Professional Documents
Culture Documents
Faculty of Business and Accountancy, University of Malaya, 50603 Kuala Lumpur, Malaysia.
2
National Audit Department, Malaysia.
Accepted 25 May, 2010
Information technology (IT) has become an increasingly important tool for the Malaysian government to
improve the delivery of its services. However, advances in information technology continuously render
control procedures obsolete. Indispensably audit methodology has to evolve to keep abreast with the
change in technology. This study investigates the IT practices of the public sector auditors in Malaysia.
We examine IT evaluation based on IT audit objectives, organisational characteristics, competency of
auditor and usage of Computer Assisted Audit Tools and techniques (CAATTs). Self-administered
questionnaires were mailed to 400 public sector auditors providing a usable sample size of 73. The
results show that application processing control and data integrity, privacy and security control were
the most frequent evaluations performed by public sector auditors. The most frequent IT audit objective
is the evaluation of compliance with policies, procedures and evaluation of internal control and these
objectives are performed differently in different divisions. CAATTs have been used most frequently as a
problem solving aid. Several appealing patterns emerged from the eight regression models. The
findings provide important implications for research on IT and public sector auditing.
Key words: IT auditing, public sector auditing, public sector auditors.
INTRODUCTION
The impact of information technology (IT) in business has
grown exponentially in recent years, changing the audit
process and resulting in both opportunities and
challenges for auditors. The audit profession is rapidly
advancing in response to changes in its environment. It is
also argued that auditors are struggling to maintain their
identity and purpose as the organisations they audit
undergo radical changes (Solomon and Trotman, 2003).
Advances in IT continuously render control procedures
obsolete, and the value of traditional audit has become
seriously questioned (Tongren and Warigon, 1997). As IT
changes occur more quickly, auditors must keep pace
with emerging technological changes and their impact on
their organisations data processing system, as well as
their own audit procedures (Rezaee and Reinstein,
1998).
IT is an increasingly powerful tool for improving the
delivery of government services. IT and the Internet in
particular have opened new possibilities for the government and the governed, just as it has for the businesses
and its customers (Hazman and Maniam, 2004; Moon,
2002). Over the past decade, many governments
including the Malaysian government have planned and
implemented programmes projected to introduce the
government into the digital land. The Malaysian
government is transforming itself as it increasingly moves
to delivering information and services electronically. The
highly complex bureaucracies that grew to regulate the
economy and society through the highly differentiated but
usually lowly integrated machinery (Marche and
McNiven, 2003; Davison et al., 2005) can eventually be
reconstructed through IT. Governments of both
developed and developing countries have embraced IT to
improve the quality of public services, to increase public
access to information and to energise more participation
in public affairs (Becker, 1998; Moon, 2002). Therefore,
public sector audit and accounting practices in Malaysia
are experiencing focal reform aimed at escalating
transparency, streamlining accountability and improving
overall financial management in line with international
standards and practices.
1552
1552
1553
1554
Types of auditor
Generally organizations classify the auditors as external,
internal (business) and IT auditors. IT auditors usually
recognise more types of security risks related to IT
control evaluation activities than business auditors
(Hunton and Wright, 2004). The presence of the IT
specialist allows for more complex evaluations of technology (Hermanson et al., 2000). In the CIS setting, auditors
reliance on IT specialists increases as the specialists
competence increases, and the accuracy of auditors
inherent and control risk assessments is affected more by
IT expertise than by general audit experience (Brazel and
Agoglia, 2005). However, business auditors who
possessed a fundamental understanding of IT systems
can successfully work in e-business environments as
they can gain necessary support though collaboration
with specialist auditors (Price, 2001). As an organizations reliance on technology increases, the differences in
the role of IT auditor and business auditors/internal
auditors are becoming less distinct (Pathak, 2003). It is
anticipated that the types of auditors would vary by IT
control evaluation activities.
