Add to collection(s) Add to saved
  1. Business
  2. Management

Summary of results for effect of e-business on internal audit

advertisement 
The Impact of E-Business upon the Internal Audit Function
Information Systems Audit and Control Association
Summary Report
Amr Kotba, Dave Hendersonb & Alan Sangsterc
Study Background
Over the past few years, the exponential growth in the Internet and easy-to-use web browsers
has transformed the business environment, not only disrupting brick-and-mortar business
models, but also creating a multitude of innovative electronic business (e-business) models. Ebusiness models are implemented through complex information and communication
technologies that allow business partners (e.g. customers, suppliers, employees, etc.) to interact
in unprecedented ways. This technology-centric nature of e-business has changed the business
landscape in which the internal audit function is practiced. This study intends to provide further
insights into the changes resulting from the implementation of e-business models on the
technical and professional systems in which internal auditors operate. In particular, this study
aims to explore: (i) how e-business changes the internal audit function; and (ii) how ebusiness-driven changes to internal audit impact the role and expertise of the internal auditor.
The importance of this study originates from an apparent paradox. On the one hand, the fact
that e-business has influenced and will continue to influence every aspect of the business
world, in which internal auditing is practiced. On the other hand, the review of previous
literature revealed that the impact of e-business on internal audit practice is relatively underexplored with a lack of empirical studies addressing the likely changes to the internal audit
practice and the profession. This study attempts to fill this gap in literature by reporting on
attitudes and practices of a sample of internal auditors worldwide. Using an online survey, we
seek perceptions of generalist internal auditors and IT internal audit specialists on how ebusiness affects the internal audit function, knowledge and skills needed by internal auditors
and, in turn, their role.
The questionnaire consisted of 22 questions including demographic data questions. Most
questions were measured on a five-point Likert-type scale ranging from 1 to 5, in which 1
1
equaled “strongly disagree” and 5 equaled “strongly agree”, the respondents were allowed to
add their personal comments that they feel might be of benefit to the study. Additionally, there
were a number of open-end questions. We collected data from December 2010 to April 2011.
We targeted respondents from different sources such as the IIA in the UK & Ireland, UK
Higher Education Internal Audit Service providers, various IDEA & ACL user groups in the
UK, www.itaudit.co.uk, and www.isaca.org.
Descriptive Statistics
A total of 162 individuals opened/started the questionnaire by going to the on-line survey and
79 completed the survey for a completion rate of 48.7%. As shown in Table 1, 57% of
participants are internal auditors, 18% are specialist IT internal auditors and 25% are both
internal auditors and specialist IT internal auditors. Participants are experienced, as the average
number of years of experience for internal auditors is 12 and 7 for specialist IT internal
auditors, and well educated, as 37% have an Accounting undergraduate degree, 54% have a
non-Accounting undergraduate degree, 8% have a graduate Accounting degree, and 29% have
a graduate business degree. Many participants are active in professional associations as 73%
belong to the Institute of Internal Auditors (IIA), and 36% are a member of the Information
Systems Audit and Control Association (ISACA). In addition, participants come from ten
different countries; with the majority from the USA and the UK, and represent thirteen
different industries.
Participants work within internet-based business models that range from enterprises using the
web only to build awareness amongst stakeholders to enterprises using an integrated webbased supply chain linking together customers and suppliers with back-office processing and
information systems. The majority of participants (60%) work for organizations that either
integrate internet-processed activities with back-office information systems or interact with
different stakeholders through an integrated web-based supply chain. Overall, it appears that
participants work for organizations that use e-business for sophisticated purposes.
2
Table 1: Demographics of the respondents
A. Respondent Role
Internal auditor
Specialist IT auditor
Internal auditor & Specialist IT auditor
B. Years of Experience as Specialist IT Auditor
1-5 years
6-10 years
11-15 years
16-20 years
C. Years of Experience as Internal Auditor role
1-5 years
6-10 years
11-15 years
16-20 years
>20 years
D. Academic Qualification
Non-Accounting bachelor’s degree
Accounting bachelor’s degree
MBA
Master’s of Accounting degree
Other master’s degree
Ph.D.
None
E. Professional Qualification
IIA
ISACA
AICPA
CIPFA
Others
None
F. IT Professional Qualifications
CISA
IIA IT Auditing Certificate or IIA Qualification in Computer Auditing
Others
None
No.
