Date of Award
PhD in Accountancy
Department of Accountancy
The Institute of Internal Auditors (IIA) defines integrated auditing as auditing that looks at more than one aspect of the area under review, which may include financial, operational, information technology (IT), compliance, environmental, and/or fraud-related audit objectives. I examine the internal auditing function’s (IAF’s) use of integrated IT auditing and provide evidence of how internal auditors’ IT audit activities contribute to IT governance, a critical subset of corporate governance. Importantly, increased understanding of these IT audit practices assists educators in curriculum design reflective of practitioner needs.
I have three interrelated studies. The first synthesizes literature through an historical lens to answer the question: “How has the practice of IT auditing evolved within the IAF?” Including literature supporting interrelationships between accounting, technology, regulation, and competing/cooperating classes of auditors, I present a history of internal auditors’ IT audit activities while examining how these interactions reflect Abbott’s (1988) system of professions. I conclude by proposing opportunities for future research.
The second study qualitatively examines current internal auditors’ IT audit practices, triangulating content analysis from an ISACA-provided dataset, publicly available interview-based Protiviti reports, and my own exploratory interviews. Results indicate internal auditors’ IT audits are expanding in scope and vary based on organizational context. I argue that integrated IT auditing takes on two forms: parallel, with generalist and specialist auditors working simultaneously but separately on the same audit, and fully integrated, involving the use of hybridized auditors within the IAF. I also argue that the use of hybridized internal auditors within the US context has grown significantly as a result of Sarbanes-Oxley legislation and that growth will continue as demand for IT audit resources exceeds the available supply.
The third study uses a large-scale database, the 2010 Global Internal Audit Common Body of Knowledge from the IIA Research Foundation, to quantitatively examine correlations between organizational, IAF, and CAE characteristics, overall internal audit strategy, and the IAF’s IT audit strategy. I find that practice location and CAE characteristics are strongly related to the selection of an integrated IT audit strategy, as is an IAF strategy of assurance of sound risk management/internal control.
Gray, Joy M., "Information Technology Audits by Internal Auditors: Exploring the Evolution of Integrated IT Audits". 2016. 1.