and business partners, they are also near future. A factor contributing to the increased capabi-
connected to virtually everyone else in the world. lity of auditors in ecommerce will be the demands by
Connectivity exposes information to risks outside the boards of directors, insurers, and regulatory bodies for
organization’s control. In the modern world, everything improved assurance of effective and continuous
that business or government does with their information information security.
technology becomes part of the global information
infrastructure. Organizations must build infrastructure to a
very high standard. Attaching weak components to the Best practices
infrastructure puts your organization as well as your
neighbors at risk. Responsible citizens will contribute only Information technology (IT) is pushing each phase of
sound components to that cooperative infrastructure. business, increasing efficiency and productivity, allowing
Therein lays the essence of the auditor’s involvement in instantaneous communications, processing transactions
providing assurance of the security of information and in real-time, and facilitating global relationships with
systems operating in connection with the Internet. customers and vendors.
Ecommerce tools for auditors are just beginning to Best practices in conducting internal audits stem from a
emerge. Mostly auditors are using the same tools as diverse, experienced, and skilled audit staff who possess
3538 Afr. J. Bus. Manage.

the professional training. Leading companies capitalize change with the technologies, but to also explain the
on the professionalism of IA staff by assigning manage- effects of such changes to others. And finally, it is also
ment trainees a rotation in the department to offer first important to remember the importance of interpersonal
hand insight into company operations and develop skills contact in auditing as keyboards and email will never
in recognizing and mitigating risk. Additionally, smart replace the need for interpersonal skills.
companies provide their audit functions with the resour-
ces and authority to effectively fulfill the department's REFERENCES
mandate, which is defined in the audit charter created by
the board, audit committee, and senior management. In ACL Service Ltd URL: http://www.acl.com/solutions/audit.aspx
this instance, the best practices for internal audit are to Brazel JF (2005). A measure of perceived auditor ERP systems
expertise: Development, assessment, and uses. URL:
collaborate with the information technology department to http://www.emeraldinsight.com/Insight/Articles/0113409604.html
mitigate information systems risk proactively. Chen Y (2004). Continuous Auditing Using A Strategic System
Approach. URL:
http://www.emeraldinsight.com/Insight/Articles/055501101.html
LIMITATIONS Coderee DG (1993). Automating the audit function
URL: http://www.findarticles.com/p/articles/aut0_audit
Deloitte, Touche (1996). The Current Impact of Information Technology
The shortcoming of this study is that it adopts a on InternalAuditing Departments. URL:
conventional approach, as opposed to more proactive http://www.theiia.org/ecm/tech.cfm?doc_id=859
research methods and in-depth study to suggest any Debreceny R, Lee SL, Neo W, Toh JS (2005) Employing
generalized audit software in the financial services sector. URL:
practical implication to auditors at large. While it is http://www.emeraldinsight.com/Insight/Articles/0210909604.html
important to note there is no generic model for Goodwin J (2004). A comparison of internal audit in the private and
technology tools applicable to all organizations, it is also public sectors. URL:
important to recognize the increasing dependence on http://www.emeraldinsight.com/Insight/Articles/0251314604.html
Grand CL (2001). Use of Information Technology in Audit Management.
technology to accomplish and/or support virtually all-
URL:http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=34
auditing activities. The study stress that this shortcoming 5
is common in the benchmarking literature, and one Hadden LB, DeZoort FT, Hermanson DR (2003). IT Risk Oversight:
important research question is how to incorporated risk of The Roles of Audit Committees, Internal Auditors, and External
Auditors. URL:
emerging technology in shaping business controls, and
http://www.findarticles.com/p/articles/we_m11/is_4_59/ai_d02a7860
audit approaches and techniques. Harrison MJ, Datta P (2007). An empirical assessment of user
perceptions of feature versus application level usage. Commun
Assoc Inf Syst. 20: 300-321
Jackson RA (2004). Get the most out of audit tools URL:
Conclusions
www.findarticles.com/p/articles/mi_m4153/is_4_61/ai_n6169113
James L. Bierstaker JL, Burnaby P, Thibodeau J (2001). The impact of
This paper barely scratches the surface of information information technology on the audit process: an assessment of the
related to auditor uses of technology. It is important to state of the art and implications for the future URL:
http://www.emeraldinsight.com/Insight/Articles/0382201206.html
note there is no generic model for technology tools
Jayalakshmy R, Seetharaman A, Khong TW (2005). The changing role
applicable to all organizations. It is also important to of the auditors. URL:
recognize the increasing dependence on technology to http://www.emeraldinsight.com/Insight/Articles/057785604.html
accomplish and/or support virtually all-auditing activities. Khadaroo I (2005). Corporate reporting on the Internet: some
implications for the auditing profession. URL:
Technology topics make up an ever-increasing per-
http://www.emeraldinsight.com/Insight/Articles/0665856604.html
centage of the auditor’s professional knowledge and skills Kim HJ, Mannino M, Nieschwietz RJ (2009). Information technology
set. While technology background is important in under- acceptance in the internal audit profession: Impact of technology
standing new developments and directions, it is of little features and complexity. Int. J. Accounting Inf. Syst. 10(4): 214-228
Lanza RB (2004). Can Excel Double as Audit Software. URL:
use without continuous acquisition of new knowledge. http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5483
Effective use of audit technology tools is critical to the Pathak J (2005). Risk manage, internal controls and organizational
success of audit activity, but is only one step toward vulnerabilities. URL:
understanding the changes technology is bringing about http://www.emeraldinsight.com/Insight/Articles/0213406604.html
Searcy DL, Woodroof JB (2003). Continuous Auditing: Leveraging
in business and the auditing profession. Emerging Technology. URL:
technologies will continuously change the shape of and http://www.emeraldinsight.com/Insight/Articles/0619806601.html
approach to business controls, and audit approaches and Shaikh JM (2004) E-commerce impact: emerging technology –
techniques must change accordingly. electronic auditing URL:
http://www.emeraldinsight.com/Insight/Articles/0415560199.html
Another important role for auditors, and the auditing
Siltow J (2003). Shedding Light on Information Technology Risks. URL:
profession, is to encourage and support the efforts of http://www.theiia.org/iia/index.cfm?doc_id=4517
providers of systems and new technologies to enhance Staciokas R, Rupsys R (2005) Internal Audit and its Role in
the built-in monitoring and assurance features of systems Organizational Government. URL:
http://www.ktu.lt/en/science/journals/econo/infaut038.html
without considering them as processing overhead or as The Need for Continuous Controls Monitoring. URL:
elements that contribute to decreased performance. An http://www.metagroup.com/webhost/ONLINE/739743/d2951.htm
important role for auditors is to not only understand and Tucker GH (2001) IT and the Audit. URL:
Moorthy et al. 3539

http://www.aicpa.org/pubs/jofa/sept2001/tucker.htm Zabihollah Rezaee Z, Elam R, Sharbatoghlie A (2001). Continuous


Virtual Office Risk Manage. Security, Control, and Auditing. URL: auditing: the audit of the future. URL:
http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=644 http://lysander.emeraldinsight.com/vl=5729087/cl=81/nw=1/rpsv/~115
Xiao Z, Sangster A, Dodgson JH (1997). The relationship between 5/v16n3/s6/p150
information technology and corporate financial reporting. URL:
http://www.emeraldinsight.com/Insight/Articles/0510200604.html
Yang, David C, Guan, Liming (2004). The evolution of IT auditing and
internal control standards in finan. statement audits: The case of the
United States. URL: http://emeraldsight.com/0268-6902.htm

You might also like