Size of organization
Organization represented by number of auditors in the
organizations who performed IT related auditing size can
also influence IT audit activities. The availability of
resources plays a part in determining the auditors
participation in e-business initiatives (Pathak, 2003). In
larger audit department, as opposed to small ones, there
is a greater tendency to participate in e-business system
development process. Further, larger number of internal
auditors may signal greater commitment to control, as
well as greater resources available for IT auditing
(Hermanson et al., 2000). Larger companies generally
have larger internal audit staffs, and prior research has
documented a positive relation between company size
and control strength (Brans and Waterhouse, 1975;
Ivancevich et al., 1998; Karnes et al., 1992; Snell, 1992).
It is expected that the size of organizations would vary by
IT control evaluation activities.
Structure of computerized information systems
Another organisational characteristic is whether the
organisations computerised information systems are
centralised or decentralised. Centralized systems consist
of a central computer in one location that processes and
stores all the company's data. Decentralized systems
(also known as distributed systems) allow for more localized entry, processing, and storage of data (Hermanson
et al., 2000). Decentralized systems present audit concern regarding the completeness, integrity, and security
of the distributed data (Warren et al., 1998). It is forecasted
1555
1556
1557
IT evaluation control
ITC1
Type of activity
New systems development and acquisition. The internal auditor evaluates the acquisition standards
and methods that are used, whether the standards and methods are being used correctly, and
whether system development technologies are being used correctly (Hermanson et al., 2000).
ITC2
Examines systems under development to evaluate the quality of the testing, the accuracy of the
data conversion, and the effectiveness of the post-implementation evaluations (Hermanson et al.,
2000).
ITC3
Considers revision to existing systems and evaluates the program-change controls, methods, and
procedures, and whether these are operating properly (Hermanson et al., 2000).
ITC4
Considers IT assets and facilities management. Ensuring IT assets are safeguarded is an important
task for the auditor. The evaluation in this area also may include inspections of the actual computer
locations and assessments of staffing practices, data centre access, and data libraries (Warren et
al., 1998).
ITC5
Encompasses data integrity, privacy, and security. As open systems, electronic data interchange
(EDI), and internet communications become more prevalent, this evaluation will become even more
important (Hermanson et al., 2000). Uncontrolled or loosely controlled networks increase business
risk by enhancing the possibility of problems such as data tampering, destruction of data through
infection with viruses, business interruption through loss of network communications, and legal
liability through theft of personally confidential or firm confidential data (Warren et al., 1998).
ITC6
ITC7
Considers control over operating systems and networks. Some of the tests considered in ITC7
include evaluation of the cost effectiveness of the IT, evaluation of the procedures to manage the
operating system and network, evaluation of the network reliability, evaluation of the sufficiency of
the performance measures, and evaluation of compliance with the standards and procedures set for
the operating system and network (Hermanson et al., 2000).
ITC8
Deals with the traditional application-processing flows and controls. This evaluation includes
determining whether the data for the application are processed correctly, preventing errors and
omissions, ensuring the reliability of the data-processing outputs, and ensuring that only properly
authorised transactions are processed (Hermanson et al., 2000).
1558
Organisation characteristic
Structure of organisations
Frequency
31
20
14
6
2
%
42.47
27.40
19.18
8.22
2.74
Types of auditors
General auditor
IT auditor
30
43
41.1
58.9
Style of auditing
8
27
38
11.0
37.0
52.1
31
42
42.5
57.5
Mean
2.27
2.38
1.73
Median
2.00
2.00
2.00
Std. deviation
0.786
0.637
0.672
Mean
4.054795
4.002283
3.794521
3.786693
3.462329
3.307241
3.263699
3.246575
Std.
deviation
0.89583
0.903736
1.105025
0.818966
1.182681
1.168286
1.174003
1.130426
No. of
test
4
6
1
7
4
7
4
3
K_W Government
(Sig. value)
0.046
0.426
0.005*
0.037
0.006*
0.290
0.005*
0.060
1559
IT audit objective
X2
X3
X1
X4
Mean
Std.
deviation
4.37
4.16
3.95
3.60
.993
.913
1.189
1.115
K-W Government
(Sig. value)
0.004*
0.423
0.373
0.156
Usage of CAATTs
CAATTs as problem solving aids
CAATTs in data integrity testing
CAATTs use in system analysis and documentation
CAATTs use in system or program testing
CAATTs an administrative tool
Mean
3.5068
3.3836
3.1918
3.0548
2.9178
Std. deviation
1.27064
1.32948
1.37090
1.34258
1.26659
Table 6. Comparison of Kruskal Wallis tests on IT control evaluation activities by organisation characteristics (N = 73).
