120 likes | 267 Views
Academic Discussion of “Factors associated with IT audits by the internal audit function.â€. by Jeffrey W. Merhout, Ph.D., CPA (inactive) Farmer School of Business Miami University, Oxford OH. Strengths/Contributions.
E N D
Academic Discussion of “Factors associated with IT audits by the internal audit function.” by Jeffrey W. Merhout, Ph.D., CPA (inactive) Farmer School of Business Miami University, Oxford OH
Strengths/Contributions • Answers an important research question: how much time does the average internal audit “shop” spend on IT audits. The reported percentages for 2003 and 2006 are very enlightening for research and teaching, and perhaps for practice too. • Addresses another key research issue: variables that are potentially associated with IT audits. • International dimension with countries including Canada, Australia, New Zealand, the U.K./Ireland, and the U.S.
Strengths/Contributions • Good discussion of literature about the key KSAs required for IT auditors (e.g., Merhout and Buchman) and justification of CISA as your proxy for technical knowledge. The CISA is truly a key certification. • Research questions are logically derived, except for possibly the age of the IAF as a proxy for organizational experience. But even the authors themselves recognize as a possible limitation.
Strengths/Contributions Opportunities for future research are tremendous (as outlined by authors): • “does the negative association of CPA and IT audits suggest that less CPAs should be hired in favor of more CISA and other certifications?” • “The results also indicate that additional investigation is needed to identify the most effective training material to adequately prepare technology-oriented IAs to become more familiar with technology and comfortable with IT audits.” • “This result suggests that IS/CS training may be useful for CAEs that did not major in IS/CS, a point awaiting further investigation.” • “A similar issue for future study might be the investigation of differences in IT audits by industry.” • “Future studies may benefit from extending the study to other influential respondents such as audit managers.” I could easily envision using this paper in a research class to see if students could pick up these opportunities or could construct a study to answer these questions.
Possible Opportunities for Improvement • The title of paper does not convey the real value of the paper: “associated with” is too vague. Should “exploratory study” be included? • Why are more IT audits “better?” Perhaps a discussion of the value-added activities that the IT audit function can provide would help to address the “so what” question. e.g., see Merhout and Havelka, 2008 in CAIS. • Is there any more recent CBOK data available to see if the actual 2009 percentages panned out? • Still not sure why the US is separated out from these other (predominately) English-speaking countries.
Possible Opportunities for Improvement Why is time the proxy for dependent variable? Is time determined by the number of man-hours on the engagement? Would the number of audits be another possibility? Under the “explanatory variables” section, you state: “If the IAF does possess these skills, then it is also likely to perform IT audits. If it does not then the IT audit may be performed by other departments (e.g., Management Information Systems), or may be cosourced, or completely outsourced.” • The MIS/IT departments cannot audit themselves. This is not “legally” acceptable, nor is it practical because these departments are not trained in audit norms and procedures. Page 2 Footnote – Sox compliance has an average “cost of 2.2 million” • per what? year, lifetime, since SOX?
Possible Opportunities for Improvement Age of the IAF as a proxy for organizational experience: • How did you determine that organizational experience is a factor associated with more IT audits? • Is your reasoning circular? (e.g., “organizational knowledge can be drawn from IT auditors’ experience in the organization;” but you use this as a determinant of the amount of IT audits performed.) • Is age the only available data that could be used for this proxy? You addressed this as a limitation, however, which is good. And it is a good topic for future research. • Perhaps the audience has some suggestions for an alternative proxy?
Possible Opportunities for Improvement Under the Control Variables section, you state: “More experienced CAEs may favor spending time on more traditional audits (with which they have familiarity and experience, and comfort level) than the IT audit. Thus, we use CAE experience as a control variable and expect a negative association with IT audits.” • I do not follow your reasoning here very clearly. Data analysis section (under Table 1) IAF size: “The data indicates that on average IAFs have 12.33 members…” However, you then refer to mean years of 6.22 for Australia… • Is it members or years (or both)?
Possible Opportunities for Improvement Summary and Implications section: • Perhaps a summary table of your conclusions would be helpful. • RE: “Increases in IT audits by IAFs should decrease the dependence of organizations on their MIS departments…” • The MIS/IT departments cannot audit themselves. This is not “legally” acceptable, nor is it practical because these departments are not trained in audit norms and procedures.
Possible Opportunities for Improvement RE: “the results of the study imply that significant increase in IT audits requires investment in recruiting, training, and CISA certification of new recruits because these variables are positively and significantly associated with IT audits.” • Logical suggestions, but potentially costly; once again I suggest you discuss the reason why “more IT audits is better.” • Perhaps a brief discussion of the value-added of more IT audits is appropriate. • Page 19 also suggests the value-added dimension of the IAF, but can we scientifically show this? • Would a risk-based annual audit plan presumably include the appropriate proportion of IT audits? Is that more important than sheer numbers of IT audits?
More Future Research Opportunities for future research are tremendous (as outlined by Merhout) • More international representation might be insightful: e.g., more Western, but non-English speaking countries (e.g., Europe and South America) and Asian countries. What about Hong Kong? • Page 19 suggests the value-added dimension of the IAF, but how can we scientifically show this? • Do CAEs believe their risk-based annual audit plan leads to the appropriate proportion of IT audits or are the CAEs forced to do fewer IT audits than they would otherwise because of a lack of resources? • “Future studies may benefit from extending the study to other influential respondents such as audit managers.” • Does the CBOK database include responses from audit managers?
Conclusion • Thank you for the opportunity to review and discuss this paper. • Please feel free to contact me to discuss further: • Jmerhout@muohio.edu • 513.907.0558 Jeff Merhout