%
43
14
19
57%
18%
25%
13
11
5
1
43%
37%
17%
3%
16
9
8
4
9
35%
20%
17%
8%
20%
41
28
22
6
7
2
4
54%
37%
29%
8%
9%
3%
5%
55
27
11
7
24
4
73%
36%
15%
9%
32%
5%
23
5
21
37
34%
7%
31%
54%
Key Findings
Overall, it was found that the respondents, whether generalist or IT internal auditors, believe
that e-business has been taking the internal audit function in new directions. In particular,
results suggest that e-business does not impact one phase more than another, but has a
pervasive impact on the internal audit. However, it appears that internal audit procedures are
more geared toward IT issues, while 69% believe that e-business increases the salience of IT
3
issues during the audit planning phase and almost one-third indicates that the increased
implementation of e-business models will result in audit procedures will be more focused on IT
issues. This has been explained by a respondent:
"The internal audit plan should be modified to take into consideration the
following: The risks related to IT specially if the IT is a significant component
of the business strategy, the controls have IT components, the testing methods
and using of CAAT's (Computerized Audit Automated Techniques)"
As a result, majority of respondents (Table 2) believe that a larger proportion of internal audit
work is done by IT audit specialists in an e-business environment than in a non e-business
environment. This has also been echoed in participants’ qualitative responses, for example:
“Participation is throughout the entire process to some degree or another.”
Table 2: Internal audit work completed by IT audit specialists
Percentage
0%
1% - 25%
26% - 50%
51% - 75%
76% - 99%
100%
In a non e-business audit scenario
No.
%
10
12%
38
45%
23
27%
7
8%
3
4%
3
4%
In a an e-business audit scenario
No.
%
6
7%
12
14%
19
23%
23
28%
17
20%
6
7%
Consistently, the majority of respondents (80%) agree that adopting an e-business model
significantly raises the relevance and importance of IT audit expertise, requiring internal
auditors to be more knowledgeable and skilled in IT auditing issues. For example, this was
voiced by a respondent:
“Internal Auditors must be, at a minimum, conversant in hardware and
application vernacular in order to be able to understand the true scope of the
audit universe and the applicable risks. In addition, the increased use of data
analytics on e-business data, requires the auditor to understand the process by
which the web application and enterprise system record, interface, compile and
report data.”
Not only that but also half of respondents indicated that adopting an e-business model slightly
raises the proportion of IT audit specialists to generalist internal auditors, results in a greater
emphasis on IT expertise when recruiting, and a greater career opportunities for IT auditors.
4
Accordingly, two-thirds of participants believe that IT audit professional qualifications, such as
the CISA, are even more important in an e-business audit context.
While participants clearly believe that an e-business model raises the relevance and importance
of IT knowledge and expertise, they are less confident not only about their internal audit team
members, but also about the IT expertise of their team members. This can be attributed to a
lack of e-business audit training. Only half of the participants have received training in auditing
in an e-business context. Of the participants who have received this training, most have
received it from vendors, in-house, continuing professional development, or other sources (e.g.,
professional associations such as ISACA and the IIA); few participants have received training
from college courses (Table 3).
Table 3: Sources of training received for auditing e-business
Source
Vendor training
College training
In-house training
CPD
Other –please describe
No
21
6
24
16
15
%
53%
15%
60%
40%
38%
Conclusion
Our results indicate that the audit internal audit function appears to be going through another
shift. While e-business may be viewed as an extension of traditional business, it has changed
the way organisations conduct business, the nature of work done, the nature of business
relationships, and how organisations structure themselves. This, in turn, has altered the entity’s
risk profile and associated mitigating processes. Thus, it is doubtful that conventional internal
audit practices and techniques are appropriate for such businesses. In other words, if
conventional audit practices and techniques are applied to e-business, significant risks may go
unnoticed, particularly when dealing with complex e-business systems. The focus should be on
using IT-based techniques such as continuous auditing and monitoring.
Given that e-business is a highly technology-centric business, technical IT roles are
increasingly important, driving the need for internal auditors with specialized IT technical
knowledge and skills. In this sense, it can argued that internal auditors need to acquire
5
specialized IT audit expertise in order to make appropriate enquires and to understand the
technical implications of the responses obtained, to identify the risks associated with e-business
and to evaluate the internal controls. Given that such specialized IT knowledge and skills are
not traditionally part of the internal auditors’ education and training, this might open the door
to non-financial internal auditors to take over much of the internal auditor’s role in leading and
conducting e-business internal audit function.
a
Amr Kotb is a Senior Lecturer in Accounting in the Department of Accounting and Finance, Middlesex
University Business School. His research interests include auditing, forensic accounting and corporate social
responsibility.
b
David Henderson is an Assistant Professor at the College of Charleston.
c
Alan Sangster is a Professor of Accounting Education in Middlesex University Business School. His research
interests lie in accounting systems, accounting education, accounting history, and accounting practice.
6
Related documents
Evolution of an Automated Internal Audit Management System
Evolution of an Automated Internal Audit Management System
Green Impact Auditor
Green Impact Auditor
Case
Case
lecture4
lecture4
Mystery Fraud Training Outline
Mystery Fraud Training Outline
Getting to Know Internal Auditing - The Institute of Internal Auditors
Getting to Know Internal Auditing - The Institute of Internal Auditors
grp-2
grp-2
Audit Poster - BSG Colonoscopy Audit
Audit Poster - BSG Colonoscopy Audit
Download
advertisement