Variable
ITC1
ITC2
ITC3
ITC4
ITC5
ITC6
ITC7
ITC8
Type of auditors*
Size**
.181
.126
.098
.451
.281
.065
.385
.636
.505
.386
.097
.143
.257
.093
.066
.451
Structure of CIS*
Sig. value
.645
.923
.114
.907
.210
.234
.151
.488
New system**
.249
.556
.722
.061
.221
.390
.339
.007*
Significant with Bonferroni correction for multiple comparisons: *p.05 = 0.025 ; **p.05 = 0.0167.
Organizational
evaluations
characteristics
and
IT
control
1560
1561
Table 7. Summary of multiple regression analysis - Correlation coefficient and significant value of each independent variables (N = 73).
Model
Independent variable
Sign of coefficient
Sig. value
Dependent variable
ITC1
Sys. Development and acquisition
0.350
0.000
bj
Sig.
-0.182
0.964
X1
Efficiency,
effective
economy
0.020
0.975
ITC2
Sys. Implementation
0.166
0.016
bj
Sig.
0.769
0.815
0.175
0.737
0.878
0.266
0.732
0.315
-0.871
0.038*
0.242
0.004*
0.021
0.947
10.138
0.171
-0.177
0.755
-0.209
0.812
-0.208
0.760
ITC3
Sys. Maintenance and program
0.281
0.000
bj
Sig.
0.444
0.916
0.942
0.163
0.654
0.518
10.469
0.119
-20.192
0.000*
0.195
0.067
0.442
0.0278
10.591
0.137
0.610
0.403
0.023
0.984
-0.312
0.721
ITC4
IT Safeguarding
0.201
0.006
bj
Sig.
10.477
0.163
0.200
0.231
-0.292
0.246
0.616
0.010*
-0.314
0.020*
0.067
0.013*
-0.005
0.958
0.641
0.017*
-0.375
0.041*
0.241
0.390
-0.095
0.663
ITC5
Data integrity, privacy, security
0.318
0.000
bj
Sig.
20.597
0.586
0.947
0.211
0.799
0.483
10.459
0.167
-0.521
0.385
0.423
0.001*
0.022
0.962
20.324
0.055
0.994
0.227
10.246
0.326
-20.011
0.044*
ITC6
Disaster recovery plan
0.344
0.000
bj
Sig.
10.109
0.875
0.661
0.554
10.737
0.304
20.688
0.087
-20.580
0.005*
0.703
0.000*
0.222
0.742
30.695
0.040*
0.169
0.889
-30.557
0.061
-10.149
0.431
ITC7
Operating system
0.342
0.000
bj
Sig.
50.264
0.289
10.702
0.033*
0.900
0.447
10.052
0.336
-0.464
0.456
0.392
0.002*
-0.137
0.773
10.022
0.411
10.816
0.036*
0.723
0.583
-20.030
0.051*
ITC8
Application processing
0.533
0.000
bj
Sig.
50.143
0.052
0.350
0.397
0.809
0.196
10.794
0.003*
-0.619
0.062
0.261
0.000*
0.298
0.236
0.451
0.490
0.389
0.385
-0.554
0.424
-20.092
0.000*
ITC Overall
Overall ITC evaluation
0.415
0.000
bj
Sig.
160.621
0.507
40.997
0.209
70.394
0.218
110.424
0.041*
-90.613
0.003*
20.521
0.000*
0.636
0.791
110.669
0.066
30.965
0.357
-30.016
0.650
-60.986
0.179
Adj.
R2
Sig.
X2
Compliance
X3
Internal
control
X4
Financial
statement
X5
CAATTs
X6
Competency
X7
Types of
auditors
X8
Size
X9
Structure
of CIS
X10
New
system
10.909
0.052*
10.615
0.074
-20.053
0.000*
0.238
0.021*
-0.227
0.0561
0.808
0.428
0.538
0.441
-0.928
0.390
0.909
0.280
1562
1563